Appraisal News For Real Estate Professionals

2006/05/16

GLB Safeguards Rule For Appraisers - Security and Custody of Consumer Data

a la mode, inc. has developed a “Best Practices” series dealing with compliance issues of the Gramm-Leach-Bliley (G-L-B) Act. The first in this series - Must Appraisers Comply With the Gramm-Leach-Bliley Act? - dealt with some of the background issues, how the act applies to appraisers, what some of the risks of ignoring the act are, and the two rules that affect appraisers - Safeguards and Privacy. This section deals specifically with the Safeguards Rule.

The Safeguards Rule requires that appraisers and all other financial institutions implement written security procedures to prevent NPI (nonpublic personal information) from falling into the wrong hands. The complexity and scope of the written protocols may be appropriate to the size of the institution, but core security of the NPI may not be abdicated. NPI must be secured using passwords and encryption during any sort of transmission, as well as during storage (and physically secured even when stored in paper form). All institutions are required to respect the sensitivity of NPI data in all phases of a transaction, and to interact with service providers appropriately, according to their written information security plan. This written information security plan and the relevant protocols in it must be referenced in the privacy policy provided to the consumer (if the consumer directly engages the appraiser).

In the appraiser’s role in the transaction, NPI data is potentially received electronically under many scenarios:
  • Receiving an appraisal order via e-mail
  • Receiving sales contracts and other financial documents
  • Transmitting final appraisal reports to the client
  • Ad hoc e-mails with other service providers – agent, mortgage broker, loan officer, etc.

In addition to unauthorized access, the data must be secured from loss due to environmental hazards such as floods, as well as from technological hazards such as system failures.

Obviously, the appraiser must implement secure means of sending and receiving documents containing NPI. Sending regular e-mail with NPI in the message body or attachments, even as password-protected PDFs, is not sufficient. (Appraisers normally send a final report PDF with a password that prevents the client from editing the PDF, to prevent fraud. But that still does not prevent anyone else from reading the PDF and the NPI in it: an edit restriction does nothing to restrict access to the data.)

Best Practices: Adopt a “custodial” mindset on all NPI data received, thinking in terms of security as well as preservation. Develop a written information security plan and have it on file at all times, and review it regularly. The plan must specify steps used to secure any communications containing NPI. The easiest method is by using password-protected website delivery over SSL (Secure Sockets Layer).

Obviously, each appraisal firm will adopt different levels of implementation. But at its core, NPI data must be secured at all times.

There may of course be cases where the appraiser receives no NPI, and therefore, in hindsight, encryption would not have been necessary. It would be tempting for an appraiser to decide that security is not needed until the presence of NPI is certain. However, the appraiser cannot know whether NPI is present until the data has already been received, and if NPI was present, an unprotected transfer would already be a security breach. The only safe route is to assume that NPI is present and secure all communications appropriately.

Note that encrypted e-mail may also be used, but is more difficult to implement, since encryption keys must be exchanged manually with multiple providers. It’s unlikely that the people dealing with an appraiser on a transaction will have encryption enabled in their e-mail at all. But all recipients and transmitters of NPI in the transaction are likely to be able to click a link to an SSL-enabled website in an automated e-mail, and to be able to set up password protected accounts on that site. There are many options available, both tailored to appraisers’ needs and generic “off the shelf” secure delivery sites.
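As an added illustration (not part of the original article, and not code from a la mode or any delivery product), the following Python sketch shows the two pieces a password-protected delivery site relies on: per-account password storage using a salted key-derivation function with constant-time comparison, and expiring, single-use download links that still require the account password before a report is released. The class and function names, the iteration count and the sample accounts are assumptions for illustration; the TLS layer itself (the SSL the article refers to) is provided by the web server and is not modeled here.

```python
"""Added example, not from the original article: a toy model of the
account and download-link handling behind a password-protected delivery
site. Standard library only; all names here are illustrative assumptions."""
import hashlib
import hmac
import os
import secrets
import time
from typing import Dict, Optional, Tuple

# Assumption: iteration count in line with current PBKDF2-HMAC-SHA256 guidance.
PBKDF2_ROUNDS = 600_000


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, derived_key). A fresh random salt per account means two
    accounts with the same password still store different values."""
    salt = salt if salt is not None else os.urandom(16)
    key = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)
    return salt, key


def verify_password(password: str, salt: bytes, expected: bytes) -> bool:
    """Re-derive the key and compare in constant time (no timing leak)."""
    _, key = hash_password(password, salt)
    return hmac.compare_digest(key, expected)


class DeliverySite:
    """Accounts plus expiring, single-use download links, each tied to one
    account and one report. The link in the notification e-mail is not
    enough by itself: the account password is still required to download."""

    def __init__(self, link_ttl_seconds: int = 3600):
        self._ttl = link_ttl_seconds
        self._accounts: Dict[str, Tuple[bytes, bytes]] = {}   # email -> (salt, key)
        self._links: Dict[str, Tuple[str, str, float]] = {}   # token -> (email, report, expiry)

    def register(self, email: str, password: str) -> None:
        self._accounts[email] = hash_password(password)

    def login(self, email: str, password: str) -> bool:
        record = self._accounts.get(email)
        if record is None:
            # Run the KDF anyway so unknown accounts do not answer faster
            # than known ones with a wrong password.
            hash_password(password)
            return False
        return verify_password(password, *record)

    def issue_link(self, email: str, report_id: str, now: Optional[float] = None) -> str:
        """Create an unguessable token to place in the notification e-mail."""
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)
        self._links[token] = (email, report_id, now + self._ttl)
        return token

    def redeem(self, token: str, email: str, password: str,
               now: Optional[float] = None) -> Optional[str]:
        """Return the report id if the link is valid, unexpired, belongs to
        this account and the password checks out; otherwise None."""
        now = time.time() if now is None else now
        entry = self._links.get(token)
        if entry is None:
            return None
        owner, report_id, expires = entry
        if now > expires or owner != email or not self.login(email, password):
            return None
        del self._links[token]  # single use: a forwarded or replayed link fails
        return report_id


if __name__ == "__main__":
    site = DeliverySite(link_ttl_seconds=3600)
    site.register("lender@example.com", "correct horse battery staple")  # constructed sample
    link = site.issue_link("lender@example.com", "report-0001")
    print("download:", site.redeem(link, "lender@example.com", "correct horse battery staple"))
    print("replay:", site.redeem(link, "lender@example.com", "correct horse battery staple"))
```

The token is stored server-side and only the hash of the password is kept, so a copy of the site's database alone yields neither a usable link nor a password; the e-mail that carries the link contains no NPI, which is what makes the automated notification the article describes safe to send over ordinary e-mail.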

Regardless of the scope and type of encryption methods and processes used, developing a written security plan describing them is not optional. The law specifically requires that it be written and regularly reviewed. The appraiser must have it on file, and the privacy statement must refer to its presence.
