By Denis G. Kelly
Deploy best practices to protect your clients’ information
There has been an explosion of large-scale, high-profile data breaches lately. Despite these headline-grabbing incidents, cyber-criminals have been targeting smaller companies within the financial-services industry, and mortgage brokers and loan originators are squarely in their

The last thing mortgage professionals want to hear is that they are the targets of the next wave of cyber-attacks. Sound policies, however, may help mortgage originators avoid having to close their doors and also create a competitive advantage. Borrowers view lending as a data industry, and they seek to partner with originators who are data experts.
There is a complicated quilt of federal and state laws that regulate data safeguards (e.g., the Gramm-Leach-Bliley Act but not the Red Flags Rule). When there is a gap in policy, the Federal Trade Commission has displayed an eagerness to hold organizations accountable for data-security transgressions as unfair or deceptive practices.
National legislation that was proposed this past June — the Secure and Fortify Electronic Data Act (aka the S.A.F.E. Data Act) — would supersede all state and most federal data-security laws. The proposed legislation does not provide specific requirements such as regular updates of anti-virus software. Rather, it advocates consumer protection by requiring reasonable security policies and procedures.
The main takeaway from the recent round of breaches is that ignorance is not an acceptable excuse and will not save your career or company. The government believes that if you are trusted with sensitive personal information, then you must have policies and procedures to protect this information, regardless of the size of your organization. Everybody from the janitor to the CEO must be involved in data security; sole reliance on your information-technology department wins you a one-way ticket into the breach club.
Data security requires an interrelated, two-pronged approach: high-level strategies that establish standards and guidance, and ground-level tactics to execute the strategies. There is a continuous feedback loop that refines the strategies and tactics.
High-level strategies include these:

• Establish a written security policy regarding the collection, use, sale, other dissemination and maintenance of personal information.
• Identify an officer responsible for information security.
• Regularly audit and amend security policies to address vulnerabilities and to monitor for breaches of security.
• Establish a process and standard for properly disposing of electronic and physical personal data.
• Develop education and communication processes to disseminate data-
When the high-level strategies are determined, there are 10 ground-level tactics of which mortgage originators and their companies should be aware and consider implementing:

1. Reputable and updated anti-data-breach software. The right software minimizes the likelihood of hackers or malware compromising your data. This includes anti-virus, anti-malware, anti-spyware and firewall software. Additionally, software providers recognize vulnerabilities in their systems and periodically provide patches or updates. Applying patches requires time and resources, so expectations must be
2. Appropriate access for users. Providing all users administrator rights leaves the data-breach floodgates wide open. Make certain appropriate parties have appropriate rights on a need-to-know basis. Ensure passwords are unique and change them regularly.
3. Social media blocking and/or controls. Originators generally do not require access to social media sites and only need access to a few sites to do their job. Blocking these sites prevents employees from infecting the network by visiting malware-infected sites. If you cannot restrict access to these sites, explain their dangers and responsible practices to minimize the chances of hackers gaining access to your data through this back door.
4. Data minimization. Thieves can’t steal what you don’t have. Don’t collect information you don’t need, limit the number of places where it is stored and purge data responsibly when it is no longer needed.
5. Set rules regarding what data employees can take outside the office. About one in five data breaches results from employees working remotely, whether from a home-based business or while traveling. Consider using a virtual private network for remote access.
6. Dispose of information properly when it is no longer needed. Dumpster diving — or digging through trash — is legal in most places, and it is one of the most frequent ways data breaches occur. The Fair and Accurate Credit Transaction Act’s Disposal Rule requires originators to burn, pulverize or shred papers. It also mandates that you must destroy or erase electronic files or media. Simply tossing out an old computer or digital copier, which stores every copy, fax or scan, violates this rule and greatly increases the likelihood of a data breach.
Denis G. Kelly is an identity-theft-prevention expert. He is the author of The Official Identity Theft Prevention Handbook; chairman of the Identity Ambassador Commission (IdentityAmbassador.org), an identity-theft education and training organization; CEO of ID Cuffs Inc. (IDCuffs.com), an identity-theft prevention company; and editor-in-chief of theIDChannel.com, a centralized resource of the latest identity-theft news and information. Kelly is also a featured speaker at industry events. He resides in Miami Beach, Fla. Reach him at (866) 938-4035 or info@identityAC.com.