by Morgan Clemons
On July 11, 2015, USA Today reported on a MasterCard survey that found fifty-five percent of people would rather have nude pictures of them leaked online rather than have their financial information stolen. Then, on July 22, 2015, two “hackers” revealed that a Jeep Cherokee could be hacked. Wired reporter Andy Greenberg recounted his experience behind the wheel of the Jeep Cherokee controlled remotely by the two hackers. Specifically, hackers were able to control the Jeep Cherokee’s steering, brakes, and transmission from a laptop. Such remote hacking of a vehicle could result in fatal car crashes. Within a week, Fiat Chrysler recalled 1.4 million vehicles to prevent the cars from being hacked, and the National Highway Traffic Safety Administration fined the company $105 million.
Data breaches and matters of data security have become recurring headlines in recent years as hackers attack across industries, including assaults against retail giants and government agencies, and discover new means for striking fear in consumers. Where does the protection of consumer financial data fall on this spectrum of consumer fear? Perhaps somewhere between the leak of nude photos and death-by-hacked vehicle. Nevertheless, mortgage companies must make the protection of consumer financial data a high priority by plugging holes on a number of fronts—privacy compliance, identity theft, and vendor management risk.
Just last year HALOCK Security Labs reported that 70% of mortgage lenders were at risk for a data breach due to permitting consumers to send personal financial information through unencrypted email, via fax, and through other unsecure means. Mortgage companies must balance the desire for customer convenience with the need for financial privacy protection. In April 2015, a major finance company indicated that private consumer information about mortgage accounts had been compromised. Following these headlines, if mortgage companies have not begun to do so already, now is the time to review compliance programs related to the security of consumer financial information. Financial institutions must disclose to customers and consumers the institution’s policies and practices for protecting the confidentiality and security of nonpublic personal information. The mortgage company must inform customers and consumers of the nonpublic personal information the institution collects and discloses to third parties. The mortgage company has established a customer relationship, causing the need to provide the privacy notice, when certain triggers occur, including (1) when the mortgage company originates the loan, (2) when the individual obtains credit from the mortgage company, (3) when the individual provides personally identifiable financial information to the mortgage company in an effort to obtain a mortgage loan, or (4) when the mortgage company purchases the servicing rights to the loan.
October marks National Cyber Security Awareness Month. This month may be the perfect time to revisit the information technology and security awareness policies and procedures to determine whether customer information is susceptible to being leaked by current employees to competitor companies or susceptible to being leaked due to an employee accessing a malicious link. Does the company’s security policy include inspection or monitoring of data stored on personal file directories? Does the company’s security policy include requiring employees to log off or shut down workstations at the end of the workday? Does the company’s information technology staff have programs in place to block accessing external sites and personal accounts on the company network?
The Consumer Financial Protection Bureau (CFPB) is tasked with enforcing the Privacy of Consumer Financial Information Act, or Regulation P. Senator Edward “Ed” Markey (D-MA) and Senator Richard Blumenthal (D-CT), the ranking member of the Senate subcommittee on Consumer Protection, Product Safety, Insurance, and Data Security, are co-sponsoring the Security and Privacy in Your Car Act of 2015 in response to cars’ vulnerability to security threats. Notably, these same two senators, along with heavyweight Elizabeth Warren (D-MA), who is credited with proposing and advising on the creation of the CFPB in its early stages, have co-sponsored the Consumer Privacy Protection Act of 2015. While the Consumer Privacy Protection Act of 2015, as currently written, is not applicable to financial institutions subject to Gramm-Leach-Bliley Act data security requirements, the bill and the support from consumer protection advocates demonstrate increased efforts to place legal restrictions on the private sector’s handling of data security and the protection of sensitive information.
Finally, many states, which are tasked with licensing mortgage companies, have their own privacy laws requiring notification to consumers of data breaches as well as laws mandating how sensitive data must be kept. While a company may be familiar with a state’s laws at the outset and upon initial licensure, are compliance personnel monitoring trends and law changes in the states in which the mortgage company does business? With licensing renewals approaching in the last quarter of the year, it may be a perfect time to conduct a periodic review of privacy and data security measures to make sure they are still meeting the company’s needs. It can be burdensome for large mortgage companies to stay abreast of law changes when licensed in many states. Nevertheless, a security breach could lead to law violations, reputational fallout, and hefty fines. In addition, the mortgage company may subject itself to additional financial loss. Specifically, a company may lose money due to the interruptions in business and may suffer due to the expense associated with any required response to the security breach. Such costly measures may include notifying customers and providing remediation services to affected consumers, such as credit-monitoring services and identity theft insurance.
A mortgage company not only must manage its own systems to protect against instances of security breaches but also must remain alert in its response to outside incidences of identity theft. For example, mortgage companies typically train employees to recognize “red flags,” such as notifications from consumer reporting agencies indicating fraud. Each new product or expansion of the company’s customer base may be susceptible to new identity theft threats. Does the mortgage company update its identity theft policy accordingly? Does the company train staff at hire and on an annual basis to be able to respond to novel threats as they emerge?
Mortgage companies must also ensure that their contracts with their service providers reflect prudent compliance practices. In 2008 Premiere Capital Lending settled with the Federal Trade Commission (FTC) after the FTC alleged that the company left private data vulnerable by allowing a third party to access the data. That third party was later hacked and the data compromised. Regulation P references the sharing of sensitive consumer information with affiliates and nonaffiliates and includes limitations on redisclosure by third parties. In Bulletin 2012-03, the CFPB made clear that it would hold financial institutions accountable for the violations of their service providers. Therefore, mortgage companies must be sure that, in addition to the periodic review of their own practices, they regularly monitor their vendors, based on the service the vendor provides to the mortgage company and the risk posed to the company.
Prior to contracting with a vendor, the mortgage company may wish to review the vendor’s physical security and software to determine the sufficiency of data security in addition to other due diligence assessments. Specifically, the mortgage company may wish to research the potential vendor’s business practices to search for any red flags. In May of this year, the CFPB released a statement indicating that Verizon and Sprint would be required to pay thirty-eight million dollars in fines. In its statement, the CFPB noted that the companies continued to use vendors that had lawsuits against them alleging law violations.
After performing due diligence, the mortgage company should have an effective means of evaluating its high risk vendors—those with access to or potential access to personally identifiable information. Oftentimes, financial institutions fail to consider at the outset how long it would take to replace the third-party provided service if the vendor was unable to perform. Does the contract specify how sensitive data may be transferred once the contractual relationship concludes at the end of the term, following a data security breach, or following a vendor business continuity issue? In addition, mortgage companies should review contracts at renewal to ensure that the contracts include notification by the vendor to the mortgage company of information technology changes or security breaches, as well as negotiate for which party shall bear the remediation costs associated with a compliance breach by the vendor.
Proactive vs. Reactive
While it may not be as life-threatening as hacking into a car that the consumer is driving, it may be telling that the average consumer would rather be physically exposed than financially exposed. Financial institutions must implement strong measures to protect against data breaches. The financial institution must remain aware of all instances in which consumer notifications are required, including as a result of both intentional and unintentional information-sharing. The financial institution should rely on its compliance department or outside counsel to update the company on the effective dates for law changes that affect the industry. Additionally, companies should be able to rely on legal counsel to update them on proposed legislation and relevant news that could point to political trends, trickle into financial services industry privacy requirements, or serve as a catalyst for the company to identify weaknesses in its current data protection systems. Finally, mortgage companies must proceed with caution in contracting with vendors and in verifying the identity of loan applicants. Much like the hefty fine assessed against Fiat Chrysler by the National Highway Traffic Safety Administration, many CFPB enforcement orders include the assessment of civil penalties and reference the need for improved vendor management as a remedial measure. Similarly, many state enforcement orders reflect state law violations in the relationships or arrangements between a lender and broker or other third party. While these enforcement orders can be negotiated to mitigate the consequences of violations, it is more ideal for the mortgage company to be proactive, rather than reactive, by having appropriate policies and procedures and by periodically testing the sufficiency of its policies and procedures.
Morgan Clemons is an attorney in the Regulatory Compliance group at Aldridge Pite LLP. She previously worked at a regulatory agency and has experience in enforcement, examinations, and administrative proceedings related to the mortgage industry. She may be reached at email@example.com.