FTC targets mortgage companies in violation of safeguards rule
By Craig Atchley
In December 2007, a mortgage company that left loan documents
with consumers' sensitive personal and financial information in and
around an unsecured dumpster agreed to settle Federal Trade Commission (FTC)
charges that it violated federal regulations. The FTC's complaint
alleges that the Northbrook, Ill.-based mortgage company violated
the disposal, safeguards and privacy rules by failing to properly
dispose of credit reports or information taken from credit reports,
failing to develop or implement reasonable safeguards to protect
customer information and not providing customers with privacy
notices.
FTC Chair Deborah Platt Majoras said: "Every business, whether
large or small, must take reasonable and appropriate measures to
protect sensitive consumer information from acquisition to
disposal. This agency will continue to prosecute companies that
fail to fulfill their legal responsibility to protect consumers'
personal information."
The actions taken by the FTC under the safeguards rule were part
of what the FTC has termed a "nationwide compliance sweep" directed
at mortgage companies and at automobile dealers engaged in auto
financing. The safeguards rule was adopted to ensure the security and
confidentiality of customers' personal information, which the FTC
terms nonpublic personal information (NPI). Its purpose is to keep
NPI from falling into the wrong hands and causing substantial harm
or inconvenience to the customer, a first step in preventing identity
theft.
The safeguards rule was issued under the Gramm-Leach-Bliley Act
(GLB) and became effective May 23, 2003. It requires financial
institutions to assess the risks to NPI and to implement appropriate
safeguards to protect and secure it.
The GLB Act was enacted on Nov. 12, 1999. In addition to
reforming the financial services industry, the act addressed
concerns relating to consumer financial privacy. The GLB Act
required the FTC and other government agencies that regulate
financial institutions to implement regulations to carry out the
act's financial privacy provisions. The regulations required all
covered businesses to be in full compliance by July 1, 2001.
The FTC is responsible for enforcing its Privacy of Consumer
Financial Information Rule.
What most mortgage brokers don't know is that the GLB Act names
them, specifically, as financial institutions that must comply with
the requirements of the act. The industry has addressed the GLB
Act's Privacy of Consumer Financial Information Rule, which requires
loan applicants to sign the privacy policy disclosure; that disclosure
gives the applicant an opportunity to "opt out" of the company's
policy of sharing personal information with affiliates and third
parties. Brokers think they are in compliance because that document
is among all the other disclosures signed at application. Just as
serious, however, is the risk of non-compliance with the safeguards
rule.
The Illinois company is the most recent prosecution among
several mortgage companies that the FTC has targeted in the past.
This is the first time the FTC has assessed a monetary fine. In
previous cases, identified below, the companies were just required
to get professional help to implement an information security plan
and audit its effectiveness on a periodic basis.
According to the FTC:
In January 2005, the FTC settled charges against a Clearwater,
Fla. mortgage company that had failed to oversee the security
practices of its service providers and of its loan officers working
from remote locations throughout the state of Florida. The order
barred the company from future violations of the safeguards rule
and the Privacy of Consumer Financial Information Rule. In
addition, the company was ordered to have its security program
certified as meeting or exceeding the standards in the consent
order by an independent professional within six months and every
other year thereafter for 10 years. The order also contained
standard recordkeeping provisions to allow the FTC to monitor
compliance.
In April 2005, the FTC settled a charge against a McLean, Va.
mortgage company, with offices in 10 states and multiple Web sites;
the company agreed that it violated federal law by failing to
provide reasonable security for sensitive customer data. The FTC
complaint alleged that the company violated the safeguards rule
because it: (1) failed to assess risks to its customer information
until more than a year after the safeguards rule took effect; (2)
failed to implement appropriate password policies; (3) did not
encrypt or otherwise protect sensitive customer information; and
(4) failed to ensure that its service providers were providing
appropriate security for customer information.
In October 2005, the FTC settled charges against a Tuckerton,
N.J.-based mortgage company. The complaint alleged that it had failed
to comply with the safeguards rule's basic requirements, including
that it assess the risks to sensitive customer information and
implement safeguards to control those risks. In addition, it failed
to train its employees on information security issues, oversee its
loan officers' handling of customer information and monitor its
computer network for vulnerabilities. The settlement bars the
company from misrepresenting the extent to which it maintains and
protects the privacy, confidentiality or security of any personal
information collected from or about consumers, and prohibits
violations of the safeguards rule. The settlement also requires
that it hire an independent third-party auditor to assess its
security procedures every two years for the next 10 years, and to
certify that these procedures meet or exceed the protections
required by the safeguards rule. The settlement also contains
certain recordkeeping requirements to allow the FTC to monitor
compliance.
Identity theft—the real threat
These cases only deal with improper handling of credit files and
securing data; the real threat is identity theft originating in the
workplace. Credit account theft, check fraud, Social Security
number theft and driver's license fraud could all originate from any
mortgage loan application file. Such information has even been
bought and sold on the Internet. If it is traced back to the
mortgage company, the problem gets worse because now the state
attorney general's office gets involved. All but a few states have
adopted identity theft laws that contain requirements that mirror
the safeguards rule. In the state of Texas, companies such as Radio Shack, CVS Pharmacy and Life Time Fitness, along
with a host of smaller companies, have all been subjects of
investigation and prosecution by the attorney general's office for
violations under the Texas Identity Theft Enforcement and
Protection Act of 2005.
Although there is an awareness of the need to secure and dispose
of NPI in the mortgage industry, few, if any, mortgage brokers
possess a formal plan to comply with the GLB Act. The FTC
specifically requires that businesses subject to the GLB Act,
regardless of size, implement and maintain a comprehensive written
information security plan to protect customer NPI. Without such a
plan, the broker has no defense if there is a security breach and
sensitive customer information is lost or compromised. Identity
theft does not have to be committed for a breach to occur. A loan
officer or processor leaving the company with customers' NPI is a
breach.
The only defense the broker has is to have a formalized
information security plan in place. In the case of the Virginia
company, one of the charges was that it "failed to assess risks to
its customer information until more than a year after the safeguards
rule took effect." A company that has made no attempt to comply with
the requirements of the safeguards rule only makes its position
worse. No matter how innocent the broker, ignorance of the law is
not an excuse.
The safeguards rule requires companies to develop a written
information security plan that describes their program to protect
customer information. The plan must be appropriate to the company's
size and complexity, the nature and scope of its activities, and
the sensitivity of the customer information it handles. As part of
its plan, each company must:
•Appoint an information security officer to coordinate the
information security program;
•Determine the risk to customer and employee NPI in each
area of the company's operation by identifying how NPI is
collected, handled, stored and disposed of when no longer
needed;
•Design and implement rules to safeguard NPI in those areas
of risk, and regularly monitor and test the effectiveness of the
rules;
•Select service providers such as shredding companies, Web
site providers and professional trainers, and contract with them to
implement safeguards; and
•Evaluate and adjust the program in light of relevant
circumstances, including changes in the firm's business or
operations, or the results of security testing and monitoring.
Brokers must consider and address any unique risks raised by
their business operations—such as the risks raised when
processors take files home to complete work, when loan officers
access customer data from their homes or other off-site locations,
or when customer data is transmitted electronically outside the
company network.
The requirements are designed to be flexible. Companies should
implement safeguards appropriate to their own circumstances. For
example, some companies may choose to put their safeguards program
in a single document, while others may put their plans in several
different documents, such as one to cover an information technology
division and another to provide the training of employees.
Similarly, a company may decide to designate a single employee to
coordinate safeguards, or it may assign this responsibility to
several employees who will work together.
These are the initiatives the FTC expects mortgage brokers to
take in order to evaluate the risk posed to their customers' NPI.
Evidence that a company is in compliance with the safeguards rule
requires documentation. The FTC recommends that after the
evaluation is complete, the company:
•Prepare written policies and procedures;
•Conduct employee training on the policies;
•Have each employee sign an employee agreement to
comply;
•Formally adopt an employee interviewing, hiring and training
policy;
•Establish disciplinary action for violation of policy;
•Formally adopt the policies and procedures;
•Formally appoint an information security officer; and
•Create an NPI security breach action procedure to implement
in case a security breach occurs.
This is not a time to gamble. When the government passes a new
law, it doesn't plaster it on the front page of every newspaper in
the country; it makes examples of companies and lets someone else
print the story. With identity theft on the rise and thieves growing
more sophisticated, the pressure is on the government to pull out
all the stops to slow the spread. The FTC is looking for mortgage
companies that are out of compliance with one purpose: to make
violations so costly that the industry will take notice and comply
out of fear.
For additional information and compliance requirements under the
safeguards rule, please visit www.ftc.gov/bcp/conline/pubs/buspubs/safeguards.shtm.
Craig Atchley is president of The SafeGuards Institute. He
may be reached at (214) 228-6598 or e-mail [email protected].