Protecting your business by protecting your customers
Joseph E. Campana, Ph.D.
Keywords: Gramm-Leach-Bliley Act, identity theft, mortgage fraud, lawsuits, data breach, Federal Trade Commission, Red Flags Rule

Your mortgage business, defined by law as a financial institution, must comply with privacy and information security laws such as the Gramm-Leach-Bliley Act (GLBA), the Red Flags Rule, the Disposal Rule and various state laws, including data breach notification laws. These laws explicitly require the adoption and maintenance of reasonable and appropriate privacy and information security best practices. Two primary objectives of these laws are to assure consumers of their right to privacy and to minimize their risk of identity theft.

Today, consumers choose to do business with those they can trust with their personal information. Consumers whose information is compromised by a business may take retaliatory action in the form of lawsuits, complaints and damaging commentary. More than ever, regulators are responsive to complaints.

The laws protect personally identifiable and other sensitive information in all forms: paper, electronic, magnetic, photographic and even verbal disclosure. Information security is not limited to computers.

If your business experiences a data breach or compromise of consumer and/or employee information, there can be significant liability. Liabilities, hard and soft, include lawsuits, forensic audits, penalties, regulatory investigations, compensatory expenses for consumer identity theft remediation services, periodic or mandatory compliance audits ordered by regulators, public relations problems and more. Non-compliance can result in investigations by the Federal Trade Commission or state Attorneys General, as well as costly penalties associated with each account involved in a data breach. Some state and federal privacy laws give consumers the right to file actions independently.
GLBA penalties include prison terms for violations by lenders regulated by the Treasury Department. Liability costs to a business can amount to $300 to $600 per account. Even in the absence of these privacy and information security laws, you and your business can be sued under common law if a victim suffers financial loss or emotional distress because of negligent privacy and information security practices. The best way to protect yourself and your mortgage business is to implement a reasonable and appropriate privacy and information security best practices program that minimizes the risk of compromising consumer information.

Best practices: A four-step process

Privacy and information security best practices are described in two federal laws applicable to the mortgage industry: the GLBA and the Red Flags Rule.

Definitions

Safe harbor. Safe harbor is a legal provision that reduces or eliminates liability in the event of a privacy or information breach, as long as reasonable and appropriate steps were taken in good faith to comply with the prevailing regulations. Safe harbor is a compelling reason to implement best practices.

Management responsibility. The laws require that management take a major role in the initiation, oversight and periodic review of the compliance program. A management-level person should be designated as the privacy officer to oversee and implement the program.

Security. Three types of security must be addressed to safeguard personally identifiable information: administrative, technical and physical. Examples of each follow below, drawn from risk assessment experiences with small mortgage industry businesses.

The four steps to best practices are risk identification, documentation, employee education and audits.

I. Risk identification

What are the risks in your particular business setting? Risks must be identified and evaluated in each of the three security areas.
• Do you have policies and procedures (administrative security) for the handling, collecting, filing, accessing, processing, transmitting, sharing, storing and disposing of sensitive consumer information?
• Is all sensitive information stored on computers (servers, desktops and laptops) in an encrypted format (technical security)?
• Are paper documents containing sensitive information secured and removed from desktops when unattended, and locked in filing cabinets when not in active use (physical security)?
• Are your risk assessment and the resolutions to identified risks in writing? If they are not, from a compliance standpoint the risk assessment never happened (administrative security).

These are just a few examples of risk factors to be evaluated. The larger and more complex your business, the greater the diversity of risks to consider.

II. Compliance documentation

Top-level documents include a privacy and information security policy (an internal document), a privacy notice (for consumers), employee and vendor security agreements and a breach response plan. Small businesses should aim for simplicity. I prescribe a single set of top-level documents that meets the requirements of several applicable laws.

III. Employee education and training

Mandatory employee orientation to your compliance program is required. Employees who handle sensitive information, for example loan originators and administrative associates, must be trained on the handling and safeguarding of sensitive information. Education and training are ongoing processes, not one-time events. Document all employee education and training; from a legal and compliance standpoint, if it is not documented, it did not happen.

IV. Audit

In the first three steps you identified, addressed and documented risks; developed policies and procedures; and involved and trained employees. So, are the employees doing what the policies and procedures state? Are the loan originators and administrative staff safeguarding the documents they handle?
The compliance program must be periodically reviewed and revised as necessary to meet changing threats and changes in your business operations. Corrective action must be taken when processes are not working or are not being followed by employees.

Recently, the FTC filed a complaint in U.S. District Court against a small mortgage broker for violating the FACT Act Disposal Rule. Among the best practices violations cited, the defendant did not take reasonable technical and physical security measures, did not train employees and failed to exercise reasonable management responsibility. At least 230 credit reports were found in a dumpster; the maximum penalties are $3,500 each under federal law and $1,000 each under state law. Do the arithmetic. The broker was also charged with deceptive trade practices because the consumer privacy notice claimed the business took reasonable and appropriate measures to safeguard sensitive customer information. This violation carries a fine of $16,000. Reminder: do what you say you do, or you will face a deceptive trade practices violation.

Fifteen months ago, another mortgage company was fined $50,000 by the FTC for improper disposal of loan documents. The orders also require a biennial audit by a qualified independent third party for 10 years. The complaint cited the company's failure to assess risks and to have appropriate documentation.

In contrast, a recent legal case related to a privacy violation exemplifies safe harbor. The plaintiff, a business patron, claimed her right to privacy was violated through employee gossip. She sued both the employee and the business. Three state courts (lower, appellate and supreme) recognized that the business had acted reasonably and appropriately. The courts cited that the business had policies and procedures; that employees were trained; and that corrective action (termination) was taken with the employee. Although the business was not held legally liable, common law proceedings are pending against the employee.
Getting started

To begin the process, consider the inventory of sensitive information collected, handled, stored, shared, transmitted and disposed of by your business:

1. What sensitive information does your business collect?
• From consumer applicants and customers?
• From employees and other associates?
2. How do you collect the information?
3. Who has access to the information?
4. Is all the information that you collect necessary to conduct and transact business?
5. Where is the information stored?
6. Is information stored on computers in an encrypted format?
7. How long do you retain the information?
8. How do you dispose of the information?
9. Is the information shared with third parties?
10. If information is shared, how is it transmitted?

The Federal Trade Commission publication Protecting Personal Information is useful for taking an information inventory of your business. User-friendly computer programs are available to self-assess identity theft, privacy and information security risks. Model policies and procedures may be available by searching the Internet. They can also be developed by law firms and consulting groups that specialize in privacy and information security compliance. A set of top-level policies, including those applicable to compliance with the Red Flags Rule, has been published and can be copied and easily adapted to small businesses. Various consulting groups can also provide education, training and audits. Online training is becoming a popular way to augment live on-site training; however, live interactive training has strong merit, especially for the initial educational requirement.

Today, protecting consumer information is a business responsibility that cannot be neglected. The risks of haphazard handling of sensitive information are too great to overlook. Privacy and information security best practices are the best insurance to protect your assets and to foster consumer loyalty.

About the author

Joseph E. Campana, Ph.D., is a certified privacy and identity theft risk management professional. He is the author of the book Privacy Makeover: The Essential Guide to Best Practices, a small business do-it-yourself guide to privacy and information security best practices. He may be reached at (608) 241-3500 or by e-mail at [email protected].