The Gramm-Leach-Bliley Act of 1999 (“GLBA”) was enacted to enhance competition for financial products and services. Title V of the act governs a financial institutionʼs treatment of non-public personal information about consumers and requires that an institution, under certain circumstances, notify consumers about its privacy policies and practices. With certain exceptions, GLBA prohibits a financial institution from disclosing a consumerʼs non-public personal information to a non-affiliated third party unless the institution satisfies various notice requirements and the consumer does not elect to prevent, or “opt out of” the sharing of that information. GLBA also imposes specific requirements regarding the disclosure of customer account numbers and the reuse and redisclosure of information a financial institution provides to a third party.
The California Consumer Privacy Act (“CCPA”), enacted in 2018, creates new consumer rights relating to the access to, deletion of, and sharing of personal information that is collected by businesses.
The Right to Financial Privacy Act was enacted in 1978 to provide customers of financial institutions a reasonable amount of privacy from federal government scrutiny. The act establishes specific procedures that government authorities must follow when requesting a customerʼs financial records from a bank or other financial institution. It also imposes limitations on financial institutions prior to the release of information sought by government agencies.
Pursuant to its Information Security Policy, Enervee classifies information into four distinct categories and uses a risk-weighted approach to give each category of information appropriate protection: restricted, confidential, unrestricted within Enervee, and public.
Enervee customer data is always classified as restricted data and receives Enerveeʼs strictest level of data protection.
Consumer- A consumer is an individual who obtains or has obtained a financial product or service that is to be used primarily for personal, family or household purposes and includes such an individualʼs legal representative. An individual who has not previously engaged in a transaction becomes a consumer when he or she obtains a financial product or service in an isolated transaction. A consumer includes an individual who provides non-public personal information in order to obtain a determination about whether he or she qualifies for a financial product or service.
Customer- A customer is a consumer with a “customer relationship.” A customer relationship is a continuing relationship between Enervee and a consumer under one or more financial products or services that are provided to the consumer that are to be used for personal, family or household purposes. For example, a consumer establishes a customer relationship with a financial institution when the consumer:
- Opens and maintains a deposit or investment account;
- Obtains a loan;
- Enters into a lease of personal property; or
- Obtains financial, investment or economic advisory services for a fee.
The definition of customer under the Right to Financial Privacy Act is somewhat broader and includes any person who uses or has used any service of a financial institution.
Categories of Information- GLBA identifies three categories of information: personally identifiable financial information, publicly available information and non-public personal information.
Personally identifiable financial information- Any information collected about a consumer in connection with providing a financial product or service to that consumer, including:
- Information a consumer provides to obtain a financial product or service (e.g. the consumerʼs name, phone number, address and income);
- Information about a consumer resulting from any transaction involving a financial product or service (e.g. payment history, loan or deposit balance and credit card purchases); and
- Information that is otherwise obtained about a consumer in connection with providing a financial product or service to that consumer (e.g. information from a consumer credit report).
Personally identifiable financial information also includes the fact that an individual is or has been a consumer of a financial institution, as well as any information disclosed in a manner that indicates that the individual is or has been such a consumer.
Publicly available information- Any information that is lawfully made available to the general public from federal, state or local government records, widely distributed media, or disclosures to the general public that are required to be made by federal, state or local law. One has a “reasonable basis” to believe that information is lawfully made available to the general public if steps are taken to determine (1) that the information is of the type that is available to the general public, and (2) whether an individual can direct that the information not be made available to the general public and, if so, that the consumer has not made such a direction.
Any information that satisfies these two criteria is publicly available information, regardless of the source of that information.
Non-public personal information- Information protected under GLBA that consists of the following:
- Personally identifiable financial information that is not publicly available information, and
- Lists, descriptions or other groupings of consumers (including publicly available information contained therein) that are derived using personally identifiable financial information that is not publicly available.
When a list or other grouping of consumers is generated using customer relationships, deposit balances, account numbers or other personally identifiable financial information that is not publicly available, all information contained in that list, including any publicly available information about the consumers, is non-public personal information. By contrast, lists or other groupings of consumers that contain and are created using only publicly available information do not constitute non-public personal information.
It is Enerveeʼs policy to protect its customersʼ privacy and to transparently disclose to customers how their data will be used by adhering to the requirements of the GLBA, the Dodd-Frank Act, the CCPA, and relevant financial industry practices.
Governance and Oversight
Senior Management is responsible for oversight of Enerveeʼs compliance with the requirements of this policy. This policy will be reviewed by the Compliance Officer on at least an annual basis as part of Enerveeʼs Compliance Management Program.
The Board of Directors will remain informed of Enerveeʼs compliance with this policy through periodic reporting on the effectiveness of the Compliance Program to the Compliance Committee, as well as through an annual independent compliance audit.
Privacy and Opt-Out Notices
GLBA requires a financial institution to notify consumers of its policies and practices regarding the treatment of non-public personal information. Disclosure of non-public personal information to any non-affiliated third-party is prohibited unless the consumer:
- Is provided with an initial notice and an opt-out notice;
- Is provided a reasonable opportunity to opt-out; and
- Does not exercise his or her right to opt-out.
Enervee provides privacy notices to its customers before it collects any non-public personal information (“NPI”) from them. Enerveeʼs privacy notices include the following disclosures:
- the categories of information Enervee collects
- the categories of information that Enervee discloses to affiliates and non-affiliated third-parties
- the types of affiliates and non-affiliated third-parties to which Enervee may disclose customer data
- Enerveeʼs policies and practices with respect to the treatment of former customersʼ information
- categories of information disclosed to Enerveeʼs third-party vendors
- an explanation of the customerʼs opt-out right and methods for opting out
- any opt-out notices that Enervee is required to provide under the Fair Credit Reporting Act (“FCRA”) with respect to affiliate information sharing
- Enerveeʼs policies and practices for protecting the security and confidentiality of information
- a statement that Enervee makes disclosures to non-affiliated third-parties for everyday business purposes or as permitted by law
Website and Application Data Privacy Notices
Before Enervee collects any customer data, it provides a data privacy notice on both its website and mobile application.
These notices inform Enervee customers about what categories of personal information Enervee will collect from them and the purposes for which Enervee will use that customer data. The notice lists any of the following categories of personal information that Enervee has collected in the prior 12 months, the source of that information, and the purpose for which Enervee has used that information:
- identifiers (such as contact information, government IDs, cookies, etc.)
- information protected against security breaches (such as a customerʼs name in combination with a financial account number, driverʼs license number, social security number, username and password, or health/medical information)
- protected classification information (like race, gender, ethnicity, etc.)
- commercial information (records of products/services purchased, consumer history)
- Internet/electronic activity (browsing history, search history, etc.)
- sensory data (audio/video data)
- professional or employment related information
- non-public education information
- inferences from the foregoing
The privacy notice also lists any categories of personal information that Enervee has sold or disclosed to a third party for a business purpose within the prior 12 months.
Enervee provides a notice to consumers that describes the consumerʼs right to opt out of sharing information with non-affiliated third parties. The notice provides instructions about how the consumer can exercise those rights before non-public personal information about the consumer is disclosed.
Enervee provides an annual notice of its privacy policies and practices during the continuation of a customer relationship.
Collection from Third Parties
By using Enervee products and services, Enervee customers authorize Enervee to collect information from third party financial institutions that the customer identifies to Enervee. This information includes but is not limited to account numbers, transaction histories and account balances. The third-party financial institutions that customers identify are those with which they have a banking relationship, maintain an account, or engage in financial transactions.
Customer Data Sharing
Enervee shares customer data within its organization for purposes of providing financial products and services, as well as for improving its financial products and services and analyzing relevant customer trends. As noted above, Enervee classifies all customer data as restricted and makes it available to Enervee employees and agents on an as-needed basis for business-related purposes.
In order to facilitate the provision of those financial products and services, Enervee discloses customersʼ non-public personal information to designated non-affiliated third-party vendors. This customer information may include account transaction history and account balance information.
Pursuant to Enerveeʼs Vendor Management policy, all contracts with third-party vendors that access Enerveeʼs customer data are required to contain data privacy assurances, including the vendorʼs agreement to adhere to relevant data privacy regulations such as the GLBA. Third-party vendors with access to Enervee customer data are prohibited from disclosing or using customer information for any reason other than the business purposes agreed upon and established in their contract with Enervee.
Where appropriate, contracts with third-party vendors that access Enervee customer data will require those vendors to maintain and share with Enervee complaint logs related to data privacy concerns. The Compliance Officer will review the complaint logs of third-party vendors with access to Enervee customer data on at least an annual basis to ascertain whether such vendors are adhering to the data privacy obligations in their contracts with Enervee.
Sales of Customer Data
Enervee does not currently sell customer data to any third party.
California Resident Information or Erasure Requests
Pursuant to the CCPA, Enervee customers who are California residents may make a personal information or erasure request twice in a 12-month period. These personal information requests may ask Enervee to disclose the categories of personal information that it collects, the sources from which it collects personal information, the business purposes for which it collects personal information, the categories of third parties with which it shares personal information, and the specific pieces of personal information that Enervee holds about that customer. These erasure requests may ask Enervee to delete any personal information that the customer provided to Enervee.
Enervee complies with and honors the personal information and erasure requests from California residents. Enervee collects sufficient information from the customer to verify his/her identity and responds to such requests within 45 days of receipt.
Request for Erasure
California residents may submit personal information or erasure requests via the Privacy Tools or by emailing firstname.lastname@example.org. When Enervee receives these requests, Customer Success handles them according to the type of request, and the Compliance Officer oversees the response and/or erasure process.
The Right to Financial Privacy Act
From time to time, Enervee may be asked to provide customer financial information to government agencies conducting an investigation of an Enervee customer. Enervee may not release a customerʼs financial records until the requesting agency has certified that it has met the requirements of the Right to Financial Privacy Act, which requires the agency to first obtain one of the following:
- An authorization, signed and dated by the customer, that identifies the records, the reasons the records are being requested, and the customerʼs rights under the act;
- An administrative subpoena or summons;
- A search warrant;
- A judicial subpoena; or
- A formal written request by a government agency (to be used only if no administrative summons or authority is available).
Upon receipt of a written certification from the government agency that it has complied with the requirements above, together with a copy of the instrument (authorization, subpoena, summons, warrant or formal written request) under which authority to release the information has been granted, Enervee may release the customer financial records being requested.
Upon receipt of a subpoena, a search warrant or other mechanism by which the government is requesting access to customer records, the request should be forwarded immediately to the Legal Department for review and determination if all requirements have been met. The Legal Department will make a determination at that time as to the response to provide and/or whether outside counsel should be engaged to review or communicate with the government agency.
The Legal Department will log all requests for customer financial information, including the following:
- Date of the request;
- Agency requesting the information;
- Name and account number of the customer;
- Type of supporting documentation allowing access to the customerʼs financial information (subpoena, search warrant, customer authorization);
- Identification of the financial records being requested/provided;
- Date the records were provided;
- Contact information for the requesting party; and
- Notes relative to the request.
When providing customer financial information, any documentation must be provided via a secure means, either electronically through an encrypted or password protected method, or delivered physically with a delivery confirmation.
The Right to Financial Privacy Act protections do not include a request by a supervisory agency conducting an examination of Enervee or any activity related to the investigation of a consumer complaint.
Third-Party Service Providers
Enervee handles third-party vendors in accordance with its Vendor Management Policy; pursuant to that policy, all third-party software vendors have contractual requirements that obligate them to maintain the same high level of data privacy standards that Enervee employs.
Enervee will contractually require third parties who access Enervee customer information to provide equivalent or more extensive data privacy training to their employees.
Enervee will provide annual training on data privacy issues, including employee compliance with the GLBA, to all Enervee employees. New Enervee employees will be required to take this training within 30 days of hire. As part of this training, Enervee employees will be required to review this policy and certify their understanding of it.
The Compliance Officer is responsible for ensuring that appropriate written procedures and internal controls are adopted and that technology solutions are designed in a way as to ensure compliance with this policy.
Enervee engages in effective and regular monitoring of its data privacy program and enhances its internal controls on a regular basis. The Compliance Officer will conduct an assessment of Enerveeʼs data privacy program on an annual basis (or more frequently as circumstances require). Based on his/her assessment of the relevant risks, the Compliance Officer will develop plans for any required enhancements to the data privacy program. Any ad hoc modifications of or enhancements to internal controls impacting data privacy must be reviewed by the Compliance Officer prior to implementation.
The Compliance Officer will present the annual data privacy program assessment and his/her recommendations for planned enhancements to the Compliance Committee for its review and approval. At its discretion, the Compliance Committee may escalate data privacy concerns or plans for program enhancements to the Enervee Board of Directors.
Enervee takes all reasonable measures to prevent, detect, and remediate data privacy incidents. Enervee handles all data privacy incidents in accordance with the policies and procedures outlined in the Enervee Information Security Policy.
Should a system failure or security breach result in the compromise of customer data, Enervee will notify law enforcement (the Federal Bureau of Investigation) and any impacted customers within 24 hours.
The Right to Financial Privacy Act has no defined retention schedule; however, Enervee will maintain copies of all administrative and judicial subpoenas, search warrants and formal written requests received from federal government agencies or departments, along with the accompanying written certification, for the duration of the relationship with the customer plus five years.