Why Cybersecurity Is an Important Employment Law Issue

In its complaint in Orange County, CA, Superior Court, Irvine-based MOMC said the defendants ' four former employees and Chicago-based Guaranteed, one of the largest mortgage companies in the country ' engaged in “corporate espionage.” The former employees were accused of taking confidential borrower information, including tax returns, Social Security numbers, pay stubs, names and addresses, and sending it to Guaranteed for the purpose of directing MOMC customers to Guaranteed.

The complaint outlines this scenario: The fraud was discovered only after one of the employees, a licensed loan officer and star producer, was terminated and immediately joined Guaranteed. A routine examination of his computer that the company does when an employee is terminated revealed that he had deleted all of his files and e-mails. MOMC's IT department restored the lost data and discovered that over a one-month period in 2014, the former employee had sent to himself at a secret e-mail address nearly 900 e-mails containing confidential borrower information. Over a nearly three-and-a-half-month period, he sent 385 e-mails to Guaranteed, many of them containing confidential information. In total, the employee diverted more than five gigabytes of MOMC's proprietary and personal information to Guaranteed. The complaint alleged breach of contract, breach of fiduciary duty and fraud, and violations of the section of the California Penal Code that covers theft of computer data.

Following a seven-week trial, the jury returned a verdict for MOMC on all counts. Guaranteed denied the allegations, both before and after the trial, and said it was not involved in any fraudulent scheme.

The case is Mount Olympus Mortgage Company v. Benjamin Anderson, No. 30-2014-00729438-CU-BT-CJC (Orange County Superior Court).

The Repercussions Are Real

Setting aside the actions of Guaranteed, its executives and the loan officers, the real question is what steps, if any, could have been taken within MOMC to avoid the harm suffered in the first place. The harm is not just lost revenue. In cases like this one, MOMC had to, and will continue to, deal with the reputational repercussions, increased future litigation risk and possible increased compliance risk when it goes through its next regulatory exam.

For instance, in addition to Gramm-Leach-Bliley Act (GLB Act) requirements imposed on financial institutions to notify individuals of certain “misuse of its information,” California law requires a business to notify any California resident whose unencrypted personal information was acquired by an unauthorized person (a version of this law exists in 47 states). Further, any person or business that is required to issue a notification to more than 500 California residents as a result of a single breach of its security system will be required to electronically submit a single sample copy of that security breach notification to the attorney general. This sample is then posted on a searchable database on the California AG's website. Many AGs have similar requirements and require notice in advance to an AG regardless of the number of individuals affected.

The reputational cost of issuing these letters and publishing a sample with the AG can be significant. The letter may suggest weaknesses in the security of the company's data and may well sway a customer's opinion when it comes time to obtain another mortgage loan.

Customers who receive such letters may also blame the data breach for any issues they face with identity theft as well as any credit issues in the months and years following the breach, unfounded or not. This can result in significant legal expenses, as a lender will have to defend against any increased litigation as result of a breach.

Notably, a breach can spur a spike in consumer complaints, which also account for very real costs to staff and respond to each grievance.

Finally, the Consumer Finance Protection Bureau (CFPB) has stated that it monitors lawsuits and customer complaints, and utilizes the data as a factor for exam prioritization. Exam prioritization by the CFPB is governed by risk prioritization, and the risk associated with a data breach is an outsized one.

The Federal Financial Institutions Examination Council (FFIEC), of which the CFPB is a member, is a formal interagency body empowered to prescribe uniform principles for the federal examination of financial institutions. The FFIEC has stated that an institution should take a “comprehensive approach to maintain the security and resilience of its technology infrastructure including the establishment of a robust cybersecurity framework.” The FFIEC recommends the establishment of “robust governance policies and risk management strategies” and to “commit sufficient resources including expertise and training,” as well as the establishment of “an enterprise-wide approach to manage cyber risks with a strong cybersecurity culture as its foundation.”

As the CFPB is a member of the FFIEC, it would be wise to heed the FFEIC guidance.

Data Security Deficiencies

The CFPB has also shown its ability to bring enforcement actions where it has identified data security deficiencies. Although the CFPB lacks authority under the GLBA to enforce any of GLBA's data security provisions, the agency recently utilized its authority under Dodd-Frank's Unfair Deceptive Abusive Acts and Practices clause (UDAAP) to bring an enforcement action against Dwolla, Inc. (a company that operates an online payment platform) for issues with Dwolla's data security policies and procedures. In the matter against Dwolla, there was no preceding breach. When there is a breach that can be publicized as it was in the MOMC matter, the publicity can then, too, carry a risk if a regulator takes note.

Mitigate Risk

Cybersecurity is becoming a larger threat with each passing day. Companies would be best served to review their data privacy and information security programs to ensure they are employing standards and technologies that protect business, mitigate risks and address any process breaks that are identified. When conducting a review of relevant data security procedures, be certain to include a security system risk analysis that considers both external and internal risks and any efforts to mitigate those risks.

Work closely with IT to answer the following questions: Are you controlling access to your origination platform to the positions that actually require access to process your pipeline? Are all writable drives removed from your terminals? Are e-mail attachments sent from your servers scrubbed for non-public personal information (NPPI)? Does your institution have and enforce a “clean desk policy?” Do you have proper controls over your network access? Do you have filters to catch and deny any NPPI being electronically sent outside of your company improperly? Are controls in place to prevent any information from being saved on removable drives?

These are questions you should be asking immediately and they are steps your company can take today to guard against data theft. In addition, these steps should bolster your internal controls and enhance the effectiveness of your compliance management program when it comes time for your next audit. Regular training is also recommended for anyone who handles customer information to remind them of the risk of a data breach and the penalties associated with the misuse of consumer's NPPI. When it comes to privacy and data protection, the best defense is a proactive offense.

Conclusion

In the MOMC matter, the loan officers were accused of taking the data to process the borrowers for home loans at Guaranteed. The data breach could have been much worse if the information had been taken by a loan officer or processor and simply used as a commodity for sale with the borrower's NPPI utilized for more nefarious purposes, such as identity theft. In that case, the potential liability of the breached entity can be astronomical, if not devastating ' effectively leaving no one to sue to recover a portion of the damages like MOMC did with Guaranteed. The precautions referenced above may sound like an expensive step to take, but the cost is dwarfed by the price associated with the risks.

Craig Nazzaro and Tracy Weir are attorneys at Baker Donelson. Nazzaro represents clients involved in matters before the Consumer Financial Protection Bureau (CFPB) and Weir is a member of the firm's Privacy and Information Security Practice. Nazzaro, of counsel in Baker Donelson's Atlanta office, may be reached at [email protected]. Weir, a shareholder based in Washington, DC, may be reached at [email protected].