Question is in bold at the bottom

GLBA/Regulation P defines personally identifiable financial information as any information:



I have always interpreted this to mean literally "any information", e.g., a list of account balances, the date and amount of an origination, etc. regardless of whether or not that information is disclosed in association with information that allows for the identification of the individual consumer customer tied to it.

My loan department currently offers a consumer product that is facilitated by non-affiliated merchants (something akin to dental or medical financing at the doctor's office). To help merchants understand how successful the program is, we disclose to them a list of blind data that consolidates activity over a given month, a permissible act under GLBA.

However, some merchants only have a single loan issued in a given month. I see this as problematic since a single entry is not a list and would easily permit anyone at the non-affiliate to figure out who the customer is. My Legal team is saying that consideration is out of scope of the law. There explanation is that we have a defensible position regarding the fact the information is disclosed as a list. Seems a bit of a loosey goosey interpretation to me.

So here's the question: Can a single piece of information be considered a blind list as permitted/defined under GLBA?

I can't seem to edit the original post so here are two clarification:
1) Regarding "any information" being a list of account balances - this is in reference to information we store and maintain, not a disclosed blind list. If properly disclosed, I recognize that such a list is permitted
2) The Legal team is stating that the blind list, whether one or more records, does not itself contain information that links it to any specific individual which is their reasoning behind why a single record qualifies as a blind list.

I would vote #2.