Is a HUD-1 Considered Non-public Information?
August 22, 2013
Passed in 1999, the Gramm-Leach-Bliley (GLB) Act addressed concerns relating to consumer financial privacy. GLB required the Federal Trade Commission (FTC) and other government agencies that regulate financial institutions to implement regulations to carry out the Act's financial privacy provisions (GLB Act). The regulations required all covered businesses to be in full compliance by July 1, 2001.
The FTC is responsible for enforcing its Privacy of Consumer Financial Information Rule, which protects a consumer's "nonpublic personal information" (NPI). NPI is any "personally identifiable financial information" that a financial institution collects about an individual in connection with providing a financial product or service, unless that information is otherwise "publicly available." The Privacy Rule applies to ALTA members that provide real estate settlement services.
ALTA members should note that the FTC considers NPI to be any information obtained about an individual from a transaction involving a company’s services. This could include a person’s name, address, income, Social Security number or other information on an application. This also includes any information from court records or from a consumer report.
Data security and protection of NPI is a major concern of lenders, according to Penny Reed of Wells Fargo Home Mortgage.
“There is a window of time when the settlement statement is considered NPI and settlement and title agents should be taking precautions to protect consumer and lender information,” Reed said.
The FTC said NPI does not include information that is believed to be lawfully made "publicly available." In other words, information is not NPI when steps have been taken to determine:
- that the information is generally made lawfully available to the public; and
- that the individual can direct that it not be made public and has not done so.
For example, while telephone numbers are listed in a public telephone directory, an individual can elect to have an unlisted number. In that case, his or her phone number would not be "publicly available."
Examples of publicly available information include:
- federal, state, or local government records made available to the public, such as the fact that an individual has a mortgage with a particular financial institution.
- information that is in widely distributed media like telephone books, newspapers, and websites that are available to the general public on an unrestricted basis, even if the site requires a password or fee for access.
Additionally, information in a list form may be NPI, depending on how the list is derived. For example, the FTC said a list is not NPI if it is drawn entirely from publicly available information, such as a list of a lender's mortgage customers in a jurisdiction that requires that information to be publicly recorded. Also, it is not NPI if the list is taken from information that isn't related to your financial activities, for example, a list of individuals who respond to a newspaper ad promoting a non-financial product you sell. A list derived even partially from NPI is still considered NPI, according to the FTC. For example, a creditor's list of its borrowers' names and phone numbers is NPI even if the creditor has a reasonable basis to believe that those phone numbers are publicly available, because the existence of the customer relationships between the borrowers and the creditor is NPI.
ALTA’s “Title Insurance and Settlement Company Best Practices” include guidelines for companies to protect against data theft and help meet GLB requirements. The third pillar of the Best Practices provides procedures on physical and network security of NPI, how to properly dispose of NPI, developing a disaster management plan, employee training to ensure compliance and oversight of service providers.