GLB Safeguards Rule For Appraisers - Security and Custody of Consumer Data
- Receiving an appraisal order via e-mail
- Receiving sales contracts and other financial documents
- Transmitting final appraisal reports to the client
- Ad hoc e-mails with other service providers – agent, mortgage broker, loan officer, etc.
In addition to unauthorized access, the data must be secured from loss due to environmental hazards such as floods, as well as from technological hazards such as system failures.
Obviously, the appraiser must implement secure means of sending and receiving documents containing NPI. Utilizing regular e-mails with NPI data in the message body or attachments, and even with password protected PDFs, is not sufficient. (Appraisers of course normally send a final report PDF with a password preventing a client from editing the PDF, to prevent fraud. But that still does not prevent anyone else from reading the PDF with the NPI in it. Access to the data is undeterred by preventing the editing of the report.)
Best Practices: Adopt a “custodial” mindset on all NPI data received, thinking in terms of security as well as preservation. Develop a written information security plan and have it on file at all times, and review it regularly. The plan must specify steps used to secure any communications containing NPI. The easiest method is by using password-protected website delivery over SSL (Secure Sockets Layer).
Obviously, each appraisal firm will adopt different levels of implementation. But at its core, NPI data must be secured at all times.
There may be cases of course where the appraiser receives no NPI, and therefore, in hindsight, encryption would not have been necessary. It would be tempting for an appraiser to decide therefore that security overall is not needed until the presence of NPI is certain. However, the appraiser would not be aware of the scope of NPI until the data had already been received, which would already be a security breach if NPI was indeed present. The only safe route is to assume that NPI is present and secure all communications appropriately.
Note that encrypted e-mail may also be used, but is more difficult to implement, since encryption keys must be exchanged manually with multiple providers. It’s unlikely that the people dealing with an appraiser on a transaction will have encryption enabled in their e-mail at all. But all recipients and transmitters of NPI in the transaction are likely to be able to click a link to an SSL-enabled website in an automated e-mail, and to be able to set up password protected accounts on that site. There are many options available, both tailored to appraisers’ needs and generic “off the shelf” secure delivery sites.
Regardless of the scope and type of encryption methods and processes used, developing a written security plan describing them is not optional. The law specifically requires that it be written and regularly reviewed. The appraiser must have it on file, and the privacy statement must refer to its presence.Appraisal , Real Estate , Appraiser , Blog , Technology , USPAP , RESPA ,Bloomington , McLean , Regulation , Illinois , Realtor