In 1999, Congress passed the Gramm-Leach-Bliley Act, which required all mortgage brokers and lenders (as well as other “financial institutions”) to do three things: (1) they had to securely store the private information that they received from their customers; (2) they had to provide notice to their customers that described their policies about sharing individuals’ personal information with third parties; and (3) they had to provide a mechanism (an “opt-out”) by which the customer could restrict the mortgage broker/lender from sharing his personal data. The size of the company did not matter. Even a tiny company was subject to compliance with this law.
So, you started sending out privacy notices with the Good Faith Estimates and thought you were done with compliance with the Gramm-Leach-Bliley Act. But those privacy notices were only the first of two regulatory schemes that the Federal Trade Commission was required to implement. The next set of regulations, the Safeguards Rule, became effective on May 23, 2003.
How do you comply with the Safeguards Rule? You must develop, implement, and maintain a written security program to safeguard your applicants’ personal information. Here’s what you need to do:
Assign one person to be in charge of the information safeguard program in your company.
Identify foreseeable risks to the security and confidentiality of applicants’ private information in order to prevent the misuse, theft or disclosure of that information.
Assess the safeguards you have already implemented to control the risks to security. Look at your company’s employee training, storage of information, destruction of information, prevention of hacking into your computers and system failures.
Design and implement information safeguards to limit the risks you have identified in all areas of your operations.
Test your safeguards to ensure that they work properly.
Use only those suppliers that also maintain proper safeguards for your customers’ private information.
Put all of the safeguards you have implemented into a written plan and review the plan periodically.
The plan does not have to be complex, especially if you are a small company. The requirements are a little bit flexible.
Compliance with the Safeguards Rule isn’t only the law. It’s good business sense. Identity theft is a huge problem and growing larger every day. Consumers will want to deal only with those companies who can promise that their confidential personal information will be kept safe.