Protecting Our Data
Fannie Mae and our business partners have a shared responsibility to protect both our own proprietary business data and nonpublic personal information (NPI) such as mortgage borrower data.
We at Fannie Mae are entrusted with a significant amount of industry and borrower data, and we have a rigorous information security program to help protect it. We also have specific requirements for our business partners to follow in the event of a data breach (including a ransomware attack).
What to do if you experience a data breach
You just learned your business experienced a data breach. Now what?
Here are some reminders and guidance on what to do if your business experiences a data breach (including a ransomware attack), whether you are a seller/servicer, vendor, or other Fannie Mae business associate.
What is a data breach?
A data breach is any unauthorized access to, or use, disclosure, alteration, transfer, or destruction of, confidential information or nonpublic personal information (NPI).
Take action.
Move quickly to determine the reason for the breach, secure your systems, and fix vulnerabilities that may have caused the breach.
Let us know.
Sellers and Servicers
Fannie Mae sellers and servicers are bound by the provisions of the Selling Guide A3-2-01, Compliance With Laws (Compliance with Fannie Mae Data Breach Incident Requirements), including:
Notify Fannie Mae’s Privacy Office by email of any incident as soon as reasonably practicable. Notification must be within 72 hours if the data breach
- affects 10 or more borrowers,
- requires notice to state agencies or other regulatory bodies designated by privacy and data security breach laws, or
- involves the intentional unauthorized access or misuse of borrower NPI.
The notice must include:
- A detailed description of the scope of the incident, including the number of impacted individuals and states where they reside.
- A description of the related NPI.
- The root cause (if known).
- The response plans.
Service Providers
Fannie Mae Service Providers are bound by the provisions of their contract with Fannie Mae and/or the scope of work. Compliance includes:
Notify Fannie Mae’s Privacy Office by email of any incident as soon as reasonably practicable. Notification must be within 24 hours after the Service Provider becomes aware of the data breach.
The notice must include:
- A detailed description of the scope of the incident, including the number of impacted individuals and states where they reside.
- A description of the related NPI.
- The root cause (if known).
- The response plans.