Privacy Advisor

Federal District Court Rejects FTC Opinion on Attorneys' Gramm-Leach-Bliley Act Coverage

August 1, 2003

Peter S. Smedresman

On August 11, 2003, the U.S. District Court for the District of Columbia issued a lengthy ruling in the suit brought by the American Bar Association (and other bar groups) against the Federal Trade Commission challenging the FTC's position that attorneys were subject to the privacy notification provisions of the 1999 Gramm-Leach-Bliley Act. (N.Y. State Bar Ass'n v. FTC, Civ. Actions 02-810 and 02-1883, 2003 LEXIS 13939). In denying the FTC's motion for summary judgment dismissing the bar associations' complaint, the court gave the FTC a refresher course in the basics of statutory interpretation.

To understand the issues, we must look at the Gramm-Leach-Bliley Act in its entirety, not just as a privacy law. The GLBA broke the decades-old congressional logjam involving commercial banks' activity in the securities business (embodied mainly by the federal Glass-Steagall Act) and the insurance business (embodied primarily in the federal Bank Holding Company Act and state statutes). The GLBA created the status of "financial holding companies" which (if they are well capitalized and managed) would be permitted to affiliate with other financial concerns. The GLBA has finally enabled the U.S. financial sector to explore related business lines in a rational manner, but it also preserves the broader principle that banking should be separated from "commerce."

The primary regulatory statement of permitted bank (or, strictly speaking, bank holding company affiliate) activities was — and for institutions not qualifying as financial holding companies, still is — the laundry list of permitted nonbanking activities in Regulation Y of the Federal Reserve Board. This is a relatively restricted list of activities deemed "closely related to banking"; the newer standard for financial holding companies under the GLBA is a broader one, activities that are "financial in nature." The Reg Y laundry list thus has some, albeit reduced, vitality.

Reg Y has nothing at all to do with lawyers or with privacy concerns as such. In the GLBA privacy rules, though, the key term "financial institution" — in other words, those entities to which the privacy rules would apply — was defined as those engaged in activities permitted for financial holding companies. This reference incorporates the Reg Y laundry list plus the additional activities that are "financial in nature." Two of these items are "providing real estate settlement services" and "acting as an investment or financial advisor to any person, including … providing tax-planning or tax-preparation services." The FTC took the view, in a brief opinion dated April 8, 2002, that lawyers who — in common with banks — happen to offer these services, become "financial institutions."

It is not unusual for an agency to try to frame a question in a way that reserves its power to decide the issue, as the FTC did here by stating that it was unable to grant an exemption for lawyers from its version of the privacy regulations. However, the FTC opinion simply ignored the "institution" part of "financial institution." Its statement contained no appreciation of congressional concern that it was precisely the newly permitted affiliations between banks, insurance companies, and securities firms provided elsewhere in the GLBA that raised new risks for confidentiality of customer data. In fact the FTC opinion contained no reasoning or explanation at all.

There are also other statutes using the term "financial institution" that would have provided useful guidance. One such occurs in the state securities ("blue sky") laws, the basis of some widely reported enforcement action in New York of late. It was not considered by the court in this case but is worth mentioning. Many enactments of this law contain an exemption from registration for offers or sales of securities (to quote the uniform version) to "a bank, savings institution, trust company, insurance company, investment company as defined in the Investment Company Act of 1940, pension or profit-sharing trust, or other financial institution or institutional buyer or to a broker-dealer" [emphasis added]. It will be observed that lawyers are not on this list (though no doubt there are lawyers who think of themselves as institutions of a sort).

The court observed that rules governing attorneys' use of client information have always been stricter than the GLBA privacy rules and, furthermore, have been the exclusive province of the state legislatures. The court was unable to accept that a new area of federal regulation could be imposed without explicit statutory language, and it easily distinguished the examples of other rules governing attorney conduct that the FTC presented. The court was unwilling to defer to the commission's expertise (which is not focused on attorney regulation or financial services anyway) in light of the total absence of rationale and deliberation on the commission's part. The FTC's ruling was subjected to the harshest criticism possible: it was found to be "arbitrary and capricious" agency action, not merely contrary to the relevant statute.

The court was correct on all points. Hopefully the FTC will, on reflection, agree that on this occasion it has ventured too far out on an interpretive limb.

Peter S. Smedresman is a partner with Moses & Singer LLP. His practice focus is on corporate, banking and finance, and privacy law. Smedresman can be reached at (212) 554-7869 or psmedresman@mosessinger.com.