May 2001
Complying with the FTC’s New Privacy Disclosure Rules
By Dennis O’Leary
On Nov. 12, 1999, former President Bill Clinton
signed into law the Gramm-Leach-Bliley Act (Public Law 106-102; Title V, Subtitle A,
“Disclosure of Nonpublic Personal Information”). The GLB Act requires
“financial institutions” to provide their customers with an annual notice of their
privacy policies and practices, and also prohibits financial institutions from
disclosing nonpublic personal information about a client to nonaffiliated third
parties, unless the financial institution meets various disclosure and opt-out
requirements and the customer has not elected to opt out of the disclosure.
In regulations with which compliance is required by July 1, the Federal Trade Commission (FTC)
concluded that the GLB Act applies to accountants engaged in the business
of preparing personal income tax returns, as well as to financial planners. In short, a
CPA firm involved in personal income tax preparation or financial planning must
describe its privacy policies and practices to its clients with respect to information
sharing with both affiliates and nonaffiliated third parties. An affiliate is
any company that controls, is controlled by, or is under common control with another
company. Firms must also inform clients of their right to opt out
of disclosures to nonaffiliated third parties that are not otherwise permitted
by law.
Privacy notices are not required for business clients because the
GLB Act is limited to individuals who obtain a financial product or service from
a financial institution to be used only for personal, family or household purposes.
The FTC adopted the regulations on May 24, 2000; the final rule took
effect Nov. 13, 2000, but deferred mandatory compliance with the privacy notice and
customer opt-out requirements of the GLB Act until July 1 of this year.
With
respect to existing clients, the FTC expects an initial privacy notice to be delivered
by firms no later than July 1. Thereafter, each new client must be provided an
initial privacy notice no later than the time the individual becomes a client,
and, in addition, all clients must also receive an annual privacy notice. The
FTC rules give some flexibility on the timing for annual notices. If an initial
privacy notice is given to a client on a date in 2001, then the first annual notice
to that client must be delivered by Dec. 31, 2002, with each subsequent annual
notice issued within 12 months. Annual notices are not required for individuals
who are no longer clients. Additionally, single notices to married couples who
are joint clients suffice, unless one of the joint account holders requests a
separate notice.
Although the initial and annual privacy notices are required
to be issued to clients, CPA firms that do not share or reserve the right to share
a client’s nonpublic personal information with nonaffiliated third parties are
not required to include opt-out notices. Likewise, disclosures that are authorized
by law do not require opt-out notices.
It should be noted that members of
the New York State Society of CPAs (NYSSCPA) continue to be bound by Ethics Rule
301 of the Code of Professional Conduct, which is arguably more protective of
client privacy than the FTC rules. Subject to certain exceptions, Rule 301 generally
prohibits the CPA from disclosing confidential client information to any party
(including affiliates and nonaffiliated third parties) without the specific consent
of the client for such disclosure. Further, Internal Revenue Code section 7216
prohibits paid tax preparers from disclosing tax return information without the
client’s consent, other than for the specific purpose of preparing, assisting
in preparing, or obtaining and providing services in connection with the preparation
of any income tax return of the taxpayer.
Except for the exceptions discussed
below, a CPA who discloses a client’s nonpublic personal information to an affiliate
or a nonaffiliated third party based solely on the client’s failure to opt out of
such disclosure (i.e., passive consent) is in violation of Rule 301, which requires
specific consent.
The exceptions to Rule 301 are consistent with the exceptions
to opt-out requirements set forth in the FTC rules. Rule 301’s exceptions for
disclosure of confidential client information are limited to the following instances:
(a) When complying with a valid and enforceable subpoena or summons, or when
complying with applicable laws and government regulations.
(b) During a review of a CPA’s professional practice as authorized by the American Institute of CPAs
(AICPA), the NYSSCPA or the New York State Board for Public Accountancy.
(c) When initiating a complaint or responding to an inquiry made by the Professional
Ethics Committee of the NYSSCPA, the ethics division or trial board of the AICPA,
or a duly constituted investigative or disciplinary body of another state CPA
society or board of accountancy.
(d) During a review of a professional practice in conjunction with a prospective
purchase, sale, or merger of all or part of a practice, provided that the firm
takes appropriate precautions, such as a written confidentiality agreement, to
prevent the prospective purchaser from disclosing information obtained in the
course of the review.
(e) When participating in actual or threatened legal proceedings or alternative
dispute resolution proceedings either initiated by or against the CPA firm, provided
the firm discloses only the information necessary to file, pursue, or defend against
the lawsuit and takes reasonable precautions to ensure that the information disclosed
does not become a matter of public record.
AICPA Ethics Rulings 391.001 and 391.009, as well
as the FTC’s exceptions to the opt-out requirements (16 CFR 313.13), also allow
disclosure of nonpublic personal information to affiliates of the firm or nonaffiliated
third parties that perform services or functions for the firm pursuant to a contractual
agreement that prohibits the nonaffiliated third party or affiliate from disclosing
or using the information other than for the purposes for which the information
was disclosed. For example, firms can disclose nonpublic personal information
to an outside service bureau that processes clients’ tax returns or a records-retention
agency that stores clients’ records.
The FTC rule requires that initial and
annual notices to clients be clear and conspicuous and accurately reflect a firm’s
privacy policy and practices. Such notices must be in writing and mailed to the
client’s last known address, hand delivered to the client, or, if the client permits,
transmitted electronically. To comply with the FTC rule, the privacy notice of
a CPA firm should be on a separate piece of paper with bold headings and include
the following:
A. The types of information collected
B. Parties to whom information is disclosed
1. A statement should be included that nonpublic personal information may be disclosed
to affiliates and nonaffiliated third parties as permitted by law and the Code
of Professional Conduct of the NYSSCPA in the following instances:
(a) When complying with a valid and enforceable subpoena or summons.
(b) During a review of a CPA firm’s professional practice as authorized by the AICPA,
NYSSCPA or New York State Board for Public Accountancy.
(c) When initiating a complaint or responding to an inquiry made by the Professional
Ethics Committee of the NYSSCPA, the ethics division or trial board of the AICPA
or a duly constituted investigative or disciplinary body of another state CPA
society or board of accountancy.
(d) During a review of a professional practice in conjunction with a prospective
purchase, sale, or merger of all or part of a practice, provided that the firm
takes appropriate precautions to prevent the prospective purchaser from disclosing
information obtained in the course of the review.
(e) When participating in actual or threatened legal proceedings or alternative
dispute resolution proceedings either initiated by or against the CPA firm, provided
the firm discloses only the information necessary to file, pursue, or defend against
the lawsuit and takes reasonable precautions to ensure that the information disclosed
does not become a matter of public record.
2. A statement should be included that nonpublic personal information may be disclosed
to affiliates and nonaffiliated third parties who perform services or functions for
the firm and have contractually agreed not to disclose or use the information other
than for the purposes for which the information was disclosed, as permitted by law
and AICPA Ethics Rulings 391.001 and 391.009.
C. General restrictions on disclosure of nonpublic personal information to affiliates
and nonaffiliated third parties
1. A statement should be included that Internal Revenue Code section 7216 generally
prohibits disclosure of income tax return information without the client’s consent,
other than for the specific purpose of preparing, assisting in preparing, or obtaining
and providing services in connection with the preparation of any income tax return
of the taxpayer.
2. A statement should be included that all members of the NYSSCPA comply with the
Code of Professional Conduct, which prohibits disclosure of confidential client
information without specific client consent, except for the disclosures identified above.
D. A statement of the firm’s practices for protecting the confidentiality and
security of nonpublic personal information
The AICPA
has set up a hot line telephone number at (202) 434-9216 for updates on the FTC
privacy disclosure requirements. In addition, the Institute is seeking an exemption
on behalf of CPAs, but one is unlikely to be granted by the compliance date of
July 1.
Although there are no administrative penalties for non-compliance
with the FTC privacy rules and no private right of action, the FTC has authority
to seek injunctive relief in federal court.
A sample privacy notice for
use by NYSSCPA members is available from Dennis O’Leary, NYSSCPA director of governmental
affairs, who can be reached at (212) 719-8418 or doleary@nysscpa.org.