The Gramm-Leach-Bliley Act, passed in 1999 and fully effective in July 2001, addressed overall financial industry reforms as well as emerging consumer privacy and security issues. Officially titled the "Financial Services Modernization Act of 1999", it affects the technology and information system policies of anyone engaged in providing financial services, either directly or indirectly, to consumers.
Under GLB, both the security and the privacy of a consumer's non-public personal information ("NPI") are protected. The Federal Trade Commission, which enforces the act for financial institutions (appraisers included) that are not overseen by another federal regulator, addressed the security and privacy components separately by issuing two distinct rules, the "Safeguards Rule" and the "Privacy Rule".
Appraisers are subject to the rules. All appraisers are required to implement at least the following:
• Under the Safeguards Rule, secure the transmission, receipt, and storage of data relating to any consumer’s NPI at all times, via passwords, encryption, and physical protection, backed by a written information security plan
• Under the Privacy Rule, provide easily understood privacy statements to any consumers who engage the appraiser directly, disclosing the gathering, sharing, and security of NPI data, as well as the methods the consumer may use to opt-out of sharing of the data with third parties
Compliance is not terribly difficult, but it does require understanding of the rules and the methods available. This Best Practices document will hopefully provide appraisers with information and ideas useful in implementing GLB compliance as part of their overall regulatory compliance strategy.
Safeguards Rule: Security and custody of consumer data
The Safeguards Rule requires that appraisers and all other financial institutions implement written security procedures to prevent NPI from falling into the wrong hands. The complexity and scope of the written protocols should be appropriate to the size of the institution, but core security of the NPI may not be neglected. NPI must be secured using passwords and encryption during any sort of transmission, as well as during storage (and physically secured when stored on paper).
All institutions are required to respect the sensitivity of the NPI data in all phases of a transaction, and interact with service providers appropriately, according to their written information security plan. This written information security plan and the relevant protocols in it must be referenced in the privacy policy provided to the consumer (if the consumer directly engages the appraiser).
In the appraiser’s role in the transaction, NPI data is potentially received electronically under many scenarios:
• Receiving an appraisal order via e-mail
• Receiving sales contracts and other financial documents
• Transmitting final appraisal reports to the client
• Ad hoc e-mails with other service providers – agent, mortgage broker, loan officer, etc.
In addition to unauthorized access, the data must be secured from loss due to environmental hazards such as floods, as well as from technological hazards such as system failures.
The appraiser must therefore implement secure means of sending and receiving documents containing NPI. Ordinary e-mail with NPI in the message body or in attachments is not sufficient, and neither is a "password protected" PDF attachment. (Appraisers normally send the final report as a PDF with an owner password that prevents the client from editing it, to deter fraud. That setting restricts editing only: a PDF protected this way opens in any reader without a password, because the key that encrypts the contents is derived from the user password, which is empty. Preventing edits does nothing to prevent anyone who obtains the file from reading the NPI in it. Only a PDF that requires a password to open protects the contents, and then that password must be delivered through a channel other than the e-mail carrying the file.)
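The parenthetical above deserves a concrete check. The following Python is added here as an illustration; it is not code from this page or from any appraisal software. It re-implements the PDF standard security handler (ISO 32000-1 section 7.6.3, revision 3, RC4 with a 128-bit key) by hand so the mechanics are visible: the key that encrypts the report contents is derived from the user (open) password, and the owner (edit) password only produces a permissions value stored in the file. The document ID, permission flags, passwords and the sample borrower line are all constructed for the example.

```python
"""Why an "edit lock" on a PDF does not protect the NPI inside it.

Hand-written implementation of the PDF standard security handler
(ISO 32000-1 s.7.6.3, revision 3, RC4-128).  Added example; constructed data.
"""
import hashlib
import struct

KEY_LEN = 16  # 128-bit RC4 key (revision 3)
# Padding string from ISO 32000-1, Algorithm 2, step (a)
PAD = bytes([0x28, 0xBF, 0x4E, 0x5E, 0x4E, 0x75, 0x8A, 0x41, 0x64, 0x00, 0x4E, 0x56,
             0xFF, 0xFA, 0x01, 0x08, 0x2E, 0x2E, 0x00, 0xB6, 0xD0, 0x68, 0x3E, 0x80,
             0x2F, 0x0C, 0xA9, 0xFE, 0x64, 0x53, 0x69, 0x7A])
# Permission flags (/P): print and copy allowed, modify denied.  Constructed value;
# the exact bits do not change the point shown here.
P_NO_EDIT = -1324


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (encryption and decryption are the same operation)."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for c in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(c ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def _pad(pw: bytes) -> bytes:
    return (pw + PAD)[:32]


def _owner_entry(owner_pw: bytes, user_pw: bytes) -> bytes:
    """Algorithm 3: /O is the padded user password encrypted under a key derived
    from the owner password.  It is a stored value, not the file key."""
    h = hashlib.md5(_pad(owner_pw or user_pw)).digest()
    for _ in range(50):
        h = hashlib.md5(h).digest()
    key = h[:KEY_LEN]
    o = rc4(key, _pad(user_pw))
    for i in range(1, 20):
        o = rc4(bytes(b ^ i for b in key), o)
    return o


def _file_key(user_pw: bytes, o: bytes, p: int, doc_id: bytes) -> bytes:
    """Algorithm 2: the file key depends on the USER password plus public values
    (/O, /P, document ID) that every reader can take straight from the file."""
    m = hashlib.md5(_pad(user_pw))
    m.update(o)
    m.update(struct.pack("<I", p & 0xFFFFFFFF))
    m.update(doc_id)
    h = m.digest()
    for _ in range(50):
        h = hashlib.md5(h[:KEY_LEN]).digest()
    return h[:KEY_LEN]


def _user_entry(key: bytes, doc_id: bytes) -> bytes:
    """Algorithm 5: /U lets a reader confirm that its derived key is correct."""
    u = rc4(key, hashlib.md5(PAD + doc_id).digest())
    for i in range(1, 20):
        u = rc4(bytes(b ^ i for b in key), u)
    return u + b"\x00" * 16  # trailing 16 bytes are arbitrary padding


def _object_key(key: bytes, num: int, gen: int) -> bytes:
    """Algorithm 1: per-object key for the stream with this number/generation."""
    h = hashlib.md5(key + struct.pack("<I", num)[:3] + struct.pack("<H", gen)).digest()
    return h[:min(KEY_LEN + 5, 16)]


def encrypt_stream(plaintext: bytes, user_pw: bytes, owner_pw: bytes,
                   doc_id: bytes, num: int = 4, gen: int = 0):
    """Produce the /Encrypt dictionary values and the encrypted content stream."""
    o = _owner_entry(owner_pw, user_pw)
    key = _file_key(user_pw, o, P_NO_EDIT, doc_id)
    enc = {"O": o, "U": _user_entry(key, doc_id), "P": P_NO_EDIT, "ID": doc_id}
    return enc, rc4(_object_key(key, num, gen), plaintext)


def open_stream(enc: dict, ciphertext: bytes, attempt_pw: bytes,
                num: int = 4, gen: int = 0):
    """What a PDF reader does on open (Algorithm 6): derive the key from the
    supplied user password, check it against /U, decrypt.  None if it is wrong."""
    key = _file_key(attempt_pw, enc["O"], enc["P"], enc["ID"])
    if _user_entry(key, enc["ID"])[:16] != enc["U"][:16]:
        return None
    return rc4(_object_key(key, num, gen), ciphertext)


def demo():
    """Returns (edit_lock_readable, open_pw_rejects_empty, open_pw_works)."""
    doc_id = hashlib.md5(b"constructed document id").digest()
    # Constructed page content carrying sample NPI; not a real borrower.
    report = b"BT /F1 12 Tf (Borrower: J. Doe  SSN 000-00-0000  Loan #12345) Tj ET"
    # 1. "Edit locked" report: owner password set, user password empty.
    enc, ct = encrypt_stream(report, user_pw=b"", owner_pw=b"no-edits", doc_id=doc_id)
    readable = open_stream(enc, ct, b"")  # empty password is accepted
    # 2. Report that actually requires a password to open.
    enc2, ct2 = encrypt_stream(report, user_pw=b"per-client-secret",
                               owner_pw=b"no-edits", doc_id=doc_id)
    blocked = open_stream(enc2, ct2, b"")  # None: empty password rejected
    allowed = open_stream(enc2, ct2, b"per-client-secret")
    return readable == report, blocked is None, allowed == report


if __name__ == "__main__":
    print(demo())  # (True, True, True)
```

The first value is True: the edit-locked report decrypts with an empty password, which is exactly what a reader does silently when it opens such a file, so the owner password protects nothing but the edit permissions. Only the second variant, with a non-empty open password, refuses the empty password; that password then has to reach the client by some route other than the e-mail carrying the report, or the protection is again nominal.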
Best Practices: Adopt a "custodial" mindset on all NPI data received, thinking in terms of security as well as preservation. Develop a written information security plan, keep it on file at all times, and review it regularly. The plan must specify the steps used to secure any communications containing NPI. The simplest method is delivery through a password-protected website over SSL/TLS (the encrypted connection behind an https:// address), rather than as an e-mail attachment.
Obviously, each appraisal firm will adopt different levels of implementation. But at its core, NPI data must be secured at all times.
There will of course be cases where the appraiser receives no NPI, so that, in hindsight, encryption was not necessary. It is tempting to conclude that security is not needed until the presence of NPI is certain. However, the appraiser cannot know whether NPI is present until the data has already been received, and if NPI was present, an unsecured receipt is already a breach. The only safe route is to assume that NPI is present and secure all communications accordingly.
Privacy Rule: Policy statements and opt-out provisions
Under the Privacy Rule, individuals fall into two categories: "consumers", and "customers". Consumers are any individuals who engage the institution at least once. Customers are simply consumers who have an ongoing relationship with the company. Both must be given privacy statements regarding the use of their NPI, and opt-out notices at specific times and circumstances, by the institution they engaged.
That last phrase is essential. When a lender or other business client provides the appraiser with NPI on an individual as part of a transaction, the appraiser is not required to provide another privacy policy disclosure to the individual. The appraiser’s client must ensure that the suppliers it engages are in compliance with the privacy disclosures and opt-out notices it already provides to the individual.
Best Practices: Do not send privacy notices to consumers brought to you by a business client. The obligation is on the institution whom the consumer directly engages.
Appraisers who are indeed directly engaged by individuals must do the following:
• Provide a conspicuous and understandable initial notice of the privacy policy, covering handling of NPI, opt-out methods, and security safeguards
• Provide opt-out notices for the sharing of NPI, with a "reasonable opportunity" to respond (the rule cites 30 days after the notice is mailed as an example)
• Provide new revised privacy and opt-out notices if policies change
• For "customers" only, provide an annual privacy statement reminder for the duration of the relationship
Typically, an appraiser does not share the NPI with any non-affiliated third parties except where required to process the report. Appraisers don't usually sell or otherwise distribute their databases for marketing purposes. Most appraisers should be able to invoke the exceptions to opt-out notification provided in sections 313.13, 313.14, and 313.15 of the FTC Privacy Rule (16 CFR Part 313).
Under section 313.14 in particular, appraisers would not be required to send an opt-out notification, nor even provide notice that sharing of the NPI has occurred, when the party to whom the data is disclosed is a non-financial service provider used in processing the transaction. Likewise, in cases where the appraiser was not directly engaged by the consumer, providing the data to the appraiser's service providers would not be a violation of the original client's privacy obligations to the consumer under Part 313.
However, when directly engaged by the consumer and even when claiming exemption under any provision of section 313, the appraiser must provide the privacy policy statement up front in order to be granted the exception. Unless the consumer is aware of the policy overall, there can be no exceptions granted.
Also, note that the security provisions still apply. The appraiser must be sure that the service provider has security controls in place, and that they are commensurate with the appraiser's written security and safeguards policy.
a la mode "Best Practices" Series: Complying with the Gramm-Leach-Bliley ("GLB") Act
Best Practices: Do not share NPI data with anyone other than service providers who meet your security standards; you can then generally use the opt-out exceptions in Part 313. Treat all consumer and customer clients the same, by providing the "initial," "revised," and "annual" privacy policy disclosures to every individual who has engaged you. The annual disclosure must go out at least once in any period of 12 consecutive months; sending it within the calendar year (i.e., by December of each year) is a simple way to meet that requirement.