Privacy–part 2: The privacy notice

Clemmer, William A


Last month’s issue discussed the fact that “privacy notices” abound. Unfortunately, not many are read completely or in depth; rather, they are put aside for later perusal or as the basis for a suit. Some seem to conform to the letter of the law for a “written notice” while others try to get at the heart of providing “notice to customers about its privacy policies and practices” and “customers with practical procedures that would effectively prevent any distribution” of nonpublic personal information. Most notices clearly identify the issuer and the issues, while others are difficult to understand (and trust). In one notice, the type was small (9 pt.) and the issuing company was identified only once, and then without emphasis in the body of the notice, which did not include an address or telephone number.

The ethical practitioner will always seek to allay customers’ fears regarding any aspect of their practice. Confidence is critical to the practice, and privacy and data security are primary in that effort.

Following is a brief review of privacy notices. More complete detail is available from several sources (including the authors). However, the following will provide enough information to recognize an adequate notice and serve as the basis for a notice that can be designed for your particular practice and clientele. Also included is a sample privacy notice document.

The privacy notice

A “Written Notice” must include:

* The types of information collected

* Parties to whom information is disclosed

* How (and why) confidentiality and security of past and present client information is protected

Since the IRS already has issued regulations, some practitioners are including a statement regarding IRS restrictions on disclosure to affiliates and non-affiliated third parties.

An “Initial Notice” must be given (with exceptions) when a customer relationship is established. No “Notice” is required, or it may be delayed:

* if a customer is not accepted or rejected

* if such Notice would substantially delay a customer’s transaction

* for customers before the firm distributes nonpublicly available personal information to a non-affiliated entity

Initial Notices were to have been provided to existing customers by July 1, 2001. “Notice” means that you and/or your firm have established a system for providing new customers with an initial notice and have mailed notices to all existing customers.

A “Clear and Conspicuous Notice” is an annual notice, which accurately reflects the firm’s policies and practices. This notice must call attention to the nature and significance of the information contained and be reasonably understood. Attention should be paid to specific ingredients of the notice, calling attention to key features with language, typeface and type size, margins and graphics. The rules also include the manner in which the notice is posted on a Web site.

Sample document

Included below is a “sample” starter document, which can be tailored to individual needs and checked, enhanced or streamlined by counsel.


Recently issued FTC (Federal Trade Commission) regulations mandate that we provide our clients with information about our Firm’s privacy policies. After reading the policies, feel free to call, write or e-mail us with any questions.

Acquisition of Client Information: Our Firm collects nonpublic personal information about our clients from the following sources.

Client-Provided Information: Our client engagements routinely require us to obtain nonpublic personal information about our clients so that we can provide the various services we perform for our clients as part of our agreed-upon professional relationship. Nonpublic personal information is generally considered to be information that we would not be able to acquire if the client had not provided the Firm with any information.

Information Obtained Through Other Sources: Depending upon the particular service a particular client has engaged the Firm to provide within the scope of our engagement letter, we may request nonpublic personal information concerning the matter at hand. However, this information is never obtained without the client’s specific authorization of the type of information and the source(s) from which it may be obtained. Examples would be disclosure to, or requests of information from, other firms with which the client deals that have information our Firm needs to accomplish the client’s goals.

Disclosure of Nonpublic Personal Information: Other than as provided above or in the following section termed Service Providers, it is the policy of our Firm to never disclose nonpublic personal information, or any other information, about our clients unless specifically authorized by them.

Nonpublic personal information is defined in the regulations as any publicly available information that we acquire by using information the client has provided in connection with any professional services we perform for the client, which is not public information. An example would be a bank account number which the client provides the Firm that is somehow used to acquire information regarding a court trial or other public record that would not have been found by the Firm without using the bank account number acquired from the client. In a generic sense, any information that a client provides which involves a financial product or service is likely considered nonpublic personal information and receives the same protection from disclosure as any other information about our clients.

For purposes of our business relationships with our clients, information acquired is disclosed ONLY under the following conditions.

Employees of the Firm: Employees who need such information to conclude a transaction for which the client has engaged the Firm will have access to information they deem necessary.

Service Providers: As with any business, we may have our own accounting, insurance and other service firms, to which we may need to provide information that the FTC regulations consider nonpublic personal information.

An example might be the information on the client’s account activity that an accounting firm needs to prepare billings and financial statements for our internal or external purposes.

Another example would be computer consultants who must have access to certain client records in order to increase the efficiency of our computer processing systems.

A third example of a circumstance in which the Firm might disclose nonpublic personal information would be a release of necessary information to other professionals who are assisting our Firm in carrying out a client engagement. In such a case, we would require the client’s approval for such a disclosure. For example, if we hire a valuation firm to help us appraise the value of the client’s real estate for purposes of setting a price in a buy-sell agreement with the client’s other co-investors, we would need to disclose certain information. We have always insisted that any such information deemed absolutely necessary to be disclosed for a business purpose be considered strictly confidential and not used for ANY purpose other than the specific business need. That well-understood business policy of confidentiality will be reinforced by a contractual agreement between all service providers to the Firm referencing the FTC regulations.

Other Disclosures: Other than as stated above, we do not voluntarily disclose nonpublic personal information, or any other information, to any outside party that our client has not specifically authorized our Firm to disclose. Obviously, it is possible that we may have to disclose information involuntarily, for example, if compelled by court order.

Internal Revenue Code Rules: In addition to the privacy protection that the new FTC regulations provide, the Internal Revenue Code prevents the disclosure of client information provided for tax planning or preparation services, without the client’s written permission.




The Firm and the Service Provider hereby enter into this Agreement defining the responsibilities of the Service Provider in protecting any client information, whether of a nonpublic personal nature or otherwise, provided to the Service Provider, or discovered by the Service Provider in the course of the Service Provider’s provision of services to the Firm.

The Service Provider understands that Federal Trade Commission Rules, 16 CFR 313, require that the Firm place contractual restrictions on the Service Provider’s disclosure of nonpublic personal information, in addition to the Firm’s historical requirement that no client information be disclosed to any third party without the Firm’s written permission, unless such disclosure is necessary to the provision of services to the Firm.

The Service Provider will enter into a contractual arrangement with such other firm which prevents such other firm from disclosing any information provided to the Service Provider unless in accordance with the terms of such contractual relationship between the Service Provider and the other firm.

The authors

William A. Clemmer and Gary S. Lesser, JD, head up Financial Services Agency Consulting (FSAC), a division of The Rough Notes Company. Clemmer has more than 25 years of financial services industry experience on Wall Street. Lesser writes and lectures widely on retirement planning and taxation issues. He is a member of the board of advisors for the Journal of Taxation of Employee Benefits.

Copyright Rough Notes Co., Inc. Oct 2001
