Data Security & Privacy Breaches: What Mortgage Brokers Need to Know!
February 20, 2020
Mortgage brokers are among the most valued members of the financial services industry. That’s good news. The bad news is that cybercriminals target the financial services industry more than any other. Why? You either have the type of personal information that fraudsters crave, or you represent a doorway to it. A breach is all but inevitable; it’s just a matter of how soon it happens. In 2019, 88% of Canadian businesses experienced at least one cyber attack, collectively impacting 75% of the population.
The Top Three Sources of Risk:
Mortgage brokers are prime targets for cybercriminals due to the sensitive nature of your client data. Financial information is both proprietary and privileged, which makes it especially valuable for identity theft.
Mortgage brokers can also serve as a conduit to larger institutional lenders, credit agencies, and more. Even the most sophisticated financial institutions, like Equifax, are vulnerable to cybercriminals. Unfortunately, the very public cyber breaches of global firms show that even their extensive security measures are often not enough. Regardless, the smaller firm can represent an easier point of entry for attack.
A 2020 US-based study conducted by Secure Insight found:
The typical mortgage brokerage has a fast-paced, entrepreneurial culture. While this environment is conducive to sales, it poses a threat to data security.
Why? To close a deal quickly, your employees and subcontractors may bypass security rules. This includes actions like using a personal email to send private client information, or improperly accessing data that resides with your cloud services provider, either of which puts you at risk of a data breach.
Many entrepreneurs falsely believe that doing business with a major cloud service provider such as Amazon or Apple, or even a credit agency like Equifax, absolves them from privacy breach liability.
Unfortunately, the Equifaxes and Amazons of the world have ironclad contracts that say that the business owner is responsible for their own data, even if the cloud or the agency is the one experiencing the breach. And we’ve seen that even the most secure organizations are not immune to a cyber attack.
You are legally obligated to protect your clients’ data every step of the way, including when it’s in the cloud or when you are running a credit check.
What Are The Consequences?
Any Canadian private-sector organization that collects, uses or discloses personal information must conform to the Digital Privacy Act. Organizations must notify the Privacy Commissioner and affected individuals any time a breach occurs.
Then, the Privacy Commissioner will determine whether the organization had “reasonable safeguards” in place, took “reasonable measures” to investigate the breach, and notified clients in “a reasonable amount of time”.
And how does the Privacy Commissioner define “reasonable”? Well, that’s up to interpretation. And yet, despite the unclear compliance requirements, an organization could be fined up to $100,000 per violation and, even scarier, directors may be held personally liable.
Don’t forget the cost of the investigation, the interruption of your business, the client notification fees, legal defense costs and more.
What Can You Do?
The reality is: you’re not going to stop using the cloud, or third-party agencies, or sub-contractors, because of all of the associated productivity benefits. And even if you implement state-of-the-art security measures, it’ll be an arms-race between you and the fraudsters.
So how can you balance working in a digital world, where you are legally obliged to safeguard your client data, knowing there is no true way of ensuring that you will never have a breach?
Easy. By preparing for it. Data Security and Privacy Breach Insurance is relatively inexpensive and offers many benefits. In addition to funds to cover your legal liability, you also get access to a legal breach coach, a consulting team to assist with public relations, IT network forensic specialists, funds to cover client notification costs, and more.
PROLINK’s blog posts are general in nature. They do not take into account your personal objectives or financial situation and are not a substitute for professional advice. The specific terms of your policy will always apply. We bear no responsibility for the accuracy, legality, or timeliness of any external content.