Mortgage Broker

Spring 2016

Mortgage Broker is the magazine of the Canadian Mortgage Brokers Association and showcases the multi-billion dollar mortgage-broking industry to all levels of government, associated organizations and other interested individuals.

Issue link: http://digital.canadawide.com/i/675954


CMB MAGAZINE cmba-achc.ca spring 2016 | 33

Data Defense

A breach of personal information caused by not taking reasonable steps to protect this information can leave you facing lawsuits and regulatory action. You can be ordered to pay compensation to the victims and be made to cover the costs of protecting their credit. Depending on the type of personal information breached and the number of victims, your costs can cripple or destroy your business. Even if the breach does not involve personal information but rather only business information belonging to your organization or its business associates, the reputational damage can be very costly. Simply put, you need to protect the information held by your organization from those who would steal or compromise it.

The Need to Practice Cybersecurity – The evolution of businesses storing their information on computer devices using electronic means is far from complete. Increasingly there is a move from a business storing all of its information on a single hard drive shared by the organization to instead storing it on the drive of a third party via the Internet; essentially this is a transition from local network storage to cloud computing or cloud storage. The mortgage brokering industry is part of this transition. These changes can make it far more convenient for you to access and use your data no matter where you are at any given moment. Unfortunately, this convenience offers points at which the information becomes vulnerable to unauthorized access by others. Some of these vulnerabilities are created or amplified by this new technology, others are more generic to the computing world. To possibly avoid or at least minimize legal consequences, you need to have acted reasonably to protect the information from the unauthorized access. This requires you to have been reasonable in putting together, implementing and monitoring a cybersecurity plan.
In effect, mortgage brokers need to understand and assess risks before changing their computer systems. Following are some suggestions as to what such a plan might include.

The Plan – Your strategy, at a minimum, needs to satisfy the privacy legislation requirements of your province. It needs to consider not just threats to your information from outside your organization but from inside as well. Disgruntled employees or an employee willing to sell your information for a profit can leave you very vulnerable.

The plan needs to prohibit staff, unless authorized, from certain activities; it also needs to require other activities of them. Staff should be prohibited from using your equipment and information except for business purposes. They should not be allowed to connect their own devices to your equipment. They should be given access to only the programs and data they need to perform their job. They should not be given access to add, remove or change the programs and settings on their computers. Staff should be required to lock their computer screens when unattended and items such as USB drives and passwords should not be left where they can be used or copied by others. Staff should be required to lock doors as needed, so as to not give unauthorized people access to the computers. Your policy should provide consequences for staff who do not follow it; staff should be advised of the possible consequences in advance.

Your system should allow for operating system and program updates to be installed when they become available. Often these updates take care of vulnerabilities that manufacturers have identified. Building/office access codes and computer passwords should be changed as needed, for example when there is a change of staff.

Your information should be backed up to a safe location, which means it should be in a different location than is your business. You would not want a single disaster to take out both your primary and backup sources.
Regardless of whether you choose the cloud or some other option, consider matters such as whether the data is encrypted, who else will have access to your information, and whether the backed-up data is itself backed up (for example, cloud backup servers generally are themselves backed up).

No matter how careful you are in making your plan, there will always be some possibility that your information will be breached. Consider obtaining insurance to cover the possible costs and losses if this occurs.

Implementing the Plan – Install the equipment, programs and controls to put your cybersecurity plan into action. Give your staff a copy of the policies and provide them with training. Designate certain staff to monitor compliance with your policy. The monitoring should include periodic checks, spot checks and submitting incident reports. Periodically review the framework and policies and change as needed to meet new legal requirements, threats and technologies. If there is a breach of the framework or policies, act quickly to protect the information and minimize any losses.

Parting Words – No amount of care is sufficient to absolutely protect your information. Making deliberate and reasonable decisions covering the needs of your organization can make it more likely that you can enjoy the conveniences of today's computer technologies without taking on avoidable risks.

Continued from page 30
