
Security Breaches, Identity Theft and Compliance: Are You Prepared?

Nov 16, 2016

No charges are to be pressed against presidential candidate Hillary Clinton: FBI Director James Comey announced that the Bureau would not recommend prosecution, while describing her handling of classified e-mail as “extremely careless.” It doesn’t matter which side of the political fence you sit on; this will have repercussions for how the courts look at breaches of corporate security policy. How can a corporation hold an employee accountable for violating a signed security policy by sharing e-mails containing confidential or classified information, when a presidential candidate, who held public office at the time of the breach, is merely deemed “extremely careless?”

How can we as business leaders count on the courtrooms to uphold our companies’ privacy and information-security policies? This is scary to me. It sets a precedent that no one can deny.

This article was going to be about social media and compliance, but with this news breaking, I think we need to take a look at the strength of your corporate policies. Do you have a corporate security policy in place? Are all of your employees required to sign the same policy, or do you have a separate policy for those with higher clearance who handle more sensitive information? Will it now have to be amended to state that employees are responsible for their actions, regardless of the precedent the Clinton case sets?

I think that we are in tumultuous times, with laws being written and rewritten, reviewed and analyzed to keep up with social media and Internet security. Many mid-sized companies were hit with breaches of their employees’ W-2 information last tax season, as noted by the Internal Revenue Service (IRS). Identity theft has run rampant; compound that with business identity theft and we have a major cybersecurity issue on our hands.

Is your business protected against fraudsters stealing your company’s identity? If a fraudster obtains your company’s Federal Employer Identification Number (FEIN), the damage can be serious. The FEIN can be used in a number of ways: to apply for credit on the strength of your company’s information, to prepare false tax returns, and, most damaging of all, to generate a whole slew of W-2s for fictitious employees who have never worked for your company. Why do this? Each fake W-2 reports wages and federal and state withholding supposedly paid in on behalf of a fictitious person; the fraudster then files a return in that name, using a phony address, to collect an illegal tax refund.

Are you protected against this type of intrusion? It usually starts with a breached server. I recently witnessed first-hand a mid-sized corporation that had very lax security for its employees. Its file server had a tiered folder tree that separated each department’s private documents, yet nothing restricted access to the individual folders. So if I worked in marketing and was given the password for that tree, I could then read the tax folder and the treasurer’s folder, which held loan applications, insurance information and more. The amount of tax information lying open for all to see was amazing. One of the first priorities for any company should be to limit each folder to the people who need it and to lock everyone else out.
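The departmental share described above can be checked mechanically. The following shell script is an added example, not something from the article or the company it describes: it builds a small, constructed folder tree in the weak state (every file readable by any account on the server), lists the files that are readable outside their owning department group, and then strips "other" access from the sensitive folders. The department names, file names and the temporary-directory layout are assumptions made for the example.

```shell
#!/bin/sh
# Added example: audit a departmental file share for documents that any user
# on the server can read, then restrict the sensitive folders.
# The tree built here is constructed for the example, not data from the article.

# Build a share like the one described: one folder per department, every file
# readable by every account on the box (the weak state).
build_sample_share() {
  root="$1"
  mkdir -p "$root/marketing" "$root/tax" "$root/treasurer"
  printf 'Q3 campaign plan\n'        > "$root/marketing/plan.txt"
  printf 'W-2 batch, tax year\n'     > "$root/tax/w2-batch.csv"
  printf 'Line of credit request\n'  > "$root/treasurer/loan-application.txt"
  printf 'Policy schedule\n'         > "$root/treasurer/insurance.txt"
  chmod -R a+rX "$root"              # weak: world-readable, like the share in the story
}

# List regular files under $1 whose "other" read bit (octal 004) is set,
# i.e. files readable by any user regardless of department group membership.
list_world_readable() {
  find "$1" -type f -perm -004
}

# Number of such files, printed without surrounding whitespace so callers can
# compare it with -eq.
count_world_readable() {
  list_world_readable "$1" | wc -l | tr -d ' '
}

# Remediation for a sensitive folder: remove every "other" permission bit so
# only the folder owner and its department group keep access. Removing access
# (o-rwx) is safer than trying to enumerate who should have it.
restrict_to_department() {
  chmod -R o-rwx "$1"
}

# Demonstration: weak state, then the state after locking down tax and treasurer.
demo() {
  share=$(mktemp -d)
  build_sample_share "$share"
  echo "Before: $(count_world_readable "$share") world-readable file(s)"
  list_world_readable "$share"
  restrict_to_department "$share/tax"
  restrict_to_department "$share/treasurer"
  echo "After: $(count_world_readable "$share") world-readable file(s)"
  list_world_readable "$share"
  rm -rf "$share"
}

demo
```

Run the audit function against the real share root on a schedule; any path it prints in a finance, HR or tax folder is a finding. On a server where departments map to groups, pair the lockdown with `chgrp` to the department group and the setgid bit on the folder so new files inherit it.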

Your cybersecurity policy should cover both internal and external threats in order to protect your information, assets and privacy from technology-based attacks. One of the first to wreak havoc on a company’s security can be a disgruntled employee. Allowing open access to so much information was a high risk. I would have thought that this type of relaxed security didn’t exist in today’s business environment, but I was proven wrong. Common-sense security has to be stated verbally and in writing so that everyone is aware of the precautions that must be followed. More important still is hiring the right person to own and enforce those guidelines. The same reasoning applies to compliance: the first rule is having procedures and guidelines for both compliance and security in place; the second is designating an employee to maintain the rules and verify that they are being followed, kept current and updated. We have all heard of companies closing over compliance or security failures. Don’t let that happen to your company … at least not on your watch!

Let’s look at compliance and social media. Can you have a compliant social media plan? To a certain degree. Managing an employee’s personal Facebook posts that may inadvertently disclose something sensitive is more difficult. I suggest writing into your company’s security policy that no posts are ever to be made on any personal social media (Facebook, Twitter, MySpace, etc.) relating to clients or the company.

The company should have its own Facebook Page, Twitter feed and whatever other social media outlets it chooses to use. That way every post is made and/or reviewed for compliance before it goes public. Here’s a simple example of a very low-key compliance breach. I was at a nail salon getting a pedicure. A group of girls were there for a bridal party, excited and happy and simply having fun. They started snapping photos and posting them on Facebook. Innocent enough, right? Wrong: what if other customers were captured in those snapshots? They were. The owner was present while the girls posted selfies, but made no effort to make a simple statement: “Make sure no one else is captured in your photo; if they are, you do not have their permission to post it.” That would make your position loud, verbal and audible for everyone to hear. If the photos are posted against your wishes you may still be held liable, but you made a verbal disclosure while it was happening, opening the door for anyone who might not want their photo plastered on Facebook to speak up and say, “No, please don’t get me in the picture.”

In June of 2013, the Federal Financial Institutions Examination Council (FFIEC) announced the creation of the Cybersecurity and Critical Infrastructure Working Group to improve communication among the FFIEC member agencies and build upon existing efforts to strengthen the activities of other interagency and private-sector groups. The FFIEC released social media guidance for financial institutions in January of 2013, and many of the initial guidelines have been revised over the past few years with the explosion of social media. They now offer a comprehensive “handbook” on how financial institutions should execute social media and networking strategies. The handbook can be found at FFIEC.gov/Cybersecurity.htm.

As per the FFIEC’s guidance, platforms covered include:

►Micro-blogging (Facebook, Google+, MySpace, Twitter)
►Organization of forums, blogs, customer reviews/testimonials, and online bulletin boards (Blogger, WordPress, Yelp)
►The sharing of photos and videos (Flickr, YouTube, Instagram, Pinterest)
►Social gaming and virtualization (Badgeville, FarmVille, CityVille, Second Life)

The true value of blogging on social media must be evaluated by each lender, banker, mortgage company or loan officer before anything is broadcast there. Protecting your clients’ privacy, and keeping the trust of past, present and future clients, must be a priority. The quick flash of social media may not represent who you are and what you choose to put out there, and once it’s in the cyberworld, it’s there to stay. Social media should never be used to carry out procedural steps or to deliver compliance documents; the risk is simply too high. The National Institute of Standards and Technology defines cybersecurity as “The process of protecting information by preventing, detecting and responding to attacks.” Adopting the National Institute of Standards and Technology philosophy will help keep your company secure, compliant and protected.



Laura Burke, MBA, MS, MIS, CFE, EA is an author, and trainer with 20-plus years of experience in the mortgage arena. She was recently one of six members chosen for the IRS IRPAC Advisory Committee, where she will serve a three-year term. She may be reached by e-mail at [email protected].



This article originally appeared in the July 2016 print edition of National Mortgage Professional Magazine. 
