An Internet Management & IT Infrastructure
Research Consulting Firm
A Chicago Based Consulting Firm
Mortgage Company Concerns
The Challenges ahead
Critical Examination of FTC (SR) Enforcement
In the Matter of Superior Mortgage Corp.,
The Risk Assessment Issue
Revised: 5:57 PM 1/4/07
(Part I) (The Document)
What we can Learn
from the FTC's (2005) Action against Superior Mortgage Corp.
(to assess compliance with the GLBA's Safeguards Rule)
To examine the FTC's first cases enforcing the Safeguards Rule.
GLBA = Gramm-Leach-Bliley Act (of 1999)
SR = Safeguards Rule (a component of GLBA [TITLE 5 Sec. 501(b)])
FTC = Federal Trade Commission (Governmental Enforcement Agency)
Company Charged: Superior Mortgage Corp.
Time Period: September 2005
(Part II) (The Issues/Complaints)
Reason for Non-Compliance and Administrative Action:
"FTC Alleges Customer Data Was Not Secure"
"The FTC complaint alleges that Superior violated
the Safeguards Rule because it:"
"Failed to assess risks to its customer information until more than a year after the Safeguards Rule took effect;"
Under the GLBA's SR, certain types of Companies
(such as Mortgage Companies) should:
a.) "assess" the risks to sensitive customer information and
b.) implement safeguards to control these risks.
Comments:
(The "Time Frame" Issue)
Focusing on the above statement, the very "sticky" part is the "Risk Assessment" time-frame issue: "more than a year".
In this case the very strong "implication" set forth in the FTC statement is that the Risk Assessment had to have been done at some "earlier" point in time (less than one year or so) after the GLBA SR took effect.
(Done or Not Done in a "Timely Manner")
The implication is also that Superior Mortgage Corp. had, at the time of the FTC Action, a proper "Risk Assessment" in place (note the word "until" in "until more than a year") but did not put it in place in a timely manner.
Certainly any Company (which is covered by the SR) that presently has no "Risk Assessment" in place is "obviously" in violation of the SR, but what is troubling is the implication that any Company that did not have it in place at a "particular" point in the past (12 to 15 months or so after the implementation of the SR) may presently be (and most likely is) in violation of the SR even if it has one fully and correctly implemented now.
In other words, the implication of the language is that if any "included" Company did not have a viable "Risk Assessment" in place at some "determined" point in the past, it can "potentially" have FTC Action taken against it even if it is "presently" 100% in compliance with the GLBA SR.
This is obviously very problematic in that, "theoretically", a non-compliant company (by late action) can never become "Truly Compliant" if past non-compliance equates to automatic and perpetually sustained future non-compliance.
*****************************************************
On balance it is the opinion of the author that the FTC has been exceptionally fair, balanced and even-handed in these first cases on almost every point, but we as citizens must remain watchful and our Government Agencies must remain open to improvements and corrections to better serve the greater public good.
*****************************************************
(Part III) (SR in part)
The Safeguards Rule:
Implements the security requirements of the GLB Act and
requires financial institutions to have reasonable policies and procedures to ensure the security and confidentiality of customer information.
The Rule requires financial institutions to implement a written information security program
that is appropriate to the company's size and complexity,
the nature and scope of its activities,
and the sensitivity of the customer information it handles.
As part of its program, each financial institution must also:
(1) assign one or more employees to oversee the program;
(2) conduct a risk assessment; ****
(3) put safeguards in place to control the risks identified in the assessment and
regularly test and monitor them;
(4) require service providers, by written contract, to protect customers'
personal information; and
(5) periodically update its security program.
Example of Companies covered:
* Payday Lenders,
* Check-Cashing Businesses,
* Professional Tax Preparers,
* Auto Dealers (engaged in financing or leasing),
* Electronic Funds Transfer Networks,
* Mortgage Brokers,
* Credit Counselors,
* Real Estate Settlement Companies, and
* Retailers (that issue credit cards to consumers).
Information from:
http://www.ftc.gov/opa/2005/09/superior.htm
Next Issue to be placed under Examination:
Non-Encrypted Email ****
(Transfer of Customer's Sensitive Data)