1. Introduction
The MISMO V3 LDD includes a Personal Private Information column to designate mortgage industry data points that have been identified as Personal Information (“PI”) in one or more state security breach notification laws. Examples of Personal Information identified by laws include Social Security Number, financial account numbers and driver’s license numbers. Most laws specify that identified data elements constitute PI only when combined with a person’s name. For example, the consumer name and Social Security Number together, or consumer name and financial account number together, are considered to be personal information. However, the consumer name by itself, or a Social Security Number by itself, is not considered personal information because it is their combination that enables a privacy breach. Since the exact requirements vary from state to state, MISMO has elected to flag any data element in the LDD as sensitive that is identified in one or more state breach notification laws as being PI, regardless of any requirement that it be combined with other flagged data elements.
Independent of privacy laws, organizations may consider information assets other than PI to be confidential. An organization may classify Intellectual Property (IP), financial information, corporate correspondence and more as confidential. These assets should be identified and protected by an organization. A general MISMO V3 schema attribute that identifies sensitive information, regardless of personal or corporate origin, would benefit the mortgage industry.
The guidelines here are intended to raise awareness, both within MISMO process areas and among MISMO implementers. Knowledge regarding the changing dynamics of the mortgage process is beneficial to all participants. The specific point of reference is state security breach notification laws. As of 2009, 44 states have enacted laws on security breaches. Unfortunately, the various laws are not identical. Differences include data elements, notification triggers, regulator authority, etc.
The guidelines here are not intended to represent all privacy laws, such as Gramm-Leach-Bliley Act (GLB), Fair and Accurate Credit Transactions Act (FACT), ID Theft Red Flag regulation, or others. Nevertheless, knowledge of state security breach notification data elements can only raise awareness of other laws and regulatory requirements.
There are many parties involved in a mortgage loan transaction, including the borrower(s), the seller(s), the lender, the settlement agent, real estate services providers, and so forth. Privacy laws are normally focused upon protecting the “consumer”. Therefore, the ISWG decided to flag only data elements associated with the consumer(s) involved in the transaction, and to exclude data elements associated with any other participants. More specifically, of the many parties in a mortgage loan transaction, ISWG believes privacy protections apply only to the borrower and seller parties. Other parties to the transaction are service providers and not subject to personal identity theft laws. Of course, individual employees of those service providers are subject to personal identity theft laws, but there is a presumption that even if their names are visible in the mortgage loan transaction, no other private information regarding them is visible.
Confidential organizational assets are the responsibility of the business. The information provided is educational in nature, providing general information about legal developments and is not intended as legal advice. You should consult an attorney for any specific legal questions.
1.1 Audience
MISMO Analysts and Developers: MISMO is not a regulatory agency and the Personal Private Information column in the LDD is an exercise in security awareness, not an assurance of compliance. The objective is to trigger a thorough risk assessment by the organizations that use the MISMO standards. Business Analysts, Privacy Officers, Counsel, Application Developers and Information Technologists should work together to quantify and mitigate the risk associated with their organization’s use of these, and potentially other, data elements. Organizations are advised to examine their corporate policies for any additional data elements.
MISMO Workgroups: MISMO Workgroups are responsible for evaluating whether their newly proposed data points are Personal Private Information in the LDD, and for submitting their evaluation with their proposed data points to Core Data Structures. This exercise can be subjective, as the privacy aspects of data points are not always intuitively obvious. Workgroups can take a conservative approach by recommending questionable data points and submitting a Work Request to the MISMO Information Security Work Group (ISWG) for review. Additionally, the MISMO Core Data Structures Workgroup will vet all data points for privacy as part of the review and approval process.
1.2 Terminology
The key words “MUST”, “MUST NOT”, “REQUIRED”, “SHALL”, “SHALL NOT”, “SHOULD”, “SHOULD NOT”, “RECOMMENDED”, “MAY”, and “OPTIONAL” in this document are to be interpreted as described in RFC 2119. See «add reference to MISMO glossary for terminology used in this MEG».
1.3 Document Status
The information supplied in this document reflects the MISMO interoperability principles at the time of writing. It is a living document, which will be updated as required to reflect the evolving nature of XML technologies and the service requirements identified by the MISMO constituency. Comments on this document should be sent to the MISMO designated contact identified in the document preface. MISMO does not accept any liability for the accuracy, adequacy or completeness of the information contained in these Guidelines.
2. Rationale for this MEG
The MISMO Information Security Work Group (ISWG) is attempting to increase awareness of sensitive Personal Information (“PI”). Due to the increased occurrence of identity theft, the protection of PI has become a major concern to both the private and public sectors. The Gramm-Leach-Bliley Act (GLBA), the Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism Act (USA PATRIOT ACT) and the Sarbanes-Oxley Act are examples of federal regulations that impact the protection of PI. Over 40 state governments have codified laws requiring organizations to provide notifications when PI may be compromised due to a privacy breach.
The mortgage process requires organizations to collect, process, store, transfer and dispose of PI. As the foremost standards organization in the mortgage industry, MISMO is raising awareness and providing guidance on how to identify PI and mitigate risk for organizations that handle PI. All participants in MISMO must be well informed on PI and address safeguards as part of their standards development.
Sensitive Information is often referred to as “personally identifying information” (“PII”) or “identifying information” (“II”). The FTC’s rule defines “identifying information” to mean any name or number that may be used, alone or combined with any other information, to identify a specific person, such as a name, social security number, date of birth, official State or government issued driver’s license or identification number, alien registration number, government passport number, or employer or taxpayer identification number. The intent of defining identifying information is to limit the potential for identity theft, which is “a fraud committed or attempted using the identifying information of another person without authority.”
The exercise conducted by the ISWG is subjective. Laws and regulations don’t delineate every possible data element, and the MISMO LDD data element names frequently don’t correlate precisely with those delineated in laws. Hence, the ISWG used its best judgment to appropriately flag private information data elements. Further, after extensive debate, the ISWG decided to flag only data elements associated with the consumer(s) involved in the transaction, principally the borrower(s) and seller(s), and to exclude data elements associated with any other participants. For example, an appraiser’s ID number is not flagged as PI because the appraiser was determined to be a participant, but not a consumer. Each MISMO Workgroup is responsible for evaluating whether their newly proposed data points should or should not be flagged as PI in the LDD, and for submitting their evaluation to Core Data. This exercise can be subjective, as the privacy aspects of data points are not always intuitively obvious. Workgroups can take a conservative approach by recommending questionable data points and submitting a Work Request to the MISMO Information Security Workgroup (ISWG) for review. Additionally, all data points will be vetted by the MISMO Core Data Workgroup for privacy as part of the submission process.
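The two flagging rules described in the Introduction and above (an element flagged in the LDD counts as PI on its own, without requiring the name-plus-element combination some state laws use, and only data attached to consumer parties such as borrower and seller is flagged, not data attached to service providers such as an appraiser) can be applied mechanically to a message before it is logged or shared. The following is an added example, not MISMO’s code; the LDD subset, the element names, the `role` attribute and the sample message are all constructed to illustrate the rules and are not real MISMO V3 identifiers or instances.

```python
# Added example (not MISMO's code): apply the guideline's PI flagging rules to
# a constructed message so PI can be redacted before logging.
import xml.etree.ElementTree as ET

# Constructed stand-in for the LDD's Personal Private Information column:
# element name -> flagged as PI. Each flagged element is sensitive on its own.
LDD_PI_FLAGS = {
    "FullName": True,
    "SocialSecurityNumber": True,
    "DriversLicenseNumber": True,
    "FinancialAccountNumber": True,
    "LoanAmount": False,
    "AppraiserLicenseNumber": False,
}

# Only consumer parties are in scope; service providers are not (assumption:
# party role is carried in a constructed "role" attribute).
CONSUMER_ROLES = {"Borrower", "Seller"}


def redact(value):
    """Keep only the last four characters so a log line cannot leak the value."""
    return "*" * max(len(value) - 4, 0) + value[-4:]


def find_pi_elements(xml_text):
    """Return (role, element, redacted_value) for every element that is flagged
    PI in the LDD subset and sits under a consumer party."""
    root = ET.fromstring(xml_text)
    findings = []
    for party in root.iter("Party"):
        role = party.get("role", "")
        if role not in CONSUMER_ROLES:
            continue  # appraiser, lender, etc.: not a consumer, not flagged
        for elem in party.iter():
            if elem is not party and LDD_PI_FLAGS.get(elem.tag, False):
                findings.append((role, elem.tag, redact(elem.text or "")))
    return findings


# Constructed sample message; values are made up.
SAMPLE_MESSAGE = """<Message>
  <Party role="Borrower">
    <FullName>Jane Example</FullName>
    <SocialSecurityNumber>123456789</SocialSecurityNumber>
    <LoanAmount>250000</LoanAmount>
  </Party>
  <Party role="Appraiser">
    <FullName>Pat Appraiser</FullName>
    <AppraiserLicenseNumber>AP-0001</AppraiserLicenseNumber>
  </Party>
</Message>"""

if __name__ == "__main__":
    for role, tag, value in find_pi_elements(SAMPLE_MESSAGE):
        print(f"{role}/{tag}: {value}")
```

The appraiser’s name is left unflagged because of the party rule, while the borrower’s name and SSN are each reported individually because the LDD flag, not the combination, decides.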