If you are a mortgage broker or mortgage originator doing business in Massachusetts, you need to understand how MGL 93H and Regulation 201 CMR 17.00 affect how you handle personal information and manage your business in the future. Effective March 1, 2010, licensed mortgage brokers are responsible for the safety and security of any Massachusetts resident's personal information that is collected, handled or stored by you or your staff. Your mortgage business must have a written plan, known as a Written Information Security Plan (WISP), in place and being followed, not only to protect the safety and security of your clients' personal information but also to protect your business. Below is a checklist to help you get organized and develop the plan you will need to comply.
The Commonwealth of Massachusetts enacted MGL 93H which defines security breaches and regulations for the safeguarding of personal information of any Commonwealth of Massachusetts resident. Regulation 201 CMR 17.00 implements the provisions of the law and describes what you need to have in place in order to achieve compliance.
What Does 201 CMR 17 Mean For My Mortgage Business?
201 CMR 17.00 sets the minimum standards for the protection of personal information of any Massachusetts resident. It does not matter whether this personal information is stored in a filing cabinet, a desk drawer or on your network database: you are responsible for its safety and security as set forth in 201 CMR 17. Massachusetts, like many states, is responding to the growth of identity theft by placing responsibility on businesses (such as a mortgage broker) to follow a set of requirements that effectively protect personal data from those who might use it inappropriately or illegally. As a mortgage broker, these regulations affect how you do business and who you do business with. If your originators, processing staff or even others involved with a loan transaction, such as an attorney, real estate agent or credit bureau, have access to or store personal information about your borrowers or prospects (who reside in Massachusetts), such as their name, along with:
- Social Security number
- Credit card number
- Driver’s license information
- Other state issued identification information
then these regulations will affect them also, and you are responsible for taking steps to comply and to control the collection, handling, storage and distribution of this personal information. This means that you need to protect yourself and your business and only share personal data with businesses that you verify are in compliance with 201 CMR 17.
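As an added example (not part of the original page or the regulation's text), the following script applies the definition above to an inventory of stored records: a record is treated as covered personal information only when it combines a Massachusetts resident's name with at least one of the listed identifiers. The field names, the SSN pattern, the Luhn check on card numbers and the sample records are all assumptions constructed for illustration.

```python
import re

# Constructed helper: does this record meet the 201 CMR 17.00 definition of
# "personal information" (name plus SSN, credit card, driver's license or
# other state-issued ID) for a Massachusetts resident?
SSN_RE = re.compile(r"^\d{3}-\d{2}-\d{4}$")      # assumed storage format
CARD_RE = re.compile(r"^\d{13,19}$")             # digits only, after cleanup


def luhn_ok(number: str) -> bool:
    """Luhn checksum, so random digit strings are not flagged as card numbers."""
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def identifiers_present(record: dict) -> list:
    """Return which of the four identifier types the record contains."""
    found = []
    if SSN_RE.match(record.get("ssn", "")):
        found.append("ssn")
    card = record.get("card", "").replace(" ", "").replace("-", "")
    if CARD_RE.match(card) and luhn_ok(card):
        found.append("credit_card")
    if record.get("drivers_license"):
        found.append("drivers_license")
    if record.get("state_id"):
        found.append("state_id")
    return found


def is_personal_information(record: dict) -> bool:
    """Name AND Massachusetts residency AND at least one identifier."""
    has_name = bool(record.get("first_name")) and bool(record.get("last_name"))
    ma_resident = record.get("state", "").upper() == "MA"
    return has_name and ma_resident and bool(identifiers_present(record))


def inventory(records: list) -> list:
    """List (file, identifiers) for every record the WISP must cover."""
    return [(r["file"], identifiers_present(r)) for r in records
            if is_personal_information(r)]


# Constructed sample records (values are fictitious).
SAMPLE = [
    {"file": "loan_001.pdf", "first_name": "Ann", "last_name": "Doe", "state": "MA", "ssn": "123-45-6789"},
    {"file": "lead_002.txt", "first_name": "Bob", "last_name": "Roe", "state": "MA", "card": "4111 1111 1111 1111"},
    {"file": "notes_003.txt", "first_name": "Cat", "last_name": "Poe", "state": "NH", "ssn": "987-65-4321"},
    {"file": "lead_004.txt", "first_name": "Dan", "last_name": "Moe", "state": "MA", "card": "4111 1111 1111 1112"},
    {"file": "rate_sheet.txt", "state": "MA", "ssn": "111-22-3333"},
]
```

Running `inventory(SAMPLE)` flags only the first two files: the New Hampshire resident, the record whose card number fails the Luhn check, and the record with no name fall outside the definition.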
This regulation is not just about clients and customers. If you are located in the Commonwealth of Massachusetts and have employees who reside in Massachusetts, and you keep employment applications, a copy of a driver's license, a personnel file or payroll information on them, then 201 CMR 17 applies to you and you must comply.
So What Steps Do I Take To Be in Compliance?
The key to 201 CMR 17.00 is the development, implementation, maintenance and monitoring of a comprehensive written information security plan (WISP). This WISP is meant to address the handling and storage of any records containing personal information. In addition to creating and maintaining a WISP, you will need to identify the components of the program. This includes:
- Designation of one or more employees to maintain the WISP.
- Identify and assess reasonably foreseeable internal and external risks to the security and confidentiality of any personal information you handle or store.
- Develop security policies and procedures for employees and the handling of personal information.
- Limit the amount of personal information collected to what is necessary to perform the transaction.
- Identify all areas, storage and devices used to store personal information and develop a plan for its security.
201 CMR 17.00 goes further to address Computer System Security Requirements. The Commonwealth of Massachusetts has outlined technology requirements in order to be compliant. These requirements should be discussed with an IT professional. They impact not only your server, but desktop computers, laptop computers, network scanners and copiers. Things to discuss include:
- Securing user authentication protocols
- Securing access control measures that restrict access to records and manage passwords and users.
- Encrypting data during transmission as well as any data on mobile devices such as laptops and PDAs.
- Ensuring that there are current versions of security software such as anti-virus on systems.
- Training employees about information security.
A lot of the publicity regarding the theft of personal information has been linked by the media to laptop computers. Personal information can be compromised and stolen while being stored on computers or transmitted electronically, but this critical data can also be stolen while sitting on a desk or in an unlocked file cabinet in paper form. Even how you dispose of this information is important to consider, as you are responsible for what you throw into the dumpster. Shredding and a disposal service are key components of any effective Mortgage Company WISP. The goal of MA MGL 93H and 201 CMR 17.00 is to change how a business views personal information and the important steps that need to be taken for its proper collection, use, storage, transport and destruction.
Securing personal information protects not only your clients but also your business against fines and lawsuits. Make sure you are in compliance with 201 CMR 17: develop and implement a Mortgage Company WISP now.