If you are a mortgage broker or mortgage originator doing business in Massachusetts, you should understand how MGL 93H and Regulation 201 CMR 17 affect the way you handle personal information and run your business in the future. As of March 1, 2010, licensed mortgage brokers are responsible for the safety and security of all personal information of residents of Massachusetts that is collected, processed or retained by you or your staff. Your mortgage business should have a written plan, known as a WISP ("Written Information Security Plan"), in place and followed, not only to protect the safety and security of your customers' personal information, but also to protect your business. Below is a checklist to help you get organized and develop the plan you will need to stick to.
The Commonwealth of Massachusetts enacted MGL 93H which defines security breaches and regulations for the protection of the privacy of any resident of the Commonwealth of Massachusetts. Regulation 201 CMR 17.00 implements the provisions of the law and describes what you need to put in place to comply.
What does 201 CMR 17 mean for my mortgage business?
201 CMR 17.00 establishes the minimum standards for the protection of personal information of any resident of Massachusetts. It doesn't matter whether this personal information is stored in a filing cabinet, in a desk drawer, or in a database on your network: you are responsible for its safety and security as outlined in 201 CMR 17. Massachusetts, like many states, is responding to the growth of identity theft and places responsibility on companies (such as a mortgage broker) to follow a set of requirements in order to effectively protect personal data from those who might use it inappropriately or illegally. As a mortgage broker, these regulations affect the way you do business and who you do business with. If your originators, processing staff, or even other people who may be involved in a loan transaction, such as a lawyer, real estate agent, or credit bureau, have access to or store personal information on your borrowers or prospects (who reside in Massachusetts), such as their name, as well as:
- Social Security number
- Credit Card Number
- Driver's license information
- Other identifying information issued by the State
then these regulations will affect them as well, and you are responsible for taking measures to comply with them and to control the collection, storage, management and distribution of this personal information. This means that you need to protect yourself and your business and only share personal data with companies that you verify are 201 CMR 17 compliant.
This regulation does not concern only customers. If you are located in the Commonwealth of Massachusetts and you have employees who reside in Massachusetts, and you keep job applications, a copy of a driver's license, a personnel file or pay information relating to them, 201 CMR 17 applies to you and you must comply.
So what steps do I need to take to be in compliance?
The key to 201 CMR 17.00 is the development, implementation, maintenance and monitoring of a comprehensive Written Information Security Plan (WISP). This WISP is intended to cover the processing and storage of all records containing personal information. In addition to creating and maintaining a WISP, you will need to identify the components of the program. This includes:
- Designate one or more employees to manage the WISP.
- Identify and assess reasonably foreseeable internal and external risks to the security and privacy of any personal information you handle or store.
- Develop security policies and procedures for employees and the handling of personal information.
- Limit the amount of personal information collected to what is necessary to complete the transaction.
- Identify all areas, storage, and devices used to store personal information and develop a plan for their security.
201 CMR 17.00 goes further and sets IT system security requirements. The Commonwealth of Massachusetts has set technology requirements that must be met in order to be compliant. These requirements should be discussed with an IT professional. They impact not only your server, but also desktops, laptops, network scanners, and copiers. Things to discuss include:
- Secure user authentication protocols.
- Secure access control measures such as restricting access to records and managing passwords and users.
- Encrypt data during transmission as well as all data on mobile devices such as laptops and PDAs.
- Make sure there are current versions of security software such as antivirus on systems.
- Train employees on information security
Much of the publicity regarding the theft of personal information has been linked to laptops by the media. Personal information can be compromised and stolen while being stored on computers or transmitted electronically, but this critical data can also be stolen while sitting on a desk or in an unlocked filing cabinet in paper form as well. Even how you dispose of this information is important to consider, because you are responsible for even what you throw in the dumpster. Shredding and a disposal service are key parts of any successful mortgage company WISP. The goal of MA MGL 93H and 201 CMR 17.00 is to change the way a business views personal information and the important steps that must be taken for its proper collection, use, storage, transportation and destruction.
Securing personal information protects not only your customers but also your business against fines and lawsuits. Make sure you are in compliance with 201 CMR 17, and develop and implement a mortgage company WISP now.