In one of the most atrocious releases of Personally Identifiable Information (PII) in the history of the Mortgage Field Services Industry, Assurant Field Asset Services (AFAS) released over 8,000 line items of Client, Vendor and Homeowner information yesterday. Today, we merely release some rough details. Tomorrow, we follow up with the hard-hitting questions and evaluation which the Foreclosurepedia Nation has come to expect.
Details are still emerging with respect to yesterday’s Assurant Field Asset Services (AFAS) improper dissemination of Personally Identifiable Information (PII). What we know for sure is that Ashley Bowers, AFAS Vendor Admin, screwed the pooch in a manner not seen in, well, forever. In fact, as we reveal tomorrow with the publication of both her emails and Bill Roach’s pathetic plea not to use any information sent, Bowers’ release of the data not once but twice borders upon the unimaginable. Did I forget to mention the spreadsheet is over 8,000 line items?!
The document includes details pertaining to the Clients, Vendors and Loan Numbers, in such minutiae that one almost believes it is a covert CIA report; this author believes that J. Edgar Hoover himself would have blushed.
Specifically, the Realtors’ names, addresses, phone numbers and emails, and Clients such as Ditech, PPR, FNMA, et al., are splashed all over the spreadsheet; ditto for the Vendors. More seriously, though, the REO and Loan Numbers are listed. As if that wasn’t enough, the City, State and Status of the properties are listed AND THEY INCLUDE the Lock Box and Key Codes for them.
Because the spillage occurred in spreadsheet format, it is potentially an invitation to criminals to identify and select their next burglary in an area where they are most comfortable.
So, how do state regulators address this, given that it appears obvious that AFAS would rather sic a bunch of lawyers on reporters? Here, take a look at a great article by Peter J. Guffin, a Partner at Pierce Atwood, which was originally published in the December 2011 issue of inFocus, PRISM’s Quarterly Journal:
U.S. State Breach Notification Laws
Forty-six U.S. states have now adopted a breach notification law. The laws generally apply to all persons that own, license, store or maintain certain sensitive personally identifiable information (“PII”) about a resident of the state, regardless of where the person or PII is located. In addition, in at least one state, Connecticut, the Insurance Commissioner has issued its own data breach notification rules applicable to insurance companies and other persons subject to its jurisdiction.
The specific requirements of the laws can vary substantially, but in very general terms, the laws mandate that if there is unauthorized acquisition, use or access to unencrypted PII that threatens the integrity or security of such PII creating a risk of identity theft, the person that “owns” such PII must notify affected state residents, state agencies, consumer protection agencies and, in some instances, statewide media. If a service provider maintains the PII on behalf of its customer (the data owner), the service provider generally must notify the data owner which, in turn, must make the required notices.
In practice, the variations in these laws can present significant challenges.
A. Scope of Covered PII
The definition of covered PII varies among the states. Many states, such as Illinois, focus on the key data fields of name plus Social Security numbers, bank account numbers and credit or debit card numbers. Some states, such as Alaska, also include passwords, PINs and other access codes for financial accounts as separate data fields. Other states, such as North Dakota, have laws that cover a broad range of other data fields, such as date of birth, electronic signature, mother’s maiden name, employer identification number and the like. Still other states, such as Nebraska and North Carolina, have laws that cover “unique biometric data,” including fingerprints, voice prints and retinal images, within the definition of PII. Collectively, across the patchwork of state laws, there are more than 30 different categories of PII that can trigger a breach notification obligation.
B. Trigger for Notification Obligation
There are also variations as to what circumstances trigger an obligation to notify. For example, some states, such as Colorado, do not require notice unless misuse of the data is likely; similarly, some states, such as Maine, require notice if the breach creates a substantial risk of identity theft or fraud. In other words, in these states a “risk of harm” threshold applies before notice is required. In contrast, other states, such as Massachusetts, presume “risk of harm” and mandate notification whenever a person knows or has a reason to know that the covered PII was acquired or used by an unauthorized person or used for an unauthorized purpose.
C. Recipients of Notice
Although virtually all states with breach notification laws require some form of notice to residents affected by a data breach, individual states vary with respect to whether additional notice must be given to other entities, such as consumer reporting agencies or state agencies. In some states, such as Arkansas, no such additional notice is required. However, in Minnesota, if a data breach requires notification of more than 500 persons, then additional notice of the breach must be given to all national consumer reporting agencies. The threshold is different in other states, such as Michigan and Nevada, where the laws require national consumer reporting agencies to be notified if a data breach requires notification of more than 1,000 residents. And, in Georgia, notification of more than 10,000 residents is the relevant threshold for triggering notice to national consumer reporting agencies. Suffice it to say, there are similar variations among the states regarding notification of state agencies and attorneys general.
D. Content of Notice
Variations also apply regarding mandatory content in the notice. For example, North Carolina mandates that the notice to the individual must describe the nature of the incident. In contrast, Massachusetts specifies that the notice to Massachusetts residents must not describe the nature of the incident or the number of residents affected. Such direct conflicts generally drive towards different notices to different state residents, although such divergent requirements pose obvious challenges in situations where notice is also provided via the organization’s website, given that both North Carolina and Massachusetts residents will view the same website.
E. Timing of Notice
Perhaps the most acute challenges arise on the timing of the notice. Many states, such as Massachusetts, require that notice be provided as soon as practicable and “without unreasonable delay.” Some states establish specific timelines for notification in certain cases. For example, California requires notice in five days for certain health records. In contrast, other states, such as Arizona, impose affirmative obligations to conduct a reasonable investigation regarding the incident before notifying the affected individuals. In practice, a reasonable investigation could actually require substantially more than five days to complete, particularly if the situation involves a hacking incident or other complex scenario. The organization thus may not be able to satisfy both Arizona and California law on timing, even though both laws may apply to the same incident. Many states allow for delay in notification if requested by appropriate law enforcement agencies.
Most state breach notification laws do not directly establish a private right of action. Alaska, California and Delaware are among the few states that do provide a private cause of action. In some states, violation of breach notification laws may constitute an unfair practice, for which persons may bring suit when injured by such violation. In Massachusetts, the Attorney General may bring an action under the Massachusetts unfair and deceptive practices statute for violations of the breach notification law. Similarly, consumers in Maryland may bring actions under that state’s law governing unfair and deceptive trade practices.
The Securities and Exchange Commission (SEC) has taken cybersecurity seriously over the years. Item 503(c) of Regulation S-K provides that a public company must disclose the most significant factors that make an investment in the company speculative or risky (see Item 503(c) of Regulation S-K, and Form 20-F, Item 3.D). The SEC’s Guidance provides that whether those factors include cyber risks depends on the registrant’s particular facts and circumstances, and that, when applicable:
Cybersecurity risk disclosure provided must adequately describe the nature of the material risks and specify how each risk affects the registrant. Registrants should not present risks that could apply to any issuer or any offering and should avoid generic risk factor disclosure.
In light of the fact that AFAS is under the umbrella of a publicly traded insurance firm, I have reached out to the SEC as well as state and federal insurance regulators in an attempt to make public any After Action Report (AAR) which may be forthcoming.
We close out with three important documents; the final one is where AFAS hired the same lawyers who attempted to screw us over on our monies owed nearly two years ago. I retained the emails if you want to read them, Counselor, and perhaps ask Berghorst’s former Michigan lawyer whether my opinion holds weight.
Does the Florida Information Protection Act of 2014, which became effective July 1, 2014, impact AFAS and their recalcitrant attitude toward publicly reporting this PII spillage? The fines are startling! Take a read and determine for yourself. Understand that for any breach of security affecting 500 or more individuals in Florida, notice must be provided to the Department of Legal Affairs. Upon the Department of Legal Affairs’ request, the company must provide the following: (i) a police report, incident report, or computer forensics report; (ii) a copy of the policies in place regarding breaches; and (iii) the steps that have been taken to rectify the breach. Make no mistake whatsoever that there were far more than 500 individuals involved and that Foreclosurepedia is going to follow up with Florida on Monday.
Hey Rosenbaum, that is one of the questions I have for you Monday as well! 😉
While we are currently dealing with a former AFAS lawyer, Jason Rosenberg, who at our last encounter labeled me “a prolific writer,” the fact of the matter is that Foreclosurepedia has every intention of engaging in a protracted and asymmetrical strategy. Here is the most recent salvo between Alston – Byrd and myself: