As a lender, are you protecting the privacy and personal information of the borrowers you serve? Data security is a vital responsibility that you take on when you accept personal information from your clients.
When borrowers fill out that mortgage application or provide financial documents, they are trusting your company to keep that information safe. And you have an ethical obligation—and increasingly, a legal one—to do just that.
California's Push for Information Security
California state officials are pushing for a clear minimum standard that mortgage companies and other businesses of all sizes must adhere to in order to avoid breaches of personal data. They are also working to create a set of guidelines that state officials can use to enforce accountability. California isn't likely to be the only state requiring more attention to data protection. Other states will also be demanding that mortgage lenders and other financial companies meet the standard.
With the February release of the 2016 California Data Breach Report, state Attorney General Kamala Harris has spelled out what expectations California has for its businesses to protect important customer data.
"[M]any of the breaches reported to us could have been prevented by taking reasonable security measures, and an organization that voluntarily chooses to collect and retain personal information takes on a legal obligation to adopt appropriate security controls," Harris wrote in the report's introduction.
The report suggests that all organizations that collect personal information need to meet the 20 critical security controls set out by the Center for Internet Security, and that not doing so shows a lack of responsibility for clients' security and a failure to meet the minimum standard of care.
The CIS Critical Security Controls
If you aren't sure about your firm's data security, the 20 critical security controls that the California Data Breach Report references are a good starting point. The controls are listed in priority order, and they work in concert to help you create complete security for your data. For example, the 12th control involves protecting laptops and mobile devices. Before you can do that, you must have met the first control, which is to know the devices you have and where they are located.
To help businesses implement these controls, the Center for Internet Security has provided information that explains each action and why it is important. Special attention was given to making sure the controls were implementable for organizations of all sizes, including small businesses.
Putting the controls in place won't stop every hacker or prevent your employees from making mistakes with data handling, but they do represent the best practices that your organization should be following, no matter the size. By taking these steps to actively keep data safe, you prove to your customers, and to your entire staff, that you are taking data security seriously.
Specific Data Security Issues in the Financial Industry
About 18 percent of all the security breaches that occurred in California during 2015 were in the financial sector, which accounted for 13 million individual compromised records. The most commonly breached data in financial businesses? Social Security numbers. They were compromised in 75 percent of the financial sector's security breaches.
While financial breaches were much less likely than retail sector breaches to be caused by hackers or malware, they were more likely to happen because of internal human error, such as:
- Sending personal information to the wrong recipients
- Accidentally posting personal information to a public website
- Failing to properly dispose of personal information
- Allowing unauthorized employees to access personal information
This means that mortgage companies need to be especially concerned with having processes in place that protect information from being accidentally released or compromised.
Next Steps to Take
Implementing the 20 controls and staying on top of other data security requirements can be a challenge for mortgage companies. Often, loan officers take work home; are they protecting data in all the locations from which they work? Many mortgage companies are smaller firms; do they have the resources in place to implement these controls?
The answer is using a third-party platform that can exceed security requirements while making it easy for employees to get their work done. A tool like MortgageWorkSpace™ from Access Business Technologies allows companies of all sizes to get work done securely from any location. Here's what the DocumentGuardian® component of ABT's software does:
- Uses the latest encryption and banking standard protocols, including 256-bit encryption and SSL/TLS transfer protocols, to ensure information is kept safe from security breaches, hackers and identity thieves.
- Allows emails and files to be transferred using the same high-end encryption.
- Provides a secure workspace environment so you are not storing financial data on individual computers, laptops, or mobile devices.
- Maintains files in an ultra-secure, state-of-the-art, enterprise-class data center.
Using the right software platform can also minimize the risk that employees will make critical errors that lead to the public release of private data. It is important that the software is not just secure but also easy to use. Providing secure, easy-to-use software increases compliance and therefore increases security.
Contact us for more information on using MortgageWorkSpace™ to secure your mortgage company's data. Doing so can help you comply with state and federal audits and give you the peace of mind that you are keeping your borrowers safe.