SAFEGUARDS RULE INFORMATION SECURITY PROGRAM
The FTC’s Safeguards Rule (the “Rule”), 16 CFR Part 314, became effective on May 23, 2003. The Rule, which applies to financial institutions under the FTC’s jurisdiction, implements the information security provisions of the Gramm-Leach-Bliley Act (the “Act”). As of the effective date, virtually all such financial institutions in the United States were required to have in place specific safeguards to protect customer information and, among other goals, to protect customers from identity theft. A broad range of companies and institutions fall under the Act’s definition of a “financial institution”, as the term encompasses entities significantly engaged in financial activities, including, but not limited to, companies that originate residential and commercial loans, broker such loans, service such loans, and engage in debt collection.
The Act and the Rule incorporate the FTC’s enforcement mechanism and provide for substantial penalties for failure to adhere to their requirements. Further, the Act and the Rule set forth specific actions companies must take to prevent the inadvertent or intentional disclosure of customers’ nonpublic personal information (“NPI”). NPI consists of:
- any information an individual provides to us to obtain a financial product or service (e.g., name, address, income, Social Security number, or other information on an application);
- any information about an individual resulting from a transaction involving our financial products or services (e.g., the fact that an individual is our consumer or customer, account numbers, payment history, loan or deposit balances, and credit or debit card purchases); or
- any information obtained about an individual in connection with providing a financial product or service (e.g., information from court records or from a consumer report).
Such information includes customers’ Social Security numbers, credit card account information and credit history, information typically obtained by financial institutions in the normal course of arranging financing for a customer. Clients’ credit reports must also be treated as confidential material. In fact, NPI is defined as any such information not available to the public, and includes items such as credit scores, unlisted telephone numbers and the interest rate and APR for which a customer qualified. NPI does not include information that is “publicly available”. Information is publicly available if an institution has a reasonable basis to believe that it is lawfully made available to the general public from government records, widely distributed media, or disclosures to the public that are required by law (e.g., information in a telephone book or a publicly recorded document, such as a mortgage or securities filing).
This Safeguard Plan contains the following critical pieces:
- A Corporate Safeguards Rule Policy;
- A sample of the employee manual regarding the Safeguards Rule;
- Risk assessment worksheets that should be completed quarterly; and
The following defines the terms used in this Plan and identifies the individuals responsible for each function:
Compliance Officer: Responsible for overseeing overall privacy and Safeguards Rule compliance at all locations. Currently this is Audra Hornig, Esq., General and Compliance Counsel.
Audit/Periodic Safeguards Compliance Audit: A review of all Safeguards Rule compliance policies, procedures and protocols, conducted periodically to ensure that the Information Security Program enacted by Nationwide Mortgage Bankers, Inc. (the “Company”) is effectively safeguarding customers’ nonpublic personal information and that all employees are abiding by its terms. The audit must include a physical inspection of the facility to ensure that proper locks and other physical controls are in place, functioning and in use; that no documents, files or electronic media containing customers’ nonpublic personal information are present in an unsecure area, or visible or otherwise unsecured in a secure area; and that only individuals authorized to handle such information and to enter secure document areas are doing so. The audit must also include a network vulnerability scan of Nationwide’s computer system(s) and verification that all Service Providers with which Nationwide does business have on file contract agreements or addenda requiring protection of customers’ nonpublic personal information. Audits should be conducted quarterly during the first year after the Information Security Program is enacted and semi-annually after the first full year of verified compliance. This is currently handled by Robert Altamore, the Company’s IT Manager.
Nationwide Mortgage Bankers’ Safeguards Policy: The written policy of Nationwide that protects customers’ nonpublic personal information as required by the FTC Safeguards Rule. The policy is maintained by Audra Hornig.
Disposal Rule: A regulation issued by the FTC (16 CFR Part 682, effective June 1, 2005) requiring the proper disposal and destruction of information derived from consumer reports. Nationwide’s policy is to have document destruction shredding bins in every office that conducts business. All paper records containing Nonpublic Personal Information MUST be placed in the shredding bin, the contents of which are then disposed of by a company that Nationwide contracts with for this specific purpose.
Information Security Program: The specific policies, procedures and protocol implemented by a company to protect the nonpublic personal information of its customers and potential customers. This is managed by Robert Altamore.
Network Vulnerability Assessment: The component of a Risk Assessment (below) that focuses on the risks to customers’ nonpublic personal information contained in, processed by, or transmitted through Nationwide’s computer network. The process includes a network vulnerability scan using specialized hardware and software to identify any vulnerabilities in a computer or computer network in order to determine the means by which that computer or network may be exploited or compromised. This is managed by Robert Altamore.
Nonpublic Personal Information (NPI): Any information about an individual that is not available to the public. This includes, but is not limited to, Social Security numbers, credit card account information, credit history, proof of insurance, credit score, unlisted telephone numbers, and the APR or interest rate for which one qualifies.
Risk Assessment: A detailed analysis of the natural flow of customers’ nonpublic personal information through Nationwide Mortgage Bankers, designed to identify physical, procedural and electronic risks to that information. The results of this assessment are used to determine what policy, procedure or protocol should be enacted or applied to protect nonpublic personal information. This is performed by Robert Altamore.
Safeguards Agreement: A written contract or contract addendum between Nationwide Mortgage Bankers and a Service Provider with which it does business, obligating the Service Provider to protect customers’ nonpublic personal information.
NATIONWIDE MORTGAGE BANKERS POLICY CONCERNING PROTECTION OF CUSTOMER INFORMATION
It is the policy of Nationwide Mortgage Bankers to take reasonable steps to protect the personal information of our customers. At minimum, we will comply with the FTC Safeguards Rule, implementing the provisions of the Gramm-Leach-Bliley Act as they pertain to mortgage companies.
The requirements of the Safeguards Rule and our policy with respect to each component follow below.
- Designate an employee or employees to coordinate the Information Security Program.
Nationwide Mortgage Bankers shall designate both a Compliance Officer and an Assistant Compliance Officer. The Compliance Officer and the Assistant Compliance Officer shall receive the same training (described below). In the event the Compliance Officer becomes unable or unwilling to continue serving in that capacity, the Assistant Compliance Officer shall assume the Compliance Officer’s duties until such time as a new Compliance Officer can be designated and trained. The Assistant Compliance Officer may be made the Compliance Officer, in which case a new Assistant Compliance Officer shall be designated and trained. It is the policy of Nationwide Mortgage Bankers to never be without a Compliance Officer.
The Compliance Officer shall be a management-level employee who has completed the requisite training and has never been convicted of a felony involving moral turpitude. The Compliance Officer must have the education, training and work experience necessary to reasonably execute the duties of that office.
In addition to the Compliance Officer and Assistant Compliance Officer, Nationwide Mortgage Bankers shall designate an overall Corporate Compliance Officer who shall be responsible for the oversight of Nationwide Mortgage Bankers’ Information Security Program at all locations. This individual is currently Chris Schiele, Chief Operating Officer. The Corporate Compliance Officer shall meet the same eligibility requirements as a Compliance Officer, as set forth above.
- Identify reasonably foreseeable internal and external risks to the security, confidentiality and integrity of customer information that could result in the unauthorized disclosure, misuse, alteration, destruction or other compromise of such information and assess the sufficiency of any safeguards in place to control these risks. At a minimum, such a risk assessment should include consideration of risks in each relevant area of your operations, including:
(1) Employee training and management;
(2) Information systems, including network and software design and information processing, storage, transmission and disposal;
(3) Detecting, preventing and responding to attacks, intrusions or other systems failures.
- Store customer information securely
- All customer information is stored in a locked room, desk or filing cabinet;
- Servers are all stored in a secure data room.
The Compliance Officer shall work with the IT Manager to ensure the proper safeguards are in place relevant to Information Technology including but not limited to:
- Limiting access to customer information to employees who have a business reason to see it
- Requiring employees to use “strong” passwords that must be changed every 30 days. A password may not be reused within 12 months of its previous use.
- Forcing computer screens to lock after 15 minutes of inactivity; the employee must re-enter his/her password to regain access.
- Requiring VPN (Virtual Private Network) technology for all remote users and offices so that data transmitted over the Internet is encrypted.
- Laptops, smartphones and PDAs are to be stored in a secure location when not in a Nationwide Mortgage Bankers office location.
- An inventory is maintained of all electronic equipment, including servers, computers, laptops, etc.
- Hard drives on which customer data could be stored are removed from decommissioned computers and either securely stored or properly destroyed.
- All locations require a firewall, maintained by the Information Technology department and kept current with the latest updates and software.
- An employee’s access credentials are disabled immediately upon termination from Nationwide Mortgage Bankers.
- Nightly backups are maintained and stored off-site for disaster recovery.
- Server-based virus protection software is kept up to date.
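As an added example, not part of the Company’s policy text and not a description of its actual systems, the following Python script implements three of the rules above as checks an auditor could run over account records: the 30-day password rotation, the 12-month reuse ban, and the requirement that terminated employees’ credentials be disabled. The account records are constructed for the example, and the definition of “strong” (at least 12 characters drawn from four character classes) and the PBKDF2 parameters are assumptions; the policy does not define them.

```python
# Added example: checks implementing the password-rotation, reuse and termination
# rules of the policy. Records, the "strong" definition and PBKDF2 settings are assumed.
from __future__ import annotations
import hashlib
import hmac
import os
import re
from dataclasses import dataclass, field
from datetime import date, timedelta

ROTATION_DAYS = 30       # policy: passwords must be changed every 30 days
REUSE_WINDOW_DAYS = 365  # policy: a password may not be reused for 12 months
MIN_LENGTH = 12          # assumption: the policy does not define "strong"
PBKDF2_ROUNDS = 100_000  # assumption: any slow, salted hash would do


def is_strong(password: str) -> bool:
    """Assumed "strong" rule: MIN_LENGTH+ characters covering upper, lower, digit, symbol."""
    classes = (r"[A-Z]", r"[a-z]", r"[0-9]", r"[^A-Za-z0-9]")
    return len(password) >= MIN_LENGTH and all(re.search(c, password) for c in classes)


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256, so the reuse history never stores plaintext."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)


@dataclass
class Account:
    user: str
    enabled: bool
    last_change: date
    # (salt, digest, date_set) for every password the account has had, oldest first
    history: list[tuple[bytes, bytes, date]] = field(default_factory=list)


def set_password(acct: Account, new_password: str, today: date) -> None:
    """Apply the strength rule and the 12-month reuse rule before accepting a password."""
    if not is_strong(new_password):
        raise ValueError(f"{acct.user}: password does not meet the strength rule")
    cutoff = today - timedelta(days=REUSE_WINDOW_DAYS)
    for salt, digest, date_set in acct.history:
        # Only passwords set inside the reuse window count; compare digests in constant time.
        if date_set >= cutoff and hmac.compare_digest(hash_password(new_password, salt), digest):
            raise ValueError(f"{acct.user}: password was used within the last 12 months")
    salt = os.urandom(16)
    acct.history.append((salt, hash_password(new_password, salt), today))
    acct.last_change = today


def rotation_overdue(acct: Account, today: date) -> bool:
    """True when the current password is older than the 30-day rotation period."""
    return (today - acct.last_change).days > ROTATION_DAYS


def audit(accounts: list[Account], terminated: set[str], today: date) -> dict[str, list[str]]:
    """Findings for the periodic audit: terminated users still enabled, overdue rotations."""
    findings: dict[str, list[str]] = {}
    for acct in accounts:
        issues = []
        if acct.user in terminated and acct.enabled:
            issues.append("credentials still enabled after termination")
        if acct.enabled and rotation_overdue(acct, today):
            issues.append("password rotation overdue")
        if issues:
            findings[acct.user] = issues
    return findings


def demo_audit(today: date = date(2024, 3, 1)) -> dict[str, list[str]]:
    """Run the audit over constructed sample records (not real Company data)."""
    accounts = [
        Account("alice", enabled=True, last_change=today - timedelta(days=10)),
        Account("bob", enabled=True, last_change=today - timedelta(days=45)),
        Account("carol", enabled=True, last_change=today - timedelta(days=5)),    # terminated
        Account("dave", enabled=False, last_change=today - timedelta(days=200)),  # terminated, disabled
    ]
    return audit(accounts, terminated={"carol", "dave"}, today=today)


def demo_reuse_check(today: date = date(2024, 3, 1)) -> tuple[bool, bool]:
    """Constructed check of the reuse window: the same password is rejected while its
    previous use is within 12 months, and accepted once that use is older than that."""
    acct = Account("erin", enabled=True, last_change=today - timedelta(days=20))
    set_password(acct, "Correct-Horse-B4ttery!", today - timedelta(days=20))
    try:
        set_password(acct, "Correct-Horse-B4ttery!", today)
        rejected_within_window = False
    except ValueError:
        rejected_within_window = True
    accepted_after_window = True
    try:
        set_password(acct, "Correct-Horse-B4ttery!", today + timedelta(days=REUSE_WINDOW_DAYS + 1))
    except ValueError:
        accepted_after_window = False
    return rejected_within_window, accepted_after_window
```

Calling `demo_audit()` reports bob (password older than 30 days) and carol (terminated but still enabled); alice is current and dave is already disabled, so neither is flagged. `demo_reuse_check()` returns `(True, True)`: the repeat is rejected inside the 12-month window and accepted after it. A real audit would pull the records from the directory service rather than construct them, but the rules being checked are the same.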
The Compliance Officer and/or the IT Manager shall conduct a risk assessment following the natural flow of customer information both inside and outside Nationwide Mortgage Bankers’ premises. The risk assessment shall identify how information is obtained from customers; how it is recorded; and how it is transmitted, used, stored and (ultimately) destroyed. For each of those stages in the information cycle, the risk assessment shall identify: (i) how unauthorized access to the information might occur; (ii) what steps Nationwide is currently taking to prevent such unauthorized access to customer information; (iii) what further steps could be taken to prevent unauthorized access to customer information; and (iv) what level of safeguards training is necessary for each type of employee at Nationwide Mortgage Bankers. In addition, the initial risk assessment shall confirm the existence or absence of a network intrusion detection system and of modem access controls for all dial-up connections (such as to the DMS).
The initial risk assessment process shall include a network vulnerability assessment to scan for all known vulnerabilities.
- Design and implement information safeguards to control the risks identified through risk assessment and regularly test or otherwise monitor the effectiveness of the safeguards’ key controls, systems and procedures.
The Compliance Officer and the IT Manager shall be responsible for ensuring that site-specific safeguards are designed and implemented. The safeguards shall address, at a minimum, the following items:
- Creation of secure document areas and procedures;
- Establishment of secure storage facilities for customer information;
- Ensuring that disposal stations are adequate throughout the corporate and branch offices;
- Acquisition of written agreements or contract addenda from lenders and vendors who have access to confidential customer information affirming compliance with the Safeguards Rule; and,
- Installation and implementation of computer network security equipment and procedures that regularly scan Nationwide Mortgage Bankers’ computer network for known vulnerabilities and viruses, properly configure and maintain firewalls, detect network intrusions, terminate attacks and secure all dial-up modems connected to Nationwide Mortgage Bankers’ internet providers. It is the policy of Nationwide to correct all serious vulnerabilities identified in any network vulnerability scan as soon as possible and to install all necessary security patches that address known vulnerabilities as soon as possible.
The Compliance Officer shall ensure that the information safeguards are audited no less than once per quarter during the first year after implementation (and semi-annually thereafter).
- Oversee Service Providers by:
- Taking reasonable steps to select and retain Service Providers that are capable of maintaining appropriate safeguards for the customer information at issue; and
- Requiring Service Providers by contract to implement and maintain such safeguards.
It is the policy of Nationwide Mortgage Bankers to contract only with outside vendors and other financial institutions (including appraisers, attorneys and title companies having access to customers’ nonpublic personal information – collectively, “Service Providers”) that are capable of ensuring the security of our customers’ personal information. To achieve that end, all Service Providers doing business with Nationwide Mortgage Bankers shall be required to (i) describe in writing the procedures they have in place to ensure the security of our customers’ personal information; and (ii) execute and return contract addenda that obligate them to adequately protect our customers’ personal information.
- Evaluate and adjust the Information Security Program in light of the results of the testing and monitoring required above, any material changes to operations or business arrangements, or any other circumstances that you know or have reason to believe may have a material impact on your Information Security Program.
With the passage of time and the employee turnover normal to this industry, it is possible that elements of this policy may fall out of practice. This must not be allowed to happen.
To prevent an erosion of the protection this policy seeks to create, the Compliance Officer and/or the IT Manager shall conduct an audit no less than once per quarter during the first year following implementation to determine the continued effectiveness of, and adherence to, this policy.
After the first year, the Compliance Officer and/or the IT Manager shall conduct an audit no less than semi-annually. Each such audit shall include a network vulnerability scan and a report of all corrective actions taken to cure any serious vulnerabilities identified by that scan. In addition, an audit shall be conducted whenever a new computer network is installed, a breach of information security is detected, or other changed circumstances make such an audit appropriate.
CONCLUSION & ADOPTION
The procedures set forth in this Policy represent the minimum requirements under current applicable statutory and regulatory guidelines and wherever local regulations are stricter than the requirements set out in this Policy, the stricter standard shall be applied. This Policy will be reviewed at least annually.
This Protection of Customer Information Policy is adopted and made effective as of the date set forth below.
Nationwide Mortgage Bankers, Ltd.
Name & Title: Richard Steinberg, CEO