Brokers that collect client Social Security numbers, driver’s license numbers or any information about their clients’ credit cards or financial accounts may be affected by two state laws on data security. One of these two laws makes it a summary criminal offense to “intentionally communicate or otherwise make available to the general public” any individual’s SSN and prohibits certain other uses of the SSN that might have it exposed to public view. The other law requires those who collect any computerized data involving a client’s name and Social Security number or financial account numbers to notify the customer if there is any breach of the security of that database.
Brokers and agents who collect any personally identifiable information regarding consumers should also have a privacy policy posted on their Web site. A privacy policy is required for anyone operating a VOW site. This policy should tell consumers what information is being collected and how it may be used.
-------------
Over 650 members attended two sessions of our popular Risk Reduction Series telephone seminars to learn about these laws. A recording of the call is available for purchase. If you have ever collected a client's Social Security Number and you didn't attend the seminar, YOU SHOULD GET THIS CD. Order by filling out the CD order form and faxing it to 1-800-555-4770, or go to www.bsre.biz to order online.
The Breach of Personal Information Notification Act ("BPINA") -- effective June 20, 2006 -- regulates entities that collect "personal information" about clients in computerized databases. "Personal information" is defined as any data that links a person's name with their Social Security Number, driver's license number or financial account information. If the security of any computerized database containing this information is breached, the entity collecting the information is required by the Act to notify the affected consumers.
This Act, effective December 26, 2006, makes it a summary criminal offense to “intentionally communicate or otherwise make available to the general public” any individual’s Social Security Number ("SSN") and prohibits certain other uses of the SSN that might have it exposed to public view. The law covers all types of communication, including electronic and non-electronic. Possible fines range from $50 to $5,000.
Answers common questions on the enactment of Pennsylvania's new Data Security law effective June 20, 2006.
Answers common questions on the enactment of Pennsylvania's Privacy of Social Security Number Act, an additional Data Security law passed by the state's legislature and effective December 26, 2006.
Social Security Number Authorization Form (PAR Form SSA) (scroll to bottom of page to link)
The safest and easiest way to avoid becoming entangled in either of these laws is to simply not collect Social Security Numbers from clients. The reality of many transactions is that this can't easily be avoided, as the real estate broker/agent is often expected to be the point of contact for submitting this information to other participants in the transaction. For those instances where it is necessary to collect a client's SSN, PAR Form SSA should be used. This form provides necessary authorization to the broker to collect and distribute the SSN as necessary, and it also serves as a single point of collection so you only need the number once on that form rather than having it filled in on multiple forms.
Two Pennsylvania Data Security laws became effective in June and December, 2006. These laws work in connection with existing state and federal laws governing the collection, storage and use of various types of consumer information. This Broker's Guide summarizes the relevant portions of these laws and regulations.
Sample policy drafted by PAR counsel. Note that brokers should NOT simply adopt this policy as written, but should consult with brokerage counsel in drafting a comprehensive data security policy based on your specific office practices and needs.
NAR has partnered with the Federal Trade Commission to promote this national program targeting identity theft. This page on the NAR Web site contains links to order the FTC brochure, articles to help you and your clients avoid ID theft, and a link to the NAR Field Guide on Identity Theft, which contains numerous other links.
The plan from the Pennsylvania Commission on Crime and Delinquency is a new initiative to make people more aware of identity theft, how to avoid it and what to do if they find they are a victim.
Any Web site that collects any information about users should have a privacy policy governing the use of that data, but the NAR VOW policy now requires that all VOW sites must have a privacy policy for users. Because the terms of a privacy policy are completely dependent on how information is gathered and used, it is difficult for PAR to draft a sample policy that would be usable by members. These links provide information about developing and implementing a privacy policy.
Basic information about privacy policies.
Not specifically directed to privacy policies, but includes interactive tutorial, brochures and articles relating to information privacy and security, and various other FTC resources related to the protection of personal information. Good general resource to help determine basic rules on what to collect and how to collect it.
Basic article on issues to consider when developing a privacy policy
OECD is an international organization (headquartered in France, with offices in several other countries including the US) dealing with various issues related to economic development. One of its ongoing projects is helping businesses to safeguard consumer information. The Privacy Statement Generator is an engine that allows a business to develop a model privacy policy by answering a series of questions about its privacy practices. The engine may be overly complex for many offices, but can be a good resource to understand the many different elements involved in creating a policy.
-- TECHNOLOGY ARTICLES --
Some helpful tips on how to protect sensitive data stored on your computer. Also includes links to a number of products and services that may help maintain client data security.
Article from the August 30, 2006 issue of USA TODAY describing problems with cell phone users who are unable to delete sensitive information from their phones or data devices (Blackberries, Treos, etc.).
Article from September issue of NAR's REALTOR Magazine discussing the importance of good passwords and providing some tips on how to create them.