In 1999, Congress passed the Gramm-Leach-Bliley Act, which required all mortgage brokers (as well as other "financial institutions") to do three things: (1) they had to securely store the private information that they received from their customers; (2) they had to provide notice to their customers that described their policies about sharing individuals' personal information with third parties; and (3) they had to provide a mechanism (an "opt-out") by which the customer could restrict the mortgage broker from sharing his personal data. The size of the company did not matter. Even a tiny mortgage broker was subject to compliance with this law.
So, you started sending out privacy notices with the Good Faith Estimates and thought you were done complying with the Gramm-Leach-Bliley Act. But those privacy notices were only the first of two regulatory schemes that the Federal Trade Commission was required to implement. The next set of regulations has been issued and is effective on May 23, 2003.
How do you comply with the Safeguard Rule? You must develop, implement and maintain a written security program to safeguard your applicants' personal information. Here's what you need to do:
- Assign one person to be in charge of the information safeguard program in your company.
- Identify foreseeable risks to the security and confidentiality of applicants' private information to prevent the misuse, theft or disclosure of that information.
- Assess the safeguards you have already implemented to control the risks to security. Look at your company's employee training, storage of information, destruction of information, prevention of hacking into your computers and system failures.
- Design and implement information safeguards to limit the risks you have identified in all areas of your operations.
- Test your safeguards to ensure that they work properly.
- Use only those suppliers that also maintain proper safeguards for your customers' private information.
- Put all of the safeguards you have implemented into a written plan.
The plan does not have to be complex, especially if you are a small company. The requirements are a little bit flexible.
Compliance with the Safeguard Rule isn't only the law. It's good business sense. Identity theft is a huge problem and growing larger every day. Consumers will only want to deal with those companies that can promise that their confidential personal information will be kept safe.