Regulators have been warning companies in the mortgage space for years that they need to take this issue seriously. While the Federal Trade Commission has typically been the enforcer of data security policies, the Consumer Financial Protection Bureau, emboldened with its reach of authority, has also entered the data security enforcement field.
In March 2016, the CFPB took action against online payment system company Dwolla, Inc. The CFPB alleged Dwolla engaged in deceptive business practices by failing to maintain adequate data security practices by not adopting and implementing reasonable and appropriate data security policies and procedures.
Dwolla settled with the CFPB, agreeing to cease misrepresentation of its security measures and practices, implement comprehensive (and no doubt, costly) data security measures and policies, hire or designate a qualified person to oversee and coordinate a data security program, repair existing security weaknesses found on web and mobile applications and, of course, pay a $100,000 fine.
While proponents of regulation argue the need and effectiveness of having the CFPB oversee data security, the irony is that the CFPB has its own work cut out for it in this regard. In October 2016, the Office of the Inspector General released a memorandum outlining four management challenges for the bureau.
The area of most importance? Ensuring an effective information security program.
“Although the CFPB has transitioned its IT infrastructure from the U.S. Department of the Treasury and continues to mature its information security program, it faces challenges in fully implementing its information security continuous monitoring program, including a comprehensive data loss prevention system, and overseeing the security of contractor-operated information systems,” the memo read.
The OIG concludes in the memo, addressed to CFPB Director Richard Cordray, that the bureau does not have a comprehensive set of policies for some areas and that its staff were not completely aware of and compliant with existing procedures and policies.
In September, the New York Department of Financial Services unveiled a set of cybersecurity regulations designed to beef up security measures for banks, insurance companies and other financial services companies that operate within the state.
The regulations require all institutions subject to NYDFS supervision to establish and maintain a cybersecurity program meeting “certain regulatory minimum standards” and require additional levels of security when working with third-party service providers, as most lenders do. The third-party servicers should expect these regulations to trickle down to them, as well, if they are working with sensitive financial data.
Revisions made to the NYDFS regulations late in 2016 created a small business exemption for companies that have less than 10 employees, $5 million in gross annual revenue, or $10 million in year-end total assets, providing some relief to smaller banks and lenders, who are the ones who truly feel the burn from data breaches. Unlike their larger counterparts, small community banks and credit unions can’t always shoulder the cost of an attack on confidential user data.
Money aside, the biggest loss for a company can be losing a consumer’s trust and business.
“These are valuable assets your customers have entrusted you with,” Bill Kresse said. Kresse is an assistant professor at Governors State University in Illinois and is the former director of the Center for the Study of Fraud and Corruption at Xavier University.
“Just as you wouldn’t use a cigar box to hold valuables, don’t use something basic for private information. If a company is breached, customers won’t just feel their own losses, they’ll feel betrayed.”
Kresse said the costs for a company that has been breached is about $7 per consumer breached, but the costs incurred by the consumer go well beyond just money. The effects of having personal information stolen can last a lifetime, involving months of work to clean up and recover personal data and deter further use of that data for illicit activities, like signing up for credit cards, payday loans and wire transfers.
“It can last until after you’re dead,” Kresse said.
Financial institutions that don’t give enough attention to data security are underestimating the long-term impact that a data breach will have on their bottom line — and their reputation. Fighting on the front lines of this battle, companies in the mortgage industry have to be constantly and creatively vigilant.