THE FIRM
PRACTICE AREAS
CLIENTS
LEGAL TOPICS
CONTACT

Atwood, Haiman & Westerberg

Legal Topics October, 2001

Privacy and the Title Company:
What is "nonpublic personal information" protected by new federal Privacy Law? And why every title and escrow company needs to know about it.
By Eric S. Haiman

In 2000, the Graham-Leach-Bliley Act ("the Act") was enacted into law. Effective July 1, 2001, the Federal Trade Commission promulgated rules to enforce the Act ("FTC Rules"). These new rules apply to all financial institutions, which are defined by the Act and the FTC Rules to include companies providing title and escrow services in connection with a real estate transaction.

The key concept in the new Privacy Law is "nonpublic personal information." In order to ensure compliance with the new Privacy Law, it is essential that every title and escrow company understands what "nonpublic personal information" includes. Title and escrow companies must now closely analyze the information it provides to anyone other than the parties to the transaction to determine whether it contains "nonpublic personal information."

Under the new Privacy Law, title and escrow companies are also required to adopt a privacy policy and Privacy Notice Disclosure. If your company has not already adopted such a policy and disclosure statement, it is imperative that it do so immediately. If your company has a policy and disclosure statement which adequately describes the information sharing practice at issue, you may under certain circumstances provide "nonpublic personal information" about a customer to others. In order to do so, the policy and disclosure statement must first provide the customer with the ability to "Opt-Out" of the relevant information sharing practice. If such a disclosure statement has been properly provided to the customer and the customer does not opt out, the company may provide information pertaining to that customer to others, provided it does so in a manner consistent with the privacy policy and Privacy Notice Disclosure.

While the definition of "nonpublic personal information" is somewhat complex, it is not particularly mysterious.

Provisions of the Privacy Law

The Act, at Title 15 of the United States Code section 6809(4), defines "nonpublic personal information" as follows:

personally identifiable financial information__

  1. provided by a consumer to a financial institution;

  2. resulting from any transaction with the consumer or any service performed for the consumer; or

  3. otherwise obtained by the financial institution.
B. Such term does not include publicly available information, as such term is defined by the regulations prescribed under section 6804 of this title.

C. Notwithstanding subparagraph (B), such term__

  1. shall include any list, description, or other grouping of consumers (and publicly available information pertaining to them) that is derived using any nonpublic personal information other than publicly available information; but

  2. shall not include any list, description, or other grouping of consumers (and publicly available information pertaining to them) that is derived without using any nonpublic personal information.
The FTC Rules essentially re-word this definition and provide examples of "lists" as set forth below. The FTC Rules also provide definitions and examples of the key phrases "personally identifiable financial information," "publicly available information" and "reasonable basis" all of which is also set forth below verbatim.

 
16 Code of Federal Regulations 313.3(n) provides as follows:

  1. Nonpublic personal information means:
    1. Personally identifiable financial information; and
    2. Any list, description, or other grouping of consumers (and publicly available information pertaining to them) that is derived using any personally identifiable financial information that is not publicly available.
  2. Nonpublic personal information does not include:
    1. Publicly available information, except as included on a list described in paragraph (n)(1)(ii) of this section; or
    2. Any list, description, or other grouping of consumers (and publicly available information pertaining to them) that is derived without using any personally identifiable financial information that is not publicly available.
  3. Examples of lists -
    1. Nonpublic personal information includes any list of individuals' names and street addresses that is derived in whole or in part using personally identifiable financial information (that is not publicly available), such as account numbers.
    2. Nonpublic personal information does not include any list of individuals' names and addresses that contains only publicly available information, is not derived, in whole or in part, using personally identifiable financial information that is not publicly available, and is not disclosed in a manner that indicates that any of the individuals on the list is a consumer of a financial institution.
16 Code of Federal Regulations 313.3(o) provides as follows:
  1. Personally identifiable financial information means any information:
    1. A consumer provides to you to obtain a financial product or service from you;
    2. About a consumer resulting from any transaction involving a financial product or service between you and a consumer; or
    3. You otherwise obtain about a consumer in connection with providing a financial product or service to that consumer.
  2. Examples -
    1. Information included. Personally identifiable financial information includes:
      1. Information a consumer provides to you on an application to obtain a loan, credit card, or other financial product or service;
      2. Account balance information, payment history, overdraft history, and credit or debit card purchase information;
      3. The fact that an individual is or has been one of your customers or has obtained a financial product or service from you;
      4. Any information about your consumer if it is disclosed in a manner that indicates that the individual is or has been your consumer;
      5. Any information that a consumer provides to you or that you or your agent otherwise obtain in connection with collecting on, or servicing, a credit account;
      6. Any information you collect through an Internet "cookie" (an information collecting device from a web server); and
      7. Information from a consumer report.
    2. Information not included. Personally identifiable financial information does not include:
      1. A list of names and addresses of customers of an entity that is not a financial institution; and
      2. Information that does not identify a consumer, such as aggregate information or blind data that does not contain personal identifiers such as account numbers, names, or addresses.
16 Code of Federal Regulations 313.3(p) provides as follows:
  1. Publicly available information means any information that you have a reasonable basis to believe is lawfully made available to the general public from:
    1. Federal, State or local government records;
    2. Widely distributed media; or
    3. Disclosures to the general public that are required to be made by Federal, State or local law.
  2. Reasonable basis. You have a reasonable basis to believe that information is lawfully made available to the general public if you have taken steps to determine:
    1. That the information is of the type that is available to the general public; and
    2. Whether an individual can direct that the information not be made available to the general public and, if so, that your consumer has not done so.
  3. Examples -
    1. Government records. Publicly available information in government records includes information in governmental real estate records and security interest filings.
    2. Widely distributed media. Publicly available information form widely distributed media includes information from a telephone book, a television or radio program, a newspaper, or a web site that is available to the general public on an unrestricted basis. A web site is not restricted merely because an Internet service provider or a site operator requires a fee or password, so long as access is available to the general public.
    3. Reasonable basis -
      1. You have a reasonable basis to believe that mortgage information is lawfully made available to the general public if you have determined that the information is of the type included on the public record in the jurisdiction where the mortgage would be recorded.
      2. You have a reasonable basis to believe that an individual's telephone number is lawfully made available to the general public if you have located the telephone number in the telephone book or the consumer has informed you that the telephone number is not unlisted.
 
Guidelines

Following are some basic guidelines which title and escrow companies should follow to help ensure compliance with the new Privacy Law:

  1. Avoid providing any information, orally or in writing, that includes any list, description, or other grouping of customers;

  2. Avoid providing any information that includes the names, addresses or telephone numbers of any customer or any other information that could identify a particular individual as a being a customer of your company. Do not provide a name, address or any other such identifying information about a customer, unless it is part of a public document, such as a recorded instrument or publicly available Assessor's record. The FTC Rules specifically state that "publicly available information in government records includes information in government real estate records," that is not publicly available;

  3. Only provide information that your company has taken steps to determine is otherwise available to the general public;

  4. Only provide information with respect to which your company has taken steps to determine whether an individual can direct that the information not be made available to the general public and, if the individual can so direct, that he/she has not done so; and

  5. Be wary of relying on the exception for lists, descriptions or any other grouping of customers that are derived without using any personally identifiable financial information that is not publicly available. The word "financial" may be very misleading. As stated in the FTC's published comments on the FTC Rules, the range of information that will be considered "financial" for purposes of the FTC Rules is "extremely broad." The Commission "believes that any information should be considered financial information if it is requested by a financial institution for the purpose of providing a financial product or service." This may include all sorts of information that "might not be thought of as financial" such as names, addresses, telephone numbers, etc. Therefore, any list, description or any other grouping of customers that is derived from any information that your company has obtained from its customer is nonpublic personal information for purposes of the Privacy Law. Remember, title and escrow companies are "financial institutions" under the Privacy Law.

If you are at all uncertain as to whether an anticipated action violates the new Privacy Law, obtain the advice of an attorney who is competent on this subject. *

©2007 Atwood, Haiman & Westerberg. All rights reserved. Disclaimer