Appraisals are integral to the real estate industry. However, appraisals contain sensitive information that can be vulnerable to unauthorized access or misuse. Transmitting or sharing this sensitive information requires diligence and adherence to established real estate appraisal best practices concerning nonpublic personal information (NPI). Failure to do so could land your company on the wrong side of the Gramm-Leach-Bliley Act, also known as the GLB Act or GLBA, with potentially costly consequences. Here's what you should keep in mind to remain in compliance with GLBA requirements.
What Is the GLBA — and Why Should You Care?
The GLB Act, formally known as the Financial Modernization Act of 1999, was passed by Congress and signed into law on November 12, 1999 by President Bill Clinton. The GLB Act partially repealed the Banking Act of 1933, commonly known as the Glass-Steagall Act, which placed restrictions on alliances between banking and securities institutions.
Designed to protect the privacy of NPI and other consumer data obtained and maintained by financial institutions, the GLB Act broadened the definition of financial services to include companies and firms that handle electronic data transactions and e-commerce. It should be noted that the GLB Act is not limited to institutions that most people consider financial, such as banks or stockbrokers. Specifically, the GLB Act applies to real estate appraisers, and there are NO exceptions. Sole practitioners are considered to be “institutions” under the GLB Act.
GLBA Rules of the Road
There are two major data protection components included in the GLB Act: the Safeguards Rule and the Financial Privacy Rule.
The Safeguards Rule requires institutions to take measures to protect the security of personally identifiable data belonging to their customers and clients. The rule also applies to an institution’s service providers and affiliates that have access to that personally identifiable data. For instance, a firm with a client seeking to make an offer on a piece of property has a duty under the Safeguards Rule to protect the client’s financial information from unauthorized access.
The Financial Privacy Rule pertains to the notices that institutions must provide regarding their privacy policies, how they handle NPI, and how they share NPI with affiliated and unaffiliated third parties. These notices must be provided to consumers, along with an option to “opt out” of sharing NPI that is not covered by exceptions to the GLBA. Exceptions are generally limited to sharing information that is necessary to complete transactions on behalf of clients.
For instance, your company may share NPI with a third party for processing credit checks and with outside marketers. Sharing for the purpose of processing credit checks would count as an exception under the GLB Act. However, you must still inform your clients about how you share their information, and allow them to opt out of sharing information for marketing purposes.
Consequences of GLBA Non-Compliance
Civil and criminal consequences for failure to comply with GLBA requirements can be severe. Your institution may be fined up to $100,000 for each violation, while individual officers — that means you — may be hit with penalties of up to $10,000 for each violation. Criminal penalties may also apply, including imprisonment for up to five years.
NPI Transmissions: the Secure and the Not-Secure
Improper electronic data transmission can result in GLBA non-compliance. Specifically, regular email is generally considered to be an insecure method of data transmission. Encrypted email offers some security, but it’s not foolproof. Public keys are the weak link: they must be transmitted to recipients somehow, and each correspondent must have his or her own public key. Multiply this reality by hundreds of correspondents, and it’s not hard to see how that situation could become unmanageable.
Many banks and healthcare providers offer secure email portals within their websites where consumers can compose and retrieve messages. Under this type of system, customers receive an email notification that messages have been posted on the institution’s website. This is considered a reasonably secure method of transmitting email.
Ironically, transmission by third-party electronic fax is often more secure than transmission of a physical facsimile. Commercial electronic fax services often provide end-to-end security for faxes, including borrowing a page from secure email by sending regular email notification of successful or unsuccessful transmission.
Securing paper faxes presents more of a challenge. Cover sheets are a must for transmission. Ideally, the fax machine should be located in a secured location with access limited to authorized personnel. Nonetheless, you have no way of knowing whether a fax recipient implements security measures.
Transmitting NPI over public Wi-Fi connections is an invitation for a GLB Act violation. Using a virtual private network (VPN) is an absolute must. Mobile devices must be equipped with remote wiping capabilities to minimize the risk of data breaches from lost or stolen devices.
Real Estate Appraisal Best Practices
Following established real estate appraisal best practices can help ensure that your company remains in compliance with the GLB Act. There are four basic guidelines, listed below:
- All NPI transmissions (including order and final appraisal) must be made by secure methods
- Assume all client information is NPI and handle it accordingly
- Adopt a custodial mindset where NPI is concerned
- Avoid sharing NPI with nonaffiliated third parties except where required to complete a transaction
Transmit All NPI via Secure Method - This may seem obvious, but when you’re rushed or just not up to going through the hassle of secure data transmission, you may be tempted to cut corners or skip secure transmission altogether. However, the penalties associated with deliberate noncompliance should convince you to resist that temptation.
Assume All Client Info is NPI - When in doubt about non-aggregate data, err on the side of caution: assume that all non-aggregate client info is NPI and handle it accordingly. Otherwise you risk inadvertently mishandling sensitive NPI.
Adopt a Custodial Mindset - Under the rules of the GLBA, your company is responsible for maintaining the privacy and security of any NPI in its possession. Therefore it makes sense to adopt a custodial mindset to this sensitive information.
NOT Sharing IS Caring - As discussed above, the GLB Act allows for exceptions for sharing NPI with third parties when necessary to execute business-related transactions. However, beyond these exceptions, it’s wise to avoid sharing NPI, especially with third-party marketers. Information such as credit report data should NEVER be shared with third parties for any purpose besides necessary business functions.
The GLB Act is intended to protect consumers and clients from indiscriminate sharing of sensitive private information. Secure transmission of data can be especially challenging. Adopting the real estate appraisal best practices listed above can help ensure that your firm remains GLBA compliant. DataTree Appraisal Solutions can help your firm obtain the data it needs while maintaining GLBA compliance.