A&B ABstract: Servicers should be aware of changes being made to the Department of Defense’s (“DoD”) Servicemembers Civil Relief Act (“SCRA”) website in response to a complaint that the DoD failed to protect the privacy of servicemembers’ personal information.
The SCRA provides certain financial and legal protections to active duty service members. Servicers are encouraged to identify and verify eligible populations of active duty servicemembers to ensure they are obtaining the relief benefits to which they are entitled. Under scrutiny for failing to protect the personal information of servicemembers, the DoD is making changes to the SCRA website database that may impact how servicers identify and verify eligible servicemembers.
The complaint alleged that the DoD’s SCRA website violates the Administrative Procedures Act and the federal Privacy Act of 1974 (which regulates how the federal government may collect, maintain, use and disseminate personal information about citizens and permanent residents).
Specifically, the Vietnam Veterans of America, New York State Council, Vietnam Veterans of America Chapter 7, and Thomas Barden (“Plaintiffs”) alleged that the SCRA portal leaves a servicemember’s private information unprotected. (Private information on the site includes dates of active duty service; specific dates on which a reservist, guardsman or individual not currently on active duty has been called up for future active duty; the specific component of the military in which an individual served; and confirmation that the individual served on active duty.) Further, Plaintiffs asserted that the DoD is violating the Federal Information Security Modernization Act by failing to comply with policies that strictly limit the use of social security numbers (“SSNs”). Finally, Plaintiffs asserted that the SCRA website’s purpose is only to determine whether someone is protected by the SCRA; Plaintiffs had no objections to limited disclosure of information for legitimate SCRA purposes.
The Settlement Agreement
The parties reached a settlement agreement (“Agreement”) on October 1, 2019. The Agreement requires the DoD to
On or before October 31, 2019, the Agreement requires all users to register for an account on the SCRA website in order to run searches (i.e., single-record or batch searches). DoD will collect the name, mailing address and company name of every user as part of the account creation process.
DoD Obligations under the Agreement
The Agreement also imposes a series of obligations on the DoD. First, on or before October 31, 2019, the Agreement required the DoD to:
- Implement analytics to monitor the use of the SCRA website in order to: (i) identify, among other things, patterns of misuse that would indicate a user is attempting to misuse the database; and (ii) flag accounts that are searching the same name against multiple SSNs (or vice versa); and
- Adopt a procedure to investigate potential misuse and for deactivation of accounts.
Second, within three months after the date of the Agreement, the DoD will:
- Add language to the SCRA website to discourage collection of SSNs for third-party users of the SCRA website, where the sole purpose for using the website is for SCRA verification; and
- Post a reasonable notification on the SCRA website stating that changes are made to prohibit misuse, including for non-SCRA commercial purposes, with the language set forth in Appendix C of the Agreement.
Finally, the Agreement requires DoD to:
- Publish a new Systems of Records Notice in the Federal Register that specifies the circumstances in which information may be disclosed through the SCRA website; and
- Subject to applicable laws and regulations, provide quarterly reports to Plaintiffs for two years.
Specifically, the required reports must list: (i) the company name of active users, (ii) information on volumes of searches per active user, (iii) the number of suspected and terminated accounts, (iv) the company names of suspended and terminated accounts, so long as those company names would not identify individuals, and (v) a description of the back-end analytics that have been implemented, and the results thereof.
To the extent that the DoD publishes the procedures it is obligated to adopt for investigation of potential misuse, such procedures should provide additional clarity. In the meantime, servicers should review their existing policies and procedures for conducting SCRA searches to ensure appropriate guardrails are in place to prevent the unintentional misuse of the SCRA website.