• Any information given for a financial product or service, including name, address, income, SSN, or any other information that might be on an application
• Any information gained from a transaction involving a financial product or service, including your relationship with the individual, account numbers, payment history, balances, or purchases
• Any information obtained about an individual in connection with providing a financial product or service, such as information from a consumer report or court records

1. Your policies and practices for disclosing NPI to nonaffiliated third parties.
2. What kind of third parties you might disclose information to.
3. What kind of NPI you collect and the categories of information you might disclose.
4. How you handle the NPI of former customers.
5. Your policies for ensuring the confidentiality and security of NPI.
6. An explanation of the opt-out option and what methods a consumer can use to opt-out at any time.
7. Any disclosures required by the FCRA.
8. If you disclose NPI to a nonaffiliated third party under a section thirteen exception, a separate statement needs to be included of the categories of information you disclose and the categories of third parties that you've contracted.
9. Any disclosures required by section 14 or 15 exceptions.

1. A statement in which you state that you disclose or have the right to disclose NPI to a nonaffiliated third party
2. A statement that the consumer has the right to opt out of having their NPI disclosed
3. A reasonable way for the consumer to opt-out.

As long as you've explained which categories of NPI you may disclose and the categories of nonaffiliated third party you would disclose it to, your notice is considered adequate. You also need tell the consumer which of the financial products or services the consumer gets from you that the opt-out applies to.

Reasonable methods for a consumer to opt-out include any of the following:

• prominent check boxes on relevant forms
• an included reply form, along with the address it should be mailed to (if applicable)
• electronic means, such as an emailed form (if the consumer has agreed to the electronic delivery of information)
• a toll-free phone number consumers can call

The opt-out is effective until the consumer revokes it in writing or electronically. The opt-out continues to apply even after the customer relationship ends.

No, they can actually be included in the same form, and the safe harbor templates for the privacy notice include the opt-out option. They can be provided separately if that is your preference, but they should always be delivered at the same time.

A short-form notice needs to:

1. explain that the full privacy notice is available on request,
2. describe a reasonable way consumers can get the full notice, and
3. include an opt-out notice.

A customer is an individual who has a continuing relationship with an institution, whereas a consumer does not. An individual who merely cashes a check, makes a wire transfer, or applies for a loan would be a consumer. An individual who opens a line of credit, obtains a loan, or leases an automobile would be considered as having a continuing relationship with an institution, and would  be considered a customer.

1. To service or process a financial product or service that the consumer authorized
2. To maintain or service a consumer's account
3. For a securitization, secondary market sale, or similar transaction that is related to a consumer's transaction
4. With the consent of the consumer, or at the consumer's request
5. To protect the security of your records
6. To protect against fraud, unauthorized transactions, or other liability
7. For required risk control for your institution or resolving customer disputes or inquiries
8. To a person who is acting as a representative of the consumer
9. As specifically permitted by the law to self-regulatory organizations, law enforcement agencies, or for public safety investigations
10. In compliance with Federal, State, or local laws, authorized investigations, subpoena, or judicial process
11. To a credit reporting agency in accordance with the Fair Credit Reporting Act
12. To provide information to:
    1. insurance rate advisory organizations
    2. guaranty funds or organizations
    3. rating agencies of your institution
    4. compliance auditors
    5. your own attorneys, accountants, and auditors

• When the customer's deposit account is considered inactive
• When a closed-end loan is paid in full, charged off, or sold (and you didn't retain servicing rights)
• When, in an open-end credit relationship, you don't provide statements or notices about that relationship anymore, or if you sell the credit card receivable (without retaining servicing rights)
• If you have not communicated with the customer for a year beyond annual privacy notices or marketing material

You can reasonably expect a consumer to receive a physical copy of the notice if:

• You hand-deliver a printed notice
• You mail a printed notice to the last known address

You can reasonably expect a consumer to receive a electronic copy of the notice if:

• You post the notice on your electronic site and do not allow a consumer to obtaining a financial product or service until they have acknowledged receipt of the notice. (This includes isolated transactions, such as use of an ATM.)

For a customer, the notice must be given as soon as a customer relationship is established. The only exceptions are:

1. If providing the notice immediately would substantially delay the customer's transaction (such as when the relationship is entered into via phone) and the customer agrees to receive the notice at a later time.
2. If the newly established customer relationship is not the customer's choice. (For example, if you have acquired the customer's deposit liability or servicing rights to their loan from another institution.)

If either of these exceptions apply, the initial notice must be provided a "reasonable time" after the customer relationship is established.

For a consumer, the short form notice and opt-out must be delivered prior to your disclosure of any NPI about the consumer.

You can reasonably expect a consumer to receive the annual notice if the customer uses your website for financial products and services and agrees to receive the notice at the website. This only works if you post your current privacy notice where it is always obviously noticeable.
If a customer has requested not to be sent any information regarding their customer relationship with you, you must abide by that request. However, you will still need to make sure the notice is available upon request.

You can provide a joint notice from you and you affiliates or other financial institutions as long as the notice remains accurate for all institutions involved.
You can also provide a single notice to two or more consumers who jointly obtain a financial product or service from you. If you do, you need to make sure that the opt-out of one of the joint consumers can apply to all of the joint consumers, though you may allow each consumer the right to opt-out individually. You are not allowed to require all joint consumers to opt-out before you apply any opt-out direction.

The categories of NPI you disclose and whether the third party is a service provider or a financial institution

You don't need to list these exceptions in the privacy notice. To describe the categories in regards to the third parties covered by these exceptions, you only need to state that you make disclosures to nonaffiliated companies for your everyday business purposes or as permitted by law.

Your safeguards need to: 

• be appropriate for your size and complexity, your activities, and the sensitivity of the customer information you handle
• reasonably ensure the security and confidentiality of your customer information
• protect against anticipated threats or hazards to the security of the information 
• protect against unauthorized use of or access to information that could cause inconvenience or harm to your customers

Financial institutions that collect consumer information from less than 5,000 consumers are exempt from the requirements for a written risk assessment, continuous monitoring or annual penetration testing and biannual vulnerability assessment, an incident response plan, and annual reporting to the governing body of the institution.

1. What the criteria are for evaluating the risks you face
2. What the criteria are for assessing the security of the information system
3. How you will address the identified risks

Continuous monitoring can be accomplished by use of any system that allows the institution to ongoing monitoring of the information system’s security in real-time.

The periodic penetration testing is required at least once annually unless the risk assessment indicates a greater frequency is required, while the vulnerability assessments are required at least twice a year and any time there is a higher risk that new vulnerabilities have been introduced to your information systems.

Financial institutions can also hire a third party (an employee of an affiliate or service provider) to be their qualified individual. If they do so, they must still designate one of their own senior employees to direct and oversee the qualified individual, and they still retain responsibility for compliance with the Rule. The third party affiliate or service provider needs to maintain their own information security program in accordance with the Rule.

• The status of the financial institution’s compliance and the status of the information security program.
• Material matters such as the risk assessment, risk management decisions, arrangements with service providers, testing results, security events and management responses, and change recommendations. (The qualified individual is responsible for determining what matters are ‘material’ and should be included in the report.)

A security event is any instance in which there is unauthorized access, disruption, or misuse of information in physical or electronic form.

The safeguards rule requires that financial institutions encrypt data that is transmitted externally, which is defined by the Rule as “the transformation of data into a form that results in a low probability of assigning meaning without the use of a protective process or key, consistent with current cryptographic standards and accompanied by appropriate safeguards for cryptographic key material.” There is no specific way the rule requires these criteria to be met, just that whatever process used needs to be sufficient to prevent the information from being deciphered. 

Every financial institution needs to implement access controls for all customer information, regardless of whether it is stored electronically or physically. The rule also requires that they implement the “principle of least privilege,” which means that each employee should only have access to the information necessary to perform their job duties. In pursuit of this goal, multi-factor authentication is required for all employees with access to networks that contain customer information.

For the inventory, financial institutions are required to identify everything they use to run their business. The goal of this requirement is to make sure that financial institutions have a full understanding of every part that goes into their information systems and its relevance to the information security program. This inventory is not limited to just those systems that are directly related to information security in order to prevent an incomplete knowledge of the institution's systems.

Financial institutions are required to log user activity to monitor active users and their activities related to customer information. They also need to be able to monitor access to physical records and ensure access controls are being utilized. An example of this could be a sign in sheet, key card access logs, or a security camera.

Customer information needs to be disposed of within two years after the last time a product or service is provided to the customer, and the financial institution needs to develop procedures for the secure disposal of such information. These procedures and policies need to be periodically reviewed to ensure customer information is not unnecessarily retained.

The Rule also requires that financial institutions have change management procedures in place. This means that anytime there is an addition, modification, or removal of elements of the information system, the institution needs to have procedures in place to assess the effect of the change.

All employees should be provided with security awareness training that takes into account any risks identified by the risk assessment. The training program only needs to be appropriate to their organization, and only needs to be updated as necessary.

Financial institutions need to have qualified information security personnel sufficient for their information security requirements. The financial institution is the one who determines what ‘qualifies’ security personnel, and the information security personnel can be employed by the financial institution itself or by affiliates or service providers.

Financial institutions need to periodically assess their service providers’ safeguards to ensure they adequately protect customer information.

Financial institutions need to establish written incident response plans to address security events that materially affect the “confidentiality, integrity, or availability of customer information in their control.”

It’s important to note that these plans only need to address events that affect customer information ‘materially’ and only need to suit the financial institution’s needs; they don’t need to address all possible scenarios or every small detail.

1. Making a false statement to an officer, employee, or agent of a financial institution
2. Making a false statement to a customer of a of a financial institution
3. Providing a document to an officer, employee or agent of a financial institution while knowing that it is fraudulent or contains false information
4. Requesting another person to commit one of the previous actions to obtain customer information