Transmission Of Background Check Information: Are You ISO Compliant?

I received a call yesterday from a Client I had helped in the past with respect to the handling of the transmission of Background Check Information to their Client(s) whom require possession of such. This unique situation is one of the latest issues we have been Consulting upon to ensure Companies do not run afoul of the plethora of State and Federal Laws pertaining to Sensitive Data and the Electronic Transmission of such.

Here’s the facts: Unless you are a Financial Institution, you cannot afford to be unaware of the veritable tsunami of Regulation coming in January. You need to get your Firm into Compliance TODAY or you will not be around tomorrow! The obvious reality is that when your colleagues have a question, where do they go first? That’s right. They pick up the phone and call Foreclosurepedia.

Data privacy is not highly legislated or regulated in the U.S.. In the United States, access to private data contained in for example third-party credit reports may be sought when seeking employment or medical care, or making automobile, housing, or other purchases on credit terms. Although partial regulations exist, there is no all-encompassing law regulating the acquisition, storage, or use of personal data in the U.S. In general terms, in the U.S., whoever can be troubled to key in the data, is deemed to own the right to store and use it, even if the data were collected without permission. For instance the Health Insurance Portability and Accountability Act of 1996 (HIPAA), the Children’s Online Privacy Protection Act of 1998 (COPPA), and the Fair and Accurate Credit Transactions Act of 2003 (FACTA), are all examples of U.S. federal laws with provisions which tend to favor information flow efficiencies and operational profits over the rights of individuals to control their own personal data.

The Supreme Court interpreted the Constitution to grant a right of privacy to individuals in Griswold v. Connecticut. Very few states, however, recognize an individual’s right to privacy, a notable exception being California. An inalienable right to privacy is enshrined in the California Constitution‘s article 1, section 1, and the California legislature has enacted several pieces of legislation aimed at protecting this right. The California Online Privacy Protection Act (OPPA) of 2003 requires operators of commercial web sites or online services that collect personal information on California residents through a web site to conspicuously post a privacy policy on the site and to comply with its policy.

The safe harbor arrangement was developed by the United States Department of Commerce in order to provide a means for U.S. companies to demonstrate compliance with European Commission directives and thus to simplify relations between them and European businesses.

HIPAA

The Health Insurance Portability and Accountability Act (HIPAA) was enacted by the U.S. Congress in 1996. HIPAA is also known as the Kennedy-Kassebaum Health Insurance Portability and Accountability Act (HIPAA-Public Law 104-191), effective August 21, 1996. The basic idea of HIPAA is that an individual who is a subject of individually identifiable health information should have:

  • Established procedures for the exercise of individual health information privacy rights.
  • The use and disclosure of individual health information should be authorized or required.

One difficulty with HIPAA is that there must be a mechanism to authenticate the patient who demands access to his/her data. As a result, medical facilities have begun to ask for Social Security Numbers from patients, thus arguably decreasing privacy by simplifying the act of correlating health records with other records. The issue of consent is problematic under HIPAA, because the medical providers simply make care contingent upon agreeing to the privacy standards in practice.

FCRA

The Fair Credit Reporting Act applies the principles of the Code of Fair Information Practice to credit reporting agencies. The FCRA allows individuals to opt out of unwanted credit offers:

  • Equifax (888) 567-8688 Equifax Options, P.O. Box 740123 Atlanta GA 30374-0123.
  • Experian (800) 353-0809 or (888) 5OPTOUT P.O. Box 919, Allen, TX 75013
  • Trans Union (800) 680-7293 or (888) 5OPTOUT P.O Box 97328, Jackson, MS 39238.

Because of the Fair and Accurate Credit Transactions Act, each person can obtain a free annual credit report

The Fair Credit Reporting Act has been effective in preventing the proliferation of specious so-called private credit guides. Previously, private credit guides offered detailed, if unreliable, information on easily identifiable individuals. Before the Fair Credit Reporting Act salacious unsubstantiated material could be included, in fact gossip was widely included in credit reports. EPIC has a FCRA page. The Consumer Data Industry Association, which represents the consumer reporting industry, also has a Web site with FCRA information.

The Fair Credit Reporting Act provides consumers the ability to view, correct, contest, and limit the uses of credit reports. The FCRA also protects the credit agency from the charge of negligent release in the case of misrepresentation by the requester. Credit agencies must ask the requester the purpose of a requested information release, but need make no effort to verify the truth of the requester’s assertions. In fact, the courts have ruled that, “The Act clearly does not provide a remedy for an illicit or abusive use of information about consumers” (Henry v Forbes, 1976). It is widely believed that in order to avoid the FCRA, ChoicePoint was created by Equifax at which time the parent company copied all its records to its newly created subsidiary. ChoicePoint is not a credit reporting agency, and thus FCRA does not apply.

The Fair Debt Collection Practices Act similarly limits dissemination of information about a consumer’s financial transactions. It prevents creditors or their agents from disclosing the fact that an individual is in debt to a third party, although it allows creditors and their agents to attempt to obtain information about a debtor’s location. It limits the actions of those seeking payment of a debt. For example, debt collection agencies are prohibited from harassment or contacting individuals at work. The Bankruptcy Abuse Prevention and Consumer Protection Act of 2005 (which actually gutted consumer protections, for example in case of bankruptcy resulting from medical cost) limited some of these controls on debtors.

ECPA

The Electronic Communications Privacy Act (ECPA) establishes criminal sanctions for interception of electronic communication. However, the loopholes are so large as to render the Act effectively meaningless. For example, consent can be implied to any reading of electronic communications by accepting employment with an organization that practices surveillance against its employees.

Computer Security, Privacy and Criminal Law

The following summarized some of the laws, regulations and directives related to the protection of information systems:

In the US additional statutes cover various types of private information. For example, the Family Educational Rights and Privacy Act (FERPA), enacted in 1974, requires parent or adult student consent to access student records for most purposes.

Several US federal agencies have privacy statutes that cover their collection and use of private information. These include the Census Bureau, the Internal Revenue Service, and the National Center for Education Statistics (under the Education Sciences Reform Act). In addition, the CIPSEA statute protects confidentiality of data collected by federal statistical agencies.

The issue that confronts the business owner, in attempting to comply with the Draconian demands from the Members of the National Association of Mortgage Field Services, is that while there may not be laws with specificity to what may be delivered electronically, there are laws which determine the liability of Party(s) whom breach common protocols.

White & Case have a pretty good Treatise on the International Aspects which are included in our ISTAR Subscription with other Documents in today’s discussion.

PrivacyRights.org has a good overview on the Privacy Act of 1974. This is really where the rubber hits the road.

When we think about data breaches, we often worry about malicious-minded computer hackers exploiting software flaws or perhaps Internet criminals seeking to enrich themselves at our expense. But the truth is more complicated than that.Hardly a day goes by without a news story about some company or government agency losing control over vast quantities of customer or client information. In fact, the Privacy Rights Clearinghouse reports that over half a billion personal records have been improperly exposed since 2005. www.privacyrights.org/ar/ChronDataBreaches.htm

So what is causing this massive, unauthorized release of personal records? In many cases, it’s “shortcomings in people, process and policy” as well as flaws in technology, according to one top security-industry official. www.appsecinc.com/news/pr/2006_12_14_100MILLION.shtml

Thus, a critical starting point for preventing future data breaches (and the identity theft that can follow) is developing ironclad policies and practices for handling personal information from within the workplace. In the past, security often was dealt with by trying to protect sensitive data from outside intrusion. However, that leaves far too much room for internal errors, carelessness, and wrongdoing by those who handle personal information.  Responsible data-handling practices begin with the development of workplace privacy policies and the implementation of regular training programs for employees.

The Federal Trade Commission offers a 20 minute interactive tutorial called “Protecting Personal Information: A Guide for Business” at http://www.ftc.gov/bcp/edu/multimedia/interactive/infosecurity/index.html. The tutorial explains why safeguarding sensitive data is good business and how to implement steps to protect personal information.

The Internal Revenue Service has a “Facility Security Survey Checklist” in Section 10.2.3.8 of the Internal Revenue Manual.  The checklist is available at http://www.irs.gov/irm/part10/irm_10-002-003.html#d0e248.

A Business Issue

The proliferation of office printers, copiers, fax machines, email, laptop computers, personal digital assistants (PDAs), smartphones, and portable storage devices has allowed for dissemination — accidental or intentional — of information in quantities never before imagined. Thus, the challenge for organizations is not just in keeping track of the ever-growing mountain of new information being produced each year, but also monitoring and managing the archives. Putting clear policies in place and effectively enforcing them are essential.

Privacy is increasingly becoming an important business issue. Nearly every state in the U.S. has enacted a data breach notification law.  These laws require businesses to notify consumers of breaches of security.  Many of these laws may impose additional obligations upon businesses.  Data breaches can cost companies millions of dollars per incident in direct costs, such as notifying victims.  In addition, the public relations fallout from a data breach can be significant. Corporate reputations  can suffer tremendously. Twenty percent of data-breach victims cut ties with institutions that compromised their privacy, according to one study by the Ponemon Institute.  www.ponemon.org

Furthermore, lawsuits against firms for negligent handling of personal information are becoming more common. Some states have passed laws allowing individuals to sue organizations that fail to safeguard their private data. Federal statutes and regulations also permit government agencies to sue organizations over data breaches and other failures.  Even if your organization prevails, litigation costs can be substantial.

Many employers are imposing new restrictions on who can take confidential records out of the office and are providing special training on how to keep data secure. Workers found violating security policies are being disciplined, or even dismissed. So whether or not a company is cracking down on computer security, employees should consider protecting themselves. Experts say it’s wise to check your company’s policy or urge such policies be adopted or clarified.

Companies using outside vendors to collect, store, process, transmit, or destroy their data should investigate their vendor’s privacy and security policies and practices, delineate the vendor’s specific obligations (rather than simply stating that the vendor will comply with all applicable laws), and perform privacy audits on vendors.

Using This Checklist

This checklist provides an overview of key points to consider when preparing information-handling policies and conducting privacy audits within your organization. The checklist can be used by private, public and not-for-profit organizations alike. Not all points will be relevant to your organization.

Some situations may require you to take more stringent steps than those listed here. For example, medical records may necessitate extraordinary steps.

The checklist is divided into two sections. Section I suggests issues to consider when drafting privacy principles to safeguard the personal information of your clients and customers. Section II concerns privacy policies affecting your employees, such as personnel records, electronic monitoring, and email.

Understand that this is not an issue you can address once and have solved forever. Threats will change, technology will change, and employees will change. So your plans and processes should change along with them. Updates are crucial.

No one is immune. While some companies have data collection as their core business, all firms collect information on their clients, customers, and employees. Don’t wait until a computer goes missing to think about what actions to take. Develop a complete checklist now.

Section I. DEVELOPING PRIVACY POLICIES TO GUIDE CUSTOMER / CLIENT RELATIONS

A. Organizational Policies

Does your organization have policies that outline its privacy practices and expectations for handling the personal information of its clients, customers, users, members and/or listees?

Are your organization’s privacy policies communicated regularly? Opportunities include in employees’ initial training sessions, in regular organization-wide training programs, in employee handbooks, on posters and posted signs, on company intranet and Internet Web sites, in brochures available to clients.

Are all employees who handle personal information included in the training programs, including temporary employees, back-up personnel, and contract staff?

Is your organization familiar with and has it adopted International Standards Organization (ISO) security standards, known as ISO 27001? www.iso.org  For a guide to ISO 27001, visit www.iso27001security.com/index.html . The Web site for the ISO 27001 User Group is www.17799.com . The progress of the 27000 standards is being tracked at the Web site of the ISO 27001 and ISO 27002 Directory: www.27000.org .

B. Privacy Principles

The major components of effective privacy policies are listed below, adapted from the fair information practices developed by the Organisation for Economic Cooperation and Development (OECD). www.oecd.org   Another useful compendium is the Canadian Privacy Code under the federal law, Personal Information Protection and Electronic Documents Act (PIPEDA).  http://laws-lois.justice.gc.ca/eng/acts/P-8.6/index.html  Although designed to guide the development of national privacy legislation, these principles are also appropriate for organizations.

Openness. A general practice of openness about practices and policies should exist. Means should be available to establish the existence and nature of personal information and the main purposes of its use.

Purpose specification. The purpose for collecting personal information should be specified at the time of collection. Further uses should be limited to those purposes.

Collection limitation. Personal information should be collected by lawful and fair means and with the knowledge and consent of the subject. To the greatest extent possible, companies should employ principles of data minimization, that is, collecting only data that is actually necessary to conduct their business, and collecting such information only for the stated purpose.

Use limitation. Personal information should not be disclosed for secondary purposes without the consent of the subject or by authority of law.

Individual participation. Individuals should be allowed to inspect and correct their personal information. Whenever possible, personal information should be collected directly from the individual.

Quality. Personal information should be accurate, complete and timely, and be relevant to the purposes for which it is to be used.

Security safeguards. Personal information should be protected by reasonable security safeguards against such risks as loss, unauthorized access, destruction, use, modification or disclosure. Access to personal information should be limited to only those within the organization with a specific need to see it.

Accountability. Someone within the organization, such as the chief privacy officer or an information manager, should be held accountable for complying with its privacy policy. Privacy audits to monitor organizational compliance should be conducted on a regular basis, as should employee training programs.

There are many variations of fair information principles (FIPs). For an overview of FIPs, read our guide, http://www.privacyrights.org/ar/fairinfo.htm See also Web site “seal” programs such as TRUSTe at www.truste.com, and BBB Accredited Business Seal at http://www.bbb.org/us/bbb-online-business/

C. Data and Network Security

Security of personally identifiable information—whether stored in electronic, paper or micro-graphic form—is covered in many websites, books, journals, trade magazines, and conferences. Only the major points are listed here. Several professional associations are listed in the Resources section at the end of this guide.

Do you have staff specifically assigned to data security?

Do staff members participate in regular training programs to keep abreast of technical and legal issues?

Have you developed a security breach response plan in the event that your company or organization experiences a data breach?

Have you developed security guidelines for laptops and other portable computing devices when transported off-site?

Is physical access restricted to computer operations and paper/micrographic files that contain personally identifiable information?

Do you have procedures to prevent former employees from gaining access to computers and paper files?

Are sensitive files segregated in secure areas/computer systems and available only to qualified persons?

Are filing cabinets containing sensitive information locked?  Are computers, laptops, and networks password protected?

Do you have audit procedures and strict penalties in place to prevent telephone fraud and theft of equipment and information?

Do all employees follow strict password and virus protection procedures?

Are employees required to change passwords often, using “foolproof” methods?

Is encryption used to protect sensitive information (a particularly important measure when transmitting personally-identifiable information over the Internet)?

Do you regularly conduct systems-penetration tests to determine if your systems are hacker proof?

If your organization is potentially susceptible to industrial espionage, have you taken extra precautions to guard against leakage of information?

D. Some Additional “Common Sense” Security Practices

Case: A medical office photocopied more of a car accident victim’s record than necessary and released extremely sensitive but irrelevant information to the insurance company. Information about the woman’s child, given up for adoption 30 years ago, eventually became part of the court record, a public document.

When providing copies of information for others, do employees make sure that nonessential information is removed and that personally identifiable information that has no relevance to the transaction is either removed or masked?

Are employees trained never to leave computer terminals unattended when personally identifiable information is on the screen? Do you use password-activated screen-saver programs?

Are all employees who handle personal information—including temporary, back-up and contract staff—trained to detect when they are being “pumped” for personal information by unauthorized and unscrupulous persons? “Pretext” interviews are more common than might be expected and are the stock in trade of persons bent on finding out confidential personal information to which they are not entitled.
Do you perform background checks on prospective employees who will have access to personal information of customers, clients, or employees? (See our guide, “Small Business Owners Background Check Guide,” at http://www.privacyrights.org/fs/fs16b-smallbus.htm)

Have employees been instructed on what might constitute inappropriate use of social networking sites?  Employees must be made aware of the privacy pitfalls inherent in social media.  “Twittering” or “Facebooking” about sensitive work issues can have adverse consequences far beyond a simple conversation.

Have you inventoried the various types of data being stored and classified it according to how important it is and how costly it would be to the organization if it were lost or stolen?

E. Records Retention and Disposal

Case: An automobile dealer did not shred loan applications before tossing them into the garbage. A “dumpster diver” retrieved one and used the financial information to commit thousands of dollars of fraud against someone who had applied for a car loan.

Does your organization have a records retention/disposal schedule for personally identifiable information, whether stored in paper, micrographic or electronic (computer) media?

Customer records stored electronically or in paper files are a company asset, just like the furniture or the computers. Not only that, but customers’ personal information, unlike the furniture, is subject to a myriad of laws that dictate privacy protections, safeguarding measures, and proper disposal. Even in hard times, when a company has to close its doors, customer data should never be abandoned or left at the curb for the trash collector. Such actions could subject owners, even of a defunct business, to unwanted lawsuits by customers and government regulators.

When disposing of computers, diskettes, magnetic tapes, CD-ROMs, hard drives, memory sticks, mother boards, and any other electronic media which contain personally identifiable information, are all data rendered unrecoverable by either physically destroying the device or by over-writing the data sufficiently to ensure destruction?

If you use third-party services for computer recycling or destruction, have you selected a service that provides a certificate of destruction? Does it dispose of toxic materials properly?

As an asset, customer data may be up for sale in the case of bankruptcy. However, all parties to a bankruptcy should be familiar with the Federal Trade Commission’s lawsuit brought against ToySmart under Section 5 of the Federal Trade Commission Act (“FTC Act”), 15 U.S.C. § 45(a), for disclosing, selling or offering for sale personal customer information, contrary to the terms of the company’s privacy policy that personal information would never be disclosed to third parties. For more on this case, see www.ftc.gov/os/2000/07/toysmartconsent.htm.

Many states have enacted data disposal laws requiring proper disposal of records containing personal information.  For a list of such laws, see  http://www.ncsl.org/issues-research/telecom/data-disposal-laws.aspx.
When disposing of waste and recycling paper, are all documents that contain personally identifiable information placed in secure padlocked containers or shredded? (Shredding should be cross-cut, diamond-cut, or confetti-cut shredding, not simply continuous [single-strip] shredding, which can be reconstructed.) Does your recycling company certify its disposal/destruction methods? Is it bonded?

When engaging an external business to destroy records or electronic media, do you check references? Do you insist on a signed contract spelling out the terms of the relationship? Do you visit the destruction site and require that a certificate of destruction be issued upon completion?

When dealing with another company or government agency, do you ask about its security protocol regarding personal information? Do you inquire whether it shares that information with anyone? Do you find out if it does background checks on employees with access to your personal information.
Contracts with outside service providers as well as employee agreements should specify that customer data is the company’s exclusive property and should only be used as necessary to carry out contractor or employment duties. Such contracts and agreements should also incorporate the company’s privacy and data security policies. Contracts should also delineate the service provider’s specific obligations, rather than simply stating that the contractor will comply with all applicable laws.

F. Facsimile Transmission

Case: A medical doctor, who was filing for bankruptcy, faxed a financial document to his attorney. He entered the wrong telephone number, and the document was instead transmitted to the local newspaper.

Is the fax machine in a supervised area, off-limits to unauthorized persons? Is use restricted to authorized personnel only?

Is the fax machine used exclusively for sending nonconfidential materials?

When sending documents, do all users complete a cover sheet that indicates the sender’s and receiver’s names, addresses and telephone numbers?

When confidential materials are sent, is notice of their confidential nature indicated on the cover sheet?

Do users always check the receiver’s telephone number before transmitting documents? Do they compare the number displayed with number being called to check for errors? Do they check the transmission report after the fax has been sent?

When transmitting confidential materials, is the recipient notified in advance that the document is being sent? Does the sender check with the receiver to make sure the document has been received?

For additional tips, read Guidelines for Facsimile Transmission Security, by the Information and Privacy Commissioner of Ontario. Web: www.ipc.on.ca/images/Resources/fax-gd-e.pdf

G. Copiers, Printers and Fax/Multifunction Machines

Case:  Four used copiers purchased from an office supply warehouse for about $300 each contained a gold mine of personal data.  Using a forensic software program available free on the Internet, tens of thousands of documents were downloaded.  Some of the data available included 95 pages of pay stubs with names, addresses and Social Security numbers; 300 pages of individual medical records; detailed domestic violence complaints and a list of wanted sex offenders; and a list of targets in a major drug raid.

 When copiers, printers, or fax/multifunction machines are repaired or disposed of, do you consider the digital data that is likely to be present in the equipment’s hard drive?  Digital copiers, printers, and fax/multifunction machines represent one of the most important and least understood opportunities for data leaks. They are a virtual digital time bomb containing a wide variety of sensitive information.

Most of these types of equipment manufactured since 2002 contain hard drives that store digital images. These machines are capable of storing an image of every document that has been copied, scanned, printed, emailed, or faxed.  Although it may be stored in a proprietary language or encrypted, a hacker can easily gain access to years of sensitive data.  Some machines don’t even require hacking because they may allow jobs to be reprinted from a printed job list.  Sophisticated copiers may contain a list of user’s email addresses, outgoing fax numbers, and contact names. All of this information can easily be transferred from the copier to a hacker’s laptop.  Accordingly, simply disposing of this equipment presents a significant opportunity for a security breach.

While much of the hard drive space in many machines is used for processing, the drive may also store thousands of pages of information. Once the hard drive memory has been exceeded, files are automatically overwritten. “Cap points” limit the number of pages stored to hard drives, and the cap limitation will vary in each make and model.  Depending on the type of machine, information from small print jobs may be stored in random access memory (RAM) only, and the files may be overwritten with each new print request, or lost when the machine is powered off.

Most major manufacturers now offer security or encryption packages to help protect against this problem.  However, many businesses fail to pay for this protection.  If your equipment does not have this protection, you should erase or remove the copier’s hard drive, clear its memory, and change the copier’s passcodes.

Does your organization have security procedures in place for deleting digital data from copiers, printers and fax/multifunction machines?

Does your organization recycle or resell copiers, printers or fax/multifunction machines to wholesalers or refurbishers?  If so, does your organization take steps been taken to remove any data history?

The Federal Trade Commission’s Copier Data Security: A Guide for Businesses provides a information about digital copier operation, lifecycles, encryption, overwriting, and security measures.  The guide is available at http://business.ftc.gov/documents/bus43-copier-data-security

The Federal Deposit Insurance Corporation (FDIC) has issued guidance describing the risk posed by sensitive information stored on these types of devices and how financial institutions can mitigate that risk. The FDIC requires financial institutions to implement written policies and procedures to ensure that a hard drive or flash memory containing sensitive information is erased, encrypted or destroyed prior to the device being returned to the leasing company, sold or otherwise disposed of.  http://www.fdic.gov/news/news/financial/2010/fil10056.html .

H. Answering Machines and Voice Mail Systems

Case: Message left on the wrong answering machine when the phone number was misdialed: “Hello, Mrs. Weaver. This is Judy from the County Parole Office. You called earlier about your daughter Crystal? She has already been taken to the California Youth Authority [juvenile detention center].”

Are precautions taken in situations where confidential and highly sensitive messages are expected to be left on answering machines or voice mail systems? Is the number of the call recipient verified for accuracy? Is permission asked of the intended call recipient to leave confidential messages? Are non-specific messages left when prior permission has not been obtained from the call recipient?

I. Wireless Communications

Case: As people stood in line to enter the theater, the cellular phone conversation of one theatergoer was overheard by those nearest her. It soon became obvious that the woman was a medical doctor talking about the care of a patient.

Are employees properly trained to make sure that all data is properly encrypted and that encryption is not either accidentally or intentionally disabled?

While organization policies should emphasize the importance of encryption, these policies may be ignored by careless users, particularly if non-compliance does not result in adverse consequences.

Many organizations remain overly dependent upon encryption solutions to protect sensitive data on their laptops. Companies relying solely on encryption cannot be sure whether stored data has actually been encrypted, if it has been compromised, or even which files have been accessed. Corporations should take a layered approach to security, making encryption but one layer of their approach to data security.

Are employees trained in techniques to spot suspicious activity, including signs that a computer has been infected with malware?

Does the organization have policies, procedures and training programs that emphasize responsible information-handling practices?

Is the network connection between home and work secure?

Do laptops containing sensitive information have a “kill-switch,” that is, remotely-enabled software that can disable lost or stolen laptops?  The loss or theft of laptops is one of the most common ways that the security of corporate data is compromised.

J. Social Security Numbers (SSNs) and the Use of Personal Identifiers

Case: The supervisor of a unit within a large state government agency sent an electronic mail message to every employee that listed all their names and Social Security numbers, disregarding the privacy and fraud implications of releasing that information.

The use of SSNs for record-keeping purposes and personal identifiers should be strongly discouraged, and, preferably, prohibited. Proliferation of SSNs puts customers and employees at risk of allowing unscrupulous persons to obtain the number for fraudulent purposes, for example, obtaining credit card accounts in another person’s name. (See the Privacy Rights Clearinghouse identity theft publications. Web: www.privacyrights.org/identity-theft-data-breaches.   See also Recommended Practices for Protecting the Confidentiality of Social Security Numbers. Web: http://www.oag.ca.gov/sites/all/files/pdfs/privacy/protecting_ssns.pdf?.

If the organization uses the SSN as a record-keeping number, does it offer its clients and/or employees the option of using an alternative number?

Does the organization have a strict policy prohibiting the display of SSNs on any documents that are widely seen by others—for example, time cards, parking permits, employee rosters, mailing labels, paycheck stubs, health insurance cards?

If the organization requires an access code for certain transactions (e.g., ATM cards, computer access, phone banking, security system codes, building access cards, passwords), does it prohibit the use of SSNs, or any part of the SSN such as the last four digits, as personal identifier numbers?
Is the organization aware of states which have enacted laws that place restrictions on the display and transmission of SSNs? Such states include California and New York.

K. Guidelines for Security of Lists

Case: Before departing the singles dating-service office, a fired employee stole a computer disk containing the supposedly confidential mailing list of all its clients. He sold the list to other dating services in the area.

Does your organization maintain information on clients, customers, potential customers, users, and/or members? Does it make those lists available to other entities by selling, renting, or exchanging them? If so, the Direct Marketing Association (DMA) recommends that the following guidelines be practiced. These are adapted from DMA’s “Guidelines for Ethical Business Practice” and a previous publication, “Fair Information Practices Checklist.” The use of the word “customer” below can be altered to fit your specific situation, such as “client,” “member” or “user.”  Web: www.dmaresponsibility.org/guidelines/

1. Opt-out program

a. Does your organization offer its customers name-removal options? Are those options effectively communicated?
b. Do you subscribe to the DMA’s name-removal services, the Mail Preference Service (MPS), and/or its E-mail Preference Service (EMPS)? Web: www.the-dma.org. Are MPS and EMPS names removed prior to renting or exchanging lists?
c. If you are a telemarketer, do you subscribe to the Federal Trade Commission’s Do Not Call (DNC) Registry?  Are DNC numbers removed prior to renting or exchanging lists? Web: https://telemarketing.donotcall.gov .

2. Security practices

a. Is someone in your organization responsible for list security? Is someone responsible for keeping up to date on current laws and regulations regarding fair information practices?
b. Are your lists physically secure?
c. Are there sufficient restrictions—such as audit trails and strict penalties for violation—on your employees to protect against unauthorized access?
d. Does your organization instruct its employees in initial employee orientations and ongoing training programs that customer data are confidential?
e. Does the organization have adequate security to prevent remote computer access to your lists?
f. Does your organization ensure that list recipients employ sufficient safeguards? Does it make sure security measures are in place during the transfer of lists? Do you ensure the secure and timely return or destruction of lists used by other entities? Do you use a monitoring system to track list usage, such as the use of decoy names, called “seeding”?

3. Useof marketing data

a. Is your organization collecting only those consumer data that are pertinent and necessary for the purpose at hand?
b. Are you sensitive to a consumer’s expectation that some personal information may be considered confidential and should not be used for marketing?
c. If your organization contributes customer data to a cooperative database, are you satisfied about the database’s security?

4. Data accuracy

a. Does your organization have the means to update its customer data?
b. Are customer data reviewed/revised by your organization on a regular basis?
c. Are customer inquiries regarding data accuracy answered promptly and to the customer’s satisfaction?

5. Additional tips

The Privacy Rights Clearinghouse suggests these additional security guidelines:

a. Do you disclose up-front the intended uses of the data that are collected?
b. Do you allow the data subjects to inspect and correct data held about them?

Section II. DEVELOPING PRIVACY POLICIES FOR EMPLOYEE RELATIONS

A. In-house Privacy Policies

Does your organization have policies for handling the personal information of your employees? Such policy statements typically concern hiring procedures, personnel records, medical records, discipline procedures, email usage, electronic monitoring, and Internet access.

B. E-Mail and Voice Mail Systems

Case: Charles was absent from work for a month on disability leave. Upon his return, he was shocked to discover that his supervisor had changed his password and listened to his voice mail messages.

Does your organization have a policy regarding the privacy expectations of its employees and any third party users (i.e., clients, customers), who use the email and/or voice mail systems? Are those policies effectively communicated to all employees and third-party users?  Points to include in your policy:a. the purpose for which the system is to be used (business only? personal matters allowed? no trade secrets discussed?)
b. penalties for misuse
c. who is authorized to access e-mail/voice mail messages; the disposition of email/voice messages when the employee is on temporary but extended leave;
d. the retention/purge schedule for files, including retention procedures for possible use as legal evidence
e. expectations for privacy (none? only in files marked “private”?)
f. password creation/change procedures
g. the use of encryption (prohibited? allowed? required for sensitive communications?)
h. safeguards concerning copying and forwarding messages, especially messages containing personally identifiable data
i. how the policy is communicated, such as employee notice and training programs.

C. Electronic Monitoring

In addition to email monitoring, an increasing number of employers use a variety of employee-monitoring practices, such as telephone systems that allow supervisors to listen to telephone calls, computer keystroke monitoring systems that can determine work productivity, web-surfing monitoring, video monitoring systems, and locational detectors.

Does your organization have a communications policy governing the use of employer-provided equipment?  A written policy can help protect employers and minimize the possibilities that employees will misuse company technology.

Does the organization have a policy that states the types of monitoring being conducted and the uses made of monitoring data?

Does the policy include procedures to safeguard sensitive personal information encountered in the process of monitoring?

Is this policy communicated to all employees at time of hiring, as well as other times, at least annually?

Does the policy include provisions for employees to appeal adverse decisions based on data collected by the monitoring system?
If telephone monitoring is being conducted, does the organization provide telephones that are not monitored and can be used for personal calls (at least pay phones)?
The Fordham Law Review has a pretty good primer which was a Proposal on the further scope of precisely what is going on and how Society is moving towards a comprehensive set of guidelines on what is and is not kosher with respect to information and the need to protect the rights of the individual.
The reality is that each and every Company is different and unique. This requires a special examination of the Manuals and Protocols in place. Even the lawyers within the Property Preservation Industry are not aptly equipped to deal with the latest onset of Regulatory Demands under Dodd – Frank and other requirements as, to date, the Members of the National Association of Mortgage Field Services have been unregulated and existing in a Wild West setting.
Safeguard Properties and their DOS 3.0 setup is a prime example when you look at Bank of America‘s inability to interface electronically during the transition.
To ensure that your Firm is compliant with all aspects of how you are transmitting Sub Contractor information; to ensure that you are not sitting at the Defendant’s Table under a Civil Rights Complaint, why not reach out TODAY and have us take a look at your setup. The reality is that many Members of the National Association of Mortgage Field Services rely upon us for both Regulatory Insight and Compliance daily. With respect to Dodd – Frank Provisions, we are bar none the Leader.
Ask around, your colleagues will tell you when they need answers they call Foreclosurepedia.

Search

Click To Advertise

Click To Apply

Credible Application

You must be logged in to post a comment Login