Of Interest

Stay in compliance with the ever-expanding web of mortgage & consumer lending regulations

Recent Posts

Changes to the Department of Defense’s SCRA Website Database Could Impact Servicers

BY: Nanci Weissgold
Supreme Court

A&B ABstract: Servicers should be aware of changes being made to the Department of Defense’s (“DoD”) Servicemembers Civil Relief Act (“SCRA”) website in response to a complaint that the DoD failed to protect the privacy of servicemembers’ personal information.

Discussion

The SCRA provides certain financial and legal protections to active duty service members.  Servicers are encouraged to identify and verify eligible populations of active duty servicemembers to ensure they are obtaining the relief benefits to which they are entitled.  Under scrutiny for failing to protect the personal information of servicemembers, the DoD is making changes to the SCRA website database that may impact how servicers identify and verify eligible servicemembers.

The Complaint

The complaint alleged that the DoD’s SCRA website violates the Administrative Procedures Act and the federal Privacy Act of 1974 (which regulates how the federal government may collect, maintain, use and disseminate personal information about citizens and permanent residents).

Specifically, the Vietnam Veterans of America, New York State Council, Vietnam Veterans of America Chapter 7, and Thomas Barden (“Plaintiffs”) alleged that the SCRA portal leaves a servicemember’s private information unprotected. (Private information on the site includes dates of active duty service; specific dates on which a reservist, guardsman or individual not currently on active duty has been called up for future active duty; the specific component of the military in which an individual served; and confirmation that the individual served on active duty.)  Further, Plaintiffs asserted that the DoD is violating the Federal Information Security Modernization Act by failing to comply with policies that strictly limit the use of social security numbers (“SSNs”).  Finally, Plaintiffs asserted that the SCRA website’s purpose is only to determine whether someone is protected by the SCRA; Plaintiffs had no objections to limited disclosure of information for legitimate SCRA purposes.

The Settlement Agreement

The parties reached a settlement agreement (“Agreement”) on October 1, 2019.  The Agreement requires the DoD to

make significant changes to the SCRA website to enhance security of the site and better protect the personal information of servicemembers while restricting access, pursuant to the website’s “Terms of Use,” to those individuals and entities who are using the website for its intended purpose, so as to ensure the website achieves its intended purpose.

On or before October 31, 2019, the Agreement requires all users to register for an account on the SCRA website in order to run searches (i.e., single-record or batch searches). DoD will collect the name, mailing address and company name of every user as part of the account creation process.

DoD Obligations under the Agreement

The Agreement also imposes a series of obligations on the DoD.   First, on or before October 31, 2019, the Agreement required the DoD to:

  • Implement analytics to monitor the use of the SCRA website in order to: (i) identify, among other things, patterns of misuse that would indicate a user is attempting to misuse the database; and (ii) flag accounts that are searching the same name against multiple SSNs (or vice versa); and
  • Adopt a procedure to investigate potential misuse and for deactivation of accounts.

Second, within three months after the date of the Agreement, the DoD will:

  • Implement Terms of Use Language as provided for in Appendix A of the Agreement (which restricts the purposes for which the site may be accessed, and sets penalties for violations), and require users to agree to the terms and certify under penalty of perjury that they are using the website for permissible purposes;
  • Add language to the SCRA website to discourage collection of SSNs for third-party users of the SCRA website, where the sole purpose for using the website is for SCRA verification; and
  • Post a reasonable notification on the SCRA website stating that changes are made to prohibit misuse, including for non-SCRA commercial purposes, with the language set forth in Appendix C of the Agreement.

Finally, the Agreement requires DoD to:

  • Publish a new Systems of Records Notice in the Federal Register that specifies the circumstances in which information may be disclosed through the SCRA website; and
  • Subject to applicable laws and regulations, provide quarterly reports to Plaintiffs for two years.

Specifically, the required reports must list: (i) the company name of active users, (ii) information on volumes of searches per active user, (iii) the number of suspected and terminated accounts, (iv) the company names of suspended and terminated accounts, so long as those company names would not identify individuals, and (v) a description of the back-end analytics that have been implemented, and the results thereof.

Takeaways

Based on the Terms of Use reflected in the Agreement, servicers may only use the SCRA website for purposes of ensuring that servicemembers receive SCRA protections.  Servicers may run multiple searches in the SCRA website throughout the life of a loan.  In fact, some investors require searches on a quarterly basis.  While servicers should be permitted to continue good faith searches conducted for purposes of ensuring SCRA protections are afforded, it is unclear whether excessive searches (even if conducted for good faith purposes) could nevertheless constitute misuse of the website and result in account termination.

To the extent that the DoD publishes the procedures it is obligated to adopt for investigation of potential misuse, such procedures should provide additional clarity.  In the meantime, servicers should review their existing policies and procedures for conducting SCRA searches to ensure appropriate guardrails are in place to prevent the unintentional misuse of the SCRA website.

Share to...