(202) 349-8000
1250 24 th St NW · Suite 700 · Washington D.C. 20037
www.buckleykolar.com

NATIONAL HOME EQUITY MORTGAGE ASSOCIATION

Equity Update

www.nhema.org

NEW ILLINOIS BILL RAISES SERIOUS PRIVACY CONCERNS

Jacob G. Thiessen

Kirk D. Jensen

Buckley Kolar LLP

1250 24th Street NW, Ste. 700

Washington, DC 20037

(202) 349-8000

Illinois is poised to create a state-run database of sensitive consumer information, with no clear limits on the use of the information and no guarantees of the security of the database.

On May 31, the Illinois legislature passed a bill that would require (1) all brokers or originators; (2) all credit counselors; and (3) all title insurance companies or closing agents to report extensive information about mortgage loans made in Cook County. This information includes, but is not limited to, the borrower’s name, address, social security number, date of birth, credit score, and the borrower’s income and expense information. The information must be reported – even if a consumer requests that it not be.

The bill’s negative impact on the availability and cost of consumer credit rightly has been the focus of much criticism. See, e.g., Erick Bergquist, Ill. Poised to Vet Mortgage Applications, AM. BANKER, June 15, 2005. But the privacy risks posed by the bill have so far gone largely unnoticed.

First, the challenge of safeguarding all of this information may be too much for the Department of Financial and Professional Regulation, the agency that the bill makes responsible for maintaining the database. A recent state audit of the Illinois Office of Banks and Real Estate (a division of the Department of Financial and Professional Regulation) found, among other deficiencies, that “[a]ccess to the [agency’s] system was not effectively controlled. We identified former employees with active access rights and staff with excessive rights based on job duties.” See http://www.state.il.us/auditor/Banks%2004.htm. Recent highly publicized cases of security breaches by major financial institutions and other holders of sensitive data show the difficulties that even institutions with sophisticated procedures and technology face in safeguarding consumer information. The combination that the bill would create – a database full of non-public information in the hands of a regulator with documented
inadequacies in the most basic aspect of security, employee system access – practically invites another ChoicePoint or MasterCard situation, only this time at taxpayer expense.

Perhaps more troubling, the bill creates no clear limits on how the database is to be used. The bill’s stated purpose is to collect information to combat predatory lending, but nowhere does the bill impose any limits on the state entities that can have access to the information. It does not even create procedural safeguards in connection with such access, much less substantive limitations on what the state of Illinois can do with the information. In a society where limited government access to library records has created heated public debate, we are surprised that this sort of information-gathering has attracted so little criticism.

The governor has until the first week of August to sign the bill. According to published reports, the governor intends to do so. Given the major privacy concerns raised by the bill, the governor should reconsider.