Consumer Privacy Law Compliance
Essent Complies With GDPR, CCPA, and Other Consumer Privacy Laws
Essent is an early adopter and proponent of clear, concise privacy policy and terms of use and welcomes the high standards established by the General Data Protection Regulation (GDPR), a set of laws passed in the European Union, the California Consumer Privacy Act (CCPA), and other consumer privacy laws.
The GDPR took effect May 25, 2018, to heighten standards for personal privacy for Europeans, and the CCPA took effect January 1, 2020, with similar protections for Californians.
Under the GDPR and CCPA, organizations that store Personally Identifiable Information (PII) of European and California citizens, respectively, must meet new requirements for the protection of personal data. The laws also enhance requirements for transparency about how personal data are collected, retained, and used.
Essent is deeply experienced in protecting personal data and we’ve incorporated GDPR into our framework for protecting the personal data not just of European citizens, but of everyone who uses Essent products and services.
As such, we’ve updated our Master Terms of Use, which includes our Master Services Agreement, Breach Notification Policy, and Privacy Policy. The documents are now clearer and more transparent in describing how we handle and protect personal data.
We are committed to keeping private data private.
What is Personally Identifiable Information?
Personally Identifiable Information (PII) is information that can be used to identify an individual, whether the information is used alone or combined with other information (e.g. SSNs, name, DOB, home address, home email).
A single piece of information can reveal an individual’s identity, but it is more likely that a combination of information reveals an identity. Even information as sensitive as payment card data may not fully identify an individual, or may not be useful, without being linked to some other personal data such as a full name or a citizenship identifier like a Social Security Number or a National Insurance Number.
Information that is not PII can become PII if new information becomes available. For example, a common last name like Smith refers to tens of thousands of people and is unlikely to identify an individual. Combined with new information such as a first name and an address, however, it can reasonably be used to identify an individual.
The Approach to Protecting PII
The aim of personal data protection is therefore to protect not just any single type of information, but the wide variety of information that may combine with other information to identify an individual.
This is a comprehensive effort to protect all types of information, one that includes policies, training, controls, monitoring, notifications, and more, together with the vigilant practice and implementation of them.
Essent has long advocated and implemented comprehensive security features for large sets of data, and applauds the goals of GDPR to standardize such comprehensive protection.
Agreements and Privacy
The Essent Master Terms of Use clearly articulate how Essent collects, stores, and uses personal data, as well as other data, adhering to requirements of consumer privacy laws. The Terms of Use furthermore clearly articulate the terms and conditions for use of the data.
Some documents, like the Essent Master Services Agreement, include terms and conditions that are entered into by signature. Other documents, such as the Essent Privacy Policy, include terms and conditions that are entered into by certain actions, such as using a website.
The terms and conditions are spelled out in the Master Services Agreement, the Privacy Policy, and the Data Breach Notification Policy – together, the Master Terms of Use.
Infrastructure Security
Consumer privacy laws like the GDPR and CCPA call on organizations to implement appropriate security measures to protect personal data, and many are measures that Essent has implemented for years.
Essent Cloud and Hosting Services are designed to provide security, including secure collection, storage, and processing of personal data.
Essent software subscription services are hosted by Essent at one or more facilities and accessed remotely via the Internet. Essent hosting services are designed to be extremely reliable and employ state-of-the-art information technology patterns and practices. Specifically:
Facilities
Some features of Essent facilities specific to the protection of private data, including Personally Identifiable Information and Payment Card Information, include:
- The architecture is designed for the protection of sensitive data and complies with Payment Card Industry Data Security Standards.
- The facilities are physically secured in stand-alone, masonry structures dedicated to hosting and all equipment is cordoned and isolated.
- The facilities are staffed 24x7x365 by technical and security personnel, and physical access to each facility is restricted to named personnel with keycards and photo identification.
Monitoring
Essent employs 24x7x365 network monitoring to guard against threats and vulnerabilities to sensitive data, including Personally Identifiable Information.
Essent performs monitoring using both commercially available and proprietary network monitoring tools. This includes the Essent NetSet network monitoring service and firewall, which was designed and developed by Essent.
Testing
Users and systems are tested annually to determine their incident response capability and effectiveness. Essent meets annually for a tabletop exercise designed to test the breach response procedure and to help ensure that members of the Response Team are familiar with the plan and understand their specific roles.
Training
Essent protects the information entrusted to it. Security and privacy training must be completed before access to information is granted, and annually thereafter, to ensure individuals are up to date on the proper handling of PII. Security and Privacy Awareness training is provided by Essent. Failure to complete required training results in denial of access to information.
Access Control & Encryption
Essent software includes integrated security management based on access control and encryption, including:
Access Control
Access is controlled through user accounts with assigned passwords and permissions.
The permissions define who has access to which portions of the system and therefore who has access to which information, including PII. For example, a manager or administrator might have access to many modules and information sets while sales representatives might have access only to modules and information needed to perform their role.
Essent employees likewise are provided access only to the modules and information needed to perform their roles, and not more. This limits the exposure of the data so that it’s much less likely that information is made available in personally identifiable or risky combinations.
Encryption
The Essent Business Management System supports advanced security protocols including Virtual Private Networks (VPN) and NSA (United States National Security Agency) C2-Level Encryption Algorithms.
The Essent SiteBuilder web content management system enables Hypertext Transfer Protocol Secure (HTTPS) via a Secure Sockets Layer (SSL) certificate, which provides an encrypted link between a web server and a web browser.
In other words, information that is at rest or in transit between a SiteBuilder website and a person viewing it is protected with encryption, as is information that is at rest or in transit from the Essent Business Management System to a SiteBuilder website.
This includes customer and user information, including Payment Card Information and Personally Identifiable Information.
Summary
Essent supports the goals of the General Data Protection Regulation and the California Consumer Privacy Act and has incorporated those and other consumer privacy laws and standards into our framework for data protection.
We are deeply experienced in protecting sensitive data, including personal data, and long have implemented many of the standards that new consumer privacy laws call for.
We employ a comprehensive approach to protecting Personally Identifiable Information, as well as other sensitive and even not-so-sensitive information. The approach guards against the breach of information that can reveal an individual’s identity and, just as importantly, of information that can reveal an individual’s identity when combined with other information.
Our Master Terms of Use – including our Master Services Agreement, Privacy Policy, and Data Breach Notification Policy – clearly articulate how we collect, store, and process sensitive data and have been updated to incorporate the latest consumer privacy laws.
In practice, though, Essent has long implemented the measures called for in the GDPR. Our infrastructure, monitoring, testing, training, access control, and encryption are well positioned to accommodate the requirements of the new consumer privacy laws, GDPR and CCPA, which we wholeheartedly endorse.