While working from home is very common today and provides both the employer and the employee with many benefits, we need to make sure security protocols are put in place and followed. Identity theft is the largest financial crime in this country and a mortgage application provides everything an identity thief would need. With that being said, the following security measures need to be taken in home offices while working remotely.
- Physical Locks. The door to the home office needs to have a keyed lock. This door is to be locked during non-working hours (nights, weekends, etc.). No physical documents are allowed to be maintained in a home office. These documents contain sensitive borrower information including SSNs, DOBs, bank account numbers, and credit card numbers and must be secured in the company office.
- Electronic Locks. All computers, desktops or tablets that access the company network must be locked while not in use and password protected. In addition, any smartphones that access the company network, i.e. to check email, must also automatically lock when not in use and be password protected.
- Security Software. Any electronic devices that connect to the company network must have the most up-to-date Anti-Virus software. This includes desktops, laptops, tablets, and cellphones.
Management reserves the right to come to the home office and check to ensure that these security measures are in place. Any employee found to have not instituted these security measures or found to be not following the security protocols will be terminated.
Internet & Data Security
Employees may have access to confidential information contained in the company’s customer database. This information belongs to US Mortgage Lenders LLC and may not be shared with anyone. We require that the consumer sign a Consumer Privacy Notice, whether or not an application is taken.
All loan originators, processors and other staff members referencing file documents from former customers for the purposes of evaluating and processing an application shall adhere to the policies set forth regarding use and re-use of consumer information and information-sharing. For direct marketing to prior customers, the consumer may be unaware of what information, and the extent of information, that has been made available to the company representative, who may be a different loan originator. In these cases, caution must be exercised to assure the borrower that access to their information was duly authorized and in compliance with privacy regulations.
Email is a critical mechanism for business communications. Nevertheless, we live in a world that requires security to protect us, both in physical and in electronic forms. Thousands of people attempt to obtain your digital footprint, and our clients’ digital footprint, every single day. It’s imperative that we don’t allow this to happen; and by following some simple steps, we can minimize the chances of clients’ data falling into the wrong hands.
Phishing is the attempt to acquire sensitive information such as usernames, passwords and credit card details by masquerading as a trustworthy entity in an electronic communication. Communications purporting to be from popular social web sites, auction sites, banks, online payment processors or IT administrators are commonly used to lure the unsuspecting public. Phishing emails may contain links to websites that are infected with malware. Phishing is typically carried out by email or instant messaging, and it often directs users to enter details into a fake website, whose look and feel are almost identical to the legitimate one. If you come across an email or instant message that you are unsure of, DO NOT OPEN & DO NOT CLICK ON HYPERLINKS. Do not forward the email either, as it could contain malware; have your manager review the email to make a determination if it’s legitimate or a phishing attempt. Remember that phishing can extend to social media, so be vigilant on Facebook and LinkedIn as well.
Spyware is software that enables a user to obtain covert information about another’s computer activities by transmitting data covertly from their hard drive. Spyware is mostly classified into four types: system monitors, trojans, adware and tracking cookies. While the term “spyware” suggests software that monitors a user’s computing, the functions of spyware can extend beyond simple monitoring. Spyware can collect almost any type of data, including personal information like internet surfing habits, user logins, and bank or credit account information. Spyware can also interfere with user control of a computer by installing additional software or redirecting web browsers. Some spyware can change computer settings which can result in slow internet connection speeds, unauthorized changes in browser settings, or changes to software settings. To combat the threat that spyware poses, our network and any connected devices must be protected by anti-virus and anti-spyware software. We’ve chosen Norton Security as our system.
A general policy for safeguarding consumer information is to mark all emails and correspondence with “Confidential.” For purposes of this policy, confidential information includes, but is not limited to:
- Information regarding personnel who are currently or formerly employed by the company
- Procedures for computer access and passwords of US Mortgage Lenders LLC employees and system
- Any information pertaining to mortgage borrowers who have closed loans with the company.
- Any information regarding mortgage applicants whose loans were closed for being incomplete, withdrawn, denied or counter-offer not
- Prospect information concerning potential customers of the
- Any other information relating to the company’s research, marketing, operations, investors, warehouse lenders and secondary marketing
US Mortgage Lenders LLC provides every employee with electronic access to all employees that handle loan origination, closing and post-closing information. Personnel are assigned an email address, a network connection and internet access. This policy governs all use of the company’s network, internet access, and email system at all company locations and offices. This policy includes, but is not limited to, electronic mail, chat rooms, the internet, news groups, electronic bulletin boards, the company’s VPM/intranet and all other company electronic messaging systems. This policy governs the information security for all documentation utilized by the company and its affiliates, whether the communication is made by telephone, mail, facsimile, courier or any electronic system.
Network and Internet Policy
Network configurations enable loan processors, originators, closing coordinators and administrative staff to access certain files. All rules and policies with respect to consumer information apply to files accessed among network users. Safeguarding confidential information involves local area network (LAN) and wide area network (WAN) configurations. US Mortgage Lenders LLC requires that all users having access to networked information comply with the safeguarding of confidential information. In addition, we reserve the right to suspend access at any time, without notice, for technical reasons, suspected policy violations, or other security concerns.
All computers and laptops must have an internet security program installed prior to connecting to US Mortgage Lenders’ network. If employees wish to check their email on handheld devices, they need to show proof to management that Norton Mobile Security or a comparable security program has been installed, before network access will be permitted. All devices used to check email or utilize company servers must be password-protected.
Monitoring and Confidentiality
The email systems and services used at US Mortgage Lenders LLC are owned by the company, are its property and are intended for business purposes only. When using our computers, electronic equipment and the company’s email system (whether to send, receive, store, or delete e-mails), employees have no right to privacy, and shall not expect privacy. The company reserves the right to review, monitor and disclose any and all email traffic passing through its system.
US Mortgage Lenders LLC also specifically reserves the right to monitor electronic messages and email sent or received with personal, password-protected, web-based email accounts when company computers and other electronic equipment are used, or when employees send or receive electronic messages and e-mail accessing the company’s servers remotely using any personal computer, smartphone or similar electronic device.
This monitoring may include, but is not limited to, review by our attorneys during the e-mail discovery phase of litigation, observation by management in cases of suspected abuse or to monitor employee efficiency. US Mortgage Lenders LLC further reserves the right to forensically retrieve such electronic messages which have been deleted from a company computer or other electronic equipment.
Use extreme caution when communicating confidential or sensitive information via e-mail. Keep in mind that all email messages sent from the company become the property of the receiver. Demonstrate particular care when using the “Reply” or “Reply to all” command during email correspondence, to ensure the resulting message is not delivered to unintended recipients. Federal regulations require that when sending confidential, sensitive or private information, including but not limited to DOBs, SSNs, bank statements, pay stubs, tax returns, consumer credit or account numbers, etc., the email must be either (A) encrypted; or (B) password-protected. If using password protection for an email, the password must be sent to the recipient in a separate email; you must not include the password in the original.
Authorized Use of Software
US Mortgage Lenders LLC purchases, leases or maintains site licenses for computer software applications from a variety of commercial manufacturers. To ensure compliance with software license agreements, the company’s security policy, and to prevent identity theft resulting from shared, copied or unauthorized downloading of software programs, applications and data, all employees must adhere to the following:
- Software must be used in accordance with the manufacturer’s license Employees acknowledge that they do not own the Loan Origination System (LOS), Desktop Originator, Loan Prospector, or other mortgage pre-qualification programs used in connection or as an adjunct to the firm’s LOS system that are supplied by the company.
- Employees may not make additional copies of any software, unless expressly authorized by the company and software publisher.
- Any employee who knowingly makes, acquires or uses unauthorized copies of computer software licensed to the company, or who places or uses unauthorized software on the company premises or equipment shall be subject to disciplinary action or
- Employees must obtain permission from the Security Officer prior to installing personal software onto the company’s computer system. Employees are not permitted to copy software from the company’s computer system for installation on home or other computers without prior
- In cases that require an employee to use software at home, the company will purchase an additional copy or license. Employee acknowledges that any additional copies or licenses purchased for home use are the property of the Employees who are required to use software at home should consult with the Security Officer to determine if appropriate licenses allow for home use.
- Employees who suspect or become aware of software misuse by any employee are required to notify the Security Officer in confidence.
Administrative Access Control
The Security Officer shall maintain confidential passwords and access codes for technology on a corporate-wide level. The company president and key personnel shall have copies of access code information. Changes in personnel, termination, extended leave, etc. shall warrant changes in passwords or other access codes. All changes must be documented by memorandum, and placed as an addendum to this policy manual.
It’s important to remember that physical data, i.e. paper, needs protection just as digital data does. Employees are expected to keep sensitive and private data secure at all times. After the retention periods have been met and physical data needs to be destroyed, it must be done on site. This means that all shredding, whether done in-house or by an outside party, must be done at our main office; documents may not be sent out or picked up to be destroyed offsite. This includes credit reports, mortgage applications, financial statements, tax returns, paystubs, W-2s and any other income or asset documentation. Any lost or misplaced confidential documents must be reported to management immediately.
General Expectations of End Users
Email users are responsible for mailbox management, including organization and cleaning. If a user subscribes to a mailing list, he or she must be aware of how to unsubscribe from the list, and is responsible for doing so in the event that their current email address changes. US Mortgage Lenders LLC email users are responsible for honoring any requests for “do-not-send” or “opt-out” from e-mail recipients. Email users are expected to remember that email sent from the company’s accounts reflects on the company. Please comply with normal standards of professional and personal courtesy and conduct.
Email use at US Mortgage Lenders LLC must comply with all applicable laws, all company policies and all company contracts. Email users should have no expectation of privacy in any emails sent or received, saved or deleted, regarding any matter over the company email system or while using company computers.
The following activities are deemed inappropriate uses of the company’s email systems and services, and are strictly prohibited:
- Use of email for illegal or unlawful purposes, including: copyright infringement, obscenity, libel, slander, fraud, defamation, plagiarism, harassment, intimidation, threats, forgery, impersonation, soliciting for illegal pyramid schemes or computer tampering (e.g. spreading of computer viruses).
- Use of email for inappropriate content, either embedded within a message or within a link, including but not limited to: sexual, pornographic, racist or other offensive materials.
- Forwarding any business-related email to an external, personal or other email account. This includes misappropriation of confidential and proprietary company information, and/or trade secrets.
- Sending or forwarding messages containing borrower consumer credit, confidential information or account numbers without using proper encryption.
- Sending or forwarding messages that disclose information without company authorization. This shall include accessing, transmitting, receiving or seeking confidential information about borrowers or mortgage transactions without authorization.
- Use of email in any way that violates US Mortgage Lenders LLC policies, rules or federal regulations.
- Use of company email systems and services for mass mailings, distribution or marketing of any type without prior management approval.
- Viewing, copying, altering or deleting email accounts or files belonging to US Mortgage Lenders, or another individual, without authorized permission.
- Opening email attachments from unknown or unsigned sources. Attachments are the primary source of computer viruses, and should be treated with extreme caution.
- Sharing email account passwords with another person, or attempting to obtain another person’s email account password. Email accounts are only to be used by the registered user.
- US Mortgage Lenders LLC prohibits personal use of its e-mail systems and services for unsolicited mass mailings, non-company commercial activity, political campaigning, dissemination of chain letters and use by non-employees, and for any use prohibited in this policy. Please note that personal emails will be considered the same as personal Users should not use company email to send messages that the user wishes to remain private.
Users are responsible for saving all email communications in conjunction with loan production, applicant, client, customer and borrower communications. All aforementioned communications shall be kept for a period of twenty-four months.
Failure to Comply
US Mortgage Lenders LLC assumes no liability for direct or indirect damages arising from the use of the company’s email system and services. Users are solely responsible for the content they disseminate.
Violations of this policy will be treated like other allegations of wrongdoing at US Mortgage Lenders. Allegations of misconduct will be investigated according to established procedures. Consequences for inappropriate use of the company’s email systems and services may include, but are not limited to, one or more of the following:
- Temporary or permanent revocation of e-mail access;
- Probationary action according to applicable policies;
- Termination of employment; and/or
- Legal action according to applicable laws and contractual
Incident Response and Preparedness
US Mortgage Lenders LLC must respond to information security incidents to ensure the protection of confidential consumer information. The federal Anti-Cybersquatting Consumer Protection Act (ACCPA) allows the company to initiate immediate action in federal district court under section 43(d) of the Lanham Act, 15 USC 1125(d). The following resources can be used to disable a spoofed website, recover customer information and mitigate other types of security threats:
- A complaint can be filed with the Internet Fraud Complaint Center, a partnership of the FBI and the National White Collar Crime Center at: http://www.ifccfbi.gov/
- The Uniform Domain Name Dispute Resolution Process (UDRP) resolves disputes for names or trademarks that have been illegally infringed The company is to take action against domain name registrars to stop a spoofing incident. Information is explained at: http://www.icann.org/udrp/udrp-policy
- Digital Phishnet is a joint initiative of industry and law enforcement designed to support apprehension of perpetrators of phishing-related crimes, including spoofing. The FTC, FBI, Secret Service and other electronic crimes task forces assist financial institutions in identifying persons involved in phishing-type crimes. http://www.digitalphishnet.com/