The Complete Guide to CFPB Compliance for Realtors: Protecting your clients and their sensitive information

In this guide:

I. Your Clients’ Data is Their Future
II. Simple Client-Side Encryption: The Key to CFPB Compliance
III. More Information on CFPB Compliance in the Cloud

The Complete Guide to CFPB Compliance for Realtors 1

I. Your Clients’ Data is Their Future

Real estate agents help clients accomplish their greatest goals, whether it’s finding the perfect home or building a business empire. But poor data security can rob your clients of their future. If hackers get hold of your clients’ financial data, they can steal their identities, trash their credit or even trick them out of their mortgage closing funds, turning great investments into financial disasters.

The Consumer Financial Protection Bureau (CFPB) was formed to protect consumers from unscrupulous business practices — a goal most people in the real estate business support. But many realtors and mortgage brokers who are otherwise careful about their business practices put clients in danger with inadequate cloud and email security. And with CFPB compliance efforts increasingly focusing on data security practices, it’s not just their customers who are at risk.

What is the CFPB?

The 2007-08 financial crisis and subsequent Great Recession showed the need for increased government oversight as well as consumer and investor protection. The 2010 Dodd-Frank Act enacted sweeping reforms and commissioned the creation of the Consumer Financial Protection Bureau to “protect consumers from unfair, deceptive, or abusive practices and take action against companies that break the law.” Consumer financial enforcement and education duties that had been spread between seven financial agencies were unified under the CFPB.

The CFPB was given broad power to supervise and enforce compliance for realtors, mortgage brokers and other Non-Bank Financial Institutions (NBFIs), and it has used this power to toughen regulations significantly. Although the main role of CFPB enforcement was to protect consumers from deceptive and confusing business practices, its mandate also includes the protection of Nonpublic Personal Information (NPI).

Your organization needs to make its privacy policy available to customers, explaining how you share NPI with third parties and giving customers the option to opt out. There are some exceptions — you can share information with your lawyer, or when it’s essential for your business, for example — but generally, CFPB compliance requires you to keep information about a client confidential.

What CFPB Requirements Affect Email and File Sharing?

The CFPB is not primarily a data security organization, but many of the laws it enforces affect data security. Disclosure rules under GLBA and FCRA don’t just govern intentional disclosure of data — they govern any disclosure of data. In other words, if you inadvertently share a client’s confidential data through inadequate security, you could be subject to a CFPB penalty.

GLBA is especially strong on information security requirements. Although GLBA was targeted towards banks, the Federal Trade Commission (FTC) explicitly claims the power to enforce it for “real estate settlement services,” mortgage brokers and other financial institutions.

Under the Gramm-Leach-Bliley Act (GLBA) and the Fair Credit Reporting Act (FCRA), NPI includes any personally identifiable information customers give to you, unless it’s publicly available. This includes information about:

Identity — name, address, Social Security number
Background — court records, consumer credit reports
Transactions — account balance, payment history, credit card number

Under the Safeguards Rule, financial institutions must create information security plans showing how they protect customer NPI. They need to conduct a risk analysis, create a program that protects against both anticipated threats and unauthorized access to NPI, and securely dispose of customer information once it’s no longer needed.

Access control is especially important. Companies need procedures and tools in place to prevent unauthorized individuals from receiving sensitive information, and to restrict access to stored information — be it on a hard drive, in a filing cabinet or in the cloud. This access control needs to be backed up by monitoring and employee screening to safeguard NPI from improper access.

Unfortunately, the way the average real estate agency or mortgage broker uses technology does not comply with GLBA or other CFPB rules. Realtors use email and file sharing services with inadequate or non-existent encryption, potentially allowing hackers to intercept customer NPI while it’s traveling across the Internet.

They rarely use sufficient access control within the organization either; many companies use a cloud storage drive that everyone can access — even employees who don’t need the data and haven’t gone through adequate background checks. This creates an unacceptable risk of breaching NPI and facing a CFPB enforcement action.

What Makes CFPB Compliance so Difficult?

CFPB compliance penalties for poor data security used to be a theoretical risk, but the organization has recently started enforcing security standards. The CFPB penalized online payment company Dwolla for “falsely claiming its data security practices ‘exceed’ or ‘surpass’ industry security standards” and “falsely claiming its ‘information is securely encrypted and stored.’”

Dwolla was hit with a $100,000 penalty, ordered to fix its security system and publicly exposed as an unsafe vendor — despite not having had a data breach. It’s almost certain that there will be more (and higher) penalties in the future, and the industry is simply not ready. Here are a few of the largest roadblocks the industry faces today:

1. CFPB compliance isn’t the only thing to worry about. Organizations face a maze of federal, state and local data rules, which often apply different standards. Some states define security standards in technologically neutral ways, while others mandate specific controls like encryption. Breach definitions, breach notification requirements and citizens’ privacy rights vary from state to state as well.

Real estate organizations don’t have the expertise or the time to keep up with dozens of different compliance regimes, in addition to CFPB rulemaking and enforcement actions. And with many of these laws being relatively new and untested, even figuring out issues like applicability, enforcement risk and jurisdiction can be a challenge.

2. You can’t control where NPI data goes in the cloud. When you upload a file to cloud storage or send an email, the data travels through multiple servers before it reaches its destination. All you know is that the data is going to end up on the service provider’s server, not how it gets there.

Most cloud file storage and email apps do encrypt, using point-to-point encryption protocols such as TLS. Data is encrypted on your computer and sent to your local server, which decrypts it, re-encrypts it and sends it on to the next server, until it reaches its destination. The problem with this type of encryption is that it depends on the server’s security. If a server doesn’t support up-to-date encryption standards or has been compromised, a hacker could breach your NPI, and you’d never even know.

3. Everyone has their own way of doing things. Your mortgage broker may store information in the cloud, or on-premises; your lawyer may use paper records, electronic records or both; the company running your background checks might communicate with secure portals or email; they may use their own encryption, or no encryption at all.

You get the idea — there are hundreds of different ways of transferring and processing data, and they’re not compatible. If you’re a real estate agent working with different mortgage brokers and lawyers who each have their own portals, there’s no good way to communicate with everyone securely. And furthermore, your customers and partners may not be able to figure out complex security tools like secure portals. Even if you’re doing everything right, a customer sending their mortgage application over an unencrypted email can still breach NPI.

[Diagram: Sender → Mail Client → Sender’s Mail Server → Recipient’s Mail Server → Recipient, with the message labelled “Encrypted Content” at every stage; the sender and the recipient are the only points of interaction with the readable message.] The Goal: Keep NPI Encrypted the Entire Time

4. Real estate deals involve a lot of information transfer between multiple parties. Real estate agents, sellers, mortgage brokers, lawyers, lenders and credit agencies are all involved in the process, sending documents back and forth. And CFPB rules have enforced standardized paperwork requirements that can make the process even more complicated.

For example, the TILA-RESPA Integrated Disclosure (TRID) rule enforces the three-day rule. The lender can’t complete the transaction unless they’ve provided a closing disclosure at least three business days before. If the APR is changed by more than 0.125%, the loan product is changed or a prepayment penalty is added, they have to wait another three days. Similarly, the loan estimate has to be delivered to the consumer within three days of receiving the consumer’s application.

If half of the people involved in transactions are using mail, and the other half are using a wide variety of incompatible electronic tools, both delivering the right forms at the right time and maintaining adequate records become much more difficult. These complex paperwork requirements also dramatically increase the chance of accidentally sending NPI to the wrong person, potentially creating a breach.

More companies are turning to data loss prevention rules to automatically secure sensitive messages

II. Simple Client-Side Encryption: The Key to CFPB Compliance

In a 2016 SANS Institute whitepaper on encryption compliance, Technical Director Dave Shackleford emphasized the importance of encryption across regulatory regimes:

“Most of today’s standards and compliance regulations are concerned largely with the protection of private data at rest, during transactions, and while it traverses network connections. Some of these regulations make specific recommendations or require particular technologies for compliance. For all of them, however, encryption can be employed to satisfy the protection requirements. By determining what data you are required to protect, locating the data at rest and in transit, and implementing the appropriate encryption technologies, you can significantly improve your overall security posture while complying with any number of data privacy regulations.”

Unfortunately, the difficulty of many encryption solutions often prevents people in the real estate industry from securing NPI. A recent study found that 7 in 10 mortgage lenders let applicants send unencrypted emails containing applications, and only 12% even provided a secure email option. When asked why, lenders stressed the fact that customers were most comfortable with email. One survey respondent said this:

“Oftentimes it was easier to have my clients send documents like W-2s through email because everyone has access to an email account. Most [lenders] don’t want to take the time to explain what a secure portal is and how to use it. Everyone understands email.”

It’s not enough for encryption to be technologically secure — it also has to integrate easily and intuitively with the email customers are most comfortable using, or else they won’t adopt it.

Introducing Virtru Client-Side Email Encryption for CFPB Compliance

Virtru Pro is a browser plugin that adds user-friendly encryption to Google Apps, Gmail, Microsoft Office 365, and Outlook. It installs in seconds, providing complete client-side encryption, along with valuable features to give you more control over your email. Here’s how Virtru supports complete CFPB cloud compliance:

A seamless dashboard experience lets you manage both users and content

1. Virtru Pro meets or exceeds both CFPB requirements and state compliance regimes. While CFPB compliance rules don’t explicitly mandate encryption, many federal, state and local compliance regimes do. Virtru provides military-grade encryption for business and government organizations across industries. It’s designed to go beyond CFPB requirements, meeting the most stringent data security regimes. That means you can conduct business anywhere, without worrying about whether inadequate email and file encryption makes you non-compliant.

2. Virtru uses client-side encryption. Cloud storage, email providers and portals use point-to-point encryption, leaving your message vulnerable if it passes through an unsecured server. Virtru uses superior client-side encryption, which secures your NPI before it leaves your computer and only decrypts it when it reaches the recipient. If an email or file passes through a compromised server your data will be safe, as it will still be encrypted.

And hackers can’t break the encryption by guessing or brute-forcing the key, either. Virtru uses 256-bit AES encryption, which has so many possible keys that it would take a supercomputer longer than the age of the universe to try them all.
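The difference between the point-to-point encryption described under roadblock 2 above and the client-side encryption described here can be made concrete with a small model. The Python script below is an added example written for this guide; it is not Virtru’s code and does not come from the original text. It assumes a chain of mail servers that each terminate the transport encryption and so handle the payload as it was given to them, and it stands in for AES-256 with an HMAC-SHA256 counter-mode construction from the standard library, since the standard library ships no AES. Running it shows that every relay can read a fake SSN in the transport-only model, that none of them can in the client-side model, and that a ciphertext altered in transit is rejected by the recipient.

```python
"""Hop-by-hop transport encryption vs. client-side encryption, modelled in code.

Added example, not Virtru's code. The cipher below is a stand-in for AES-256
built from the standard library: HMAC-SHA256 as a counter-mode keystream plus
an HMAC tag (encrypt-then-MAC). The relay model is an assumption for this
example: each MailServer records whatever payload it handled once the link
into it was decrypted, which is what a compromised or logging hop could read.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field

# Constructed sample message with fake NPI, for illustration only.
SAMPLE_NPI = "Loan application for J. Doe, SSN 123-45-6789, account 00987654321"
SSN_MARKER = "123-45-6789"


def _subkey(key: bytes, label: bytes) -> bytes:
    """Derive separate encryption and MAC keys from one shared 256-bit key."""
    return hmac.new(key, label, hashlib.sha256).digest()


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode as a PRF keystream (stand-in for AES-CTR)."""
    out, counter = bytearray(), 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC; output is nonce || ciphertext || tag."""
    nonce = secrets.token_bytes(16)
    ks = _keystream(_subkey(key, b"enc"), nonce, len(plaintext))
    ct = bytes(p ^ k for p, k in zip(plaintext, ks))
    tag = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def decrypt(key: bytes, blob: bytes) -> bytes:
    """Verify the tag before decrypting; raises ValueError if the blob was altered."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed: message altered in transit")
    ks = _keystream(_subkey(key, b"enc"), nonce, len(ct))
    return bytes(c ^ k for c, k in zip(ct, ks))


@dataclass
class MailServer:
    """One relay hop; `seen` is every payload this server handled in the clear."""
    name: str
    seen: list = field(default_factory=list)

    def relay(self, payload: bytes) -> bytes:
        # TLS protects the link into this server; after that the server holds
        # whatever it was given, so that is what a compromised hop could read.
        self.seen.append(payload)
        return payload


def deliver(payload: bytes, hops: list) -> bytes:
    for hop in hops:
        payload = hop.relay(payload)
    return payload


def send_transport_only(message: str, hops: list) -> str:
    """Point-to-point model: the message body itself is re-exposed at every hop."""
    return deliver(message.encode(), hops).decode()


def send_client_side(message: str, key: bytes, hops: list) -> str:
    """Client-side model: encrypt before sending; only the recipient's key opens it."""
    return decrypt(key, deliver(encrypt(key, message.encode()), hops)).decode()


def hop_could_read(hop: MailServer, marker: str = SSN_MARKER) -> bool:
    """Did the marker (a fake SSN) ever appear in what this hop handled?"""
    return any(marker.encode() in p for p in hop.seen)


def tampering_detected(key: bytes, blob: bytes) -> bool:
    """True if flipping one bit inside the ciphertext is rejected by the recipient."""
    altered = bytearray(blob)
    altered[20] ^= 0x01  # byte 20 lies in the ciphertext for any message >= 5 bytes
    try:
        decrypt(key, bytes(altered))
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    key = secrets.token_bytes(32)  # 256-bit key held only by sender and recipient
    for label, send in (("transport-only", lambda h: send_transport_only(SAMPLE_NPI, h)),
                        ("client-side", lambda h: send_client_side(SAMPLE_NPI, key, h))):
        hops = [MailServer("sender MTA"), MailServer("recipient MTA")]
        send(hops)
        print(label, {h.name: hop_could_read(h) for h in hops})
```

The model deliberately leaves out certificate validation, cipher negotiation and every other TLS detail: the text’s point is only where the plaintext exists, and that is what `MailServer.seen` records. Whether the hop is well run or compromised makes no difference to the client-side result, which is the property the guide is arguing for.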

3. Virtru email encryption is compatible with all of your partners. Virtru Pro works with all major email services, including Gmail, Outlook and other common webmail applications. With one click, you can encrypt emails and attachments to business partners, clients or anyone else — even if they don’t have Virtru installed. This allows real estate agents, mortgage brokers and other industry professionals to send messages and financial documents with one single system, simplifying communication and reducing the chances of CFPB compliance breaches.

4. Virtru Pro protects against accidents and records whether a message has been opened. Virtru Pro’s read receipts automatically display which recipient (or recipients) have opened a message. This allows you to ensure that mandatory notices — such as those required by TRID — are received by the proper person within the mandated timeframe.

Virtru Pro provides additional protection against breaches. If you accidentally send a message to the wrong recipients, you can revoke it with a click, then check for a read receipt to see if it has been opened. If you revoke before the recipient reads it, you’ll have documentation that a breach was averted. But even if it has been opened, revoking it will prevent future access, decreasing exposure of NPI.

Virtru Pro can even disable forwarding to prevent recipients from sharing sensitive communications, or set time limits, after which the message will no longer be available.

Virtru DLP provides further protection against inadvertent breaches by automating CFPB compliance rules for your office. Using fully customizable rules, it scans emails and attachments for sensitive information, such as Social Security or account numbers, words like “mortgage” and email addresses. It then triggers compliance actions, such as encrypting the message, stripping attachments, warning the user or sending a copy to a supervisor.
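As an added example for this guide (not Virtru’s DLP engine and not code from the original text), the Python script below implements the kind of rule set just described: it scans a constructed email for Social Security numbers, Luhn-valid payment card numbers, account numbers, the keyword “mortgage” and recipients outside the sender’s domain, and maps the findings to actions such as encrypting, stripping attachments, warning the user or copying a supervisor. The regular expressions, the attachment-name patterns and the policy table are assumptions chosen for illustration; a real deployment tunes them to the organization’s own data and workflow.

```python
"""Rule-based DLP scan of outgoing email, mapped to compliance actions.

Added example, not Virtru's code. The patterns, the attachment-name rule and
the policy table are assumptions for this example. Findings are redacted
before they are reported, so the supervisor copy or audit log does not itself
become a new store of NPI.
"""
import re
from dataclasses import dataclass, field


@dataclass
class Email:
    sender: str
    recipients: list
    subject: str
    body: str
    attachments: list = field(default_factory=list)


# Constructed sample message; every identifier in it is fake.
SAMPLE = Email(
    sender="agent@example-realty.test",
    recipients=["buyer@example.test", "cousin@webmail.test"],
    subject="Mortgage pre-approval docs",
    body=("Hi, attaching the W-2 as requested. My SSN is 123-45-6789 and the "
          "card on file is 4111 1111 1111 1111. Account number: 00987654321."),
    attachments=["w2_2016.pdf"],
)

# Detection patterns (assumed for this example).
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")  # 13-19 digits, Luhn-checked below
ACCOUNT_RE = re.compile(r"\baccount\s*(?:number|no\.?|#)?\s*[:#]?\s*(\d{6,17})\b", re.I)
ATTACH_RE = re.compile(r"w-?2|1099|tax|statement|application", re.I)
KEYWORDS = ("mortgage",)


def luhn_ok(digits: str) -> bool:
    """Luhn checksum, so arbitrary 16-digit strings are not flagged as cards."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def redact(value: str) -> str:
    """Mask every digit except the last four, for logs and supervisor copies."""
    return re.sub(r"\d(?=(?:\D*\d){4})", "*", value)


def scan(msg: Email) -> dict:
    """Return {rule: [matches]} for each rule that fired on the message."""
    text = "\n".join([msg.subject, msg.body, *msg.attachments])
    findings = {}
    if ssns := SSN_RE.findall(text):
        findings["ssn"] = ssns
    cards = [m.group(0) for m in CARD_RE.finditer(text)
             if luhn_ok(re.sub(r"\D", "", m.group(0)))]
    if cards:
        findings["card"] = cards
    if accounts := ACCOUNT_RE.findall(text):
        findings["account"] = accounts
    if words := [k for k in KEYWORDS if re.search(rf"\b{k}\b", text, re.I)]:
        findings["keyword"] = words
    own_domain = msg.sender.rsplit("@", 1)[-1].lower()
    if external := [r for r in msg.recipients if r.rsplit("@", 1)[-1].lower() != own_domain]:
        findings["external_recipient"] = external
    return findings


def decide(findings: dict, msg: Email) -> list:
    """Assumed policy table: findings -> ordered list of actions."""
    actions = []
    has_npi = bool(findings.keys() & {"ssn", "card", "account"})
    external = findings.get("external_recipient", [])
    sensitive_docs = [a for a in msg.attachments if ATTACH_RE.search(a)]
    if has_npi:
        actions.append("encrypt")                # NPI never leaves in the clear
        if external:
            actions.append("notify_supervisor")  # NPI is leaving the organization
    if sensitive_docs and len(external) > 1:
        actions.append("strip_attachments")      # tax docs to several outside parties: likely mis-addressed
    if not actions and "keyword" in findings:
        actions.append("warn_user")              # topic suggests NPI may follow
    return actions


def report(msg: Email) -> dict:
    """Redacted summary suitable for the supervisor copy or an audit log."""
    findings = scan(msg)
    return {
        "actions": decide(findings, msg),
        "findings": {rule: [redact(v) for v in vals] for rule, vals in findings.items()},
    }


if __name__ == "__main__":
    import json
    print(json.dumps(report(SAMPLE), indent=2))
```

Two design points carry over to any real rule set: the card rule is gated on a Luhn check so that phone numbers and tracking numbers do not trigger encryption of every message, and the keyword rule only warns on its own, since a subject line mentioning a mortgage is a hint that NPI may follow rather than evidence that it is present.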

Disable forwarding and revoke access
Recall emails you’ve already sent
Set DLP rules related to CFPB

A Customer Success Story: Baird & Warner

As both a real estate brokerage service and a lending and title insurance provider, Baird & Warner has always taken security seriously. The Chicago-based company implemented a secure portal for transmitting NPI, but employees still needed to send emails — often with sensitive information. With no email encryption in place, they risked exposing customer names, bank account and Social Security numbers. As Mark Steward, VP of Technology, put it, “that’s how identity theft happens.”

Additionally, the real estate brokerage firm understood the importance of meeting CFPB compliance requirements for secure NPI transmission — particularly with increasing enforcement. The company could no longer afford the risks of unencrypted email, and neither could its customers.

Baird & Warner investigated other email encryption products, but Virtru was the only one that was easy for both the recipient and the sender. The firm loved having the ability to encrypt messages with a single click, and the ease with which customers could read and securely reply to emails — even if they hadn’t installed the software. Baird & Warner were able to train staff in just a few minutes, and let Virtru’s short instructional videos handle the training for anyone who missed the initial meeting.

The real estate brokerage service also valued Virtru’s customer service in meeting their complex licensing and access needs. We worked closely with them to ensure that they had the right access level for each user at the right price, ensuring that Virtru Pro and Virtru DLP could completely meet their needs.

Baird & Warner sets high standards for their company and their customer security — according to Steward, anything below “100% compliance” is “too big a risk.” Virtru provided the technology, training and customer service to meet that goal.

III. More Information on CFPB Compliance in the Cloud

The CFPB has considerable freedom to set its own enforcement policies and compliance priorities, and it seems to be gearing up for an increasing focus on NPI security. As consumers and businesses continue to give input, the organization will continue to evolve. Here are some resources to help you stay ahead of CFPB requirements.

Webinar: NPI Security – Why Email Encryption is Your Secret Weapon
Article: How Encryption Can Help with CFPB Compliance
Article: 6 Common Ways Employees Compromise Enterprise Data Security (And What You Can Do About It)
Webinar: Securing Gmail and Drive: Security Tips from Google and Virtru
Article: Journey of an Unencrypted Email
Webinar: Data Security Essentials: Strategies to Protect Non-public Personal Information
eBook: The Complete Guide to Email Encryption for Google Apps Administrators
eBook: Client-Side Data Protection with Virtru Encryption as a Service (EaaS)
Short Video: Virtru for Business: The Easiest, Most Secure Way to Share Data
Short Video: Introduction to Virtru DLP

CFPB Compliance Checklist

While CFPB compliance contains many rules unrelated to security and electronic communication, email and file sharing pose some of the biggest risks of NPI breaches. Therefore, it’s crucial to evaluate your organization’s data security practices to make sure your team is sending NPI safely.

The following checklist will help you determine your organization’s email and file encryption needs, and choose the appropriate CFPB compliance solutions.

Requirement (Yes or No?)

Do any of the employees in your organization have access to NPI?
If yes, do you conduct background checks before giving employees access to NPI?
Do you have security measures in place to prevent unauthorized employees from improperly accessing NPI?
Do your employees use email or a file sharing service (such as Google Drive or Dropbox) to share or access NPI?
If yes, does that service have client-side encryption?
Do you have a written privacy and information security policy?
If yes, does that policy ensure that your employees only use secure methods to deliver NPI?
Does that information security policy prevent unencrypted storage and transmission of NPI (e.g. on a thumb drive or personal device)?
Does your policy establish a secure way to dispose of NPI when it’s no longer needed?
Does your company train, supervise and audit employees in compliance with your information security policy?
Do you ever share NPI outside of your organization?
Do you know how your recipients protect the NPI you exchange with them?
Do you have a way to verify that NPI was received?
Could you rescind NPI if you sent it to the wrong organization?

Make CFPB Compliance as Easy as Sending an Email

The cloud has been a boon to the real estate industry, allowing realtors to communicate, share information and even finalize transactions online. But that ease has created new risks of data theft and CFPB compliance violations. Virtru’s CFPB compliance solution allows you to use the email and file sharing apps that make your job easier, without the risks of unencrypted data. Learn if Virtru is the CFPB solution for your organization:

Download Virtru secure email for free, or contact us to find out more.