Reprinted with permission of the Scotsman Guide

You can take care to make your customers feel comfortable working with you. You spend time and money educating your employees. You even make sure that important documents are shredded when your company disposes of them. But is this enough?

Today, with more information being collected and stored, you must be proactive to protect customers' information and your company's health. All it takes is one lost or stolen laptop to plunge your business into a privacy nightmare.

Mortgage brokers also must know how to follow the myriad rules designed to protect customers' private information. It helps to understand current litigation, data breaches and ways to ensure that your company is doing everything possible to protect its data – and its bottom line.

Rules and how they apply

The mortgage industry is highly regulated, but in a somewhat haphazard fashion. Regulations differ depending on the nature of your business and in which jurisdiction you conduct business.

This regulatory patchwork is especially pronounced in the way companies are required to protect their customers' private and financial information. The fact that regulations sometimes overlap or contradict does not give you license to ignore them. Rather, in this litigious and regulatory climate, it is more important than ever to focus on compliance. Protection of privacy is of particular importance.

In 1999, Congress enacted the Gramm-Leach-Bliley Act (GLBA), which is designed to protect consumer financial privacy. The act requires that the Federal Trade Commission (FTC) and other government agencies that regulate financial institutions police the activities of companies such as mortgage lenders and brokers with regard to consumer privacy.

Three important additional rules have established the framework that governs the mortgage industry.

  • The Privacy Rule requires that financial institutions give consumers and customers clear notice of their privacy policies and practices, including what nonpublic personal information is collected and with whom it is shared.
  • The Safeguards Rule requires that financial institutions take measures to safeguard consumer information.
  • The Disposal Rule governs how confidential consumer information must be disposed of.

The requirements of the notice rule differ to some extent, depending on whether the GLBA considers your client a customer or a consumer. In its definition, a customer is a borrower who has a continuing relationship with you or your financial institution. A consumer is a borrower who obtains a loan or other services from a lender or broker for personal, family or household purposes. Customers also are considered consumers.

For example, if Jane Doe applies for a mortgage through you, she immediately becomes a consumer. Even if people apply for a loan, receive a rejection or withdraw their application, they are still considered consumers. If you service Jane's loan, however, she becomes your customer by virtue of your ongoing relationship with her.

Your company must make your privacy policy available to consumers. You also must provide them with an opt-out notice before sharing their nonpublic personal information with nonaffiliated third parties; sharing with affiliated entities is not covered by the GLBA opt-out but is governed separately by the Fair Credit Reporting Act. Customers must receive the same privacy notice and options, in addition to receiving your company's privacy policy at least once a year, whether you originate or fund loans for them or not.

Under the Safeguards Rule, companies of any size must develop, implement and maintain a comprehensive information-security program to protect their clients' nonpublic information. The program must be "appropriate" to your business' size and complexity and the nature and scope of its activities. In other words, a national bank's plan will be more elaborate than a solo broker's, but both must have one.

Your security program should contain administrative, technical and physical safeguards. This could mean:

  • Designating an employee or employees to coordinate your information-security program;
  • Identifying reasonably foreseeable internal and external risks to the security, confidentiality and integrity of customer information that could result in compromise of the information;
  • Assessing the sufficiency of any safeguards in place to control the risks;
  • Assuring that independent contractors or service-providers can maintain safeguards for customer information and contractually requiring them to implement and maintain these safeguards; and
  • Adjusting the information-security program in light of developments that can affect the entity's safeguards.

Think you can protect yourself by getting rid of data on a regular basis? You can, but only if you dispose of the data correctly. The FTC's Disposal Rule, issued under the Fair and Accurate Credit Transactions Act, took effect in 2005. It requires companies to take "reasonable measures to protect against unauthorized access to or use" of "consumer information" in connection with its disposal.

The rule gives "shredding, burning or pulverizing" paper records as examples of reasonable measures. For electronic media, its example is destroying or erasing the media so that the information cannot practicably be read or reconstructed. With so much of our data now in electronic format, the risk is greater that disposal will be incomplete: deleting a file or reformatting a drive typically removes only the reference to the data, and the underlying bytes remain recoverable until they are overwritten or the media is physically destroyed. Consulting a technology firm specializing in data disposal is an option.

Data and privacy breaches

The past few years have seen a number of large data breaches. Many have made the news and entered state and federal legislative discussion.

In other words, the pressure is on to go to great lengths to protect data. But protection is not cheap. On the other hand, the cost of failed security can be exorbitant.

Most lenders and brokers are doing a good job protecting themselves against hackers and network attacks. But accidental security failures – such as a lost or stolen laptop or throwing away a box of documents rather than shredding them – can cause the biggest headaches.

Targeted attacks, however, are still a risk. While trolling through trash used to be a popular and fruitful method of identity theft, criminals are constantly improving the tools of their trade. The Internet has become their favorite place to fish. Companies must be proactive and progressive to stay compliant and one step ahead of the game.

In 2005, the federal banking agencies issued the "Interagency Guidance on Response Programs for Unauthorized Access to Customer Information and Customer Notice" under the GLBA's security-standards provisions. The guidance directs every financial institution they supervise to develop and implement a response program designed to address unauthorized access to "sensitive customer information."

When an incident of unauthorized access to sensitive customer information occurs, you must conduct a reasonable investigation into the extent of the breach, the possible harm to your customers and whether misuse of the information has occurred or is likely to occur. If misuse has occurred or is reasonably possible, you must notify the affected customers, describing what happened and what they can do to protect themselves. When appropriate, you also should notify your primary regulator and the appropriate law-enforcement agency, such as the local police or the FBI.

To prevent the public-relations nightmare that results from a security breach, you also should evaluate your security procedures consistently and regularly. Keep abreast of changes in privacy and data-security laws – especially if the nature or complexity of your business has changed. Be sure that your policies and procedures reflect those changes.

Finally, ensure that the privacy policies you provide to your customers reflect changes or updates in your policies.

When lawsuits occur

Litigation stemming from privacy and data-security statutes often occurs when a company has done everything right, yet one mistake by one employee subjects the company to a lawsuit. Likewise, just one breach of your information-technology system, and you are a defendant in a lawsuit challenging your security system's adequacy.

Many state and federal breach-notification statutes require companies to notify every affected customer of a security breach regardless of whether the company was negligent, and some do so regardless of the likelihood of harm. In essence, these statutes are establishing strict liability for accidental disclosure of information.

A lawsuit filed in 2007 in Massachusetts illustrates the dangers facing even the most diligent company. In that suit, a networking company that handles customer transactions for retail stores was the victim of a hacker attack. This resulted in the theft of sensitive customer information.

After some of the stolen information was used fraudulently, a bank affected by the fraud brought a lawsuit against the company, including common-law claims of negligence, breach of contract and negligence per se. Notably, the suit also claimed that the company failed to adhere to the GLBA's Safeguards Rule.

The GLBA and its associated regulations do not provide a private cause of action. However, the lawsuit pointed to the GLBA and its regulations to argue that they represented the minimum standard accepted within the industry with which users of customer information must comply.

The regulations, therefore, are having the unanticipated effect of serving as the backbone to private litigation, something legislators probably never intended.

Sometimes, however, human error can be your worst enemy. In another case this past June, a mortgage company agreed to pay a $500,000 settlement for the accidental disclosure of their clients' nonpublic information on the Internet. In the lawsuit, filed in California, the company was accused of inadvertently revealing the sensitive information of more than 10,000 people who had obtained mortgages with the company.

This disclosure occurred because of human error. To comply with a required U.S. Securities and Exchange Commission (SEC) filing, an agent of the company attached a document to the filing that contained customers' personal and sensitive information – which the SEC posted on the Internet.

In addition to the payment, the settlement requires that the company improve its security procedures and employee training programs to ensure the protection of customer information.

Protecting yourself

The FTC polices and ensures compliance with the GLBA's provisions. It also looks at how companies collect, use and secure customers' sensitive information. If a company does not comply, the FTC can bring administrative proceedings against it. These actions are growing more frequent as the FTC cracks down on offenders.

In one example from 2006, the FTC settled privacy-and-security charges with a title company. The company had promised its customers that it maintained numerous safeguards to protect their sensitive financial information. In reality, however, the company was accused of literally throwing consumers' home-loan documents in the trash.

In the FTC's complaint, it alleged that the company failed to provide reasonable and appropriate security to protect the information. Among other deficiencies, the company failed to implement readily available defenses to common Web attacks and to take steps to prevent hackers from gaining access to its network, which did occur. In a less high-tech failure, a local television station also discovered the company's documents – containing customers' financial information – in an unsecured dumpster.

Although there is no way to ensure that your company will never face a data-security breach, there are steps you can take to help insulate your company.

First, have at least one person at your company who is in charge of security. This person or department should be able to devote adequate time and energy to this task. Yes, it costs money, but the costs of ignoring your security and privacy obligations – from litigation and fines to bad press and loss of customer confidence – can outweigh the costs of devoting an employee to the task. Prevention is still the best medicine, and hiring an individual who can concentrate on ensuring you are up-to-date on your policies and procedures can minimize risk substantially.

Next, accept that the regulatory climate is complex and in constant flux. Consulting with an attorney or a privacy and security expert could be a good idea.

Finally, make sure your employees are well-trained. When your employees or independent contractors are not trained properly, you are asking for trouble. The most artfully crafted policies and procedures are useless in the face of human error or ignorance. Make sure that your people know what is required of them and the consequences of failure.

Ultimately, privacy should be of paramount concern, and you need to do everything in your power to prevent your company from becoming the next target.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.