The Federal Trade Commission (FTC), Consumer Financial Protection Bureau (CFPB) and other agencies are pressuring lenders and their service providers to beef up efforts to protect sensitive data. However, crafting and implementing a data security plan may seem like a daunting task, especially for smaller service providers.
Data security was the topic of a June 12 session at the 2013 National Settlement Services Summit in Cleveland. Paul Schwartz, a law professor at Berkeley Law School and director of the Berkeley Center for Law and Technology, urged service providers to embrace a higher standard of data security best practices. He also suggested five things service providers can do to enhance their data security:
- Map data flows and assess the company’s risk profile;
- Develop and post privacy and security policies;
- Educate the company’s workforce;
- Secure the company’s data flows; and
- Develop an incident response plan.
Schwartz said enhanced data security standards can help a company distinguish itself from its competitors.
“It’s a way of making your lenders happy,” Schwartz said. “You should be getting prepared if you have to face regulators and lender banks if they knock at your door.”
But how robust do companies’ data security measures need to be?
Jon Miller Steiger, director of the FTC’s East Central Region, said his agency doesn’t expect small companies to employ the same data security standards and technologies as the big guys.
“The message that I would reinforce is: don’t let the perfect be the enemy of the good,” Steiger said. “You don’t need to have everything locked up tight. And certainly we take into account how big the company is [and] what kind of information they’re dealing with when we’re looking at an incident.
“You need to be sure that you have that written policy. You need to be sure that your employees know about the written policy,” Steiger continued.
The data security cases the FTC has pursued recently have involved flagrant violations. For instance, he said the agency just settled a case involving a payday lender that was disposing of loan applications in the dumpster behind the store.
“Don’t be that company,” Steiger said.
Audience members asked about the resources that are available to companies seeking to develop their own data security plans. Steiger noted that his agency has a special website, business.ftc.gov, dedicated to helping companies meet their FTC compliance obligations. The website includes materials on data security that businesses can download. Materials can also be bulk ordered from the FTC free of charge.
Chris Gulotta, founder of Real Estate Data Shield, a company that offers a suite of products designed to help real estate settlement services providers understand and meet their data security obligations, said the FTC’s materials are extremely helpful. He also noted that his company developed a compliance management platform that includes guidelines and policy templates that businesses can use as a starting point for their own data security policies.
Gulotta also suggested that companies would be well served to review the FTC’s recent investigations.
“Look at the questions they asked. Look at the findings,” Gulotta said. “Look at what they look for because, more than anything we say, what they find in their decisions tells you where they’re going and what they look for and what we should be doing.”