Data breaches have long been an important concern for the legal community. With each breach, not only does the personal information of innocent parties become exposed and potentially compromised, but the organizations responsible for allowing the breach are exposed to a myriad of legal implications. A prime example of this is the recent data breach at home loan provider Southwest Funding. This is one of the latest in a slew of data breaches that have affected the financial industry.
Details of the Southwest Funding Data Breach
This past May, security expert Jeremiah Fowler discovered a publicly accessible database on the internet containing nearly 700,000 records of customer home mortgage loan data. Secure Thoughts exposed the breach of Southwest Funding, a home-loan company based in Texas with 80 branches across the United States. Fowler was able to access this data without any username or password. While the data did not appear to expose any unencrypted Social Security numbers, it did expose a lot of personally identifiable information, such as customer names, email addresses, physical street addresses and loan account numbers.
This breach included information from people who had applied for a mortgage from the company, those who were considering making an application, as well as the current status of their applications. Other data exposed included internal company information relating to the loans as well as configuration data relating to the company’s computer systems.
Perhaps the most troubling aspect of the data breach was that Fowler found indications that attackers had not only accessed the database but had also manipulated it to include elements of a ransomware attack. These elements included a demand for a payment in bitcoin.
According to Fowler, he contacted Southwest Funding soon after discovering the breach, and the company quickly removed public access to the database. At the same time, Fowler asserts that the company has so far refused to comment on the breach, and that it is not clear whether it has informed its customers of the breach.
But they might not have a choice in the matter.
Legal Implications of the Data Breach
At the beginning of this year, Texas amended the state’s Identity Theft Enforcement and Protection Act. Previously, the law only required companies to inform state residents affected by a data breach “as quickly as possible,” but it now requires companies to inform state residents affected by a breach within 60 days of its occurrence. It also imposes serious financial penalties upon companies failing to comply. This includes a fine of up to $100 per person or $250,000.
The amendment further requires companies to notify the state’s attorney general of a data breach if the breach impacts more than 250 Texas state residents, which is likely the case in this particular instance. Notification requirements include a detailed description of the breach, the number of state residents that the breach affected, the measures that have so far been taken regarding the breach, the measures that will be taken in the future regarding the breach, and an indication of whether the company has notified law enforcement of the breach.
It should be noted that these notification requirements are not unique to the state of Texas. According to the National Law Review, the amendment to the law puts the state in line with other states that have implemented similar laws. So, it is likely that Southwest Funding will have to notify more than just Texas residents and the Texas state attorney general regarding the breach.
Data breach notification laws affect all companies that handle sensitive customer data, so these companies must not only be aware of the multitude of such laws but also be ready to comply with them in the event of a breach.
Services and sites like “have i been pwned?” can assist in searching for your email in data breaches, but in this case Jeremiah Fowler did not save the data and submit it, so there is nothing to cross-reference. If you have applied for a mortgage with Southwest Funding, or considered applying for one, you should be proactive and contact the company if you are concerned your personal information was exposed.