Scotsman Guide - September 2011 Residential Edition

By Denis G. Kelly
Chairman
identity ambassador
Commission

10;Ways;to;Avoid;a;Data;Breach
Deploy best practices to protect your clients’ information

There has been an explosion of large-scale, high-profile data breaches lately. Despite these
headline-grabbing incidents, cyber-
criminals have been targeting smaller
companies within the financial-services
industry, and mortgage brokers and
loan originators are squarely in their
crosshairs.
the last thing mortgage profession-
als want to hear is that they are the
targets of the next wave of cyber-at-
tacks. Sound policies, however, may
help mortgage originators avoid hav-
ing to close their doors and also create
a competitive advantage. Borrowers
view lending as a data industry, and
they seek to partner with originators
who are data experts.
there is a complicated quilt of fed-
eral and state laws that regulate data
safeguards (e.g., Gramm-Leach-Bliley
Act but not the Red Flags Rule). When
there is a gap in policy, the Federal
trade Commission has displayed an ea-
gerness to hold organizations account-
able for data-security transgressions as
unfair or deceptive practices.
National legislation that was pro-
posed this past June — the Secure and
Fortify Electronic Data Act (aka the
S.A.F.E. Data Act) — would supersede
all state and most federal data-security
laws. the proposed legislation does
not provide specific requirements such
as regular updates of anti-virus soft-
ware. Rather, it advocates consumer
protection by requiring reasonable se-
curity policies and procedures.
the main takeaway from the recent
round of breaches is that ignorance is
not an acceptable excuse and will not
save your career or company. the gov-
ernment believes that if you are trusted
with sensitive personal information,
then you must have policies and pro-
cedures to protect this information,
regardless of the size of your organiza-
tion. Everybody from the janitor to the
CEO must be involved in data security;
sole reliance on your information-tech-
nology department wins you a one-way
ticket into the breach club.

Data security requires an interrelated, two-pronged approach: high-level strategies that establish standards and guidance and ground-level tactics to execute the strategies. there is a continuous feedback loop which refines the strategies and tactics.

High-level strategies include these steps:

• establish a written security policy regarding the collection, use, sale, other dissemination and maintenance of personal information.

• Identify an officer responsible for information security.

• regularly audit and amend security policies for vulnerabilities and for monitoring for breach of security.

• establish a process and standard for properly disposing of electronic and physical personal data.

• develop education and communica-
tion processes to disseminate data-
security information.

When the high-level strategies are determined, there are 10 ground-level tactics of which mortgage originators and their companies should be aware and consider implementing:

1. reputable and updated anti-data breach software. the right software minimizes the likelihood of hackers or malware compromising your data. this includes anti-virus, anti-malware, anti-spyware and firewall software. Additionally, software providers recognize vulnerabilities in their systems and periodically provide patches or updates. Applying patches requires time and resources, so expectations must be clearly established.

2. appropriate access for users. providing all users administrator rights leaves the data-breach flood gates wide open. Make certain appropriate parties have appropriate rights on a need-to-know basis. Ensure passwords are unique and change them regularly.

Illustration: Dennis Wunsch

3. Social media blocking and/or controls. Originators generally do not require access to social media sites and only need access to a few sites to do their job. Blocking these sites prevents employees from infecting the network by visiting malware-infected sites. If you cannot restrict access to these sites, explain their dangers and responsible practices to minimize the chances of hackers gaining access to your data through this back door.

4. data minimization. thieves can’t steal what you don’t have. Don’t collect information you don’t need, limit the number of places where it is stored and purge data responsibly when it is no longer needed.

5. Set rules regarding what data employees can take outside the office. About one in five data breaches results from employees working remotely, whether from a home-based business or while traveling. Consider using a virtual private network for remote access.

6.dispose of information prop-
erly when it is no longer needed.
Dumpster diving — or digging
through trash — is legal in most
places, and it is one of the most-
frequent ways data breaches oc-
cur. the Fair and Accurate Credit
transaction Act’s Disposal Rule
requires originators to burn, pul-
verize or shred papers. It also
mandates that you must destroy
or erase electronic files or media.
Simply tossing out an old computer
or digital copier, which stores every
copy, fax or scan, violates this rule
and greatly increases the likelihood
of a data breach.

Denis G. Kelly is an identity-theft-prevention expert. He is the author of The Official Identity Theft Prevention Handbook ; chairman of the Identity Ambassador Commission (Identity Ambassador.org), an identity-theft education and training organization; CEO of ID Cuffs Inc. ( IDCuffs.com), an identity-theft prevention company; and editor-in-chief of theIDChan nel.com, a centralized resource of the latest identity-theft news and information. Kelly is also a featured speaker at industry events. He resides in Miami Beach, Fla. Reach him at (866) 938-4035 or info@identityAC.com.