Massachusetts Data Protection Updates
Mortgage Industry Insight: One of the great things about SCA is the range of issues we get to see, and the wealth of knowledge we get to tap into while working with dozens of clients on a monthly basis. Today, we'll share some important information about Data Protection.
By Gregg Oberg:
Data protection is a huge topic in most industries today. From Facebook to Equifax, Target, and more, the scrutiny on failures to protect our customers’ data is not new. Today the risk of data breaches and other cybersecurity failures extends well beyond reputational harm. Numerous jurisdictions worldwide have passed increasingly stringent consumer protection acts aimed at forcing business entities to protect the personal data of their customers.
Massachusetts passed “An Act Relative to Consumer Protection from Security Breaches” in January, enacting additional requirements applicable to entities which experience data breaches compromising personal information of Massachusetts residents. Importantly, the Act’s key provisions apply only post-breach, and don’t (at least not directly) create any new duties to MA consumers in the absence of a breach.
Background: What 93H Requires
The Act amends MA 93H, a consumer protection cousin of the dreaded 93A, which generally requires notification of impacted consumers and state regulators after a data breach. While this article doesn’t outline every change, a few key amendments relevant to community lenders are highlighted below.
Changes: Information Required to Be Disclosed
First, the Act adds a requirement to notify affected customers of their right to place a security freeze on their credit reports at no charge. Exactly who is required to make the notification depends on the circumstances and the type of personal information compromised.
Second, companies suffering breaches must now disclose more specific information to regulators about the types of personal information that were compromised.
Third, and potentially the most impactful change, is a new requirement on companies to certify whether a Written Information Security Program (WISP) was in place at the time of the breach. This will serve as an event-driven trigger for regulatory enforcement. (NOTE: if you don’t have a WISP, GET ONE! It’s required even if you never have a breach.)
Companies Must Provide Free Credit Monitoring
MA joined a handful of other states (including CT and DE) in requiring no-charge credit monitoring for affected customers when social security numbers are compromised. MA will require a minimum of 18 months of credit monitoring to be provided to such customers.
Two brief points on timing. First, as noted above, the Act became effective as of April 11, 2019. Any breach occurring after this date will be examined against the now current rules.
Second, the Act also addressed a gray area relating to when companies suffering a breach are required to make the mandated notifications. Although the Act does not provide bright-line timing requirements (blessing or curse?), the notifications must be made “as soon as practicable and without unreasonable delay.”
What that means in practice may vary from case to case, but the strength of that standard certainly necessitates involving counsel immediately if you even suspect a breach.
A Final Note
Adequately measuring and mitigating the risks inherent to storing, using, or otherwise transferring personal data requires a detailed understanding of how your institution uses data. It may feel like a patchwork of unrelated regulation at the moment, but I promise you this isn’t going away.
These things are complicated, and I think it’s fair to say the level of complexity in community banking technology is not world beating. The technological competence of institutions varies widely, and not all institutions have the in-house IT capabilities to fully assess the risks faced by financial institutions in a rapidly changing regulatory landscape.
This is even more obvious in non-depositories. In my experience, the sheer complexity of depository operations necessitates at least the elements of a WISP to effectively conduct business. But many small broker shops or lenders run much less sophisticated processes, and often have “bare bones” or “off the shelf” WISPs. Add that to the relative dearth of examination topics as compared to a depository examination, and I think it’s fair to say non-depositories should be focusing on the WISP ahead of any expected DOB Examination.
My bold prediction—you’ll see a lot less slack given to “off the shelf” or unreasonably basic WISPs during your next DOB exam. Are you ready?
Spillane Consulting Associates has served the residential mortgage lending business since 1991. We have specialized in mortgage banking consulting services and provided quality control reviews, risk management and process consulting and employee training to credit unions, community banks and non-depository institutions. We are a thought leader on the strategic growth of residential mortgage lending. You can learn more by visiting our website, or scheduling a meeting with me or one of my colleagues.
SCA Compliance Hotline: Need a question answered quickly?
Thanks so much for reading our weekly newsletters. We're not always going to be perfect, but because we always do our best and try not to overpromise, we hope that we're always going to be trustworthy. Your calls and e-mails are very helpful - please keep contributing.