Federal and State Regulations affecting Data Breaches for Mortgage Lenders

November 23rd, 2021 by Sean A. Stephens, Esq., CMB®

Federal and State Data Breach Regulations affecting Mortgage Bankers, Lenders, and Brokers

From a federal standpoint, under the Gramm-Leach-Bliley Act (GLBA) and through the Safeguards Rule, the FTC, as well as other federal agencies and regulators, enforce data protection rules for consumer banking, finance, and lending. However, there is no federal data breach notification law.

Further, while only a handful of states have enacted privacy regulations, many don’t realize that all 50 states have varying security breach notification laws. Mortgage companies need to realize that the breach notification laws of the state where the consumer resides will apply, not those of the state where the security breach occurs! This can be extremely problematic for those licensed in multiple states or even nationwide, because it would require the analysis to extend to the law of each state where a consumer had been affected.

Comparison of California and Texas Data Breach statutes:

Breach – CA Civil Code § 1798.82: “Breach of the security of the system” under the CA Civil Code means the “unauthorized acquisition of computerized data that compromises the security, confidentiality, or integrity of personal information maintained by the person or business. Good faith acquisition of personal information by an employee or agent of the person or business for the purposes of the person or business is not a breach of the security of the system, provided that the personal information is not used or subject to further unauthorized disclosure.”

Breach – TX Business and Commerce Code § 521.053: On the other hand, the Texas Business and Commerce Code defines “breach of system security” as an “unauthorized acquisition of computerized data that compromises the security, confidentiality, or integrity of sensitive personal information maintained by a person, including data that is encrypted if the person accessing the data has the key required to decrypt the data. Good faith acquisition of sensitive personal information by an employee or agent of the person for the purposes of the person is not a breach.”

As you can see, I have bolded the similar wording found within both statutes of “unauthorized acquisition of computerized data that compromises the security, confidentiality, or integrity,” and although both breach definitions are similar in nature, they each also contain different requirements to be aware of.

Does the Definition of Personal Information have to include a Social Security number?

It is also important to note that definitions for personal information can vary from state to state. For example, let’s compare and contrast the personal information definitions for California and Texas.

CA Civil Code § 1798.80 uses the term “personal information” and defines it as “any information that identifies, relates to, describes, or is capable of being associated with, a particular individual, including, but not limited to, his or her name, signature, social security number, physical characteristics or description, address, telephone number, passport number, driver’s license or state identification card number, insurance policy number, education, employment, employment history, bank account number, credit card number, debit card number, or any other financial information, medical information, or health insurance information. “Personal information” does not include publicly available information that is lawfully made available to the general public from federal, state, or local government records.”

Now, this definition is quite extensive. Because most of the items included within the definition of personal information are commonly obtained during the mortgage process, this should be of particular concern to mortgage bankers: the definition is not limited to a borrower’s social security number.

In contrast, Texas Business and Commerce Code § 521.002 uses the term “sensitive personal information” as follows:

(A) an individual’s first name or first initial and last name in combination with any one or more of the following items, if the name and the items are not encrypted:

(i) social security number;
(ii) driver’s license number or government-issued identification number; or
(iii) account number or credit or debit card number in combination with any required security code, access code, or password that would permit access to an individual’s financial account; or

(B) information that identifies an individual and relates to:

(i) the physical or mental health or condition of the individual;
(ii) the provision of health care to the individual; or
(iii) payment for the provision of health care to the individual.

Once again, these are common pieces of information obtained during the mortgage application process and are not limited to a borrower’s social security number.

Summary – Federal and State Regulations affecting Data Breaches for Mortgage Bankers, Lenders, and Brokers

This comparison highlights the importance of understanding the data breach laws of the states in which you conduct business, because what constitutes personal information in one state may not be the same as in another. Moreover, mortgage lenders, bankers, brokers, and credit unions must understand what constitutes a data breach, because once a breach occurs, it triggers additional legal obligations that need to be followed!

If you have any topics that you would like to be considered, please submit any request via email.

Sean A. Stephens, Esq., CMB® 

Legal Disclaimer: The information provided on this blog does not, and is not intended to, constitute legal advice; instead, all information, content, and materials available on this site are for general informational purposes only. No representations or warranties of any kind, express or implied, are made about the completeness, accuracy, reliability, or availability of this information. Use of, and access to, this Blog or any of the links or resources contained within the site do not create an attorney-client relationship. Broker to Banker Consulting, LLC is not a law firm and does not provide legal services.

 
