Mortgage Banker Compliance Considerations – Understanding Data Breach Notification Law Requirements
What are the Key Components that make up a Data Breach notification law?
When determining a mortgage lender’s compliance considerations that need to be addressed both before and after a breach, it is important to first understand what constitutes a data breach.
As discussed in our last post, because there is no federal data breach notification law, the result is a patchwork of varying state data breach notification laws, each with its own definitions based on state statute.
As a result, it can be difficult for mortgage companies to clearly understand the full extent of their responsibilities. Beyond the analysis of applicability, many cannot separate their information technology infrastructures to comply with varying state requirements as well as those at the federal level. If a mortgage lender is unable to comply, it runs the risk of suffering hefty consequences.
Mortgage Lender Data Breach Notification Requirements
Notification requirements vary by state statute and include your reporting obligations to consumers and to state attorneys general. Strict compliance with a state’s notification requirements is essential to mitigating exposure, because a failure to do so can result in heavy penalties and be crippling to a mortgage banker’s operations!
Now, let’s compare and contrast the regulator notification requirements between California and Texas.
CA Civil Code § 1798.82 states in part the following: “A person or business that is required to issue a security breach notification pursuant to this section to more than 500 California residents as a result of a single breach of the security system shall electronically submit a single sample copy of that security breach notification, excluding any personally identifiable information, to the Attorney General.”
In contrast, TX Business and Commerce Code § 521.053 states in part: “A person who is required to disclose or provide notification of a breach of system security under this section shall notify the attorney general of that breach not later than the 60th day after the date on which the person determines that the breach occurred if the breach involves at least 250 residents of this state.”
Here, you can see that California requires more than 500 residents to trigger notification to the Attorney General while notification in Texas is required if the breach involves at least 250 residents.
Summary – Mortgage Lender Data Breach Notification Law Requirements
This is not meant to be a complete analysis of the regulator notification requirements that surround a breach under these two statutes, but instead provides a sample of the differences that can arise from the myriad state data breach notification laws.
It is also important to note that, as you read through each statute, the timing, delivery method, and penalties vary as well, which underscores why mortgage bankers should not take a one-size-fits-all approach, especially if they are licensed in multiple states.
If you have any topics that you would like to be considered, please submit your request via email.
Sean A. Stephens, Esq., CMB®
Legal Disclaimer: The information provided on this blog does not, and is not intended to, constitute legal advice; instead, all information, content, and materials available on this site are for general informational purposes only. No representations or warranties of any kind, express or implied, are made about the completeness, accuracy, reliability, or availability of this information. Use of, and access to, this blog or any of the links or resources contained within the site does not create an attorney-client relationship. Broker to Banker Consulting, LLC is not a law firm and does not provide legal services.