Data Security: Steps to Improved Information Security September 22, 2015 Presented by: Alex Henderson General Counsel and Chief Administrative Officer Teraverde Management Advisors



One of the issues in the FTC v. Wyndham case was whether businesses were on notice as to what data security practices the FTC would require.

• The FTC now publishes data security tools for businesses.
• The FTC's "Protecting Personal Information: A Guide for Business" says that a sound data security plan should be built on 5 principles:
– take stock
– scale down
– lock it
– pitch it
– plan ahead


How does Data Security apply to a mortgage banker? Are these “events” merely security/privacy “incidents” or are they also “data breaches”?

• A loan officer downloads his customer list of 1,200 names and addresses and a pipeline report listing income and credit information and takes it to a competitor.

• A Loan Origination System reporting database containing Personally Identifiable Information ("PII") appears to have been accessed, but it is unclear by whom and whether information was extracted.

• A loan officer clicks on a phishing email, and 'CryptoLocker' ransomware encrypts company files and demands a ransom.

• A disgruntled employee posts former customer PII on the ‘dark web’


Take a Data and Risk Inventory (GLBA Risk Assessment):

• What Personally Identifiable Information does the company collect?
• Where and how is data stored and segregated?
– digital copiers, laptops, tablets, phones, mobile apps
• How is very sensitive data protected (e.g., is it encrypted)?
• What controls are in place to protect access to data (e.g., two-factor authentication)?
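The "take stock" step above asks where PII actually lives; a data discovery scan is the practical way to answer it. The following is an added example, not code from the presentation, that searches a set of documents for SSN-shaped values, Luhn-valid card numbers and e-mail addresses and reports the counts per storage location. The file paths and document contents are constructed for the example; the Luhn check is what keeps an order or reference number that merely looks like a card number out of the report.

```python
"""PII discovery over a set of documents, as an added illustration of the
"take stock" step: find SSN-shaped values, Luhn-valid card numbers and
e-mail addresses, and report the counts per storage location.

The documents and paths below are constructed for this example."""
from __future__ import annotations

import re
from collections import defaultdict

# US SSN: area not 000/666/9xx, group not 00, serial not 0000.
SSN_RE = re.compile(r"\b(?!000|666|9\d{2})\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
# 13-19 digits with optional single spaces or dashes between them;
# candidates are confirmed with the Luhn check below.
CARD_RE = re.compile(r"\b\d(?:[ -]?\d){12,18}\b")
EMAIL_RE = re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b")

# Constructed sample data: a hypothetical file share and a laptop download.
SAMPLE_DOCS = {
    r"\\fileserver\loans\pipeline_2015-09.csv":
        "Jane Roe,123-45-6789,jane.roe@example.com,4111 1111 1111 1111,income 85000\n",
    r"\\fileserver\marketing\newsletter.txt":
        "Send to list@example.com. Order ref 4111 1111 1111 1112.\n",
    r"C:\Users\lo1\Downloads\customer_list.csv":
        "John Doe,234-56-7890,john@example.com\n",
}


def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 check; separates real card numbers from order/reference numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def scan(docs: dict[str, str]) -> dict[str, dict[str, int]]:
    """Return {location: {"ssn": n, "card": n, "email": n}} for each document."""
    report: dict[str, dict[str, int]] = defaultdict(
        lambda: {"ssn": 0, "card": 0, "email": 0}
    )
    for location, text in docs.items():
        counts = report[location]
        counts["ssn"] += len(SSN_RE.findall(text))
        counts["email"] += len(EMAIL_RE.findall(text))
        for match in CARD_RE.finditer(text):
            if luhn_ok(re.sub(r"\D", "", match.group())):
                counts["card"] += 1
    return dict(report)


def sensitive_locations(report: dict[str, dict[str, int]]) -> list[str]:
    """Locations holding SSNs or card numbers: the ones to encrypt, restrict or delete."""
    return sorted(loc for loc, c in report.items() if c["ssn"] or c["card"])


if __name__ == "__main__":
    result = scan(SAMPLE_DOCS)
    for location in sensitive_locations(result):
        print(f"{location}: {result[location]}")
```

Run against the constructed documents, the pipeline export and the loan officer's local download are flagged, while the marketing file is not: its reference number fails the Luhn check and an e-mail address alone is not treated as sensitive. In practice the same scan runs over file shares, laptops and copier hard drives, and each flagged location is then a candidate for the "scale down" and "lock it" steps.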


Determine which laws and rules apply to you:

• Which data privacy laws apply to your collection and use of the data?
• State laws generally are enforced by the state Attorneys General and typically deal with notification requirements in the event of a data breach.
• Federal laws such as Gramm-Leach-Bliley (protection of PII) and the Fair Credit Reporting Act are generally more specific to particular sectors.
• The FFIEC Cybersecurity Assessment Tool provides detailed guidance for financial institutions.


Make sure the Company’s Privacy Policies and Notices are current and enforced

• A privacy policy is internal to your company, i.e., what the company tells its employees about the collection and use of personal data.
• A privacy notice is the policy the company shares with the outside world.
• Both have to correspond and reflect your actual purposes to avoid UDAP (unfair or deceptive acts or practices) issues.


Manage your Vendors

• Mortgage bankers use a large number of vendors.
• How do vendors protect your Company and your customers' data?
• Enforce information security and privacy requirements on vendors that line up with the Company's information security requirements.
• Do you have a package of vendor management requirements that includes data security?
• The vendor should have a comprehensive vendor management response document, and should carry data breach insurance.


Evaluate cyber-risk insurance.

• A data breach can explode very quickly and the costs to your company can be very high (significant costs per record lost).

• Do your current insurance policies cover a data breach?
• What exclusions may invalidate coverage?
• Can you insure against a penalty from the FTC or other governmental entity?
• Will your insurer require an outside risk assessment?


Create an Incident Response Plan and follow it: no matter how strong your data security, a breach can occur, and the response is as important as the security itself.

• Who is in charge of data privacy? CIO, Legal, Compliance, COO?
• Know the difference between a "security incident" and a "data breach".
• Make sure your whole management team is aware of the Incident Response Plan.
• Engage legal counsel at the beginning.
• Determine referral and notification policies to law enforcement beforehand.
• Prepare for the consumer and regulatory notice process.
• Know what identity theft and other damages your clients may face.
• Plan for remedies to be offered to clients (fraud security measures).


Examine social engineering; firewalls and strong passwords are basic, but 80% of breaches occur through social engineering.

• What training is provided to employees on information security?
• How is the effectiveness of training evaluated?
• Are there periodic tests of employee compliance?
• How are these periodic tests tracked, and how are frequent violators counseled/retrained?
• Have a specific and ongoing formal program in place to train, test, and counsel employees for social engineering risks.


Questions to think about

• When was your last risk assessment, and what areas did it cover?
• When was your last business continuity drill?
• When was your last penetration test?
• When was your last information security training, and did it cover social engineering?
• Do you maintain an adequate hardware and software inventory to ensure all systems have the most up-to-date firmware or software version to prevent malicious attacks?
• How do you handle patch management?
• How do you ensure anti-virus software is current?
• Does your internal audit and compliance monitoring system sufficiently test information security topics?
• Have you set up a secure method for customers to send you their verifying information for their mortgage application?


Understand the difference between a vulnerability assessment and a penetration test: more than just semantics

Vulnerability assessments produce a prioritized list of vulnerabilities, generally with guidance on how to remediate them.

Penetration tests attack a specific goal, testing whether an attacker can actually reach it. They are most helpful to organizations already at their desired security posture, because they test whether that posture holds rather than enumerating what is still missing.


Data theft is not your only concern

• Test your business continuity / disaster recovery plan regularly.
• Ensure your data back-up systems are functioning and secure.
• Are your own systems or the vendor's cloud more secure?


Do not limit Information Security to the IT function

• CIOs think technology, not employee behaviors.
• Most breaches are not perimeter-defense or "front door" attacks.
• Most breaches are introduced by employees, vendors, or social media phishers.
• Maintain current risk assessments.
• Have all areas audit user access to systems regularly.
• Training is the most cost-effective deterrent.
• The money saved by bring your own device (BYOD) may not be cost effective if it introduces a data breach.


Questions or Comments?