President Obama signed the Fixing America’s Surface Transportation Act (FAST Act) into law on December 4, 2015. The FAST Act not only provides long-term funding for highway and infrastructure improvements and other transportation projects, but also includes several privacy- and security-related provisions, including an important provision that may reduce consumer confusion and industry compliance costs by eliminating annual privacy notice requirements for financial institutions in certain circumstances.
Changes Affecting GLBA Annual Privacy Notices
Under the Financial Services Modernization Act of 1999, better known as the Gramm-Leach-Bliley Act (GLBA), financial institutions must mail an annual privacy notice to their customers that sets forth how they collect, use, and disclose those customers’ nonpublic personal information (NPI) and whether customers may limit such sharing. Section 75001 of the FAST Act eliminates this annual notice requirement for financial institutions that satisfy two criteria:
- the financial institution does not share NPI with nonaffiliated third parties except pursuant to certain GLBA exceptions permitting such disclosures (i.e., where sharing occurs in a manner that does not require the financial institution to provide an opt-out right to consumers under the GLBA);[1] and
- the financial institution has not changed its privacy policy and procedures regarding NPI since it sent its most recent GLBA privacy notice to consumers.
This amendment to GLBA was effective immediately, so financial institutions planning to send out annual privacy notices in 2016 may no longer need to do so and may wish to review their privacy practices and procedures to determine if the FAST Act exemption applies. The new FAST Act exemption will not apply to all financial institutions: if, for example, a financial institution changes its practices and discloses NPI to nonaffiliated third parties in a manner that would require it to offer customers an opt-out, the financial institution would be required to send a revised privacy notice to its customers.
In addition to Section 75001 of the FAST Act, financial institutions should consider the potential application of a Consumer Financial Protection Bureau (CFPB) final rule issued in October 2014, which also allows financial institutions that meet certain requirements and limit data sharing to post privacy notices online in place of mailing notices to individuals. Between the FAST Act and the CFPB rule, financial institutions may save considerably on costs associated with mailing annual privacy notices. Additionally, as U.S. Rep. Blaine Luetkemeyer (R-MO), the sponsor of the GLBA amendment, noted, the FAST Act provisions may help consumers by “put[ting] an end to redundant mailings” and “mak[ing] it more likely for people to pay closer attention to mailings they receive from their financial institutions because they would be receiving fewer.”
FAST Act Provisions Relating to Transportation and Infrastructure Privacy and Security
In addition to exempting certain financial institutions from annual privacy notice requirements, the FAST Act also includes a number of transportation- and infrastructure-related privacy and cybersecurity matters, including the following:
- Driver Privacy. Sections 24301–24303 of the FAST Act establish rights to the data stored by event data recorders (e.g., “black boxes”) in vehicles. Under the FAST Act, “[a]ny data retained by an event data recorder . . . is the property of the owner . . . or lessee . . .” of the vehicle. The FAST Act also provides that data stored or transmitted by such devices cannot be accessed by anyone other than the owner or lessee except where: (1) there is a court order; (2) the owner or lessee consents; (3) the data is retrieved pursuant to certain National Transportation Safety Board or Department of Transportation authorized investigations and most personally identifiable information is not disclosed; (4) the data is needed to facilitate emergency medical response to a crash; or (5) the data is to be anonymized and used for traffic safety research purposes. This will likely limit the ability of insurers to make use of vehicular black box data unless the insurer has obtained prior owner/lessee consent. Finally, Section 24303 of the FAST Act also provides for the Administrator of the National Highway Traffic Safety Administration to: (i) report to Congress upon the results of a study conducted to determine the amount of time event data recorders in passenger motor vehicles should capture and record vehicle-related data in conjunction with an event in order to provide sufficient information to investigate the cause of motor vehicle crashes; and (ii) promulgate related regulations.
- IoT and Transportation Privacy. Section 3024 of the FAST Act requires the Secretary of Transportation to issue a report and recommendations on the “Internet of Things to improve transportation services in rural, suburban, and urban areas,” which must address “best practices to protect privacy and security” in connection with transportation and the Internet of Things.
- Transportation Security Research. Section 6006 of the FAST Act provides $400 million in funding for the Department of Transportation to research “Intelligent Transportation Systems,” including research into the development of tools “to help prevent hacking, spoofing, and disruption of connected and automated transportation vehicles.”
- Electric Infrastructure Cybersecurity. Section 61003 of the FAST Act implements several reforms aimed at protecting the U.S. energy infrastructure, including: (i) designating the Department of Energy as responsible for cybersecurity for the energy sector; (ii) creating new classifications for infrastructure-related information and setting rules regarding the sharing of such information; (iii) defining criteria for declaring federal emergencies relating to the energy infrastructure; (iv) establishing an information-sharing regime for federal agencies with authority over energy infrastructure; and (v) establishing liability protections for energy infrastructure entities when sharing information or complying with Department of Energy requests during emergencies, except for actions that are determined to be “grossly negligent.”
[1] Specifically, these exceptions are set forth in the following GLBA sections: Section 502(b)(2) (permitting the disclosure of NPI to a nonaffiliated third party to perform services for or functions on behalf of the financial institution if the financial institution fully discloses the providing of such information and enters into a contractual agreement with the third party that requires the third party to maintain the confidentiality of such information); Section 502(e) (permitting disclosure of NPI for, inter alia, effectuating or administering transactions for consumers, with the consent of consumers, protecting certain rights of or complying with legal obligations binding upon the financial institution, consumer reporting purposes permitted under the Fair Credit Reporting Act, or in connection with mergers or acquisitions); and Section 504(b) (permitting primary regulators for financial institutions to promulgate additional exceptions to the GLBA’s general bar on NPI disclosure).