What do the words Gramm-Leach-Bliley mean to you?
According to a la mode's most recent newsletter: "If you're like many appraisers, you're vaguely aware that GLB (as we'll call it) is a law that deals with financial privacy. You may have heard something about it being applicable to appraisers, but no one's ever really pressed the issue, so like the vast majority of your colleagues, you've never really done anything about it."
No one ever really pressed the issue to title companies either. That's changed now that Kansas-based Nations Title Agency Inc. has settled Federal Trade Commission (FTC) charges that it was careless with consumer information. (Kansas City Business Journal account) A Kansas City TV station found discarded mortgage loan applications in an open, unsecured dumpster on Nations Title property. That prompted the FTC, the agency that enforces GLB, to investigate.
The FTC also found that Nations Title had failed to secure its digitally stored consumer information, which had been accessed by a hacker. The settlement agreement, which you can see at this link (PDF), should be read as a cautionary tale by anyone who doesn't take GLB seriously.
Then there's the Department of Veterans Affairs data analyst who lost 26.5 million veterans' personal information when his home was burglarized. He had often taken such data, including Social Security numbers, home with him for years, VA Inspector General George J. Opfer said. A $50,000 reward for information leading to the recovery of the laptop stolen from the employee's home was announced.
Consumers, brokers and loan officers can't sue you under GLB, but can certainly report you to the FTC. They may do it because you've been careless with personal information, or they might do it for some other reason. If it happens, your t's had better be crossed and your i's dotted.
Appraisers are subject to the rules
Appraisers are subject to GLB's Safeguards Rule and Privacy Rule. Lenders requested waivers during the development of the FTC's rules for its vendors, including appraisers, and the request was rejected. The FTC has time and again clarified publicly that appraisers must comply. See for example 16 CFR 313.3 (text search for "appraiser").
The size of your company or practice doesn't matter. It also doesn't matter if a particular transaction is "federally related" or not as FIRREA contemplates. The rules are applicable to you or your company overall, not specific assignments. The "non-public personal information" (NPI) the law seeks to protect need not come directly from a consumer. You are responsible for securing NPI you get from a client while it is in your possession.
You are responsible for determining whether information is "non-public." It would be a mistake to assume a phone number or e-mail address — two kinds of NPI — is publicly listed. It is best to assume none of it is. GLB and its rules trump state law. You can't simply comply with your state's privacy security laws and hope that squares you with federal law, too.
What you need to do
All appraisers must, at minimum, do the following:
- Secure the transmission, receipt, and storage of data relating to consumer NPI at all times, via passwords, encryption, and physical protection, backed by a written information security plan.
- Provide easily understood privacy statements to any consumers who engage you directly, disclosing the gathering, sharing, and security of NPI data, as well as the methods the consumer may use to opt out of sharing of the data with others.
- Note that a privacy statement and opt-out procedure are only necessary when a consumer engages you directly. The information safeguards required when you're in possession of NPI are applicable at all times.
A detailed Best Practices document discussing these issues in depth is available from a la mode's resources page at this link. The Best Practices document includes a discussion of the applicability of the rules to all appraisers and how generally to respond. The second half is advice specifically for a la mode customers regarding how to use our tools to help you comply.