Peter S. Smedresman

On August 11, 2003, the U.S. District Court for the District of Columbia issued a lengthy ruling in the suit brought by the American Bar Association (and other bar groups) against the Federal Trade Commission challenging the FTC's position that attorneys were subject to the privacy notification provisions of the 1999 Gramm-Leach-Bliley Act. (N.Y. State Bar Ass'n v. FTC, Civ. Actions 02-810 and 02-1883, 2003 LEXIS 13939). In denying the FTC's motion for summary judgment dismissing the bar associations' complaint, the court gave the FTC a refresher course in the basics of statutory interpretation.

To understand the issues, we must look at the Gramm-Leach-Bliley Act in its entirety, not just as a privacy law. The GLBA broke the decades-old congressional logjam involving commercial banks' activity in the securities business (embodied mainly by the federal Glass-Steagall Act) and the insurance business (embodied primarily in the federal Bank Holding Company Act and state statutes). The GLBA created the status of "financial holding companies" which (if they are well capitalized and managed) would be permitted to affiliate with other financial concerns. The GLBA has finally enabled the U.S. financial sector to explore related business lines in a rational manner, but it also preserves the broader principle that banking should be separated from "commerce."

The primary regulatory statement of permitted bank (or, strictly speaking, bank holding company affiliate) activities was — and for institutions not qualifying as financial holding companies, still is — the laundry list of permitted nonbanking activities in Regulation Y of the Federal Reserve Board. This is a relatively restricted list of activities deemed "closely related to banking"; the newer standard for financial holding companies under the GLBA is a broader one, activities that are "financial in nature." The Reg Y laundry list thus has some, albeit reduced, vitality.

Reg Y has nothing at all to do with lawyers or with privacy concerns as such. In the GLBA privacy rules, though, the key term "financial institution" — in other words, those entities to which the privacy rules would apply — was defined as those engaged in activities permitted for financial holding companies. This reference incorporates the Reg Y laundry list plus the additional activities that are "financial in nature." Two of these items are "providing real estate settlement services" and "acting as an investment or financial advisor to any person, including … providing tax-planning or tax-preparation services." The FTC took the view, in a brief opinion dated April 8, 2002, that lawyers who — in common with banks — happen to offer these services, become "financial institutions."

It is not unusual for an agency to try to frame a question in a way that reserves its power to decide the issue, as the FTC did here by stating that it was unable to grant an exemption for lawyers from its version of the privacy regulations. However, the FTC opinion simply ignored the "institution" part of "financial institution." Its statement contained no appreciation of congressional concern that it was precisely the newly permitted affiliations between banks, insurance companies, and securities firms provided elsewhere in the GLBA that raised new risks for confidentiality of customer data. In fact the FTC opinion contained no reasoning or explanation at all.

There are also other statutes using the term "financial institution" that would have provided useful guidance. One such occurs in the state securities ("blue sky") laws, the basis of some widely reported enforcement action in New York of late. It was not considered by the court in this case but is worth mentioning. Many enactments of this law contain an exemption from registration for offers or sales of securities (to quote the uniform version) to "a bank, savings institution, trust company, insurance company, investment company as defined in the Investment Company Act of 1940, pension or profit-sharing trust, or other financial institution or institutional buyer or to a broker-dealer" [emphasis added]. It will be observed that lawyers are not on this list (though no doubt there are lawyers who think of themselves as institutions of a sort).

The court observed that rules governing attorneys' use of client information have always been stricter than the GLBA privacy rules and, furthermore, have been the exclusive province of the state legislatures. The court was unable to accept that a new area of federal regulation could be imposed without explicit statutory language and easily distinguished examples of other rules governing attorney conduct presented by the FTC. The court was unwilling to defer to the commission's expertise (which is not focused on attorney regulation or financial services anyway) in light of the total absence of rationale and deliberation on the commission's part. The ruling was subjected to the harshest criticism possible: it was found to be "arbitrary and capricious" agency action, not merely contrary to the relevant statute.

The court was correct on all points. Hopefully the FTC will, on reflection, agree that on this occasion it has ventured too far out on an interpretive limb.

Peter S. Smedresman is a partner with Moses & Singer LLP. His practice focus is on corporate, banking and finance, and privacy law. Smedresman can be reached at (212) 554-7869 or psmedresman@mosessinger.com.

