Millions of Americans may soon become part of an expanded government database that would give two federal regulatory agencies an up-close and personal (perhaps too up-close and personal) view of their private financial lives that, if breached, could make for a really bad day for a whole lot of people.
The seed for this proposed database expansion was buried in the 261-page Housing and Economic Recovery Act of 2008; a requirement that the Federal Housing Finance Agency monitor the National Mortgage Database, and expand it, to provide a monthly report on the state of the mortgage market.
That didn't sound unreasonable.
All the information collected in the expanded NMD would be shared with the Consumer Financial Protection Bureau, and also used in an annual report on the mortgage market presented to Congress. Again, not unreasonable.
CFPB Director Richard Cordray's Jan. 28 testimony before the House Financial Services Committee included a clear statement that the database would aggregate information -- but that there would be no personal identifiers attached to it. Anonymized data has become the coin of the realm and certainly can be helpful if utilized properly.
However, there's much more to the story.
Too Much Information
The National Mortgage Database was started in 2012, and tracks "first-lien single-family mortgages in existence any time from January 1998 forward."
According to the Washington Examiner, the National Mortgage Database contained information on at least 10.1 million mortgage holders as of July last year, and the FHFA has two contracts with CoreLogic, which says it has the industry's "largest, most comprehensive active and historical mortgage databases of over 227 million loans." Cordray confirmed that NMD was using data from CoreLogic.
While such a large trove of financial data stored in one place would be worrisome, the fact that the data points were aggregates disconnected from particular people made it acceptable.
Then on April 16, the FHFA and CFPB posted a notice to the Federal Register, the daily journal of the U.S. government, which detailed a policy shift regarding the kinds of data that would be included in the expansion of the National Mortgage Database. It beggared the imagination.
The proposed expansion would allow the FHFA and the CFPB to see more information than most people can remember about themselves, including your name, current and past addresses, your telephone numbers, your date of birth, race/ethnicity, gender, the languages spoken in your home, your religion, your Social Security number -- even your education records, military status/records, and employment history. Additionally, it would include every detail of your financial history stretching back to 1998, including balances owed, payment history, how much you paid for your house, your debt-to-income ratio and a gaggle of other data points.
On May 15, Rep. Jeb Hensarling (R-Texas), chairman of the House Financial Services Committee and Sen. Mike Crapo (R-Idaho), the ranking Republican on the Senate Banking, Housing and Urban Affairs Committee issued a letter proclaiming the expansion, "an unwarranted intrusion into the private lives of ordinary Americans."
Data Security & the Threat of Cyber Attack
While there is some overlap in sentiment with Hensarling and Crapo, I also see the wisdom of the provision in the Housing and Economic Recovery Act of 2008. Given the massive failure of regulatory bodies to prevent a financial crisis that created a recession and nearly destroyed America's reputation in global financial markets, regular check-ups are a very good idea.
That said, we are in the middle of a cyber war with an enemy we barely understand. The Pentagon's annual report to Congress released May 6 explicitly pointed to China in describing the threat of cyber attacks. But China isn't the only threat. Hackers are everywhere, and they have different reasons for wanting access to your files and personal information.
An expanded National Mortgage Database would be like El Dorado for every kind of cyber attacker out there, the information not only being of value to identity thieves, but potentially as part of a full-spectrum attack on U.S. financial markets.
While the threat of cyber attacks grows, we need to be very careful about the kind of information we aggregate and store in any one place. Unfortunately, attacks are a given, breaches are the third certainty in life and until that is no longer the case, until we can be absolutely certain that the information we collect is safe, we should be exceedingly mindful about avoiding the data equivalents of a Pandora's Box.