Question is in bold at the bottom
GLBA/Regulation P defines
personally identifiable financial information as any information:
(i) A consumer provides to you to obtain a financial product or service from you;
(ii) About a consumer resulting from any transaction involving a financial product or service between you and a consumer; or
(iii) You otherwise obtain about a consumer in connection with providing a financial product or service to that consumer.
I have always interpreted this to mean literally "any information", e.g., a list of account balances, the date and amount of an origination, etc. regardless of whether or not that information is disclosed in association with information that allows for the identification of the individual consumer customer tied to it.
My loan department currently offers a consumer product that is facilitated by non-affiliated merchants (something akin to dental or medical financing at the doctor's office). To help merchants understand how successful the program is, we disclose to them a list of blind data that consolidates activity over a given month, a permissible act under GLBA.
However, some merchants only have a single loan issued in a given month. I see this as problematic since a single entry is not a list and would easily permit anyone at the non-affiliate to figure out who the customer is. My Legal team is saying that consideration is out of scope of the law. There explanation is that we have a defensible position regarding the fact the information is disclosed as a list. Seems a bit of a loosey goosey interpretation to me.
So here's the question: Can a single piece of information be considered a blind list as permitted/defined under GLBA?