Protecting your business by protecting your customers
Joseph E. Campana, Ph.D.
Keywords: Gramm-Leach-Bliley Act, identity theft, mortgage fraud, lawsuits, data breach, Federal Trade Commission, Red Flags Rule
Your mortgage business, defined by law as a financial
institution, must comply with privacy and information security laws
such as the Gramm-Leach-Bliley Act (GLBA), the Red Flags Rule,
Disposal Rule, and various state laws, including data breach
notification laws. These laws explicitly require the adoption and
maintenance of reasonable and appropriate privacy and information
security best practices. Two primary objectives of these laws are
to assure consumers of their right to privacy and to minimize their
risk of identity theft.
Today, consumers choose to do business with those they can trust
with their personal information. Consumers whose information is
compromised by a business may take retaliatory action in the form
of lawsuits, complaints and damaging commentaries. More than ever,
regulators are responsive to complaints. Laws protect personally
identifiable and other sensitive information in all forms: paper,
electronic, magnetic, photographic and even verbal disclosure.
Information security is not limited to computers.
If your business experiences a data breach or compromise of
consumer and/or employee information, there can be significant
liability. Liabilities, hard and soft, include lawsuits, forensic
audits, penalties, regulatory investigations, compensatory expenses
for consumer identity theft remediation services,
periodic/mandatory compliance audits ordered by regulators, public
relations conundrums and more.
Non-compliance can result in regulatory investigations by the
Federal Trade Commission or state Attorneys General, as well as
costly penalties assessed for each account involved in a data
breach. Some state and federal privacy laws give consumers the
right to file actions independently. GLBA penalties include prison
terms for violations by lenders regulated by the Treasury
Department. Liability costs to business can amount to $300 to $600
Even in the absence of these privacy and information security
laws, you and your business can be sued under common law if there
is financial loss or emotional stress to a victim due to negligent
privacy and information security practices.
The best approach to protect yourself and your mortgage business
is to implement a reasonable and appropriate privacy and
information security best practices program that minimizes the risk
of compromising consumer information.
Best practices: A four-step process
Privacy and information security best practices are described in
two federal laws applicable to the mortgage industry: the GLBA and
the Red Flags Rule.
Safe harbor is a legal provision that reduces or eliminates
liability in the event of a privacy or information breach, as long
as reasonable and appropriate steps were taken in good faith to
comply with the prevailing regulations. Safe harbor is a compelling
reason to implement best practices.
The laws require that management take a major role in the
initiation, oversight and periodic review of the compliance
program. A management level person should be designated as the
privacy officer to oversee and implement the program.
Three types of security must be addressed to safeguard personally
identifiable information: Administrative, technical and physical.
Examples of each follow below from risk assessment experiences with
small mortgage industry businesses.
The four steps to best practices are risk identification,
documentation, employee education and audits.
I. Risk identification
What are the risks in your particular business setting? Risks must
be identified and evaluated in each of the three security areas:
• Do you have policies and procedures (administrative
security) for the handling, collecting, filing, accessing,
processing, transmitting, sharing, storing and disposing of
sensitive consumer information?
• Is all sensitive information stored on computers
(servers, desktops and laptops) in an encrypted format (technical
security)?
• Are paper documents containing sensitive information
secured and removed from desktops when unattended and locked in
filing cabinets when not in active use (physical security)?
• Are your risk assessment and the resolutions to
identified risks in writing? If they are not, the risk assessment
never happened (administrative security).
These are just a few examples of risk factors to be evaluated.
The larger and more complex your business, the greater the
diversity of risks to consider.
II. Compliance documentation
Top-level documents include a privacy and information security
policy (internal document), a privacy notice (for consumers),
employee/vendor security agreements and a breach response plan.
Small businesses should aim for simplicity. I prescribe a single
set of top-level documents that meets the requirements of several
laws at once.
III. Employee education and training
Employee orientation to your compliance program is mandatory.
Employees who handle sensitive information, for example
loan originators and administrative associates, must be trained on
the handling and safeguarding of sensitive information. Education
and training are ongoing processes, not one-time events. Document
all employee education or training, or from a legal and compliance
standpoint, it did not happen.
IV. Audits
In the first three steps you identified, addressed and documented
risks; developed policies and procedures; and involved and trained
employees. Now, are the employees actually doing what the policies
and procedures state? Are the loan originators and administrative
staff safeguarding the documents they handle?
The compliance program must be periodically reviewed and revised
as necessary to meet changing threats and operations in your
business. Corrective action must be taken when processes are not
working or not being followed by employees.
Recently, the FTC filed a complaint in U.S. District court
against a small mortgage broker for violating the FACT Act Disposal
Rule. Among the best practices violations cited, the defendant did
not take reasonable technical and physical security measures, did
not train employees and failed to take reasonable management
responsibility. At least 230 credit reports were found in a
dumpster; the maximum penalties are $3,500 each under federal law
and $1,000 each under state law. Do the arithmetic. The broker was also charged with
using deceptive trade practices because the consumer privacy notice
claimed the business took reasonable and appropriate measures to
safeguard sensitive customer information. This violation carries a
fine of $16,000. Reminder: do what you say you do, or you will face
a deceptive trade practices violation.
Fifteen months ago, another mortgage company was fined $50,000
by the FTC for improper disposal of loan documents. The order also
requires a biennial audit for 10 years by a qualified independent
third party. The complaint cited the company's failure to
assess risks and to maintain appropriate documentation.
In contrast, a recent legal case related to a privacy violation
exemplifies safe harbor. The plaintiff, a business patron,
claimed her right to privacy was violated through employee gossip.
She sued both the employee and the business. Three state
courts (lower, appellate and supreme) recognized that the business
acted reasonably and appropriately. The courts cited that the
business had policies and procedures; employees were trained; and
corrective action was taken with the employee (termination).
Although the business was not held legally liable, common law
proceedings are pending against the employee.
To begin the process, consider the inventory of sensitive
information collected, handled, stored, shared, transmitted and
disposed of by your business:
1. What sensitive information does your business collect?
• From consumer applicants and customers?
• From employees and other associates?
2. How do you collect the information?
3. Who has access to the information?
4. Is all the information that you collect necessary to conduct
and transact business?
5. Where is the information stored?
6. Is information stored on computers in an encrypted format?
7. How long do you retain the information?
8. How do you dispose of the information?
9. Is the information shared with third parties?
10. If information is shared, how is the shared information safeguarded?
The Federal Trade Commission publication, Protecting Personal
Information is useful for taking an information inventory of your
business. User-friendly computer programs are available to
self-assess identity theft, privacy and information security risks.
Model policies and procedures may be available by searching the
Internet. They can also be developed by law firms and consulting
groups that specialize in privacy and information security
compliance. A set of top-level policies, including those applicable
to compliance with the Red Flags Rule, has been published and
can be copied and easily adapted to small businesses.
Various consulting groups can also provide education, training
and audits. Online training is becoming a popular approach to
augment live on-site training; however, live interactive training
has strong merit, especially for the initial educational
requirement. Today, protecting consumer information is a business
responsibility that cannot be neglected. The risks of haphazard
handling of sensitive information are too great to overlook.
Privacy and information security best practices are the best
insurance to protect your assets and to foster consumer trust.
Joseph E. Campana, Ph.D. is a certified privacy and identity
theft risk management professional. He is the author of the
Makeover: The Essential Guide to Best Practices, a small
business do-it-yourself guide to privacy and information security
best practices. He may be reached at (608) 241-3500 or by e-mail at [email protected]