Legal Requirements to Protect a Client’s Personal Information
K. Michelle Lind
Real estate professionals may receive a variety of personal information from their clients and customers in connection with a real estate transaction, especially if the transaction is a short sale. As a result, real estate brokers and salespersons should ensure that their business practices protect this personal information and comply with the laws designed to prevent identity theft.
Identity theft occurs when a person fraudulently uses a victim’s personal identifying information to access the victim’s bank account, obtain a loan or credit card, purchase goods or services, or use the victim’s name in illegal activities or if arrested. Identity thieves obtain a victim’s personal information in a variety of ways, such as searching through trash for discarded information, using a data storage device to capture credit or debit card information at point of purchase, email scams, hacking into computers or bribing an employee for access to business records. Identity theft is a class 4 felony. A.R.S. §13-2008
Arizona has the highest per capita rate of reported identity theft complaints in the nation according to the Federal Trade Commission (FTC) with 149 complaints per 100,000 population. The FTC top 50 metropolitan areas for identity theft complaints in 2008 include the following Arizona cities: Flagstaff (18), Yuma (28), Phoenix-Mesa-Scottsdale (38), Lake Havasu-Kingman (41), Prescott (47), Tucson (48), Sierra Vista-Douglas (50). (FTC Consumer Sentinel Network Data Book for 2008: www.ftc.gov/sentinel/reports.shtml.) Due to the widespread threat of identity theft, there are numerous state and federal laws designed to address the problem.
A.R.S. §44-7601 commonly referred to as the “shredding law” prohibits an entity from knowingly discarding or disposing of documents that contain a person’s first name/initial and last name in combination with the person’s:
· social security number
· credit card, charge card or debit card number
· retirement account number
· savings, checking or securities entitlement account number
· driver license number or non-operating identification license number
without redacting the personal information or destroying the documents.
The law may be enforced by either the county attorney or the Attorney General. The civil penalty for each violation of improper discarding or disposal of records or documents is $500 for a first violation, $1,000 for a second violation, and $5,000 for a third or subsequent violation.
The legislation specifies that an entity will be deemed in compliance if it maintains and complies with its own procedures that are consistent with the requirements of this law. Therefore, brokers should consider adding such procedures to their policy manuals.
Notification of Unauthorized Access to Computerized Personal Information
A.R.S. §44-7501 requires that a person conducting business that owns or licenses unencrypted computerized data that includes personal information, who becomes aware of an incident of unauthorized acquisition of the data, to conduct an investigation to promptly determine if a breach of the security system has occurred. “Personal information” is defined as a person’s first name/ initial and last name in combination with any one or more of the following, when the data element is not encrypted, redacted or secured by any other method rendering the element unreadable or unusable:
· social security number
· driver license or non-operating identification license number
· financial account number or credit or debit card number in combination with any required security code that would permit access to the individual’s financial account
If the person determines that there has been a breach in the security system the person must notify the individuals affected.
Additionally, a person that maintains unencrypted computerized data that includes personal information that the person does not own, must notify and cooperate with the owner or the licensee of the information following any security breach of the system. The person that owns or licenses the computerized data is then obligated to provide notice to the individuals affected. The person that maintained the data under an agreement with the owner or licensee is not required to provide notice to the individuals affected, unless the agreement stipulates otherwise.
Brokers that own or license unencrypted personal computerized data should consider a policy to comply with these notification requirements. This law may only be enforced by the attorney general. The attorney general may bring an action to obtain actual damages for a willful and knowing violation and a civil penalty of up to $10,000 per security breach of the system.
Other Identity Theft Laws
A.R.S. §44-1698 allows a person to request that consumer credit reporting agencies place a security freeze on the person’s credit report or credit score. If a security freeze is in place, a consumer reporting agency may not release the person’s credit report or credit score to a third party without the person's prior express authorization. A.R.S. § 44-1698.01 specifies that a person who does not use a credit report in connection with the approval of credit, may not lend money or extend credit without taking reasonable steps to verify the consumer's identity and confirm that the application for an extension of credit is not the result of identity theft.
Other identity theft related laws include:
· SPAM Law A.R.S. §44-1372
· Retailer Use of Personal information A.R.S. §44-7701
· Judicial Determination of Innocence due to Identity Theft A.R.S. §12-771-773; 13-4440
All of these state laws are available at: www.azleg.state.az.us/ArizonaRevisedStatutes.asp.
Federal Red Flag Law
The FTC, along with several other federal agencies, issued rules implementing section 114 of the Fair and Accurate Credit Transactions Act of 2003 (FACT Act) that are referred to as the “Red Flag Rules.” A real estate broker or salesperson that uses credit reports, provides credit or regularly arranges for credit to be extended may be subject to some of the requirements.
The NATIONAL ASSOCIATION OF REALTORS® (NAR) has resources discussing the Red Flag rules, including a Q&A specific to real estate agents, which are available at: www.realtor.org/government_affairs/factact_identitytheft. According to the NAR Q&A, real estate brokers or salespersons that:
· use credit reports as part of their business must comply with the address discrepancy provisions of the Red Flag Rules
· provide credit as part of their business are covered as a “creditor” and must comply with the identity theft provisions of the Red Flag Rules.
· regularly arrange for credit to be extended, i.e., pulling credit reports, suggesting potential lenders, and assisting in the loan application process, may also be considered a “creditor” under the Red Flag Rules, but may have fewer requirements.
For more information contact:
· Scott Rinn, NAR Business Issues Policy Representative, Regulatory and Industry Relations at 202-383-7508 or firstname.lastname@example.org or
· FTC Bureau of Consumer Protection, Division Privacy and Identity Protection at 202-326-2252 or visit the FTC website at: www.ftc.gov/bcp/edu/pubs/business/alerts/alt050.shtm.
Protect Clients and Customers from Identity Theft
The Phoenix Police Department gives the following guidance to protect clients and customers from identity theft:
· Keep all documents containing personal information of your clients, customers and employees under lock and key.
· When personal information is held within a computer, ensure that it can only be accessed and tracked by authorized personnel using passwords and is protected with an appropriate level of security/fire walls. When the information has been transferred to the computer, any handwritten information should be shredded.
· Shred customer personal or account information and receipts before discarding them. Consider keeping shredders within reach of those employees who handle personal/account information on a regular basis.
· Create policies to restrict the handling of customer information to a limited number of employees.
· Customer personal information such as credit applications, sales receipts/carbon copies should not be temporarily kept within reach of the casual observer. This will help to deter theft by criminals or corrupt employees. Provide a secure receptacle for employees and citizens to throw out applications/receipts or provide informational signs advising them not to carelessly discard these documents.
As Arizona’s Attorney General stated: “Identity theft is a crime of convenience. Together we can make it inconvenient for identity thieves to operate in Arizona.”
AAR General Counsel Michelle Lind is a State Bar of Arizona board certified real estate specialist and the author of Arizona Real Estate: A Professional’s Guide to Law and Practice.
This article is of a general nature and may not be updated or revised for accuracy as statutory or case law changes following the date of first publication. Further, this article reflects only the opinion of the author, is not intended as definitive legal advice and you should not act upon it without seeking independent legal counsel.