(Originally published in the October 2015 issue of The National Notary.)
The threat to all our identities and sensitive financial information is very real and growing.
Consider that more than 121 million consumer records were compromised in the first seven months of 2015, according to the Privacy Rights Clearinghouse (PRC). That’s nearly double the total for all of 2014. And several recent cybersecurity reports predict that the global cost of cybercrime will jump from more than $400 billion in 2013 to $2.1 trillion in 2019.
In fact, in the past decade, government agencies, schools, hospitals and private companies in the U.S. have suffered 4,575 data breaches in the U.S. involving 858 million records, according to PRC. That’s 2.7 records for every man, woman and child in America.
While those numbers are staggering, they come from the countless daily activities of people doing business, sending and receiving emails, sharing documents and accessing databases of consumer or client information. And cybercriminals see all of it as fair game.
Apart from the fact that there’s a very good chance cybercriminals have your personal information, why does this matter to you?
For decades, a Notary's responsibility for protecting consumer information meant little more than keeping your Notary journal locked away when not in use. But that is no longer the case. Protecting the personal, non-public identity and financial information of consumers has become a global imperative, and Notaries in all walks of life are being asked to enter the fray.
At NNA 2015, leaders in the mortgage finance industry impressed upon Notaries the growing urgency to protect sensitive consumer information in loan closings — deals that amount to a trillion dollars in transactions each year.
“Notaries are representing all of us in the mortgage industry when handling borrowers’ information,” said Sally Freudenberg, Vice President of the Home and Consumer Finance Group at Wells Fargo. “We all need to work together to protect this information and keep our customers, and their transactions, secure.”
Whether you work in a photocopy store or a large office, or you run your own mobile Notary business, your duties often include handling sensitive consumer information. That makes you a potential target of cybercriminals and identity thieves.
A Notary’s data breach could start with something as simple as a lost journal, a stolen mobile device or computer used for business, mislaid loan documents or an unencrypted email. Any of those incidents could cost you as well as
your clients.
Small Businesses Are The Largest Targets
Even though massive data breaches at large organizations such as the Office of Personnel Management, eBay and Anthem grab the headlines, they are unusual cases. A recent study by Verizon estimated that 72 percent of cyberattacks targeted small- and medium-sized businesses.
“Small business owners are entrepreneurs,” said Andi Baritchi, Global Managing Principal of Payment Security and PCI Compliance Consulting Services for Verizon Enterprise Solutions. “They understand how to run their business, but they are not cybersecurity experts. Hackers know that.”
According to the 2015 Internet Security Threat Report from Symantec, many small businesses “are still not adopting basic best practices. This puts not only the businesses, but also their business partners, at higher risk.”
Baritchi pointed to the way small businesses process credit card payments as a potential weakness. “Are they doing it through phone systems or swiping them into a computer? That’s a threat, because it can be hacked.”
The same holds true for sharing information. How many of us use smartphones, mobile devices and home computers to check work emails or exchange documents?
Mobile Notaries, for example, depend on their smartphones and tablets to get borrower information, receive loan packages and even store client account information.
“Mobile devices are computers masquerading as phones,” Baritchi noted. “And just like computers, they always have a vulnerability.”
One of the more common tactics hackers use is phishing. This scheme typically involves bogus emails often purporting to be from a legitimate business or government agency asking you to confirm your identity and account information. By now, most of us have come across some of the more obvious phishing schemes. But the ones supposedly from your bank or the IRS can be trickier to detect.
A refinement of that tactic is called spear phishing, which targets a specific person by sending emails supposedly from a friend, relative or business the individual knows. This has proven to be a highly effective tactic, according to the Symantec report.
Another area of concern is unencrypted data — a particular risk for Notaries who work at home or share devices. Do your children share the computer you use for business? Do they know your passwords? If they do, they can read all your files unless they’re encrypted.
Unencrypted emails may be an even greater risk.
“Unencrypted email is like putting a postcard in the mail box,” Baritchi said. “Everybody can read it.”
Illustrating this point, escrow officers in California noted that there have been numerous instances this year alone in which unencrypted emails containing wiring instructions for real estate transactions were intercepted and the funds diverted to the hackers.
Similar vulnerabilities exist for other small businesses that often employ Notaries, such as insurance agencies, car dealerships and photocopy shops.
Small businesses lag behind in cybersecurity because they have not been subjected to the rigorous compliance oversight that large organizations face, Baritchi said.
That is changing, particularly in financial industries.
The Consumer Protection Mandate
Major financial institutions have long been subject to extensive consumer protection laws and regulation. Now the Consumer Financial Protection Bureau is holding lenders responsible for everything that happens in the mortgage origination process — down to the signing table, according to mortgage industry executives who took part in a panel discussion at NNA 2015.
Panelist Ray Callahan, Chief Compliance Officer of Prospect Mortgage, LLC., described the need to keep borrowers’ information out of the wrong hands as “all important” and noted that every loan package an NSA gets is loaded with non-public personal information.
Consequently, lenders are requiring the settlement services they hire to have written consumer protection policies, and settlement services soon may require the same from NSAs.
Apart from following the data security practices present in most industries, Notary signing agents have some special requirements because of the nature of loan-signing assignments.
A quick way to start drafting a policy is to ask three basic questions, said Michael Kaiser, Executive Director of the non-profit National Cyber Security Alliance.
- What data do I have?
- Where is it located on my various technology devices and elsewhere?
- What am I doing to protect it, and is it enough?
“The first element of cybersecurity is identifying the critical information you have that needs to be protected,” Kaiser says.
For Notaries, that includes all the paper you handle, such as journals and loan documents.
To help Notaries meet the requirements of the mortgage industry, the National Notary Association has developed a comprehensive Self-Assessment to use in evaluating their data security practices.
The Assessment is similar to one created by the American Land Title Association for its members, and could be very helpful to show hiring companies that you are taking steps to protect consumer information — and your clients’ interests.
The Assessment also could be used by Notaries in other businesses to check their practices.
Data Security Practices
Protecting consumer information generally is a matter of taking commonsense precautions, such as always encrypting digital files and emails, and keeping printed documents secure until they are sent back, Callahan said.
Data security experts recommend a number of essential steps.
Update your security applications: Most of us have some type of protective software — such as an anti-virus application — loaded on our computers and mobile devices. But cybercriminals are constantly changing their viruses and other malware. So make sure your subscription is active and you have turned on your auto-update function. That way, whether you use McAfee, Norton, Kaspersky or another product, you’ll have the latest updates to fend off the newest hack attacks.
Here's a guide to some common technical terms used in data security protection.
Encrypt everything: Every expert agrees that encryption is essential. Every document containing confidential information should be encrypted, wherever it is stored. The same goes for every hard drive, even if it is in a device that stays at home.
Always install the latest operating system version: Whether you’re Mac or PC, iPhone or Android, you get regular notices about updates to your operating system. While they can seem like a nuisance, the updates contain fixes to fend off the latest hack attack efforts.
Use strong passwords: Many companies already require employees and users alike to create passwords with a combination of upper and lowercase letters, numbers and symbols. That should be standard practice for everything, and use different passwords for every account and website. Most people use one or two passwords, noted Baritchi but if one website gets hacked, it opens the door to your other accounts. Use a password software program to generate strong passwords for your online accounts and keep them secure. There are several free or low-cost options you can choose from.
Use passcodes and touch IDs on mobile devices: Both will help if your smartphone or tablet is lost or stolen. Stephen Pao, General Manager of Security at Barracuda Networks, Inc., also recommends installing an app that can locate and wipe your device.
Avoid public WiFi: It might be nice to spend an hour at your local coffee house, perusing email or checking Twitter, but using public WiFi to access a consumer's personal information opens the door to your device, and anyone could walk in.
Don’t keep unnecessary data: Delete, shred or otherwise get rid of any information you do not need. “That goes for absolutely any confidential document — email, paper, whatever,” Baritchi said. “If you do not need it, keeping it creates a risk.” After combing your computer, check the file cabinet you have for any unnecessary paper records.
These tips might seem to be basic, but failing to follow robust consumer protection practices could have serious consequences — for you as well as your clients.
“I don’t think any (NSA) wants to call their hiring firm and say, ‘My car was broken into, and the loan file was stolen along with my laptop that was not encrypted,’” Callahan said.
Baritchi also pointed out that small businesses advertise through word of mouth, and a data breach could be devastating. In fact, a 2013 report from Experian found that 60 percent of small businesses that suffered a data breach closed their doors within six months.
On the other hand, if your clients know you follow strong data security practices, they will be more inclined to do business with you.
At the end of the day, data security is simply a fact of business life.
Michael Lewis is Managing Editor of member publications for the National Notary Association.
Related Articles
MBA Report: Protecting Consumer Information Never More Important