
I’m not a lawyer, and I don’t play one on AG.
That said, while at GE I was pummeled with information security policies. Noncompliance was not an option, and even the tiniest infraction, even assumed, was taken seriously. If, for example, during the nightly after-hours security inspection, a Post-it was on a desk (or under a keyboard, mouse pad, phone, etc.) or in the trash with something resembling a password, it was reported, escalated and the offender counseled. No matter that there was no indication what the alleged password may be to – information security was a top priority. All documents were to be locked up or shredded before leaving for the day.
I appreciated that. As a victim of identity theft years ago, I have experienced the pain and hassle of clearing it up. Now, with current economic woes, I think we will see instances of identity theft escalate. What better place to shop for a top-notch identity than among home buyers?
Are you protecting your clients’ identities?
You’re probably aware of the Gramm-Leach-Bliley Act (GLB), formally known as the Financial Modernization Act of 1999. I’ve read numerous opinions on how exactly it applies to Realtors® and agents, and I’m not an expert in that area. That said, here are some basic provisions regarding protecting customers’ non-public information in a GLB-compliant manner.
In a nutshell, GLB is aimed at financial institutions and is enforced by eight separate federal agencies and the states. GLB provides for a fairly broad interpretation of the phrase “financial institution” and not only affects banks, insurance companies, and security firms, but also brokers, lenders, tax preparers, and real estate settlement companies, among others.
A few things to know:
- Data should be encrypted in storage and in transit.
- Both non-public & public information must be protected.
- Compliance is not limited to IT.
- Annual privacy policy information should include more than a Web page.
- Businesses must keep tabs on third-party providers.
- Data you don’t need should be destroyed.
Financial institutions are responsible for:
- Ensuring the security and confidentiality of customer records and information.
- Protecting against any anticipated threats or hazards to the security or integrity of all records.
- Protecting all information against unauthorized access to or use of such records or information which could result in substantial harm or inconvenience to any customer.
The following is considered personal information (in paper or electronic form – list non-exhaustive):
- Names
- Addresses
- Phone numbers
- Bank and credit card account numbers
- Income and credit histories
- Social Security Numbers
- Other financial and tax information
Data in motion
Data should be encrypted in storage and in transit. “In transit” means email and instant messaging. Both are easy ways for confidential information to leave the organization in an unsecured manner. If a customer experiences identity theft, you could be at risk if you (or anyone involved in the transaction on your behalf) are sending non-public personal information in an email, or as an attachment to an email.
Penalties for Non-Compliance
Violation of GLBA may result in a civil action brought by the U.S. Attorney General. The penalties include those for the company of up to $100,000 for each violation. In addition, “the officers and directors of the financial institution shall be subject to, and shall be personally liable for, a civil penalty of not more than $10,000 for each such violation”. Criminal penalties may include up to 5 years in prison.
How will they know?
If a customer experiences or suspects identity theft and retains a lawyer to find the responsible party, the lawyer will typically hire forensic computer experts who comb through huge volumes of e-mails looking for a smoking gun, in the form of certain words and phrases. They can find it, even if you’ve deleted it.
Consult an expert
Take a walk around your office after most people have left. If you see files on desks, that’s a sign a check-up is in order. An information security consultant or expert should be able to review your processes and systems to ensure information security.
What are you doing to ensure your clients’ identities remain safe under your watch?



