Does the Gramm-Leach-Bliley Act (GLBA) require that appraisal firms email appraisals only by encrypted email?

We believe that federal and Illinois privacy requirements would require the encryption of appraisals only if the appraisal document contains “sensitive customer information” (the federal term) or “personal information” (the Illinois term). While some appraisal reports contain customer names and account numbers, others contain no customer information at all. For example, MountainSeed Appraisal Management, an appraisal management company, told us that some banks attach cover sheets to appraisals that contain private customer information. To determine whether a given appraisal document contains customer information, review the definitions of “sensitive customer information” and “personal information” below; under both, the test is whether an identifying item (Column A) appears together with an identification or account-access item (Column B).

Federal Interagency Guidelines Establishing Information Security Standards

Under the Interagency Guidelines Establishing Information Security Standards (OCC, FRB, FDIC), financial institutions must protect against unauthorized access to or use of “sensitive customer information.” Sensitive customer information means data (whether in paper, electronic, or other form) that combines at least one item from Column A with at least one item from Column B, below, or any other combination of customer information that would allow someone to log onto or access the customer’s account.

“Sensitive customer information” = any item from Column A, in conjunction with any item from Column B:

Column A:
    Customer name
    Customer address
    Customer telephone number

Column B:
    Customer social security number (SSN)
    Customer driver’s license number
    Customer’s account number
    Customer’s credit card number
    Customer’s debit card number
    Customer’s personal identification number (PIN)
    Customer’s password

or,

“any combination of components of customer information that would allow someone to log onto or access the customer's account, such as user name and password or password and account number”

Further, the federal privacy rule prohibits a bank from disclosing an account number (or similar access number or code) to a nonaffiliated third party for use in telemarketing, direct mail marketing, or email marketing. 12 CFR 40.12(a). An account number in encrypted form does not count as an account number for this purpose, as long as the recipient is not given the means to decode it. 12 CFR 40.12(c)(1). In practice, encrypting account numbers before they leave the bank, and never sending the key to the recipient, keeps such disclosures outside the prohibition.

Illinois Personal Information Protection Act

Illinois’s requirements are slightly different from the federal requirements. In general, under the Personal Information Protection Act, a bank must notify customers of a data breach if it “compromises the security, confidentiality, or integrity” of a customer’s “personal information.” 815 ILCS 530/5; 815 ILCS 530/10. One difference from federal law is that the Illinois law applies only to “computerized data” (while the federal guidelines apply to paper, electronic, and other forms of data). Also, “personal information” is defined slightly differently from “sensitive customer information” under the federal guidelines: the items in Column A and Column B are slightly different, and the definition excludes data that is encrypted or redacted. 815 ILCS 530/5.

“Personal information” = any item from Column A, in conjunction with any item from Column B:

Column A:
    Customer first name or first initial and last name

Column B:
    Customer social security number (SSN)
    Customer driver’s license number
    Customer’s State identification card number
    Customer’s account number
    Customer’s credit card number
    Customer’s debit card number

or,

“an account number or credit card number in combination with any required security code, access code, or password that would permit access to an individual’s financial account.”