Lawyers as "Service Providers" Under the Gramm-Leach-Bliley Act
Posted by Peter Mucklestone and Stuart Louie
Despite a ruling by the D.C. Circuit Court of Appeals that lawyers are not "financial institutions" under the Gramm-Leach-Bliley Act ("GLBA") and therefore need not comply with the privacy obligations the GLBA imposes on financial institutions, it is likely that lawyers are "service providers" for the purposes of the GLBA when representing GLBA-regulated financial institutions. (See American Bar Ass'n v. Federal Trade Comm'n, 430 F.3d 457, 21 Law. Man. Prof. Conduct 616 (D.C. 2005).) The consequence? Lawyers representing GLBA-regulated financial institutions may be required to give contractual assurances about their information security practices and, in particular, the steps they are taking to protect any personal information they may acquire in the course of their representation.
The Federal Trade Commission—one of the federal agencies authorized to make rules implementing the GLBA—already requires financial institutions to oversee their service providers by "taking reasonable steps to select and retain service providers that are capable of maintaining appropriate safeguards for the customer information at issue," and "require service providers by contract to implement and maintain such safeguards." (16 C.F.R. § 314.4(d)).
The good news? A service provider’s obligations under GLBA extend only to the safeguard rules and not the privacy rule. Furthermore, the legal profession, with its longstanding professional duty to protect client confidentiality, should already be providing information security measures necessary to meet the safeguard rules under GLBA. A prudent law firm may also circumvent its GLBA obligation by including language in its retention letter to the effect that its representation of the financial institution does not require access to nonpublic personal information.
