I'm trying to determine if an encrypted email is required when delivering 1-4 family, residential appraisals to borrowers. It seems that an email, sent to a verified email address, is often times more secure than sending postal mail. I've received more incorrectly delivered physical mail than email. Does anyone have any guidance on this?

Thank you for your time!

Do you really think that unencrypted e-mail that contains any customer information a wise choice??

I guess I don't see the difference between an unencrypted email and postal mail. Aside from the fact the email would be sent to a verified email address that will receive the appraisal--postal mail is often returned with undeliverable addresses or even incorrectly delivered.

Because e-mail is hacked all the time.

And because there is an established legal status protecting U.S. Mail with substantial consequences for the crook who is caught messing with it.

I would argue stealing postal mail is much more likely and easier to carrry out. Also, the CFAA (Counterfeit Access Device and Computer Fraud and Abuse Act) of 1984 and The Electronic Communications Privacy Act of 1986 protect against unlawfully hacking any computer connected to the internet and against unlawfully intercepting electronic communications. The CFAA allows for sentences of up to 20 years and for fines of up to $250,000 (http://www.pbs.org/wgbh/pages/frontline/shows/hackers/blame/crimelaws.html) I'm not trying to be difficult here, and I understand the vulnerabilities of unecrypted mail--I'm just not sure they are much different than physical mail. Is there any regulatory requirement that demands the use of encrypted email?

Make all the arguments that you want to, but the regulators are going to have you for lunch under the GLBA for sending customer information out in unsecured environment or in an unencrypted format. You have no arguments for that situation.

I don't follow your logic.
GLBA doesn't seem to apply because NNPI isn't being disclosed to anyone--the borrower is receiving their own information to a verified email address.

Is the burden on the institution to ensure criminals don't violate the law? If that's the case all coorespondence would need to be either hand delivered or sent certified mail. Why is standard postal mail given a pass?

Do you know of any cases involving regulatory findings associated with appraisal delivery via unencrypted email?

The disscussion is greatly appreciated!

The fact that the applicant has applied to the bank for a mortgage loan, is under contract to buy a specific piece of property, etc., is not ????? I guess your definition would be different than mine then.

But hey - have at it. Only your examiners are going to break this tie.

GLBA most certainly applies: the fact that a particular person is a customer of your bank is, in itself, NPPI.

Email is hacked every day. That's why anything important or private MUST be encrypted. Sending unencrypted email is unwise and unsafe.

The burden on the Financial Institution is to protect the customer's privacy. You cannot do that if you are sending them unencrypted email containing anything about their finances.

Standard postal mail is NOT "given a pass". Title 18 U.S. Code Section 1708 provides for imprisonment of up to 5 years for theft of mail.

I 100% agree with Randy's and John's opinions posted above.

While not banking-related, there have been lawsuits in the medical arena over physicians sending unencrypted emails to patients containing private healthcare information (in violation of HIPAA and the HITECH Act). I think GLBA is very analogous to HIPAA and HITECH.

I would *always* rather err on the side of caution. If I'm ever in doubt of sending email encrypted, I ask myself, "Is there anything at all in this email I wouldn't want publicly available on a billboard?" If the answer is even remotely yes, then it gets encrypted. If your IT department is making it difficult for you to encrypt the email, then THAT is the problem. Talk to IT and get the process streamlined. It should be a matter of a few seconds to click a button and encrypt and send. Your customer's privacy is surely worth that moment of your time.

See also:

http://www.progressinlending.com/TME0412/TME0412-35.pdf

which specifically discusses that attaching appraisal data to an unencrypted email is a violation of federal law.

I would however like the citation for the $100,000 penalty and violation of Federal law as claimed in the article.

The Gramm-Leach Bliley Act itself sets forth the $100,000 per violation dollar figure.

Care to break it down for me through specific citations? I don't see any fines in 18 USC for organizations that start at $100,000.

Of course, then give me just one example of any such fine being imposed?

I'm not too impressed with empty threats. It is like the new $2,000 penalty for every flood violation. Heck, they never ever assessed the old $385 penalty and still have not.

I'm not one to cite monetary penalties that are never assessed.