Data breaches have been occurring more frequently over the last ten years (think: Marriott, Facebook, Target, Sony Pictures, Yahoo, Quest Diagnostics, Uber, etc.) and a significant number of records are exposed from each event. According to the 2019 Cost of a Data Breach Report, conducted by the Ponemon Institute, the chance of an organization experiencing a data breach within two years is now 29.4 percent, up from 22.6 percent in 2014. The study also found that data breaches, on average, cost a company $3.92 million—not including the cost of reputational damage—and exposed an average of 25,575 records. While the average cost per lost record was $150, certain industries faced substantially higher costs per lost record, including Health ($429), Finance ($210), Technology ($183) and Services ($178).
A New Age of Data Privacy and Security
To better protect consumers from data breaches, a number of states and the U.S. federal government have either enacted new legislation or are in the process of doing so. The European Union’s (EU) General Data Protection Regulation (GDPR) is often one of the models used for data privacy and security legislation. This large regulation, which was adopted in 2016 and went into effect in 2018, has set the stage for a new age of data privacy and security—reshaping the way organizations manage and protect data. If a company violates the GDPR, it could be liable for fines of up to $22.4 million, or 4 percent of the worldwide annual revenue from the prior financial year—whichever is higher. U.S. companies fall under the GDPR when they offer goods or services to residents of the EU. While not all companies in the U.S. fall under the GDPR’s scope, they may fall under the scope of new data privacy and security legislation being established in several states.
The other primary model for new state legislation is the California Consumer Privacy Act (CCPA), which goes into effect January 1, 2020. This law, sometimes dubbed GDPR-Lite, enhances privacy rights and consumer protections for residents of California and imposes fines on companies that do not comply. Under the CCPA, companies will be required to inform consumers what data is being collected about them, how that data will be used, and whether that data will be sold or disclosed to any third parties (and for what purposes). Consumers have the right to say no to the sale of their data and can request that a company delete any data it may have collected. Additionally, companies may not discriminate against a consumer for opting out of data collection by changing pricing or services offered.
Since the beginning of 2019, a number of states—Hawaii, Maryland, Massachusetts, Mississippi, and New Mexico—have introduced stricter data privacy laws that mirror the CCPA. Other states, including New York, Washington State, and North Dakota, are considering bills that will enhance consumer data privacy for their residents. Add to that other initiatives, such as Senator Elizabeth Warren’s Corporate Executive Accountability Act, which aims to hold executive officers at large companies criminally responsible for negligent data privacy and security practices, and it is clear that we are in a new age of data privacy and security.
Best Practices to Protect Borrowers and Lenders
Considering how much personal data is required from borrowers during the mortgage process, it is critical for lenders to develop data management processes that can help minimize their exposure in the event of a data breach and prepare for the new data security regulations. Some best practices to adopt include:
- Creating and implementing an information security policy.
- Developing an incident response plan and routinely testing it.
- Performing information security awareness training on a regular basis.
- Interfacing with borrowers using secure channels only.
- Using encryption technology for data transmission and storage.
- Building dataflow diagrams to keep track of how data is collected, used and stored.
- Implementing a data retention plan to limit exposure of unnecessary information.
- Disposing of physical documents securely and regularly.
- Restricting access to authorized parties.
- Performing frequent reviews of third-party vendors, integrations and data exchanges.
- Working closely with legal counsel, IT staff, and other resources to understand and mitigate potential risks.
The odds that a lender will experience a data breach are growing. With proper data management processes in place, lenders can safeguard sensitive borrower information, ensure compliance with applicable data privacy and security laws, mitigate risk for reputational damage and significant fines, and ultimately conduct business with greater confidence.
Ian Morgan is Chief Information Security Officer for Covius Holdings, Inc. and is responsible for the confidentiality, integrity, and availability of the company’s information assets. Prior to joining Covius, he led IT teams for several mortgage banks and oversaw the implementation of complete lending platforms that serviced some of the nation’s largest banks. Morgan received a B.S. in Business Administration from Colorado State University and an M.S. in Information Technology Management with Cybersecurity Specialty from Colorado State University, and holds CISSP and CSSLP certifications from ISC2. Other notable certifications include ITIL, MCSE, CCNA, and Scrum Master. Morgan can be reached at Ian.Morgan@covius.com.