Compliance with the Gramm-Leach-Bliley Act and Negligence Liability - With Analysis of Guin v. Brazos -
박완규 (Soongsil University)
Vol. 53, No. 1, pp. 399-417
Abstract
The Gramm-Leach-Bliley Act was enacted to “enhance competition in the financial services industry.” Congress allowed financial institutions to affiliate with one another and to share confidential information, believing that this affiliation and sharing of information would enhance the competitiveness of the institutions. Subject to certain exceptions, a financial institution may not directly or indirectly disclose a consumer's nonpublic personal information without first giving the consumer a notice that complies with specified requirements. The issue is whether a financial institution's compliance with the Act may exonerate it from negligence liability when a breach of information security occurs. The general rule is that it may not. It is well settled that statutory compliance is merely relevant evidence of reasonable care. Under the general rule, a financial institution's compliance with the Act cannot serve as the standard of care in protecting personal information. The Guin court deviated from the general rule, holding that a financial institution did not breach its duty of care because it had complied with the Act. This paper argues against the Guin court. First, statutory safety regulations are often inadequate in protecting consumers. Second, they are usually obsolete and out of date because of today's rapidly changing technologies. This seems particularly to be the case in the context of information technology; cloud computing provides a good example. Third, a regulatory compliance defense discourages corporations from continuing their efforts to improve safety. Fourth, justice and fairness might require the court not to leave an injured party without a remedy. In conclusion, compliance with the GLBA is mere evidence of reasonable care, not proof of due care.
- Publisher: Institute of Legal Studies
- Category: General Law