   ARTICLE   |   From Scotsman Guide Residential Edition   |   September 2011

10 Ways to Avoid a Data Breach

Deploy best practices to protect your clients' information

There has been an explosion of large-scale, high-profile data breaches lately. Despite these headline-grabbing incidents, cybercriminals have been targeting smaller companies within the financial-services industry, and mortgage brokers and loan originators are squarely in their crosshairs.

The last thing mortgage professionals want to hear is that they are the targets of the next wave of cyber-attacks. Sound policies, however, may help mortgage originators avoid having to close their doors and also create a competitive advantage. Borrowers view lending as a data industry, and they seek to partner with originators who are data experts.

There is a complicated quilt of federal and state laws that regulate data safeguards (e.g., Gramm-Leach-Bliley Act but not the Red Flags Rule). When there is a gap in policy, the Federal Trade Commission has displayed an eagerness to hold organizations accountable for data-security transgressions as unfair or deceptive practices.

National legislation that was proposed this past June — the Secure and Fortify Electronic Data Act (aka the S.A.F.E. Data Act) — would supersede all state and most federal data-security laws. The proposed legislation does not provide specific requirements such as regular updates of anti-virus software. Rather, it advocates consumer protection by requiring reasonable security policies and procedures.

The main takeaway from the recent round of breaches is that ignorance is not an acceptable excuse and will not save your career or company. The government believes that if you are trusted with sensitive personal information, then you must have policies and procedures to protect this information, regardless of the size of your organization. Everybody from the janitor to the CEO must be involved in data security; sole reliance on your information-technology department wins you a one-way ticket into the breach club.

Data security requires an interrelated, two-pronged approach: high-level strategies that establish standards and guidance, and ground-level tactics that execute those strategies. A continuous feedback loop refines both the strategies and the tactics.

High-level strategies include these steps:

  • Establish a written security policy regarding the collection, use, sale, other dissemination and maintenance of personal information.
  • Identify an officer responsible for information security.
  • Regularly audit and amend security policies to address vulnerabilities and to monitor for breaches of security.
  • Establish a process and standard for properly disposing of electronic and physical personal data.
  • Develop education and communication processes to disseminate data-security information.

When the high-level strategies are determined, there are 10 ground-level tactics of which mortgage originators and their companies should be aware and consider implementing:

  1. Reputable and updated anti-data-breach software. The right software minimizes the likelihood of hackers or malware compromising your data. This includes anti-virus, anti-malware, anti-spyware and firewall software. Additionally, software providers recognize vulnerabilities in their systems and periodically provide patches or updates. Applying patches requires time and resources, so expectations must be clearly established.
  2. Appropriate access for users. Providing all users administrator rights leaves the data-breach flood gates wide open. Make certain appropriate parties have appropriate rights on a need-to-know basis. Ensure passwords are unique and change them regularly.
  3. Social media blocking and/or controls. Originators generally do not require access to social media sites and only need access to a few sites to do their job. Blocking these sites prevents employees from infecting the network by visiting malware-infected sites. If you cannot restrict access to these sites, explain their dangers and responsible practices to minimize the chances of hackers gaining access to your data through this back door.
  4. Data minimization. Thieves can't steal what you don't have. Don't collect information you don't need, limit the number of places where it is stored and purge data responsibly when it is no longer needed.
  5. Set rules regarding what data employees can take outside the office. About one in five data breaches results from employees working remotely, whether from a home-based business or while traveling. Consider using a virtual private network for remote access.
  6. Dispose of information properly when it is no longer needed. Dumpster diving — or digging through trash — is legal in most places, and it is one of the most frequent ways data breaches occur. The Fair and Accurate Credit Transactions Act's Disposal Rule requires originators to burn, pulverize or shred papers. It also mandates that you destroy or erase electronic files or media. Simply tossing out an old computer or digital copier, which stores every copy, fax or scan, violates this rule and greatly increases the likelihood of a data breach.
  7. Log off or lock computers when you leave them. This policy reduces access to sensitive information by unauthorized users and consequently minimizes data breaches from insider threats.
  8. Safeguard your website and applications with secure sockets layer (SSL) certificates. It is easy to hijack user sessions on websites that do not have the proper encryption, even when using a username and password. Applying SSL is a relatively simple and inexpensive way to protect against this type of attack.
  9. Secure your wireless network. An insecure network is a hacker's direct back door to your network. This allows the criminal to bypass a hardware firewall and breach at will. Close this door by enabling encryption on your router using either the Wi-Fi Protected Access (WPA) or WPA2 protocol.
  10. Educate employees. Let them know of scams thieves may use to encourage people to divulge information. Inform them of what data is being protected and the consequences of violating policy. There is a tremendous amount of publicity regarding data security. Engaging employees as part of the solution will greatly assist your data-breach-prevention efforts.

Cyber-attacks targeting small financial-services firms, including mortgage originators, are skyrocketing. Ensuring the security of your clients' information is no longer an option or second-tier priority. It is critical to your long-term viability.



© 2019 Scotsman Guide Media. All Rights Reserved.