FHFA Director Bill Pulte’s (Director Pulte) public actions regarding referrals of mortgage fraud to the Department of Justice have been prominent in the news cycle. This series analyzes an aspect of these actions that has received less attention: privacy law implications. This article will discuss some basic aspects of the primary privacy law that applies to FHFA and Director Pulte as a federal official, the Privacy Act of 1974 (the Act). 5 U.S.C. § 552a et seq.
The basic privacy right for individuals in the Act is simply stated: “[n]o agency shall disclose any record which is contained in a system of records by any means of communication to any person, or to another agency, except pursuant to a written request by, or with the prior written consent of, the individual to whom the record pertains.” 5 U.S.C. § 552a(b). But the devil is in the details. There are a host of exceptions in the Act that, if properly followed, allow a federal agency to disclose your private information to another person or agency. There are also limits built into the Act about what an individual can do about a violation of this right.
Records and Personally Identifiable Information
The Act keys on the definition of a “record” to describe information that must not be disclosed unless authorized. 5 U.S.C. § 552a(a)(4). A record includes “financial transactions” that contain “name, or the identifying number, symbol, or other identifying particular assigned to the individual.” “Other identifying particular[s]” are generally called personally identifiable information (PII). The Act covers the lifting of information from an official record and inserting it into another document which is then disclosed. Jacobs v. Nat’l Drug Intelligence Ctr., 423 F.3d 512 (5th Cir. 2005); Orekoya v. Mooney, 330 F.3d 1 (1st Cir. 2003).
All of the referral letters include names, but name is not the only potential PII covered by the Act. Physical addresses are covered. Reuber v. United States, 829 F.2d 133 (D.C. Cir. 1987); Quinn v. Stone, 978 F.2d 126 (3d Cir. 1992). The James referral and Schiff referral include the unredacted address, but appear to have been disclosed initially by the press. A key question for these would be what role FHFA played in the public release of these letters, as at least some courts have concluded that agency involvement in a press disclosure of PII can be a violation of the Act. Hatfill v. Gonzalez, 505 F. Supp. 2d 33, 35-39 (D.D.C. 2007).
The Cook referrals have been disclosed by Director Pulte himself on his X account, but have the physical addresses redacted. However, they still contain unredacted zip code, loan amount, building name, and unit number information. Whether these are direct enough identifiers to be covered by the Act would be a key question, as some courts have held that information that must be combined with other outside information in order to identify a person is not covered. Fleming v. U.S. R.R. Ret. Bd., No. 01 C 6289 (N.D. Ill. Feb. 21, 2002). The unit number combined with the building name is highly re-identifiable information. Neither is included in public mortgage datasets, appraisal datasets, or securities disclosures for this reason. Loan amount is another highly re-identifiable piece of information. The public Home Mortgage Disclosure Act (HMDA) data, for example, does not include specific loan amount because of the ease of identifying an individual with that information and some information about the location of the property. FHFA applies this HMDA privacy rule for loan amount in its Public Use Database and a similar rule in the appraisal dataset that is still hosted but has not been updated under Director Pulte’s tenure. Fannie Mae and Freddie Mac also apply a similar rule in their securities disclosures.
Three Potential Disclosures in Director Pulte’s Recent Actions
In FHFA and Director Pulte’s recent actions there are three relevant disclosures for individuals with publicized referrals: (1) a disclosure of information to another agency for potential enforcement (such disclosures are typically made privately to avoid unlawful disclosure under the Act); (2) a disclosure of the referral to the public by the press (if FHFA were involved); and (3) a disclosure of information to the public through Director Pulte’s X social media account and other public media channels by FHFA or Director Pulte. Whether each of these disclosures was covered by one or more of the Act’s exemptions is a key question.
The Statutory Law Enforcement Exception
The most obvious place to look would be the statutory law enforcement exception. 5 U.S.C. § 552a(b)(7). This exception is actually quite narrow, as it requires the law enforcement agency to request the information from the disclosing agency. The restrictive language in this exception provides further limitation. The request must have been made in writing by “the head” of the requesting agency, and some courts have rejected requests from lower-level officials. Doe v. DiGenova, 779 F.2d 74, 85 (D.C. Cir. 1985). DOJ has taken the position that this may be delegated to lower officials and has done so. 28 C.F.R. § 16.40(d). The exception also requires the request to “specify[] the particular portion desired and the law enforcement activity for which the record is sought.” However, this exception would only cover the disclosure of information to another agency; it would not cover disclosure to the public or to the press.
The Routine Use Exception
The routine use exception is the most likely exception to apply. It provides an exception for “a routine use as defined in subsection (a)(7) of this section and described under subsection (e)(4)(D).” 5 U.S.C. § 552a(b)(3). Subsection (a)(7) defines the term “routine use” to mean “with respect to the disclosure of a record, the use of such record for a purpose which is compatible with the purpose for which it was collected.” Subsection (e)(4)(D) requires Federal Register publication of “each routine use of the records contained in the system, including the categories of users and the purpose of such use.” This notice is called a system of records notice (SORN).
FHFA does appear to have a SORN for a Fraud Reporting System, and it does appear to contain a routine use to disclose records “[w]here there is an indication of a violation or potential violation of law, whether civil, criminal or regulatory in nature, and whether arising by general statute or particular program statute, or by regulation, rule or order issued pursuant thereto, the relevant records in the system of records may be referred, as a routine use, to the appropriate agency, whether federal, state, local, tribal, foreign or a financial regulatory organization, including the Financial Crimes Enforcement Network and other law enforcement and government entities, as determined by FHFA to be appropriate and that are charged with the responsibility of investigating or prosecuting such violation or charged with enforcing or implementing a statute, or rule, regulation or order issued pursuant thereto.” This kind of boilerplate routine use that goes beyond the statutory law enforcement exception is common in SORNs. Like the statutory law enforcement exception, this routine use exception would only cover the disclosure of information to another agency; it would not cover disclosure to the public or to the press.
Potential Causes of Action
There are criminal penalties for willful violations by federal officials. “Any officer or employee of an agency, who by virtue of his employment or official position, has possession of, or access to, agency records which contain individually identifiable information the disclosure of which is prohibited by this section or by rules or regulations established thereunder, and who knowing that disclosure of the specific material is so prohibited, willfully discloses the material in any manner to any person or agency not entitled to receive it, shall be guilty of a misdemeanor and fined not more than $5,000.” 5 U.S.C. § 552a(i)(1). This provision of the Act requires the person to have acted “by virtue of his employment or official position.”
Prosecutions under this section of the Act appear to be exceedingly rare, with only two reported cases in the Department of Justice treatise on the Act - a guilty plea in United States v. Gonzales, No. 76-132 (M.D. La. Dec. 21, 1976), and a bench trial resulting in a not guilty finding in United States v. Trabert, 978 F. Supp. 1368 (D. Colo. 1997), in which the judge found that the statute required more than “gross negligence” for a conviction. The criminal cause of action cannot be pursued by private plaintiffs, only appropriate federal law enforcement. Palmieri v. United States, 896 F.3d 579, 586 (D.C. Cir. 2018). The Act itself does not provide a statute of limitations, but the general federal criminal limitations period is five years. 18 U.S.C. § 3282.
Civil lawsuits are available to private plaintiffs for a much broader set of conduct under the Act, but apply to the agency instead of to the official. 5 U.S.C. § 552a(g)(1)(D). The cause of action requires an “adverse effect” on the plaintiff, a standard that essentially equates with Article III standing. Doe v. Chao, 540 U.S. 614 (2004). The Supreme Court has limited damages to “proven pecuniary or economic harm.” FAA v. Cooper, 566 U.S. 284 (2012). The statute requires “intentional or willful” conduct by the agency for recovery. 5 U.S.C. § 552a(g)(4). This is a term of art in the Act and means something like “greater than gross negligence” according to the legislative history, original administrative guidance, and case law. Coleman v. United States, 12 F.3d 824 (5th Cir. 2019).
Copyright © 2025 Wylie Law PLLC. Wylie Law PLLC is the private legal and consulting practice of James Wylie. Contact james@wylie.law for inquiries. This article should not be construed as legal advice or legal opinion on any specific facts or circumstances. The contents are intended for general informational purposes only, and you are urged to consult your own attorney concerning your situation and specific legal questions you have.