Since the passage of the Gramm-Leach-Bliley Act in 1999 and its ensuing regulations (“GLBA”), financial institutions have become well-versed in how to identify and safeguard protected personal information (“PPI”). Over the past two decades, those institutions have developed training, security and audit programs that garner customer trust and meet regulator satisfaction. With the onset of COVID-19 and the corresponding government mandates, the number of work-from-home or teleworking employees has dramatically increased. Roles traditionally performed and managed in-house are now, suddenly, performed from remote residences not designed for such activity. Financial institutions are now confronted with how to manage and oversee security concerns that their risk management programs likely did not envision. This article will examine the gap between those programs and the reality, and propose solutions to mitigate the new and higher risks to business.
Working remotely is hardly an original concept. But the option to work remotely has typically been viable only for a limited number of trusted industry professionals, such as loan officers and underwriters, or legal and compliance resources. Until recently, a significant percentage of a financial institution’s workforce, particularly those employees who require more managerial oversight, had no place to work other than the office. Institutions built their risk management programs around this set of facts, and those well-established controls became outdated almost overnight.
To date, regulators have provided little guidance on safeguarding PPI during this pandemic. Regulators themselves are likely struggling with work-from-home workforces. On May 8th, the Consumer Financial Protection Bureau (“CFPB”) posted a statement saying “While the Bureau is mindful of challenges faced by institutions, we will not hesitate to take public enforcement action when appropriate against companies or individuals that engage in unfair, deceptive, or abusive acts or practices, discriminate, or otherwise violate Federal consumer financial protection laws, in order to profit from the COVID-19 pandemic.” We can logically assume that PPI protection is still a vital legal and business concern, yet the CFPB is not offering any safe harbor to institutions. It is simply up to the financial institutions to quickly adopt new security control measures that meet state and federal regulatory standards. Implementing new controls not only helps ensure GLBA compliance, but also protects against all types of information theft or misuse, thereby protecting an institution’s trade secrets.
Companies are responding as best they can, and we are seeing a set of best practices coming into focus. Loosely divided into three groups – Information Technology, Policies, Procedures & Training, and Liability Insurance – some of the more prevalent steps are:
Information Technology
- Ensure the institution’s networks, Virtual Private Networks (“VPNs”) and other IT resources are in place to support the entire workforce. VPNs afford stronger security protections than the average personal wireless network.
- Ensure access to an entity’s systems is limited to authorized users only. Configure access carefully, use firewalls, and include additional authentication requirements such as two-factor authentication and/or robust password standards.
- Obtain and use only employer-owned hardware. Financial institutions may have to invest in new hardware, such as laptops and cell phones.
- Ensure all hardware includes current security software. Institutions also may have to invest in more technical resources to deploy anti-virus updates, patches, etc.
- Limit the types of remote connections used by employees, and prohibit working from public sites, like coffee shops.
- Invest in data loss prevention software.
- Make sure information is encrypted before it is transmitted.
Policies, Procedures & Training
- Review and revise all policies and procedures relevant to roles that access PPI to account for the new remote working environment. For example, desktop work procedures should include prohibitions on printing PPI remotely.
- Train managers on the new procedures, including ways to effectively manage remote teams.
- Consult with legal counsel experienced with GLBA to determine and mitigate new data privacy legal considerations.
- Consult with legal counsel with employment law expertise to review monitoring policies to avoid or limit discrimination claims.
- Train teleworkers on new security awareness issues, e.g., adopting their own “clean desk” or privacy measures. Those include common sense ideas: lock doors to the residence when not in use, lock screens when away from the desk, and never print.
- Ban flash drives and similar external storage devices.
- Avoid use of speaker phones, and beware of “smart speakers” such as Alexa or home surveillance tools like Ring.
- Remind employees that applicable confidentiality policies are still in place. Educate employees about improving their online and work-from-home habits.
- Consider implementing or enhancing a teleworker policy and corresponding agreement with the employees. Work with legal counsel and ensure the agreement:
  - Sets expectations of possible home office audits, perhaps via Zoom, FaceTime, or written questions.
  - States that the employer may discontinue the arrangement at any time, with or without advance notice, in the employer’s sole discretion.
  - Considers who will be providing the equipment, preferably the employer. If it is the employer, then specify that the property is the employer’s and is to be used only for business purposes.
  - Sets forth expectations regarding coming to the office on occasion and maintaining a high level of performance.
  - Requires the employee to take reasonable steps to protect the company’s confidential and proprietary information.
Liability Insurance
- Consult with insurance brokers and review liability coverages to counter higher information security risks. The application process alone can serve as a mini risk assessment.
- Discuss cyber exposure and obtain adequate cyber liability coverage.
- Review employment practices liability insurance coverages to address the scenario of an employer having to furlough or terminate employees who cannot adequately meet the employer’s work-from-home standards.
- Consider wage and hour insurance. For companies with a business surge, employers must be sure to compensate lawfully, including overtime wages. With all employees working remotely, increased disputes may arise over hours actually worked.
- Examine workers’ compensation insurance, as the employer no longer has direct control over the work environment. Employers may face novel legal challenges due to employee accidents or injuries in a home office.
Unquestionably, the current pandemic has significantly changed the work environment from office to home, but the PPI risks remain. These risks are further complicated now that employers allow ALL employees, including those hired with the intent of being supervised daily, to work remotely. As we stand today, it is difficult to say when things will return to “normal.” The suggestions put forth above require a significant amount of effort, but in light of the risk, the measures have merit.
This article was originally published in the July issue of Mortgage Banker magazine.
Michael Wade is a partner in Newbold Advisors, LLC, Clearwater, Florida. Michael has more than 30 years of mortgage industry experience serving in senior management positions in loss mitigation, origination underwriting, repurchase management, operational risk management, credit policy, and counter-party risk. The author can be reached at firstname.lastname@example.org.