As concern about information security grows, NorthMarq is taking steps to actively protect the sensitive information of our lender and borrower customers. In the course of servicing each commercial mortgage loan, NorthMarq receives, stores, and transmits sensitive information related to borrowers and lenders—such as taxpayer identification, personal addresses and financial statements. Improper disclosure of such information, whether accidentally or intentionally, could seriously compromise an affected borrower and, by extension, the borrower’s lender.
We have adopted a framework for information security established by the International Organization for Standardization (ISO) called ISO 27001. As 2016 comes to a close, we have implemented all of the policies and procedures in the ISO 27001 protocol and executed our first round of internal reviews. By following these standards, we can also confirm through independent audits that we are properly protecting sensitive information; we are currently preparing for the first of these audits.
Implementation of these information security measures requires NorthMarq’s employees to receive, store and transmit this sensitive information in a uniform, consistent manner. Uniformity and consistency guard against both inadvertent disclosure and malicious hacking of sensitive information. The protocol also facilitates NorthMarq’s responses to a variety of audits—internal, external, and special requests from lenders.
How Will This Affect You?
The biggest change you will see concerns transmission to NorthMarq of “Red” data—i.e., data that is sensitive because it contains any of the following: 1) Personally Identifiable Information (PII); 2) healthcare information (HIPAA); or 3) bank account/routing information. We have been training our team to identify Red data and protect its transmission. Whether sent to NorthMarq or sent by NorthMarq, Red data will be encrypted using ShareFile. See the related article about ShareFile in this issue for more information about what it is and how it works.
Red/Yellow/Green: How Data Is Classified
All types of information can be put into one of three categories:
| Type of data | What falls into this category | Specific examples |
|---|---|---|
| Green: can be shared through regular communication channels | Information available to the public without any special restrictions | Address or phone numbers listed in a public directory; information from a public web site |
| Yellow: will likely be communicated through secure channels | Information that belongs to the company and is not to be disclosed to the public | Customer or vendor information; information from a credit report or background check |
| Red: should always be communicated through secure channels | Any information that has restricted access for any reason, including any personally identifiable information | Social Security Number or taxpayer identification number; bank account and routing numbers; any information covered under HIPAA |
Monitoring for “Red” Data
In addition to sending data through encrypted channels, we are also implementing a Data Loss Prevention (DLP) tool. This tool will help us protect our customers’ data by monitoring data movement. Specifically, it will watch how our employees handle Red data and prompt them to use secure channels (like ShareFile) if sensitive information is included in data leaving our network.
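To illustrate the kind of check a DLP tool performs on outbound content, the following is an added example written for this article; it is not NorthMarq's DLP tool and does not describe how ShareFile or the chosen product work. It applies the Red/Yellow/Green scheme from the table above to a piece of text: a few constructed patterns for Social Security or taxpayer identification numbers, bank routing and account numbers, and HIPAA-related wording decide whether the text must go through an encrypted channel. The patterns, keyword lists and sample messages are assumptions made for the example, and the routing-number checksum is the standard ABA check digit formula.

```python
"""Toy Red/Yellow/Green classifier for outbound text.

Added example, not NorthMarq's DLP product: the regular expressions and keyword
lists below are constructed for illustration and are far simpler than what a
real DLP engine uses.
"""
from __future__ import annotations

import re

# Red indicators (constructed patterns, not the page's rules).
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")  # SSN / ITIN shape
EIN_RE = re.compile(r"\b\d{2}-\d{7}\b")  # employer identification number shape
ROUTING_RE = re.compile(r"\b\d{9}\b")  # candidate ABA routing number; confirmed by checksum
ACCOUNT_RE = re.compile(
    r"\b(?:account|acct)\s*(?:number|no\.?|#)?\s*[:#]?\s*\d{6,17}\b", re.IGNORECASE
)
HIPAA_KEYWORDS = ("diagnosis", "medical record", "patient", "prescription")

# Yellow indicators: company information that is not public.
YELLOW_KEYWORDS = ("credit report", "background check", "vendor", "customer")


def aba_checksum_ok(digits: str) -> bool:
    """ABA routing check digit: 3*(d1+d4+d7) + 7*(d2+d5+d8) + (d3+d6+d9) must be 0 mod 10.

    Running the checksum on every 9-digit run keeps invoice or reference
    numbers from being flagged as bank routing numbers.
    """
    if len(digits) != 9 or not digits.isdigit():
        return False
    d = [int(c) for c in digits]
    total = 3 * (d[0] + d[3] + d[6]) + 7 * (d[1] + d[4] + d[7]) + (d[2] + d[5] + d[8])
    return total % 10 == 0


def find_red_indicators(text: str) -> list[str]:
    """Return the kinds of Red data found in the text (empty list if none)."""
    hits: list[str] = []
    if SSN_RE.search(text):
        hits.append("SSN or ITIN")
    if EIN_RE.search(text):
        hits.append("EIN")
    if any(aba_checksum_ok(m.group()) for m in ROUTING_RE.finditer(text)):
        hits.append("ABA routing number")
    if ACCOUNT_RE.search(text):
        hits.append("bank account number")
    lowered = text.lower()
    if any(word in lowered for word in HIPAA_KEYWORDS):
        hits.append("HIPAA")
    return hits


def classify(text: str) -> tuple[str, list[str]]:
    """Map text to ("Red" | "Yellow" | "Green", reasons) using the table's categories."""
    red = find_red_indicators(text)
    if red:
        return "Red", red
    lowered = text.lower()
    yellow = [word for word in YELLOW_KEYWORDS if word in lowered]
    if yellow:
        return "Yellow", yellow
    return "Green", []


def check_outbound(text: str) -> tuple[bool, str]:
    """Decide whether text may leave over a regular channel.

    Returns (allowed, message). Red data is blocked with a prompt to use the
    encrypted channel; Yellow is allowed with a recommendation; Green passes.
    """
    level, reasons = classify(text)
    if level == "Red":
        return False, f"Red data detected ({', '.join(reasons)}): send via ShareFile (encrypted)."
    if level == "Yellow":
        return True, f"Yellow data ({', '.join(reasons)}): a secure channel is recommended."
    return True, "Green data: regular channels are fine."


if __name__ == "__main__":
    # Constructed sample messages; 123456780 is a made-up number that passes the ABA checksum.
    samples = [
        "Public office hours are 9-5; see our website.",
        "Attached is the vendor credit report for review.",
        "Borrower TIN 123-45-6789 is on the statement.",
        "Wire to routing 123456780, account number: 4455667788",
    ]
    for sample in samples:
        allowed, message = check_outbound(sample)
        print(f"{'ALLOW' if allowed else 'BLOCK':5} {message}")
```

The checksum step is the part worth copying: a DLP rule that fires on every nine-digit number produces so many false positives that employees learn to ignore the prompt, while validating the check digit keeps the rule quiet on invoice and reference numbers and loud on actual routing numbers.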
We believe every individual has a role to play in information security, and we ask for your cooperation as we implement these new tools and procedures to protect sensitive data. If you have any questions or concerns, please contact us at firstname.lastname@example.org.