Guest Column by Justin Beadle,
Mortgage Underwriter, Fisgard Capital Corporation
The speed at which mortgage brokers have adopted a networked, online lifestyle has been impressive. I would say 95 per cent of the deals I do are processed via email or Skype.
What’s more, we receive electronic correspondence from brokers virtually 24/7—an indication that business hours are changing.
Unfortunately, being networked is not without risks.
Back in May, I attended an industry trade show in Vancouver and witnessed something disturbing.
The Fisgard team had wrapped up Day 1 of the trade show at 11 p.m. on May 7, 2012. When I returned to my hotel room, I started up my laptop and was dismayed by what I saw.
There were no fewer than 20 personal computers on the hotel Wi-Fi network, available for me to access.
I am talking about shared hard drives.
In layman’s terms, shared hard drives let you make data on your computer publicly accessible. This is useful for people like teachers, for example, who have documents they want to share with students in a classroom. It’s a serious danger, however, for business owners who have not properly configured their “public” settings. Leaving a shared drive exposed means that anyone on the network can access it.
Back in the hotel room, my curiosity got the better of me and I decided to open the first shared drive in the list. My intention was to see if the owner was practicing safe networking.
As suspected, he was not. There was no security in place to keep me or anyone else from accessing the entire contents of his computer – family photos, home budgets, calendars, e-mails, etc. But it gets worse.
Viewing the main directory of his computer yielded hundreds of files prefixed with “EXPERT.” I recognized this naming convention from the Filogix Expert applications I receive electronically as an underwriter at Fisgard. I double-clicked and confirmed my fear. A client’s complete mortgage application popped up on my screen.
There were literally hundreds of mortgage applications on this computer, all with the same originator’s contact information. I later confirmed on FICOM’s website that the owner of the computer (whom I contacted to warn of this breach) is a Designated Individual of a franchised brokerage.
The computer remained accessible all night and into the next morning, a critical privacy breach.
Mortgage brokers collect large amounts of personal information, and my hotel Wi-Fi experience highlighted a major issue: the responsibility to protect personal information, not just your own personal data but the personal data of others that you are entrusted with.
My investigation turned up a total of 11 computers connected to the hotel network that were unknowingly sharing mortgage applications, credit bureau reports, personal notes, employee files, family photos and a plethora of other sensitive data with the general public.
The mortgage brokers in this case did not fulfill their obligations under the B.C. Personal Information Protection Act (PIPA), which sets the ground rules for how private sector businesses collect, store, use and disclose personal information. (There is also federal legislation to consider. More on that below.)
Any time personal client information is disclosed, brokers can be held responsible for any losses that an individual may incur as a result of the data breach.
Anybody in that hotel with a laptop could have accessed the valuable data contained in those mortgage applications – social insurance numbers, credit card numbers and expiry dates, and all of the other elements a malicious person would need to fake an identity for the purpose of fraud.
Many don’t know this, but an online black market exists where thieves trade with data buyers to the tune of billions of dollars each year. Valid credit card numbers will sell for up to $20 each and bank accounts or other pieces of sensitive data may sell for thousands. Today’s pickpockets only need a laptop and a public Wi-Fi network to collect the informational equivalent of 100 wallets.
Most provinces currently have no provincial requirement for businesses to report privacy breaches (Alberta is a notable exception), but that could very well change. Elizabeth Denham, Information and Privacy Commissioner for British Columbia, has called for an amendment to PIPA that will compel B.C. businesses to publicly disclose breaches like the ones that took place in my hotel.
Moreover, Bill C-12 will amend the federal Personal Information Protection and Electronic Documents Act (PIPEDA) and force the private sector to notify Canada’s privacy commissioner of privacy breaches involving personal information.
In terms of the incident above, Scott Hutchinson from the Office of the Privacy Commissioner of Canada (OPC) said this:
“PIPEDA requires organizations to use appropriate safeguards to protect personal information…from unauthorized access. In general, we advise that people pay attention to whether and how shared resources are configured on laptops when they travel. Shared resources should be turned off when a laptop is taken out of the office. As an additional precaution, shared resources should be configured to require a username and password.”
See the OPC’s website for more details: http://www.priv.gc.ca/information/guide_e.asp
Mortgage brokers across Canada must be proactive in preparing for upcoming regulatory requirements. Good faith efforts by our industry to secure personal information will encourage privacy commissioners, who have the authority to drop the hammer on brokers if they sense a consumer’s privacy is not being respected.
Our clients must be similarly assured. If they’re not, it could irreparably harm the reputation of our industry.
Let’s work towards industry excellence by fully adopting privacy protection in all its forms: on our personal computers, smart phones, tablets and networks. It’s good business, and it’s the law.