201 CMR 17 Mortgage Brokers Checklist! Are you in compliance?

If you are a mortgage broker or mortgage mover doing business in Massachusetts, you need to understand how MGL93H and Regulation 201.CMR.17 influence how you need to handle personal information and manage your business in the future. Effective March 1, 2010, mortgage brokers are responsible for the safety and security of all personal information of Massachusetts residents you collect, process, or store by them or your staff. Your mortgage business must have a written plan, known as the WISP "Written Information Security Plan" that is implemented and followed, to not only protect the security and security of your clients' personal information, but also to protect your business. Below is a checklist to help you get organized and develop a plan you'll need to complete.

The Massachusetts Commonwealth has enacted MGL 93H, which defines the security breaches and regulations to protect the personal information of any Massachusetts resident of the Commonwealth. Regulation 201 CMR 17.00 implements the provisions of the law and describes what you need to have in order to achieve compliance.

What does 201 CMR 17 mean for my mortgage business?

201 CMR 17.00 sets minimum standards for the protection of personal information of any Massachusetts resident. It doesn't matter if this personal information is stored in an archiving cabinet, desk drawer or your online database, you are responsible for its security and safety as stated in 201 CMR 17. Massachusetts, like many states, responds to the growth of identity theft and places a responsibility on those companies (such as a mortgage broker) to follow a series of requirements to effectively protect personal information from those who might use it inappropriately or illegally. As a mortgage broker, these regulations affect your business and who you do business with. If your originals, processing staff, or even others who may be involved in a loan transaction, such as a lawyer, real estate agent, or credit bureau, have access to or store personal information about your borrowers or potential clients (resident in Massachusetts), such as their name, together with:

  • Address
  • Social security number
  • Credit card number
  • Driver's license information
  • Other government-issued identification information

then these regulations will affect them and you are responsible for taking steps to control the collection, handling, storage and distribution of this personal information. This means that you need to protect yourself and your business and only share personal information with companies you check to be in compliance with 201 CMR 17.

This regulation does not only apply to customers and customers. If you are in the Commonwealth of Massachusetts and have Massachusetts resident employees holding employment applications, a copy of your driver's license, personal file or payroll information of 201 CMR 17 applies to you.

So, what steps do I need to take to be consistent?

The key to CMR 201 17.00 is the development, implementation, maintenance and oversight of a comprehensive written information security plan (WISP). This WISP is intended to address the handling and storage of all records containing personal information. In addition to creating and maintaining WISP, you will also need to identify program components. These include:

  • Designate one or more employees to maintain wISP.
  • Identify and evaluate understandably foreseeable internal and external risks to the security and confidentiality of all personal information you handle your trade
  • Develop security policies and procedures for employees and the handling of personal information.
  • Limit the amount of personal information collected to what is necessary to complete the transaction.
  • Identify all areas, storage and devices used to store personal information and develop a plan for its security.

201 CMR 17.00 goes further to address the security requirements of the computer system. The Massachusetts community has come up with technological requirements to make it compliant. These requirements should be discussed with an IT professional. They affect not only your server but also desktops, laptops, network scanners and photocopiers. Things to talk about include:

  • Provide protocols for user authentication
  • Provide access control measures that restrict access to documents as well as password and user management.
  • Encrypt data during transmission as well as any data on mobile devices such as laptops and PDAs.
  • Ensure that there are current versions of security software such as antivirus software.
  • Employee information security training

The media has been widely publicized in connection with the theft of personal data from laptops. Personal data can be compromised and stolen while stored on computers or transmitted electronically, but this critical data can also be stolen while sitting at a desk or in an unlocked paper file cabinet. Even as you dispose of this information, it is important to take this into account, because you are also responsible for what you throw in the trash. Cutting and disposal services are key components of any effective WISP mortgage company. The goal of MA MGL 93H and 201 CMR 17.00 is to change the way a business views personal information and the important steps that need to be taken to properly collect, use, store, transport and destroy it.

Protecting your personal information not only protects your clients, but also your business from fines and lawsuits, and ensures that 201 CMR 17 is complied with and develop and implement the WISP mortgage company immediately.