
April 27, 2008

Lending Tree A Little Late In Cutting Off Network Access?

Luke Mullins, associate editor at US News & World Report and author of the blog "The Collar," had a post Thursday about a disturbing letter that former Lending Tree mortgage customers received this week. According to Lending Tree, "several former employees may have helped a handful of mortgage lenders gain access to Lending Tree's customer information by sharing confidential passwords with the lenders." Those lenders used the passwords to get at the customers' loan request forms and then used the information on those forms to make their own loan solicitations to the customers.

The letter helpfully suggests that customers get a free copy of their own credit report, contact the credit bureau themselves if they see any suspicious activity, and consider filing a fraud alert with all of the credit bureaus. Lending Tree states that "we don't believe any identity theft or fraudulent financial activity resulted from this situation," although, of course, it can't be certain, can it? Once a password has been handed to an outside party, the company has no way of knowing how many other hands it passed through or what else it was used for. It may very well be that the former employees and miscreant lenders engaged in such nefarious activities simply to solicit mortgage loans, but it's not beyond the pale to imagine that they're capable of worse.

Nowhere in the letter does Lending Tree offer to pay for any peace of mind, such as a year's worth of credit report monitoring. From a cost/benefit standpoint, that may make sense unless there's some evidence of identity theft or other fraudulent use of the information obtained. From a public relations standpoint ("reputational risk"), however, that's not exactly going the extra mile. Then again, it's not my money.

Luke quotes security expert Brian Cleary, who points out an obvious chink in Lending Tree's information security armor.

These are former employees—how can those user accounts to critical customer data still be active? Those should be shut down. So, their access to all of the information and resources should be revoked on the day of their termination.

Yep.

Cleary also emphasizes a point that I tell banks and other businesses all the time: "you can have policies, but if the policies live in a three-ring binder, and they are not put into practice as daily operating procedures—through some degree of automation—the chances of things like this occurring are pretty high." In other words, policies work only if you have procedures in place to ensure that they're enforced consistently.

In this case, the access termination procedures were deficient. Disabling an account on the day its owner leaves also cuts off anyone that owner shared the password with, which is the failure the letter describes; it does nothing about sharing that went on while the employee was still on the payroll, and that has to be caught by other means. I recently went through the development of a statement of work and negotiation of a services agreement with a vendor on behalf of a commercial bank client, to automate the process by which authorization (and termination of authorization) of access to the bank's network is effected. There are solutions in the marketplace to accomplish this, and their implementation decreases the chances that a human being, asleep at the switch, will fail to terminate the access of former employees. If you're going to rely primarily on human beings to implement the policies, then you'd better make sure that those human beings are themselves subject to checks and reviews to make certain that they're following the policies.
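Here is what one of those "checks and reviews" looks like in practice, as an added example that is not from the post, from Lending Tree, or from any vendor's product. It is a small Python reconciliation control of the kind a bank's security or audit staff could run every morning: it joins the HR roster (who has been terminated, and when) against the directory's list of enabled accounts and a few authentication log lines, and reports accounts still enabled after termination, enabled accounts with no HR owner at all, and successful logins by terminated users. That last report is the one that would have caught the Lending Tree situation Cleary describes. The usernames, dates, IP addresses and field layouts are all constructed for the illustration; a real implementation would key on an employee identifier rather than a username and read the exports from the systems of record.

```python
# Added example (not from the post, Lending Tree, or any vendor named in it):
# a daily access-termination reconciliation control.  It joins a constructed
# HR roster against a constructed directory export and a few constructed
# authentication log lines, and reports (1) accounts still enabled after the
# owner's termination date, (2) enabled accounts with no HR owner at all, and
# (3) successful logins by terminated users, which is the signal that a leaked
# or shared credential is still in use.  All data and field layouts are assumptions.
from dataclasses import dataclass
from datetime import date, datetime
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Finding:
    username: str
    kind: str     # "stale_account", "orphan_account" or "post_termination_login"
    detail: str


# Constructed HR feed: username -> termination date (None = still employed).
HR_ROSTER: Dict[str, Optional[date]] = {
    "jsmith":  None,
    "mgarcia": date(2008, 3, 14),   # left six weeks before the run date below
    "tlee":    date(2008, 4, 1),
    "rkhan":   None,
}

# Constructed directory export: username -> account enabled?
DIRECTORY: Dict[str, bool] = {
    "jsmith":    True,
    "mgarcia":   True,    # should have been disabled on 2008-03-14
    "tlee":      False,   # disabled as the policy requires
    "rkhan":     True,
    "svc_batch": True,    # no HR owner: nobody is accountable for it
}

# Constructed authentication log: "<ISO timestamp> <user> <source IP> <result>".
AUTH_LOG = """\
2008-03-13T09:02:11 mgarcia 10.1.4.22 SUCCESS
2008-03-20T22:41:05 mgarcia 203.0.113.77 SUCCESS
2008-04-02T08:15:30 tlee 10.1.4.90 FAILURE
2008-04-03T11:00:00 jsmith 10.1.4.10 SUCCESS
2008-04-10T01:12:44 mgarcia 203.0.113.77 SUCCESS
"""


def stale_accounts(roster: Dict[str, Optional[date]],
                   directory: Dict[str, bool], as_of: date) -> List[Finding]:
    """Enabled accounts whose owner was terminated on or before as_of, plus
    enabled accounts with no HR record (orphans) that need a human owner."""
    findings = []
    for user, enabled in sorted(directory.items()):
        if not enabled:
            continue
        if user not in roster:
            findings.append(Finding(user, "orphan_account", "enabled, no HR record"))
            continue
        term = roster[user]
        if term is not None and term <= as_of:
            days = (as_of - term).days
            findings.append(Finding(user, "stale_account",
                                    f"terminated {term}, still enabled {days} days later"))
    return findings


def post_termination_logins(roster: Dict[str, Optional[date]],
                            log_text: str) -> List[Finding]:
    """Successful logins dated strictly after the user's termination date.
    Failed attempts are ignored on purpose: a disabled account producing
    failures is the control working, not failing."""
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, user, src, result = line.split()
        term = roster.get(user)
        if result == "SUCCESS" and term is not None and datetime.fromisoformat(ts).date() > term:
            findings.append(Finding(user, "post_termination_login", f"{ts} from {src}"))
    return findings


def run_control(as_of_iso: str) -> Dict[str, List[Finding]]:
    """Run both checks as of a given date; this is the daily job's output."""
    as_of = date.fromisoformat(as_of_iso)
    return {
        "accounts": stale_accounts(HR_ROSTER, DIRECTORY, as_of),
        "logins": post_termination_logins(HR_ROSTER, AUTH_LOG),
    }


if __name__ == "__main__":
    for section, findings in run_control("2008-04-27").items():
        print(f"== {section} ==")
        for f in findings:
            print(f"{f.kind:24} {f.username:10} {f.detail}")
```

The two halves of the report map onto the two halves of the argument. A "stale_account" finding means a human (or a broken automated feed) failed to carry out the policy; the number of days in the detail is how long the binder and the practice have disagreed. A "post_termination_login" finding means that failure was actually exploited, and with the source address it is the starting point for the investigation Lending Tree presumably had to do after the fact. Running a control like this daily, and escalating a non-empty report, is the kind of check on the people implementing the policy that the paragraph above calls for.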

Otherwise, you might find your bank the subject of "The Collar."
