information security plan and identity theft prevention plan...information security plan and...
TRANSCRIPT
BD MORTGAGE GROUP LLC 1
Information Security Plan and Identity Theft Prevention Plan
Introduction
Information security is the protection of the data that we keep on our premises and systems in the normal course
of our business In addition to BD Mortgage Group LLCrsquos private company information there is the valuable
personal information of our customers borrowers and applicants We have an obligation under federal law to
keep that information safe
Our Information Security Plan and Identity Theft Plan has the following components
bull Securing Personal Information
bull Destruction of Secure Information and Records
bull Remediation in the Event of a Breach
Areas of Risk
The risk of large scale data theft is normally targeted towards larger institutions that may have a larger customer
base and consequently have a greater opportunity for reward Again the average credit card identity fraud theft
results in losses of less than $1000 Unfortunately mortgage offices while they offer smaller scale opportunities
for theft also represent financial assets of far greater value One theft can result in hundreds of thousands of
dollars of losses We require safeguards at all levels
Authorized Personnel
All staff members are required to complete an employment initiation process which includes background check
and education in the areas of general company policy regulations and information security Temporary staff
contractors and non-employee staff may not access customer information without clearance
Office Security
During hours of operation attended doors may be left open However should the door be unattended
replacement reception personnel must be arranged or the door must be locked and signage placed reading
ldquoReception Area Unattended please ring for entryrdquo Bonded cleaning crews may be allowed to clean the office
space after hours
Guests must be escorted by an employee at all times Guests must sign in at the reception area
Side doors and fire doors may not be propped open Signage must be in place that reads ldquoKEEP DOOR LOCKED
AT ALL TIMESrdquo
A person leaving his or her desk must replace all files and lock them in secure desk or filing cabinet drawers
Clean Desk Policy
BD MORTGAGE GROUP LLC 2
An effective clean desk effort involving the participation and support of all BD Mortgage Group LLC employees
can greatly protect paper documents that contain sensitive information about our clients customers and vendors
All employees should familiarize themselves with the guidelines of this policy
The main reasons for a clean desk policy are
A clean desk can produce a positive image when our customers visit the company
It reduces the threat of a security incident as confidential information will be locked away when unattended
Sensitive documents left in the open can be stolen by a malicious entity
Responsibility
All staff employees and entities working on behalf of company are subject to this policy
Scope
At known extended periods away from your desk such as a lunch break sensitive working papers are expected
to be placed in locked drawers At the end of the working day the employee is expected to tidy their desk and to
put away all office papers BD Mortgage Group LLC provides locking desks and filing cabinets for this purpose
Action
bull Allocate time in your calendar to clear away your paperwork
bull Always clear your workspace before leaving for longer periods of time
bull If in doubt - throw it out If you are unsure of whether a duplicate piece of sensitive documentation should be
kept - it will probably be better to place it in the shred bin
bull Consider scanning paper items and filing them electronically in your workstation
bull Use the recycling bins for sensitive documents when they are no longer needed
bull Lock your desk and filing cabinets at the end of the day
bull Lock away portable computing devices such as laptops or PDA devices
bull Treat mass storage devices such as CDROM DVD or USB drives as sensitive and secure them in a locked
drawer
Enforcement
Any employee found to have violated this policy may be subject to disciplinary action up to and including
termination of employment
BD MORTGAGE GROUP LLC 3
2-90-24 Password Security
We follow industry standards for access to secure systems to avoid compromising customer data and to thwart
attempts to illegally access our systems
bull Any system access software BD Mortgage Group LLC uses whether developed by BD Mortgage Group LLC
or purchased from a third-party vendor must have BD Mortgage Group LLC account number and password
hidden or embedded so that the password is known only to Authorized Employees
bull Password files must be encrypted (128-bit encryption or stronger)
bull Each Authorized Employee of BD Mortgage Group LLCrsquos system access software must then be assigned
unique log-ons and passwords
bull Password management conforms to the following best practices
bull Minimum 8 characters in length
bull Mix of alpha numeric and special characters
bull Passwords must expire every 90 days
bull No re-use of a password for 6 months
bull No automatic scripting of passwords
NEVER DISCLOSE YOUR PASSWORD TO ANYONE
Employees may never disclose their passwords even when requesting password resets or if a specific vendor
requests it
BD MORTGAGE GROUP LLC 4
Laptop Computers and Mobile Devices
This describes Information Security requirements for encrypting data at rest on BD Mortgage Group LLC mobile
devices
This policy applies to any mobile device issued by BD Mortgage Group LLC or used for BD Mortgage Group
LLC business which contains stored data owned by BD Mortgage Group LLC
All mobile devices containing stored data owned by BD Mortgage Group LLC must use an approved method of
encryption to protect data at rest Mobile devices are defined to include laptops PDAs and cell phones
Users are expressly forbidden from storing BD Mortgage Group LLC data on devices that are not issued by BD
Mortgage Group LLC such as storing BD Mortgage Group LLC email on a personal cell phone or PDA
Laptops must employ full disk encryption with an approved software encryption package No BD Mortgage
Group LLC data may exist on a laptop in cleartext
PDAs and Cell phones
Any BD Mortgage Group LLC data stored on a cell phone or PDA must be saved to an encrypted file system
using BD Mortgage Group LLC-approved software BD Mortgage Group LLC shall also employ remote wipe
technology to remotely disable and delete any data stored on a BD Mortgage Group LLC PDA or cell phone
which is reported lost or stolen
Keys
All keys used for encryption and decryption must meet 128 bit complexity requirements
Loss and Theft
The loss or theft of any mobile device containing BD Mortgage Group LLC data must be reported immediately
Enforcement
Any employee found to have violated this policy may be subject to disciplinary action up to and including
termination of employment
BD MORTGAGE GROUP LLC 5
Definitions
Term Definition
Cleartext Unencrypted data
Full disk encryption Technique that encrypts an entire hard drive including operating system and data
Key Phrase used to encrypt or decrypt data
PDA Personal Data Assistant
Remote wipe Software that remotely deletes data stored on a mobile device
BD MORTGAGE GROUP LLC 6
Desktop Security Policy
The purpose of this policy is to provide guidance for workstation security for BD Mortgage Group LLC
workstations in order to ensure the security of information on the workstation and information the workstation
may have access to
Scope
This policy applies to all BD Mortgage Group LLC employees contractors workforce members vendors and
agents with a BD Mortgage Group LLC-owned or personal-workstation connected to the BD Mortgage Group
LLC network
Policy
Appropriate measures must be taken when using workstations to ensure the confidentiality integrity and
availability of sensitivity information and that access to sensitive information is restricted to authorized users
Workforce members using workstations shall consider the sensitivity of the information that may be accessed
and minimize the possibility of unauthorized access BD Mortgage Group LLC will implement physical and
technical safeguards for all workstations that access electronic protected health information to restrict access to
authorized users
Appropriate measures include
bull Restricting physical access to workstations to only authorized personnel
bull Securing workstations (screen lock or logout) prior to leaving area to prevent unauthorized access
bull Enabling a password-protected screen saver with a short timeout period to ensure that workstations that were
left unsecured will be protected
bull Complying with all applicable password policies and procedures
bull Ensuring workstations are used for authorized business purposes only
bull Never installing unauthorized software on workstations
bull Storing all sensitivity information on network servers
bull Keeping food and drink away from workstations in order to avoid accidental spills
bull Securing laptops that contain sensitivity information by using cable locks or locking laptops up in drawers or
cabinets
bull Complying with the Portable Workstation Encryption policy
bull Complying with the Anti-Virus policy
bull Ensuring that monitors are positioned away from public view If necessary install privacy screen filters or
other physical barriers to public viewing
bull Ensuring workstations are left on but logged off in order to facilitate after-hours updates Exit running
applications and close open documents
bull Ensuring that all workstations use a surge protector (not just a power strip) or a UPS (battery backup)
bull If wireless network access is used ensure access is secure by following the Wireless Access policy
Enforcement
Any employee found to have violated this policy may be subject to disciplinary action up to and including
termination of employment
BD MORTGAGE GROUP LLC 7
Definitions
Workstations include laptops desktops PDAs computer based medical equipment containing or accessing
patient information and authorized home workstations accessing the BD Mortgage Group LLC network
Workforce members include employees volunteers trainees and other persons under the direct control of BD
Mortgage Group LLC
BD MORTGAGE GROUP LLC 8
Document Retention and Destruction
In accordance with the Sarbanes-Oxley Act which makes it a crime to alter cover up falsify or destroy any
document with the intent of impeding or obstructing any official proceeding this policy provides for the
systematic review retention and destruction of documents received or created by BD Mortgage Group LLC in
connection with the transaction of organization business This policy covers all records and documents regardless
of physical form contains guidelines for how long certain documents should be kept and how records should be
destroyed The policy is designed to ensure compliance with federal and state laws and regulations to eliminate
accidental or innocent destruction of records and to facilitate BD Mortgage Group LLCrsquos operations by promoting
efficiency and freeing up valuable storage space
Document Retention
BD Mortgage Group LLC follows the document retention procedures outlined below Documents that are not
listed but are substantially similar to those listed in the schedule will be retained for the appropriate length of
time
BD MORTGAGE GROUP LLC 9
General Records Retention Schedule
Corporate Records
Annual Reports to Secretary of StateAttorney General Permanent
Articles of Incorporation Permanent
Board Meeting and Board Committee Minutes Permanent
Board PoliciesResolutions Permanent
By-laws Permanent
Construction Documents Permanent
Fixed Asset Records Permanent
IRS Application for Tax-Exempt Status (Form 1023) Permanent
IRS Determination Letter Permanent
State Sales Tax Exemption Letter Permanent
Contracts (after expiration) 7 years
Correspondence (general) 3 years
Accounting and Corporate Tax Records
Annual Audits and Financial Statements Permanent
Depreciation Schedules Permanent
General Ledgers Permanent
IRS 990 Tax Returns Permanent
Business Expense Records 7 years
IRS 1099s 7 years
Journal Entries 7 years
Invoices 7 years
Sales Records (box office concessions gift shop) 5 years
Petty Cash Vouchers 3 years
Cash Receipts 3 years
Credit Card Receipts 3 years
Bank Records
Check Registers Permanent
Bank Deposit Slips 7 years
Bank Statements and Reconciliation 7 years
Electronic Fund Transfer Documents 7 years
Payroll and Employment Tax Records
Payroll Registers Permanent
State Unemployment Tax Records Permanent
Earnings Records 7 years
Garnishment Records 7 years
Payroll Tax returns 7 years
W-2 Statements 7 years
Employee Records
Employment and Termination Agreements Permanent
Retirement and Pension Plan Documents Permanent
Records Relating to Promotion Demotion or Discharge 7 years after termination
Accident Reports and Workerrsquos Compensation Records 5 years
Salary Schedules 5 years
Employment Applications 3 years
I-9 Forms 3 years after termination
Time Cards 2 years
Loan File Records
Loan Application Copy File 5 years after completion
Loan Servicing File 5 years after loan payoff
BD MORTGAGE GROUP LLC 10
BD MORTGAGE GROUP LLC 11
Electronic Documents and Records
Electronic documents will be retained as if they were paper documents Therefore any electronic files including
records of donations made online that fall into one of the document types on the above schedule will be
maintained for the appropriate amount of time If a user has sufficient reason to keep an email message the
message should be printed in hard copy and kept in the appropriate file or moved to an ldquoarchiverdquo computer file
folder Backup and recovery methods will be tested on a regular basis
See ndash E-SIGN Policy and Procedure
Emergency Planning
BD Mortgage Group LLCrsquos records will be stored in a safe secure and accessible manner Documents and
financial files that are essential to keeping BD Mortgage Group LLC operating in an emergency will be duplicated
or backed up at least every week and maintained off site
BD MORTGAGE GROUP LLC 12
Document Destruction
BD Mortgage Group LLCrsquos designated ldquoInformation Security and Red Flag ID Theft Planrdquo individual is
responsible for the ongoing process of identifying records which have met the required retention period and
overseeing their destruction Destruction of financial and personnel-related documents will be accomplished by
shredding
Document destruction will be suspended immediately upon any indication of an official investigation or when a
lawsuit is filed or appears imminent Destruction will be reinstated upon conclusion of the investigation
Compliance
Failure on the part of employees to follow this policy can result in possible civil and criminal sanctions against
BD Mortgage Group LLC and its employees and possible disciplinary action against responsible individuals The
chief financial officer and finance committee chair will periodically review these procedures with legal counsel
or the organizationrsquos certified public accountant to ensure that they are in compliance with new or revised
regulations
Onsite Records Storage Policy
Active closed or denied loan application copies exclusive of delivery file documentation subject to the Funding
Warehousing Delivery and Servicing Setup process will be stored in the branch These files will be indexed by
month and alphabetically by borrower last name File cabinets must be locked and keys are maintained by the
operations manager and may be accessed under supervision during business hours
Offsite Records Storage
If due to space concerns there is insufficient room in the branch location to provide file storage off-site records
storage may be utilized through a secure bonded professional records Management Company that is a member
of the American Business Records Management Association Records of each file box sent to Archive must be
maintained current by the operations manager and must be available for immediate inspection within 2 hoursrsquo
notice
The purpose of this policy is to ensure the proper use of BD Mortgage Group LLCrsquos email system and make users
aware of what BD Mortgage Group LLC deems as acceptable and unacceptable use of its email system The BD
Mortgage Group LLC reserves the right to amend this policy at its discretion In case of amendments users will
be informed appropriately
BD MORTGAGE GROUP LLC 13
Electronic Communication
Email is a business communication tool and users are obliged to use this tool in a responsible effective and lawful
manner Although by its nature email seems to be less formal than other written communication the same laws
apply Therefore it is important that users are aware of the legal risks of e-mail
By following the guidelines in this policy the email user can minimize the legal risks involved in the use of e-
mail If any user disregards the rules set out in this Email Policy the user will be fully liable and BD Mortgage
Group LLC will disassociate itself from the user as far as legally possible
The following rules are required by law and are to be strictly adhered to
bull It is strictly prohibited to send or forward emails containing libelous defamatory offensive racist or
obscene remarks If you receive an e-mail of this nature you must promptly notify your supervisor
bull Do not forward a message without acquiring permission from the sender first
bull Do not send unsolicited email messages
bull Do not forge or attempt to forge email messages
bull Do not send email messages using another personrsquos email account
bull Do not copy a message or attachment belonging to another user without permission of the originator
bull Do not disguise or attempt to disguise your identity when sending mail
Best Practices
BD Mortgage Group LLC considers email as an important means of communication and recognizes the
importance of proper email content and speedy replies in conveying a professional image and delivering good
customer service Therefore BD Mortgage Group LLC wishes users to adhere to the following guidelines
Writing emails
bull Signatures must include your name job title and BD Mortgage Group LLC A disclaimer will be added
underneath your signature (see Disclaimer)
bull Use the spell checker before you send out an email
bull Do not send unnecessary attachments Compress attachments larger than 200K before sending them
bull Do not write emails in capitals
bull Do not use cc or bcc fields unless the cc or bcc recipient is aware that you will be copying a mail to
himher and knows what action if any to take
bull If you forward mails state clearly what action you expect the recipient to take
bull Only send emails of which the content could be displayed on a public notice board If they cannot be
displayed publicly in their current state consider rephrasing the email using other means of
communication or protecting information by using a password (see confidential)
bull Only mark emails as important if they really are important
Replying to emails
Emails should be answered within at least 8 working hours but users must endeavor to answer priority emails
within 4 hours
Priority emails are emails from existing customers and business partners
BD MORTGAGE GROUP LLC 14
Newsgroups
Users need to request permission from their supervisor before subscribing to a newsletter or news group
Maintenance
Delete any email messages that you do not need to have a copy of and set your email client to automatically
empty your lsquodeleted itemsrsquo on closing
Personal Use
Although BD Mortgage Group LLC email system is meant for business use BD Mortgage Group LLC allows
the reasonable use of email for personal use if certain guidelines are adhered to
bull Personal use of email should not interfere with work
bull Personal emails must also adhere to the guidelines in this policy
bull Personal emails are kept in a separate folder named lsquoPrivatersquo The emails in this folder must be deleted weekly
so as not to clog up the system
bull The forwarding of chain letters junk mail jokes and executables is strictly forbidden
bull On average users are not allowed to send more than 2 personal emails a day
bull Do not send mass mailings
bull All messages distributed via the companyrsquos email system even personal emails are BD Mortgage Group
LLCrsquos property
Confidential Information
Avoid sending confidential information by e-mail If you do you must secure the information by including it in
a Microsoft Word Excel or PDF file and protect it with a password Then provide the recipient with the password
by means of other communication for instance by telephone
Disclaimer
The following disclaimer will be added to each outgoing email
lsquoThis email and any files transmitted with it are confidential and intended solely for the use of the individual or
entity to which they are addressed If you have received this email in error please notify the system manager
Please note that any views or opinions presented in this email are solely those of the author and do not necessarily
represent those of the company Finally the recipient should check this email and any attachments for the presence
of viruses The company accepts no liability for any damage caused by any virus transmitted by this emailrsquo
System Monitoring
You must have no expectation of privacy in anything you create store send or receive on the companyrsquos computer
system Your emails can be monitored without prior notification if BD Mortgage Group LLC deems this
necessary If there is evidence that you are not adhering to the guidelines set out in this policy the BD Mortgage
Group LLC reserves the right to take disciplinary action including termination andor legal action
BD MORTGAGE GROUP LLC 15
Secure Fax Transmission
The legacy of fax transmission in the mortgage industry is long The risk of using fax transmissions is that the
sender has no idea whether the recipient is attending to the machine while the document is being received printed
and then available for viewing In order to prevent the compromise of secure information never send information
to an unattended facsimile machine If you can confirm that the recipient is standing at the machine it is acceptable
to proceed with communications in this manner
Alternatively we can provide an ldquoE-faxrdquo account for individual users This allows the transmission of facsimiles
via e-mail to a secure login account
For transmitting paper documents always create a password protected document and deliver the password to the
recipient using a different method of communication such as the telephone
Secure Telephone Communications
Vishing is the criminal practice of using social engineering and Voice over IP (VoIP) to gain access to private
personal and financial information from the public for the purpose of financial reward The term is a combination
of voice and phishing Vishing exploits the publics trust in landline telephone services which have traditionally
terminated in physical locations which are known to the telephone company and associated with a bill-payer
The victim is often unaware that VoIP allows for caller ID spoofing inexpensive complex automated systems
and anonymity for the bill-payer Vishing is typically used to steal credit card numbers or other information used
in identity theft schemes from individuals
According to the FBIs Internet Crime Complaint Center (IC3) the number of vishing complaints received by
the center is increasing at what it calls an alarming rate Vishing and phishing are related and both rely on e-
mail as a means of delivering bait but the two use different hooks in order to snag user data
Vishing starts with an e-mail like phishing but requests that end-users contact a particular institution by phone
in order to resolve an issue or re-secure personal data People who call the provided number will be asked to
provide the same types of data phishers attempt to procure Ironically vishing e-mails may even attempt to
reassure recipients of their legitimacy by stating that the institution in question would never request customer
financial data via e-mail or IM
As always the best defense against phishing or vishing is a little common sense If your bank or other financial
institution with which you are affiliated contacts you requesting personal data hang up (or call them) using only
the number provided on the back of your card or official statement If you cant get confirmation that the request
is actually legitimate dont follow up on it
BD MORTGAGE GROUP LLC 16
Social Engineering Scams ndash Internal and External Prevention
One of the most prevalent forms of online scams is referred to as a seemingly benign term social engineering
This practice which is sometimes referred to as phishing refers to using trickery to get people to voluntarily
hand over critical information such as usernames or passwords
In many cases spam filters can easily detect the clumsier social engineering efforts and thus spare computer
users from grief However there are a growing number of sophisticated efforts that are crafted to circumvent the
spam filters - and unsuspecting customers that click into these cleverly disguised emails run the risk of facing
serious repercussions
Social engineering attacks mimic an email notification from a well-known and trusted source financial
institutions LinkedIn PayPal the Better Business Bureau Facebook and so forth The attackers create an email
that looks exactly like the normal system notices that are sent out by those entities but they change the links to
hit their own servers
The most classic example is an email that sends a dire notice with a link to login and check on a potential problem
When a person clicks on the link it takes him or her to a page on the cyber attackerrsquos servers that looks just like
the well-known entitys login page
When a person enters his or her username and password this information is stored in a database on the phony
server while an error box appears that says Invalid username or password please try again This error box
message comes with an OK button that when clicked redirects the person to the real login page
People may not realize there is a problem because passwords are obscured with asterisks so it is natural to assume
there was a typo during the initial password entry However the miscreants now have the persons username and
password
So what does this mean to mortgage bankers if someone gets tricked into thinking a social engineering scam
message really came from Facebook or LinkedIn Quite simply many people have the same usernames and
passwords for multiple websites Thus a person who has unwittingly surrendered his or her personal information
for a Facebook page might not realize that the social engineering scam artists could later use that information to
gain access to online mortgage banking accounts
BD Mortgage Group LLC needs to take a proactive approach in educating customers on how to identify potential
scams that pop up in their email in-boxes Here are some safety tips we send out to all customers
1 Dont click links from emails Instead open a Web browser and specifically go to the site in question and login
directly It is not common for financial institutions to have a click here to login link within their email
communications
2 Be suspicious of serious warnings and dollar amounts posted directly in emails Financial services companies
are not in the habit of sending customers panic-inducing messages of low account balances or other account
discrepancies with details plainly shown in the email Warnings are more discreet and merely direct the customer
to go log in for details
3 Use mouse-overs to view a link before clicking Although not all email software and hardware devices support
them a mouse-over can quickly and easily identify the links within an email message
4 Try not to use the same password at multiple sites Use a password program to store and remember online
access data
BD MORTGAGE GROUP LLC 17
5 Routinely update passwords Updating passwords even once a year is an easy way to stay one step ahead of
the social engineering scammers
Invite customers who are in doubt about the veracity of emails to forward them to BD Mortgage Group LLC for
verification Several sites that have been the subject of social engineering scams including eBay and PayPal have
special email accounts that receive review and keep track of these online frauds These spoof-checking efforts
will help empower the customer to ensure that BD Mortgage Group LLC does not become the victim of the next
big Internet fraud
BD MORTGAGE GROUP LLC 18
Data Breach Policy Implementation Guide
The response to any breach of personally identifiable information (PII) can have a critical impact on the BD
Mortgage Group LLCrsquos reputation and how trustworthy the public perceives the company Thus exceptional care
must be taken when responding to data breach incidents Not all incidents result in data breaches and not all data
breaches require notification This guide is to assist the Data Breach Team in developing an appropriate response
to a data breach based on the specific characteristics of the incident
Background
This Data Breach Policy Implementation Guide is based on the Presidentrsquos Identity Theft Task Force
recommendations that provide a menu of steps for the company to consider so that it may pursue a risk-based
tailored response to data breach incidents
Definition of Breach
A breach is a loss of control compromise unauthorized disclosure unauthorized acquisition unauthorized
access or any similar term referring to situations where persons other than authorized users and for an authorized
purpose have access or potential access to PII in usable form whether physical or electronic
Reporting Breaches and Breach Response Team
Breach is immediately reported to
bull Chief Privacy Officer (CPO)
bull Chief Information Officer (CIO)
bull Chief IT Security Office (ITSO)
bull Associate Director for Communications
bull Chief Office of Analysis and Executive Support (OAES)
bull As warranted
bull Chief Office of Security
bull General Counsel
bull Law Enforcement
Risk Assessment Process
Risk is a function of the probability or likelihood of a privacy violation and the resulting impact of that violation
To assign a risk score assess the probability of the event (data breach) occurring and then assess the impact or
harm caused to an individual and our organization in its ability to achieve its mission
BD MORTGAGE GROUP LLC 19
Likelihood Likelihood Definition
High (H) The nature of the attack and the data indicate that the motivation is criminal intent the security of the data and controls to minimize the likelihood of a privacy violation are ineffective
Medium (M)
The nature of the attack and data indicate that the motivation could be criminal intent but controls are in place that may impede success
Low (L) The nature of the attack and data do not indicate criminal intent and security and controls are in place to prevent or at least significantly impede the likelihood of a privacy violation
To assess likelihood of a breach occurring consider five factors
1 How the loss occurred
2 Data elements breached
3 Ability to access the data - the likelihood the personal information will be or has been compromised ndash made
accessible to and usable by unauthorized persons
4 Ability to mitigate the risk of harm
5 Evidence of data being used for identity theft or other harm
1 How Loss Occurred
H - Online system hacked
H - Data was targeted
M - Device was targeted
M - Device stolen
L - Device lost
2 Data Elements Breached
H - Social Security Number
H - Biometric record
H - Financial account number
H - PIN or security code for financial account
H - Health data
M - Birthdate
M - Government Issued Identification Number (drivers license etc)
L - Name
L - Address
L - Telephone Number
A combination of identifying information and financial or security information should always be considered a
high risk with high likelihood of harm occurring
3 Ability to access data
H ndash paper records or electronic records in a spreadsheet that is not password protected
M ndash electronic records that are password protected only
L ndash electronic records that are password protected and encrypted
4 Ability to mitigate the risk of harm
H ndash no recovery of data
M ndash partial recovery of data
L ndash recovery of data prior to use
BD MORTGAGE GROUP LLC 20
5 Evidence of data being used for identity theft or other harm
H ndash Data published on the web
M ndash Data accessed but no direct evidence of use
L ndash No tangible evidence of data use
After evaluating each factor and assigning an overall probability or likelihood of a breach occurring review and
assess the impact or harm to an individual or our organization
Impact Rating
Impact Definition
High Event (1) may result in human death or serious injury or harm to individual (2) may result in high costs to organization or (3) may significantly violate harm or impede an organizationrsquos mission reputation or interest
Medium Event (1) may result in injury or harm to the individual (2) may result in costs to the organization or (3) may violate harm or impede an organizationrsquos mission reputation or interest
Low Event (1) may result in the loss of some tangible organizational assets or resources or (2) may noticeably affect an organizationrsquos mission reputation or interest
The impact depends on the extent to which the breach poses a risk of identity theft or other substantial harm to an
individual such as embarrassment inconvenience unfairness harm to reputation or the potential for harassment
or prejudice particularly when health or financial benefits information is involved
Financial considerations can be factored in when determining the impact on our organization For instance credit
monitoring is generally estimated at $20 per year per case (individual) The costs associated with implementing
a call center including staff salaries may also be a factor Alternatively the cost of contracting for this service
could be a factor
BD MORTGAGE GROUP LLC 21
Assigning Risk Score
The risk score is determined by cross-referencing the likelihood score with the impact score
Likelihood Impact
Low Medium High
High Medium High High
Medium Low Medium High
Low Low Low Medium
Notification of Individuals
The risk score assigned will help determine if and when we should provide notification If the likelihood of risk
is low there could be more harm or impact on the individual if notification is provided due to the actions the
notified individual may take Thus notification must be weighed with the likelihood of risk No notification may
be required when the risk levels of each of the five factors is low If the likelihood of risk is high and the level of
impact or harm to the individual is medium notification and remedy may be required Alternatively if the
likelihood of risk is low and the level of impact or harm to the individual is high notification only may be required
If the five factors are considered appropriately it is more likely that notification will only be given in those
instances where there is a reasonable risk of harm and will not lead to the overuse of notification and thus the
associated further complications to the individual
Thus consideration should be given to all factors when determining final actions to take when addressing each
incident The table below should only be used as guide and conditions may warrant actions above or below those
associated with the final risk score
Risk Score Necessary Action
High Notify and provide remedy
Medium Notify only
Low Monitor only
Timing of Notification
Notice will be provided within a reasonable time following the discovery of a breach consistent with the legitimate
needs of law enforcement and any measures necessary for the Census Bureau to determine the scope of the breach
and if applicable to restore the reasonable integrity of the systemprocess that was compromised
In some circumstances law enforcement considerations may require a delay in notification if the investigation of
the breach or of an individual affected by the breach requires it and notification would seriously impede the
investigation The delay should not exacerbate risk or harm to any affected individual(s) or be tied to the
completion of the investigation but rather be based on whether it would seriously impede the investigation to
provide the notice promptly
Responsibility for Notification
The notice should come from a senior BD Mortgage Group LLC representative
BD MORTGAGE GROUP LLC 22
Content of Notification
The notice must be clear concise conspicuous easy-to-understand in plain language and should include the
following elements
bull A brief description of what happened including the date(s) of the breach and its discovery
bull A description of the types of personal information that were involved in the breach (eg full name Social
Security number date of birth home address account number disability code etc) to the extent possible
bull What steps if any an individual should take to protect himself from potential harm
bull What BD Mortgage Group LLC is doing if anything to investigate the breach to mitigate losses and to
protect against any further breaches
bull Who and how affected individuals should contact BD Mortgage Group LLC for more information including
a toll-free telephone number e-mail address and postal address
bull Direction to additional guidance available from the Federal Trade Commission at
httpwwwconsumergovidtheft
Minimizing your risk at httpwwwconsumergovidtheftcon_minimizehtm
Publications at httpwwwconsumergovidtheftcon_pubshtm
Method of Communication
Notice of the breach will be provided commensurate to the number of individuals affected by the breach and the
availability of contact information BD Mortgage Group LLC has for the affected individuals Correspondence
must be prominently marked on the exterior reflecting the importance of the communication to help ensure the
recipient does not discard or otherwise ignore the notification
In general the primary means of notification will be by first-class mail to the last known mailing address of the
individual based on BD Mortgage Group LLC records
Where we have reason to believe that the address is no longer current reasonable efforts will be made to update
the address using the US Postal Service National Change of Address (NCOA) database
Substitute notice may be made in instances where BD Mortgage Group LLC does not have sufficient contact
information for those who need to be notified In such instances notice may consist of a conspicuous posting of
the notice on the companyrsquos home page of its web site and include additional information in a Frequently Asked
Questions (FAQ)
BD MORTGAGE GROUP LLC 23
Process for Remediation of a Breach
Remedy is provided when the risk score is High
Credit Monitoring Data Breach Risk Packages (ie Lifelock)
Low Risk Package Low Risk Package Includes
1048707 Social Security Credit Card and 1 Bureau Credit Report Monitoring 1048707 3 Bureau Initial Fraud Alert 1048707 Credit Card Registry 1048707 Online Identity Theft Assistance 1048707 24 x 7 Customer Support
Medium Risk Package Medium Risk includes Low Risk benefits plus 1048707 Instant 1 Bureau Credit Report 1048707 Instant 1 Bureau Credit Score 1048707 Personal Information Directory Monitoring and Deletion 1048707 Identity Theft Consumer Guide 1048707 $25000 ($0 deductible) Identity Theft Insurance
High Risk Package High Risk includes Medium Risk benefits plus 1048707 3 Bureau Credit Report Monitoring 1048707 Instant 3 in 1 Credit Report 1048707 Instant 3 Bureau Credit Scores 1048707 Fraud Resolution amp Identity Restoration Specialist
BD MORTGAGE GROUP LLC 24
Reporting a Data Breach
Security Breach Notification Laws have been enacted in most US states since 2002 These laws were enacted in
response to an escalating number of breaches of consumer databases containing personally identifiable
information The first such law the California data security breach notification law was enacted in 2002 and
became effective on July 1 2003 As related in the bill statement law requires a state agency or a person or
business that conducts business in California that owns or licenses computerized data that includes personal
information as defined to disclose in specified ways any breach of the security of the data as defined to any
resident of California whose unencrypted personal information was or is reasonably believed to have been
acquired by an unauthorized person In addition the law permits delayed notification if a law enforcement
agency determines that it would impede a criminal investigation The law also requires any entity that licenses
such information to notify the owner or licensee of the information of any breach in the security of the data
The California law has been the model for the enactment of similar laws in other states The National Conference
of State Legislatures maintains a list of enacted and proposed security breach notification laws
BD MORTGAGE GROUP LLC 25
BD MORTGAGE GROUP LLC 26
2-90-29 - Information Security Audit
To ensure security of our systems and that we comply with rules for customer information security we conduct
an annual audit of our information technology systems A provider qualified to review our independent
information technology in conjunction with mortgage procedures must conduct this audit
Since we do not have any proprietary information technology but utilize software and services provided by
vendors exclusively we rely on the qualified audits of the technology provided by these vendors This is
conducted in conjunction with our annual vendor approval process
Vendor Category Vendor Name Information Tech Cert Date
Loan Origination System
E-Disclosure
Data Back-up
Web 1003 Application
Pricing and Eligibility
Document Management
E-Fax
Voice-MailTelephony
NetworkInternet Service
Office SupportCleanerLandlord
Courier
In addition we assume that other licensed entities with which we do business have had their plans reviewed and
found acceptable Consequently we do not audit our mortgage lender business partners
Internal Policies for Information Security Management
In addition to these procedures please refer to our internal Information Security Plan and Red Flags for our
ongoing Information Security procedures
BD MORTGAGE GROUP LLC 2
An effective clean desk effort involving the participation and support of all BD Mortgage Group LLC employees
can greatly protect paper documents that contain sensitive information about our clients customers and vendors
All employees should familiarize themselves with the guidelines of this policy
The main reasons for a clean desk policy are
A clean desk can produce a positive image when our customers visit the company
It reduces the threat of a security incident as confidential information will be locked away when unattended
Sensitive documents left in the open can be stolen by a malicious entity
Responsibility
All staff employees and entities working on behalf of company are subject to this policy
Scope
At known extended periods away from your desk such as a lunch break sensitive working papers are expected
to be placed in locked drawers At the end of the working day the employee is expected to tidy their desk and to
put away all office papers BD Mortgage Group LLC provides locking desks and filing cabinets for this purpose
Action
bull Allocate time in your calendar to clear away your paperwork
bull Always clear your workspace before leaving for longer periods of time
bull If in doubt - throw it out If you are unsure of whether a duplicate piece of sensitive documentation should be
kept - it will probably be better to place it in the shred bin
bull Consider scanning paper items and filing them electronically in your workstation
bull Use the recycling bins for sensitive documents when they are no longer needed
bull Lock your desk and filing cabinets at the end of the day
bull Lock away portable computing devices such as laptops or PDA devices
bull Treat mass storage devices such as CDROM DVD or USB drives as sensitive and secure them in a locked
drawer
Enforcement
Any employee found to have violated this policy may be subject to disciplinary action up to and including
termination of employment
BD MORTGAGE GROUP LLC 3
2-90-24 Password Security
We follow industry standards for access to secure systems to avoid compromising customer data and to thwart
attempts to illegally access our systems
bull Any system access software BD Mortgage Group LLC uses whether developed by BD Mortgage Group LLC
or purchased from a third-party vendor must have BD Mortgage Group LLC account number and password
hidden or embedded so that the password is known only to Authorized Employees
bull Password files must be encrypted (128-bit encryption or stronger)
bull Each Authorized Employee of BD Mortgage Group LLCrsquos system access software must then be assigned
unique log-ons and passwords
bull Password management conforms to the following best practices
bull Minimum 8 characters in length
bull Mix of alpha numeric and special characters
bull Passwords must expire every 90 days
bull No re-use of a password for 6 months
bull No automatic scripting of passwords
NEVER DISCLOSE YOUR PASSWORD TO ANYONE
Employees may never disclose their passwords even when requesting password resets or if a specific vendor
requests it
BD MORTGAGE GROUP LLC 4
Laptop Computers and Mobile Devices
This describes Information Security requirements for encrypting data at rest on BD Mortgage Group LLC mobile
devices
This policy applies to any mobile device issued by BD Mortgage Group LLC or used for BD Mortgage Group
LLC business which contains stored data owned by BD Mortgage Group LLC
All mobile devices containing stored data owned by BD Mortgage Group LLC must use an approved method of
encryption to protect data at rest Mobile devices are defined to include laptops PDAs and cell phones
Users are expressly forbidden from storing BD Mortgage Group LLC data on devices that are not issued by BD
Mortgage Group LLC such as storing BD Mortgage Group LLC email on a personal cell phone or PDA
Laptops must employ full disk encryption with an approved software encryption package No BD Mortgage
Group LLC data may exist on a laptop in cleartext
PDAs and Cell phones
Any BD Mortgage Group LLC data stored on a cell phone or PDA must be saved to an encrypted file system
using BD Mortgage Group LLC-approved software BD Mortgage Group LLC shall also employ remote wipe
technology to remotely disable and delete any data stored on a BD Mortgage Group LLC PDA or cell phone
which is reported lost or stolen
Keys
All keys used for encryption and decryption must meet 128 bit complexity requirements
Loss and Theft
The loss or theft of any mobile device containing BD Mortgage Group LLC data must be reported immediately
Enforcement
Any employee found to have violated this policy may be subject to disciplinary action up to and including
termination of employment
BD MORTGAGE GROUP LLC 5
Definitions
Term Definition
Cleartext Unencrypted data
Full disk encryption Technique that encrypts an entire hard drive including operating system and data
Key Phrase used to encrypt or decrypt data
PDA Personal Data Assistant
Remote wipe Software that remotely deletes data stored on a mobile device
BD MORTGAGE GROUP LLC 6
Desktop Security Policy
The purpose of this policy is to provide guidance for workstation security for BD Mortgage Group LLC
workstations in order to ensure the security of information on the workstation and information the workstation
may have access to
Scope
This policy applies to all BD Mortgage Group LLC employees contractors workforce members vendors and
agents with a BD Mortgage Group LLC-owned or personal-workstation connected to the BD Mortgage Group
LLC network
Policy
Appropriate measures must be taken when using workstations to ensure the confidentiality integrity and
availability of sensitivity information and that access to sensitive information is restricted to authorized users
Workforce members using workstations shall consider the sensitivity of the information that may be accessed
and minimize the possibility of unauthorized access BD Mortgage Group LLC will implement physical and
technical safeguards for all workstations that access electronic protected health information to restrict access to
authorized users
Appropriate measures include
bull Restricting physical access to workstations to only authorized personnel
bull Securing workstations (screen lock or logout) prior to leaving area to prevent unauthorized access
bull Enabling a password-protected screen saver with a short timeout period to ensure that workstations that were
left unsecured will be protected
bull Complying with all applicable password policies and procedures
bull Ensuring workstations are used for authorized business purposes only
bull Never installing unauthorized software on workstations
bull Storing all sensitivity information on network servers
bull Keeping food and drink away from workstations in order to avoid accidental spills
bull Securing laptops that contain sensitivity information by using cable locks or locking laptops up in drawers or
cabinets
bull Complying with the Portable Workstation Encryption policy
bull Complying with the Anti-Virus policy
bull Ensuring that monitors are positioned away from public view If necessary install privacy screen filters or
other physical barriers to public viewing
bull Ensuring workstations are left on but logged off in order to facilitate after-hours updates Exit running
applications and close open documents
bull Ensuring that all workstations use a surge protector (not just a power strip) or a UPS (battery backup)
bull If wireless network access is used ensure access is secure by following the Wireless Access policy
Enforcement
Any employee found to have violated this policy may be subject to disciplinary action up to and including
termination of employment
BD MORTGAGE GROUP LLC 7
Definitions
Workstations include laptops desktops PDAs computer based medical equipment containing or accessing
patient information and authorized home workstations accessing the BD Mortgage Group LLC network
Workforce members include employees volunteers trainees and other persons under the direct control of BD
Mortgage Group LLC
BD MORTGAGE GROUP LLC 8
Document Retention and Destruction
In accordance with the Sarbanes-Oxley Act which makes it a crime to alter cover up falsify or destroy any
document with the intent of impeding or obstructing any official proceeding this policy provides for the
systematic review retention and destruction of documents received or created by BD Mortgage Group LLC in
connection with the transaction of organization business This policy covers all records and documents regardless
of physical form contains guidelines for how long certain documents should be kept and how records should be
destroyed The policy is designed to ensure compliance with federal and state laws and regulations to eliminate
accidental or innocent destruction of records and to facilitate BD Mortgage Group LLCrsquos operations by promoting
efficiency and freeing up valuable storage space
Document Retention
BD Mortgage Group LLC follows the document retention procedures outlined below Documents that are not
listed but are substantially similar to those listed in the schedule will be retained for the appropriate length of
time
BD MORTGAGE GROUP LLC 9
General Records Retention Schedule
Corporate Records
Annual Reports to Secretary of StateAttorney General Permanent
Articles of Incorporation Permanent
Board Meeting and Board Committee Minutes Permanent
Board PoliciesResolutions Permanent
By-laws Permanent
Construction Documents Permanent
Fixed Asset Records Permanent
IRS Application for Tax-Exempt Status (Form 1023) Permanent
IRS Determination Letter Permanent
State Sales Tax Exemption Letter Permanent
Contracts (after expiration) 7 years
Correspondence (general) 3 years
Accounting and Corporate Tax Records
Annual Audits and Financial Statements Permanent
Depreciation Schedules Permanent
General Ledgers Permanent
IRS 990 Tax Returns Permanent
Business Expense Records 7 years
IRS 1099s 7 years
Journal Entries 7 years
Invoices 7 years
Sales Records (box office concessions gift shop) 5 years
Petty Cash Vouchers 3 years
Cash Receipts 3 years
Credit Card Receipts 3 years
Bank Records
Check Registers Permanent
Bank Deposit Slips 7 years
Bank Statements and Reconciliation 7 years
Electronic Fund Transfer Documents 7 years
Payroll and Employment Tax Records
Payroll Registers Permanent
State Unemployment Tax Records Permanent
Earnings Records 7 years
Garnishment Records 7 years
Payroll Tax returns 7 years
W-2 Statements 7 years
Employee Records
Employment and Termination Agreements Permanent
Retirement and Pension Plan Documents Permanent
Records Relating to Promotion Demotion or Discharge 7 years after termination
Accident Reports and Workerrsquos Compensation Records 5 years
Salary Schedules 5 years
Employment Applications 3 years
I-9 Forms 3 years after termination
Time Cards 2 years
Loan File Records
Loan Application Copy File 5 years after completion
Loan Servicing File 5 years after loan payoff
BD MORTGAGE GROUP LLC 10
BD MORTGAGE GROUP LLC 11
Electronic Documents and Records
Electronic documents will be retained as if they were paper documents Therefore any electronic files including
records of donations made online that fall into one of the document types on the above schedule will be
maintained for the appropriate amount of time If a user has sufficient reason to keep an email message the
message should be printed in hard copy and kept in the appropriate file or moved to an ldquoarchiverdquo computer file
folder Backup and recovery methods will be tested on a regular basis
See ndash E-SIGN Policy and Procedure
Emergency Planning
BD Mortgage Group LLCrsquos records will be stored in a safe secure and accessible manner Documents and
financial files that are essential to keeping BD Mortgage Group LLC operating in an emergency will be duplicated
or backed up at least every week and maintained off site
BD MORTGAGE GROUP LLC 12
Document Destruction
BD Mortgage Group LLCrsquos designated ldquoInformation Security and Red Flag ID Theft Planrdquo individual is
responsible for the ongoing process of identifying records which have met the required retention period and
overseeing their destruction Destruction of financial and personnel-related documents will be accomplished by
shredding
Document destruction will be suspended immediately upon any indication of an official investigation or when a
lawsuit is filed or appears imminent Destruction will be reinstated upon conclusion of the investigation
Compliance
Failure on the part of employees to follow this policy can result in possible civil and criminal sanctions against
BD Mortgage Group LLC and its employees and possible disciplinary action against responsible individuals The
chief financial officer and finance committee chair will periodically review these procedures with legal counsel
or the organizationrsquos certified public accountant to ensure that they are in compliance with new or revised
regulations
Onsite Records Storage Policy
Active closed or denied loan application copies exclusive of delivery file documentation subject to the Funding
Warehousing Delivery and Servicing Setup process will be stored in the branch These files will be indexed by
month and alphabetically by borrower last name File cabinets must be locked and keys are maintained by the
operations manager and may be accessed under supervision during business hours
Offsite Records Storage
If due to space concerns there is insufficient room in the branch location to provide file storage off-site records
storage may be utilized through a secure bonded professional records Management Company that is a member
of the American Business Records Management Association Records of each file box sent to Archive must be
maintained current by the operations manager and must be available for immediate inspection within 2 hoursrsquo
notice
The purpose of this policy is to ensure the proper use of BD Mortgage Group LLCrsquos email system and make users
aware of what BD Mortgage Group LLC deems as acceptable and unacceptable use of its email system The BD
Mortgage Group LLC reserves the right to amend this policy at its discretion In case of amendments users will
be informed appropriately
BD MORTGAGE GROUP LLC 13
Electronic Communication
Email is a business communication tool and users are obliged to use this tool in a responsible effective and lawful
manner Although by its nature email seems to be less formal than other written communication the same laws
apply Therefore it is important that users are aware of the legal risks of e-mail
By following the guidelines in this policy the email user can minimize the legal risks involved in the use of e-
mail If any user disregards the rules set out in this Email Policy the user will be fully liable and BD Mortgage
Group LLC will disassociate itself from the user as far as legally possible
The following rules are required by law and are to be strictly adhered to
bull It is strictly prohibited to send or forward emails containing libelous defamatory offensive racist or
obscene remarks If you receive an e-mail of this nature you must promptly notify your supervisor
bull Do not forward a message without acquiring permission from the sender first
bull Do not send unsolicited email messages
bull Do not forge or attempt to forge email messages
bull Do not send email messages using another personrsquos email account
bull Do not copy a message or attachment belonging to another user without permission of the originator
bull Do not disguise or attempt to disguise your identity when sending mail
Best Practices
BD Mortgage Group LLC considers email as an important means of communication and recognizes the
importance of proper email content and speedy replies in conveying a professional image and delivering good
customer service Therefore BD Mortgage Group LLC wishes users to adhere to the following guidelines
Writing emails
bull Signatures must include your name job title and BD Mortgage Group LLC A disclaimer will be added
underneath your signature (see Disclaimer)
bull Use the spell checker before you send out an email
bull Do not send unnecessary attachments Compress attachments larger than 200K before sending them
bull Do not write emails in capitals
bull Do not use cc or bcc fields unless the cc or bcc recipient is aware that you will be copying a mail to
himher and knows what action if any to take
bull If you forward mails state clearly what action you expect the recipient to take
bull Only send emails of which the content could be displayed on a public notice board If they cannot be
displayed publicly in their current state consider rephrasing the email using other means of
communication or protecting information by using a password (see confidential)
bull Only mark emails as important if they really are important
Replying to emails
Emails should be answered within at least 8 working hours but users must endeavor to answer priority emails
within 4 hours
Priority emails are emails from existing customers and business partners
BD MORTGAGE GROUP LLC 14
Newsgroups
Users need to request permission from their supervisor before subscribing to a newsletter or news group
Maintenance
Delete any email messages that you do not need to have a copy of and set your email client to automatically
empty your lsquodeleted itemsrsquo on closing
Personal Use
Although BD Mortgage Group LLC email system is meant for business use BD Mortgage Group LLC allows
the reasonable use of email for personal use if certain guidelines are adhered to
bull Personal use of email should not interfere with work
bull Personal emails must also adhere to the guidelines in this policy
bull Personal emails are kept in a separate folder named lsquoPrivatersquo The emails in this folder must be deleted weekly
so as not to clog up the system
bull The forwarding of chain letters junk mail jokes and executables is strictly forbidden
bull On average users are not allowed to send more than 2 personal emails a day
bull Do not send mass mailings
bull All messages distributed via the companyrsquos email system even personal emails are BD Mortgage Group
LLCrsquos property
Confidential Information
Avoid sending confidential information by e-mail If you do you must secure the information by including it in
a Microsoft Word Excel or PDF file and protect it with a password Then provide the recipient with the password
by means of other communication for instance by telephone
Disclaimer
The following disclaimer will be added to each outgoing email
lsquoThis email and any files transmitted with it are confidential and intended solely for the use of the individual or
entity to which they are addressed If you have received this email in error please notify the system manager
Please note that any views or opinions presented in this email are solely those of the author and do not necessarily
represent those of the company Finally the recipient should check this email and any attachments for the presence
of viruses The company accepts no liability for any damage caused by any virus transmitted by this emailrsquo
System Monitoring
You must have no expectation of privacy in anything you create store send or receive on the companyrsquos computer
system Your emails can be monitored without prior notification if BD Mortgage Group LLC deems this
necessary If there is evidence that you are not adhering to the guidelines set out in this policy the BD Mortgage
Group LLC reserves the right to take disciplinary action including termination andor legal action
BD MORTGAGE GROUP LLC 15
Secure Fax Transmission
The legacy of fax transmission in the mortgage industry is long The risk of using fax transmissions is that the
sender has no idea whether the recipient is attending to the machine while the document is being received printed
and then available for viewing In order to prevent the compromise of secure information never send information
to an unattended facsimile machine If you can confirm that the recipient is standing at the machine it is acceptable
to proceed with communications in this manner
Alternatively we can provide an ldquoE-faxrdquo account for individual users This allows the transmission of facsimiles
via e-mail to a secure login account
For transmitting paper documents always create a password protected document and deliver the password to the
recipient using a different method of communication such as the telephone
Secure Telephone Communications
Vishing is the criminal practice of using social engineering and Voice over IP (VoIP) to gain access to private
personal and financial information from the public for the purpose of financial reward The term is a combination
of voice and phishing Vishing exploits the publics trust in landline telephone services which have traditionally
terminated in physical locations which are known to the telephone company and associated with a bill-payer
The victim is often unaware that VoIP allows for caller ID spoofing inexpensive complex automated systems
and anonymity for the bill-payer Vishing is typically used to steal credit card numbers or other information used
in identity theft schemes from individuals
According to the FBIs Internet Crime Complaint Center (IC3) the number of vishing complaints received by
the center is increasing at what it calls an alarming rate Vishing and phishing are related and both rely on e-
mail as a means of delivering bait but the two use different hooks in order to snag user data
Vishing starts with an e-mail like phishing but requests that end-users contact a particular institution by phone
in order to resolve an issue or re-secure personal data People who call the provided number will be asked to
provide the same types of data phishers attempt to procure Ironically vishing e-mails may even attempt to
reassure recipients of their legitimacy by stating that the institution in question would never request customer
financial data via e-mail or IM
As always the best defense against phishing or vishing is a little common sense If your bank or other financial
institution with which you are affiliated contacts you requesting personal data hang up (or call them) using only
the number provided on the back of your card or official statement If you cant get confirmation that the request
is actually legitimate dont follow up on it
BD MORTGAGE GROUP LLC 16
Social Engineering Scams ndash Internal and External Prevention
One of the most prevalent forms of online scams is referred to as a seemingly benign term social engineering
This practice which is sometimes referred to as phishing refers to using trickery to get people to voluntarily
hand over critical information such as usernames or passwords
In many cases spam filters can easily detect the clumsier social engineering efforts and thus spare computer
users from grief However there are a growing number of sophisticated efforts that are crafted to circumvent the
spam filters - and unsuspecting customers that click into these cleverly disguised emails run the risk of facing
serious repercussions
Social engineering attacks mimic an email notification from a well-known and trusted source financial
institutions LinkedIn PayPal the Better Business Bureau Facebook and so forth The attackers create an email
that looks exactly like the normal system notices that are sent out by those entities but they change the links to
hit their own servers
The most classic example is an email that sends a dire notice with a link to login and check on a potential problem
When a person clicks on the link it takes him or her to a page on the cyber attackerrsquos servers that looks just like
the well-known entitys login page
When a person enters his or her username and password this information is stored in a database on the phony
server while an error box appears that says Invalid username or password please try again This error box
message comes with an OK button that when clicked redirects the person to the real login page
People may not realize there is a problem because passwords are obscured with asterisks so it is natural to assume
there was a typo during the initial password entry However the miscreants now have the persons username and
password
So what does this mean to mortgage bankers if someone gets tricked into thinking a social engineering scam
message really came from Facebook or LinkedIn Quite simply many people have the same usernames and
passwords for multiple websites Thus a person who has unwittingly surrendered his or her personal information
for a Facebook page might not realize that the social engineering scam artists could later use that information to
gain access to online mortgage banking accounts
BD Mortgage Group LLC needs to take a proactive approach in educating customers on how to identify potential
scams that pop up in their email in-boxes Here are some safety tips we send out to all customers
1 Dont click links from emails Instead open a Web browser and specifically go to the site in question and login
directly It is not common for financial institutions to have a click here to login link within their email
communications
2 Be suspicious of serious warnings and dollar amounts posted directly in emails Financial services companies
are not in the habit of sending customers panic-inducing messages of low account balances or other account
discrepancies with details plainly shown in the email Warnings are more discreet and merely direct the customer
to go log in for details
3 Use mouse-overs to view a link before clicking Although not all email software and hardware devices support
them a mouse-over can quickly and easily identify the links within an email message
4 Try not to use the same password at multiple sites Use a password program to store and remember online
access data
BD MORTGAGE GROUP LLC 17
5 Routinely update passwords Updating passwords even once a year is an easy way to stay one step ahead of
the social engineering scammers
Invite customers who are in doubt about the veracity of emails to forward them to BD Mortgage Group LLC for
verification Several sites that have been the subject of social engineering scams including eBay and PayPal have
special email accounts that receive review and keep track of these online frauds These spoof-checking efforts
will help empower the customer to ensure that BD Mortgage Group LLC does not become the victim of the next
big Internet fraud
BD MORTGAGE GROUP LLC 18
Data Breach Policy Implementation Guide
The response to any breach of personally identifiable information (PII) can have a critical impact on the BD
Mortgage Group LLCrsquos reputation and how trustworthy the public perceives the company Thus exceptional care
must be taken when responding to data breach incidents Not all incidents result in data breaches and not all data
breaches require notification This guide is to assist the Data Breach Team in developing an appropriate response
to a data breach based on the specific characteristics of the incident
Background
This Data Breach Policy Implementation Guide is based on the Presidentrsquos Identity Theft Task Force
recommendations that provide a menu of steps for the company to consider so that it may pursue a risk-based
tailored response to data breach incidents
Definition of Breach
A breach is a loss of control compromise unauthorized disclosure unauthorized acquisition unauthorized
access or any similar term referring to situations where persons other than authorized users and for an authorized
purpose have access or potential access to PII in usable form whether physical or electronic
Reporting Breaches and Breach Response Team
Breach is immediately reported to
bull Chief Privacy Officer (CPO)
bull Chief Information Officer (CIO)
bull Chief IT Security Office (ITSO)
bull Associate Director for Communications
bull Chief Office of Analysis and Executive Support (OAES)
bull As warranted
bull Chief Office of Security
bull General Counsel
bull Law Enforcement
Risk Assessment Process
Risk is a function of the probability or likelihood of a privacy violation and the resulting impact of that violation
To assign a risk score assess the probability of the event (data breach) occurring and then assess the impact or
harm caused to an individual and our organization in its ability to achieve its mission
BD MORTGAGE GROUP LLC 19
Likelihood Likelihood Definition
High (H) The nature of the attack and the data indicate that the motivation is criminal intent the security of the data and controls to minimize the likelihood of a privacy violation are ineffective
Medium (M)
The nature of the attack and data indicate that the motivation could be criminal intent but controls are in place that may impede success
Low (L) The nature of the attack and data do not indicate criminal intent and security and controls are in place to prevent or at least significantly impede the likelihood of a privacy violation
To assess likelihood of a breach occurring consider five factors
1 How the loss occurred
2 Data elements breached
3 Ability to access the data - the likelihood the personal information will be or has been compromised ndash made
accessible to and usable by unauthorized persons
4 Ability to mitigate the risk of harm
5 Evidence of data being used for identity theft or other harm
1 How Loss Occurred
H - Online system hacked
H - Data was targeted
M - Device was targeted
M - Device stolen
L - Device lost
2 Data Elements Breached
H - Social Security Number
H - Biometric record
H - Financial account number
H - PIN or security code for financial account
H - Health data
M - Birthdate
M - Government Issued Identification Number (drivers license etc)
L - Name
L - Address
L - Telephone Number
A combination of identifying information and financial or security information should always be considered a
high risk with high likelihood of harm occurring
3 Ability to access data
H ndash paper records or electronic records in a spreadsheet that is not password protected
M ndash electronic records that are password protected only
L ndash electronic records that are password protected and encrypted
4 Ability to mitigate the risk of harm
H ndash no recovery of data
M ndash partial recovery of data
L ndash recovery of data prior to use
BD MORTGAGE GROUP LLC 20
5 Evidence of data being used for identity theft or other harm
H ndash Data published on the web
M ndash Data accessed but no direct evidence of use
L ndash No tangible evidence of data use
After evaluating each factor and assigning an overall probability or likelihood of a breach occurring review and
assess the impact or harm to an individual or our organization
Impact Rating
Impact Definition
High Event (1) may result in human death or serious injury or harm to individual (2) may result in high costs to organization or (3) may significantly violate harm or impede an organizationrsquos mission reputation or interest
Medium Event (1) may result in injury or harm to the individual (2) may result in costs to the organization or (3) may violate harm or impede an organizationrsquos mission reputation or interest
Low Event (1) may result in the loss of some tangible organizational assets or resources or (2) may noticeably affect an organizationrsquos mission reputation or interest
The impact depends on the extent to which the breach poses a risk of identity theft or other substantial harm to an
individual such as embarrassment inconvenience unfairness harm to reputation or the potential for harassment
or prejudice particularly when health or financial benefits information is involved
Financial considerations can be factored in when determining the impact on our organization For instance credit
monitoring is generally estimated at $20 per year per case (individual) The costs associated with implementing
a call center including staff salaries may also be a factor Alternatively the cost of contracting for this service
could be a factor
BD MORTGAGE GROUP LLC 21
Assigning Risk Score
The risk score is determined by cross-referencing the likelihood score with the impact score
Likelihood Impact
Low Medium High
High Medium High High
Medium Low Medium High
Low Low Low Medium
Notification of Individuals
The risk score assigned will help determine if and when we should provide notification If the likelihood of risk
is low there could be more harm or impact on the individual if notification is provided due to the actions the
notified individual may take Thus notification must be weighed with the likelihood of risk No notification may
be required when the risk levels of each of the five factors is low If the likelihood of risk is high and the level of
impact or harm to the individual is medium notification and remedy may be required Alternatively if the
likelihood of risk is low and the level of impact or harm to the individual is high notification only may be required
If the five factors are considered appropriately it is more likely that notification will only be given in those
instances where there is a reasonable risk of harm and will not lead to the overuse of notification and thus the
associated further complications to the individual
Thus consideration should be given to all factors when determining final actions to take when addressing each
incident The table below should only be used as guide and conditions may warrant actions above or below those
associated with the final risk score
Risk Score Necessary Action
High Notify and provide remedy
Medium Notify only
Low Monitor only
Timing of Notification
Notice will be provided within a reasonable time following the discovery of a breach consistent with the legitimate
needs of law enforcement and any measures necessary for the Census Bureau to determine the scope of the breach
and if applicable to restore the reasonable integrity of the systemprocess that was compromised
In some circumstances law enforcement considerations may require a delay in notification if the investigation of
the breach or of an individual affected by the breach requires it and notification would seriously impede the
investigation The delay should not exacerbate risk or harm to any affected individual(s) or be tied to the
completion of the investigation but rather be based on whether it would seriously impede the investigation to
provide the notice promptly
Responsibility for Notification
The notice should come from a senior BD Mortgage Group LLC representative
BD MORTGAGE GROUP LLC 22
Content of Notification
The notice must be clear concise conspicuous easy-to-understand in plain language and should include the
following elements
bull A brief description of what happened including the date(s) of the breach and its discovery
bull A description of the types of personal information that were involved in the breach (eg full name Social
Security number date of birth home address account number disability code etc) to the extent possible
bull What steps if any an individual should take to protect himself from potential harm
bull What BD Mortgage Group LLC is doing if anything to investigate the breach to mitigate losses and to
protect against any further breaches
bull Who and how affected individuals should contact BD Mortgage Group LLC for more information including
a toll-free telephone number e-mail address and postal address
bull Direction to additional guidance available from the Federal Trade Commission at
httpwwwconsumergovidtheft
Minimizing your risk at httpwwwconsumergovidtheftcon_minimizehtm
Publications at httpwwwconsumergovidtheftcon_pubshtm
Method of Communication
Notice of the breach will be provided commensurate to the number of individuals affected by the breach and the
availability of contact information BD Mortgage Group LLC has for the affected individuals Correspondence
must be prominently marked on the exterior reflecting the importance of the communication to help ensure the
recipient does not discard or otherwise ignore the notification
In general the primary means of notification will be by first-class mail to the last known mailing address of the
individual based on BD Mortgage Group LLC records
Where we have reason to believe that the address is no longer current reasonable efforts will be made to update
the address using the US Postal Service National Change of Address (NCOA) database
Substitute notice may be made in instances where BD Mortgage Group LLC does not have sufficient contact
information for those who need to be notified In such instances notice may consist of a conspicuous posting of
the notice on the companyrsquos home page of its web site and include additional information in a Frequently Asked
Questions (FAQ)
BD MORTGAGE GROUP LLC 23
Process for Remediation of a Breach
Remedy is provided when the risk score is High
Credit Monitoring Data Breach Risk Packages (ie Lifelock)
Low Risk Package Low Risk Package Includes
1048707 Social Security Credit Card and 1 Bureau Credit Report Monitoring 1048707 3 Bureau Initial Fraud Alert 1048707 Credit Card Registry 1048707 Online Identity Theft Assistance 1048707 24 x 7 Customer Support
Medium Risk Package Medium Risk includes Low Risk benefits plus 1048707 Instant 1 Bureau Credit Report 1048707 Instant 1 Bureau Credit Score 1048707 Personal Information Directory Monitoring and Deletion 1048707 Identity Theft Consumer Guide 1048707 $25000 ($0 deductible) Identity Theft Insurance
High Risk Package High Risk includes Medium Risk benefits plus 1048707 3 Bureau Credit Report Monitoring 1048707 Instant 3 in 1 Credit Report 1048707 Instant 3 Bureau Credit Scores 1048707 Fraud Resolution amp Identity Restoration Specialist
BD MORTGAGE GROUP LLC 24
Reporting a Data Breach
Security Breach Notification Laws have been enacted in most US states since 2002 These laws were enacted in
response to an escalating number of breaches of consumer databases containing personally identifiable
information The first such law the California data security breach notification law was enacted in 2002 and
became effective on July 1 2003 As related in the bill statement law requires a state agency or a person or
business that conducts business in California that owns or licenses computerized data that includes personal
information as defined to disclose in specified ways any breach of the security of the data as defined to any
resident of California whose unencrypted personal information was or is reasonably believed to have been
acquired by an unauthorized person In addition the law permits delayed notification if a law enforcement
agency determines that it would impede a criminal investigation The law also requires any entity that licenses
such information to notify the owner or licensee of the information of any breach in the security of the data
The California law has been the model for the enactment of similar laws in other states The National Conference
of State Legislatures maintains a list of enacted and proposed security breach notification laws
BD MORTGAGE GROUP LLC 25
BD MORTGAGE GROUP LLC 26
2-90-29 - Information Security Audit
To ensure security of our systems and that we comply with rules for customer information security we conduct
an annual audit of our information technology systems A provider qualified to review our independent
information technology in conjunction with mortgage procedures must conduct this audit
Since we do not have any proprietary information technology but utilize software and services provided by
vendors exclusively we rely on the qualified audits of the technology provided by these vendors This is
conducted in conjunction with our annual vendor approval process
Vendor Category Vendor Name Information Tech Cert Date
Loan Origination System
E-Disclosure
Data Back-up
Web 1003 Application
Pricing and Eligibility
Document Management
E-Fax
Voice-MailTelephony
NetworkInternet Service
Office SupportCleanerLandlord
Courier
In addition we assume that other licensed entities with which we do business have had their plans reviewed and
found acceptable Consequently we do not audit our mortgage lender business partners
Internal Policies for Information Security Management
In addition to these procedures please refer to our internal Information Security Plan and Red Flags for our
ongoing Information Security procedures
BD MORTGAGE GROUP LLC 3
2-90-24 Password Security
We follow industry standards for access to secure systems to avoid compromising customer data and to thwart
attempts to illegally access our systems
bull Any system access software BD Mortgage Group LLC uses whether developed by BD Mortgage Group LLC
or purchased from a third-party vendor must have BD Mortgage Group LLC account number and password
hidden or embedded so that the password is known only to Authorized Employees
bull Password files must be encrypted (128-bit encryption or stronger)
bull Each Authorized Employee of BD Mortgage Group LLCrsquos system access software must then be assigned
unique log-ons and passwords
bull Password management conforms to the following best practices
bull Minimum 8 characters in length
bull Mix of alpha numeric and special characters
bull Passwords must expire every 90 days
bull No re-use of a password for 6 months
bull No automatic scripting of passwords
NEVER DISCLOSE YOUR PASSWORD TO ANYONE
Employees may never disclose their passwords even when requesting password resets or if a specific vendor
requests it
BD MORTGAGE GROUP LLC 4
Laptop Computers and Mobile Devices
This describes Information Security requirements for encrypting data at rest on BD Mortgage Group LLC mobile
devices
This policy applies to any mobile device issued by BD Mortgage Group LLC or used for BD Mortgage Group
LLC business which contains stored data owned by BD Mortgage Group LLC
All mobile devices containing stored data owned by BD Mortgage Group LLC must use an approved method of
encryption to protect data at rest Mobile devices are defined to include laptops PDAs and cell phones
Users are expressly forbidden from storing BD Mortgage Group LLC data on devices that are not issued by BD
Mortgage Group LLC such as storing BD Mortgage Group LLC email on a personal cell phone or PDA
Laptops must employ full disk encryption with an approved software encryption package No BD Mortgage
Group LLC data may exist on a laptop in cleartext
PDAs and Cell phones
Any BD Mortgage Group LLC data stored on a cell phone or PDA must be saved to an encrypted file system
using BD Mortgage Group LLC-approved software BD Mortgage Group LLC shall also employ remote wipe
technology to remotely disable and delete any data stored on a BD Mortgage Group LLC PDA or cell phone
which is reported lost or stolen
Keys
All keys used for encryption and decryption must meet 128 bit complexity requirements
Loss and Theft
The loss or theft of any mobile device containing BD Mortgage Group LLC data must be reported immediately
Enforcement
Any employee found to have violated this policy may be subject to disciplinary action up to and including
termination of employment
BD MORTGAGE GROUP LLC 5
Definitions
Term Definition
Cleartext Unencrypted data
Full disk encryption Technique that encrypts an entire hard drive including operating system and data
Key Phrase used to encrypt or decrypt data
PDA Personal Data Assistant
Remote wipe Software that remotely deletes data stored on a mobile device
BD MORTGAGE GROUP LLC 6
Desktop Security Policy
The purpose of this policy is to provide guidance for workstation security for BD Mortgage Group LLC
workstations in order to ensure the security of information on the workstation and information the workstation
may have access to
Scope
This policy applies to all BD Mortgage Group LLC employees contractors workforce members vendors and
agents with a BD Mortgage Group LLC-owned or personal-workstation connected to the BD Mortgage Group
LLC network
Policy
Appropriate measures must be taken when using workstations to ensure the confidentiality integrity and
availability of sensitivity information and that access to sensitive information is restricted to authorized users
Workforce members using workstations shall consider the sensitivity of the information that may be accessed
and minimize the possibility of unauthorized access BD Mortgage Group LLC will implement physical and
technical safeguards for all workstations that access electronic protected health information to restrict access to
authorized users
Appropriate measures include
bull Restricting physical access to workstations to only authorized personnel
bull Securing workstations (screen lock or logout) prior to leaving area to prevent unauthorized access
bull Enabling a password-protected screen saver with a short timeout period to ensure that workstations that were
left unsecured will be protected
bull Complying with all applicable password policies and procedures
bull Ensuring workstations are used for authorized business purposes only
bull Never installing unauthorized software on workstations
bull Storing all sensitivity information on network servers
bull Keeping food and drink away from workstations in order to avoid accidental spills
bull Securing laptops that contain sensitivity information by using cable locks or locking laptops up in drawers or
cabinets
bull Complying with the Portable Workstation Encryption policy
bull Complying with the Anti-Virus policy
bull Ensuring that monitors are positioned away from public view If necessary install privacy screen filters or
other physical barriers to public viewing
bull Ensuring workstations are left on but logged off in order to facilitate after-hours updates Exit running
applications and close open documents
bull Ensuring that all workstations use a surge protector (not just a power strip) or a UPS (battery backup)
bull If wireless network access is used ensure access is secure by following the Wireless Access policy
Enforcement
Any employee found to have violated this policy may be subject to disciplinary action up to and including
termination of employment
BD MORTGAGE GROUP LLC 7
Definitions
Workstations include laptops desktops PDAs computer based medical equipment containing or accessing
patient information and authorized home workstations accessing the BD Mortgage Group LLC network
Workforce members include employees volunteers trainees and other persons under the direct control of BD
Mortgage Group LLC
BD MORTGAGE GROUP LLC 8
Document Retention and Destruction
In accordance with the Sarbanes-Oxley Act which makes it a crime to alter cover up falsify or destroy any
document with the intent of impeding or obstructing any official proceeding this policy provides for the
systematic review retention and destruction of documents received or created by BD Mortgage Group LLC in
connection with the transaction of organization business This policy covers all records and documents regardless
of physical form contains guidelines for how long certain documents should be kept and how records should be
destroyed The policy is designed to ensure compliance with federal and state laws and regulations to eliminate
accidental or innocent destruction of records and to facilitate BD Mortgage Group LLCrsquos operations by promoting
efficiency and freeing up valuable storage space
Document Retention
BD Mortgage Group LLC follows the document retention procedures outlined below Documents that are not
listed but are substantially similar to those listed in the schedule will be retained for the appropriate length of
time
BD MORTGAGE GROUP LLC 9
General Records Retention Schedule
Corporate Records
Annual Reports to Secretary of StateAttorney General Permanent
Articles of Incorporation Permanent
Board Meeting and Board Committee Minutes Permanent
Board PoliciesResolutions Permanent
By-laws Permanent
Construction Documents Permanent
Fixed Asset Records Permanent
IRS Application for Tax-Exempt Status (Form 1023) Permanent
IRS Determination Letter Permanent
State Sales Tax Exemption Letter Permanent
Contracts (after expiration) 7 years
Correspondence (general) 3 years
Accounting and Corporate Tax Records
Annual Audits and Financial Statements Permanent
Depreciation Schedules Permanent
General Ledgers Permanent
IRS 990 Tax Returns Permanent
Business Expense Records 7 years
IRS 1099s 7 years
Journal Entries 7 years
Invoices 7 years
Sales Records (box office concessions gift shop) 5 years
Petty Cash Vouchers 3 years
Cash Receipts 3 years
Credit Card Receipts 3 years
Bank Records
Check Registers Permanent
Bank Deposit Slips 7 years
Bank Statements and Reconciliation 7 years
Electronic Fund Transfer Documents 7 years
Payroll and Employment Tax Records
Payroll Registers Permanent
State Unemployment Tax Records Permanent
Earnings Records 7 years
Garnishment Records 7 years
Payroll Tax returns 7 years
W-2 Statements 7 years
Employee Records
Employment and Termination Agreements Permanent
Retirement and Pension Plan Documents Permanent
Records Relating to Promotion Demotion or Discharge 7 years after termination
Accident Reports and Workerrsquos Compensation Records 5 years
Salary Schedules 5 years
Employment Applications 3 years
I-9 Forms 3 years after termination
Time Cards 2 years
Loan File Records
Loan Application Copy File 5 years after completion
Loan Servicing File 5 years after loan payoff
BD MORTGAGE GROUP LLC 10
BD MORTGAGE GROUP LLC 11
Electronic Documents and Records
Electronic documents will be retained as if they were paper documents Therefore any electronic files including
records of donations made online that fall into one of the document types on the above schedule will be
maintained for the appropriate amount of time If a user has sufficient reason to keep an email message the
message should be printed in hard copy and kept in the appropriate file or moved to an ldquoarchiverdquo computer file
folder Backup and recovery methods will be tested on a regular basis
See ndash E-SIGN Policy and Procedure
Emergency Planning
BD Mortgage Group LLCrsquos records will be stored in a safe secure and accessible manner Documents and
financial files that are essential to keeping BD Mortgage Group LLC operating in an emergency will be duplicated
or backed up at least every week and maintained off site
BD MORTGAGE GROUP LLC 12
Document Destruction
BD Mortgage Group LLCrsquos designated ldquoInformation Security and Red Flag ID Theft Planrdquo individual is
responsible for the ongoing process of identifying records which have met the required retention period and
overseeing their destruction Destruction of financial and personnel-related documents will be accomplished by
shredding
Document destruction will be suspended immediately upon any indication of an official investigation or when a
lawsuit is filed or appears imminent Destruction will be reinstated upon conclusion of the investigation
Compliance
Failure on the part of employees to follow this policy can result in possible civil and criminal sanctions against
BD Mortgage Group LLC and its employees and possible disciplinary action against responsible individuals The
chief financial officer and finance committee chair will periodically review these procedures with legal counsel
or the organizationrsquos certified public accountant to ensure that they are in compliance with new or revised
regulations
Onsite Records Storage Policy
Active closed or denied loan application copies exclusive of delivery file documentation subject to the Funding
Warehousing Delivery and Servicing Setup process will be stored in the branch These files will be indexed by
month and alphabetically by borrower last name File cabinets must be locked and keys are maintained by the
operations manager and may be accessed under supervision during business hours
Offsite Records Storage
If due to space concerns there is insufficient room in the branch location to provide file storage off-site records
storage may be utilized through a secure bonded professional records Management Company that is a member
of the American Business Records Management Association Records of each file box sent to Archive must be
maintained current by the operations manager and must be available for immediate inspection within 2 hoursrsquo
notice
The purpose of this policy is to ensure the proper use of BD Mortgage Group LLCrsquos email system and make users
aware of what BD Mortgage Group LLC deems as acceptable and unacceptable use of its email system The BD
Mortgage Group LLC reserves the right to amend this policy at its discretion In case of amendments users will
be informed appropriately
BD MORTGAGE GROUP LLC 13
Electronic Communication
Email is a business communication tool and users are obliged to use this tool in a responsible effective and lawful
manner Although by its nature email seems to be less formal than other written communication the same laws
apply Therefore it is important that users are aware of the legal risks of e-mail
By following the guidelines in this policy the email user can minimize the legal risks involved in the use of e-
mail If any user disregards the rules set out in this Email Policy the user will be fully liable and BD Mortgage
Group LLC will disassociate itself from the user as far as legally possible
The following rules are required by law and are to be strictly adhered to
bull It is strictly prohibited to send or forward emails containing libelous defamatory offensive racist or
obscene remarks If you receive an e-mail of this nature you must promptly notify your supervisor
bull Do not forward a message without acquiring permission from the sender first
bull Do not send unsolicited email messages
bull Do not forge or attempt to forge email messages
bull Do not send email messages using another personrsquos email account
bull Do not copy a message or attachment belonging to another user without permission of the originator
bull Do not disguise or attempt to disguise your identity when sending mail
Best Practices
BD Mortgage Group LLC considers email as an important means of communication and recognizes the
importance of proper email content and speedy replies in conveying a professional image and delivering good
customer service Therefore BD Mortgage Group LLC wishes users to adhere to the following guidelines
Writing emails
bull Signatures must include your name job title and BD Mortgage Group LLC A disclaimer will be added
underneath your signature (see Disclaimer)
bull Use the spell checker before you send out an email
bull Do not send unnecessary attachments Compress attachments larger than 200K before sending them
bull Do not write emails in capitals
bull Do not use cc or bcc fields unless the cc or bcc recipient is aware that you will be copying a mail to
himher and knows what action if any to take
bull If you forward mails state clearly what action you expect the recipient to take
bull Only send emails of which the content could be displayed on a public notice board If they cannot be
displayed publicly in their current state consider rephrasing the email using other means of
communication or protecting information by using a password (see confidential)
bull Only mark emails as important if they really are important
Replying to emails
Emails should be answered within at least 8 working hours but users must endeavor to answer priority emails
within 4 hours
Priority emails are emails from existing customers and business partners
BD MORTGAGE GROUP LLC 14
Newsgroups
Users need to request permission from their supervisor before subscribing to a newsletter or news group
Maintenance
Delete any email messages that you do not need to have a copy of and set your email client to automatically
empty your lsquodeleted itemsrsquo on closing
Personal Use
Although BD Mortgage Group LLC email system is meant for business use BD Mortgage Group LLC allows
the reasonable use of email for personal use if certain guidelines are adhered to
bull Personal use of email should not interfere with work
bull Personal emails must also adhere to the guidelines in this policy
bull Personal emails are kept in a separate folder named lsquoPrivatersquo The emails in this folder must be deleted weekly
so as not to clog up the system
bull The forwarding of chain letters junk mail jokes and executables is strictly forbidden
bull On average users are not allowed to send more than 2 personal emails a day
bull Do not send mass mailings
bull All messages distributed via the companyrsquos email system even personal emails are BD Mortgage Group
LLCrsquos property
Confidential Information
Avoid sending confidential information by e-mail If you do you must secure the information by including it in
a Microsoft Word Excel or PDF file and protect it with a password Then provide the recipient with the password
by means of other communication for instance by telephone
Disclaimer
The following disclaimer will be added to each outgoing email
lsquoThis email and any files transmitted with it are confidential and intended solely for the use of the individual or
entity to which they are addressed If you have received this email in error please notify the system manager
Please note that any views or opinions presented in this email are solely those of the author and do not necessarily
represent those of the company Finally the recipient should check this email and any attachments for the presence
of viruses The company accepts no liability for any damage caused by any virus transmitted by this emailrsquo
System Monitoring
You must have no expectation of privacy in anything you create store send or receive on the companyrsquos computer
system Your emails can be monitored without prior notification if BD Mortgage Group LLC deems this
necessary If there is evidence that you are not adhering to the guidelines set out in this policy the BD Mortgage
Group LLC reserves the right to take disciplinary action including termination andor legal action
BD MORTGAGE GROUP LLC 15
Secure Fax Transmission
The legacy of fax transmission in the mortgage industry is long The risk of using fax transmissions is that the
sender has no idea whether the recipient is attending to the machine while the document is being received printed
and then available for viewing In order to prevent the compromise of secure information never send information
to an unattended facsimile machine If you can confirm that the recipient is standing at the machine it is acceptable
to proceed with communications in this manner
Alternatively we can provide an ldquoE-faxrdquo account for individual users This allows the transmission of facsimiles
via e-mail to a secure login account
For transmitting paper documents always create a password protected document and deliver the password to the
recipient using a different method of communication such as the telephone
Secure Telephone Communications
Vishing is the criminal practice of using social engineering and Voice over IP (VoIP) to gain access to private
personal and financial information from the public for the purpose of financial reward The term is a combination
of voice and phishing Vishing exploits the publics trust in landline telephone services which have traditionally
terminated in physical locations which are known to the telephone company and associated with a bill-payer
The victim is often unaware that VoIP allows for caller ID spoofing inexpensive complex automated systems
and anonymity for the bill-payer Vishing is typically used to steal credit card numbers or other information used
in identity theft schemes from individuals
According to the FBIs Internet Crime Complaint Center (IC3) the number of vishing complaints received by
the center is increasing at what it calls an alarming rate Vishing and phishing are related and both rely on e-
mail as a means of delivering bait but the two use different hooks in order to snag user data
Vishing starts with an e-mail like phishing but requests that end-users contact a particular institution by phone
in order to resolve an issue or re-secure personal data People who call the provided number will be asked to
provide the same types of data phishers attempt to procure Ironically vishing e-mails may even attempt to
reassure recipients of their legitimacy by stating that the institution in question would never request customer
financial data via e-mail or IM
As always the best defense against phishing or vishing is a little common sense If your bank or other financial
institution with which you are affiliated contacts you requesting personal data hang up (or call them) using only
the number provided on the back of your card or official statement If you cant get confirmation that the request
is actually legitimate dont follow up on it
BD MORTGAGE GROUP LLC 16
Social Engineering Scams ndash Internal and External Prevention
One of the most prevalent forms of online scams is referred to as a seemingly benign term social engineering
This practice which is sometimes referred to as phishing refers to using trickery to get people to voluntarily
hand over critical information such as usernames or passwords
In many cases spam filters can easily detect the clumsier social engineering efforts and thus spare computer
users from grief However there are a growing number of sophisticated efforts that are crafted to circumvent the
spam filters - and unsuspecting customers that click into these cleverly disguised emails run the risk of facing
serious repercussions
Social engineering attacks mimic an email notification from a well-known and trusted source financial
institutions LinkedIn PayPal the Better Business Bureau Facebook and so forth The attackers create an email
that looks exactly like the normal system notices that are sent out by those entities but they change the links to
hit their own servers
The most classic example is an email that sends a dire notice with a link to login and check on a potential problem
When a person clicks on the link it takes him or her to a page on the cyber attackerrsquos servers that looks just like
the well-known entitys login page
When a person enters his or her username and password this information is stored in a database on the phony
server while an error box appears that says Invalid username or password please try again This error box
message comes with an OK button that when clicked redirects the person to the real login page
People may not realize there is a problem because passwords are obscured with asterisks so it is natural to assume
there was a typo during the initial password entry However the miscreants now have the persons username and
password
So what does this mean to mortgage bankers if someone gets tricked into thinking a social engineering scam
message really came from Facebook or LinkedIn Quite simply many people have the same usernames and
passwords for multiple websites Thus a person who has unwittingly surrendered his or her personal information
for a Facebook page might not realize that the social engineering scam artists could later use that information to
gain access to online mortgage banking accounts
BD Mortgage Group LLC needs to take a proactive approach in educating customers on how to identify potential
scams that pop up in their email in-boxes Here are some safety tips we send out to all customers
1 Dont click links from emails Instead open a Web browser and specifically go to the site in question and login
directly It is not common for financial institutions to have a click here to login link within their email
communications
2 Be suspicious of serious warnings and dollar amounts posted directly in emails Financial services companies
are not in the habit of sending customers panic-inducing messages of low account balances or other account
discrepancies with details plainly shown in the email Warnings are more discreet and merely direct the customer
to go log in for details
3 Use mouse-overs to view a link before clicking Although not all email software and hardware devices support
them a mouse-over can quickly and easily identify the links within an email message
4 Try not to use the same password at multiple sites Use a password program to store and remember online
access data
BD MORTGAGE GROUP LLC 17
5 Routinely update passwords Updating passwords even once a year is an easy way to stay one step ahead of
the social engineering scammers
Invite customers who are in doubt about the veracity of emails to forward them to BD Mortgage Group LLC for
verification Several sites that have been the subject of social engineering scams including eBay and PayPal have
special email accounts that receive review and keep track of these online frauds These spoof-checking efforts
will help empower the customer to ensure that BD Mortgage Group LLC does not become the victim of the next
big Internet fraud
BD MORTGAGE GROUP LLC 18
Data Breach Policy Implementation Guide
The response to any breach of personally identifiable information (PII) can have a critical impact on the BD
Mortgage Group LLCrsquos reputation and how trustworthy the public perceives the company Thus exceptional care
must be taken when responding to data breach incidents Not all incidents result in data breaches and not all data
breaches require notification This guide is to assist the Data Breach Team in developing an appropriate response
to a data breach based on the specific characteristics of the incident
Background
This Data Breach Policy Implementation Guide is based on the Presidentrsquos Identity Theft Task Force
recommendations that provide a menu of steps for the company to consider so that it may pursue a risk-based
tailored response to data breach incidents
Definition of Breach
A breach is a loss of control compromise unauthorized disclosure unauthorized acquisition unauthorized
access or any similar term referring to situations where persons other than authorized users and for an authorized
purpose have access or potential access to PII in usable form whether physical or electronic
Reporting Breaches and Breach Response Team
Breach is immediately reported to
bull Chief Privacy Officer (CPO)
bull Chief Information Officer (CIO)
bull Chief IT Security Office (ITSO)
bull Associate Director for Communications
bull Chief Office of Analysis and Executive Support (OAES)
bull As warranted
bull Chief Office of Security
bull General Counsel
bull Law Enforcement
Risk Assessment Process
Risk is a function of the probability or likelihood of a privacy violation and the resulting impact of that violation
To assign a risk score assess the probability of the event (data breach) occurring and then assess the impact or
harm caused to an individual and our organization in its ability to achieve its mission
BD MORTGAGE GROUP LLC 19
Likelihood Likelihood Definition
High (H) The nature of the attack and the data indicate that the motivation is criminal intent the security of the data and controls to minimize the likelihood of a privacy violation are ineffective
Medium (M)
The nature of the attack and data indicate that the motivation could be criminal intent but controls are in place that may impede success
Low (L) The nature of the attack and data do not indicate criminal intent and security and controls are in place to prevent or at least significantly impede the likelihood of a privacy violation
To assess likelihood of a breach occurring consider five factors
1 How the loss occurred
2 Data elements breached
3 Ability to access the data - the likelihood the personal information will be or has been compromised ndash made
accessible to and usable by unauthorized persons
4 Ability to mitigate the risk of harm
5 Evidence of data being used for identity theft or other harm
1 How Loss Occurred
H - Online system hacked
H - Data was targeted
M - Device was targeted
M - Device stolen
L - Device lost
2 Data Elements Breached
H - Social Security Number
H - Biometric record
H - Financial account number
H - PIN or security code for financial account
H - Health data
M - Birthdate
M - Government Issued Identification Number (drivers license etc)
L - Name
L - Address
L - Telephone Number
A combination of identifying information and financial or security information should always be considered a
high risk with high likelihood of harm occurring
3 Ability to access data
H ndash paper records or electronic records in a spreadsheet that is not password protected
M ndash electronic records that are password protected only
L ndash electronic records that are password protected and encrypted
4 Ability to mitigate the risk of harm
H ndash no recovery of data
M ndash partial recovery of data
L ndash recovery of data prior to use
BD MORTGAGE GROUP LLC 20
5 Evidence of data being used for identity theft or other harm
H ndash Data published on the web
M ndash Data accessed but no direct evidence of use
L ndash No tangible evidence of data use
After evaluating each factor and assigning an overall probability or likelihood of a breach occurring review and
assess the impact or harm to an individual or our organization
Impact Rating
Impact Definition
High Event (1) may result in human death or serious injury or harm to individual (2) may result in high costs to organization or (3) may significantly violate harm or impede an organizationrsquos mission reputation or interest
Medium Event (1) may result in injury or harm to the individual (2) may result in costs to the organization or (3) may violate harm or impede an organizationrsquos mission reputation or interest
Low Event (1) may result in the loss of some tangible organizational assets or resources or (2) may noticeably affect an organizationrsquos mission reputation or interest
The impact depends on the extent to which the breach poses a risk of identity theft or other substantial harm to an
individual such as embarrassment inconvenience unfairness harm to reputation or the potential for harassment
or prejudice particularly when health or financial benefits information is involved
Financial considerations can be factored in when determining the impact on our organization For instance credit
monitoring is generally estimated at $20 per year per case (individual) The costs associated with implementing
a call center including staff salaries may also be a factor Alternatively the cost of contracting for this service
could be a factor
BD MORTGAGE GROUP LLC 21
Assigning Risk Score
The risk score is determined by cross-referencing the likelihood score with the impact score
Likelihood Impact
Low Medium High
High Medium High High
Medium Low Medium High
Low Low Low Medium
Notification of Individuals
The risk score assigned will help determine if and when we should provide notification If the likelihood of risk
is low there could be more harm or impact on the individual if notification is provided due to the actions the
notified individual may take Thus notification must be weighed with the likelihood of risk No notification may
be required when the risk levels of each of the five factors is low If the likelihood of risk is high and the level of
impact or harm to the individual is medium notification and remedy may be required Alternatively if the
likelihood of risk is low and the level of impact or harm to the individual is high notification only may be required
If the five factors are considered appropriately it is more likely that notification will only be given in those
instances where there is a reasonable risk of harm and will not lead to the overuse of notification and thus the
associated further complications to the individual
Thus consideration should be given to all factors when determining final actions to take when addressing each
incident The table below should only be used as guide and conditions may warrant actions above or below those
associated with the final risk score
Risk Score Necessary Action
High Notify and provide remedy
Medium Notify only
Low Monitor only
Timing of Notification
Notice will be provided within a reasonable time following the discovery of a breach consistent with the legitimate
needs of law enforcement and any measures necessary for the Census Bureau to determine the scope of the breach
and if applicable to restore the reasonable integrity of the systemprocess that was compromised
In some circumstances law enforcement considerations may require a delay in notification if the investigation of
the breach or of an individual affected by the breach requires it and notification would seriously impede the
investigation The delay should not exacerbate risk or harm to any affected individual(s) or be tied to the
completion of the investigation but rather be based on whether it would seriously impede the investigation to
provide the notice promptly
Responsibility for Notification
The notice should come from a senior BD Mortgage Group LLC representative
BD MORTGAGE GROUP LLC 22
Content of Notification
The notice must be clear concise conspicuous easy-to-understand in plain language and should include the
following elements
bull A brief description of what happened including the date(s) of the breach and its discovery
bull A description of the types of personal information that were involved in the breach (eg full name Social
Security number date of birth home address account number disability code etc) to the extent possible
bull What steps if any an individual should take to protect himself from potential harm
bull What BD Mortgage Group LLC is doing if anything to investigate the breach to mitigate losses and to
protect against any further breaches
bull Who and how affected individuals should contact BD Mortgage Group LLC for more information including
a toll-free telephone number e-mail address and postal address
bull Direction to additional guidance available from the Federal Trade Commission at
httpwwwconsumergovidtheft
Minimizing your risk at httpwwwconsumergovidtheftcon_minimizehtm
Publications at httpwwwconsumergovidtheftcon_pubshtm
Method of Communication
Notice of the breach will be provided commensurate to the number of individuals affected by the breach and the
availability of contact information BD Mortgage Group LLC has for the affected individuals Correspondence
must be prominently marked on the exterior reflecting the importance of the communication to help ensure the
recipient does not discard or otherwise ignore the notification
In general the primary means of notification will be by first-class mail to the last known mailing address of the
individual based on BD Mortgage Group LLC records
Where we have reason to believe that the address is no longer current reasonable efforts will be made to update
the address using the US Postal Service National Change of Address (NCOA) database
Substitute notice may be made in instances where BD Mortgage Group LLC does not have sufficient contact
information for those who need to be notified In such instances notice may consist of a conspicuous posting of
the notice on the companyrsquos home page of its web site and include additional information in a Frequently Asked
Questions (FAQ)
BD MORTGAGE GROUP LLC 23
Process for Remediation of a Breach
Remedy is provided when the risk score is High
Credit Monitoring Data Breach Risk Packages (ie Lifelock)
Low Risk Package Low Risk Package Includes
1048707 Social Security Credit Card and 1 Bureau Credit Report Monitoring 1048707 3 Bureau Initial Fraud Alert 1048707 Credit Card Registry 1048707 Online Identity Theft Assistance 1048707 24 x 7 Customer Support
Medium Risk Package Medium Risk includes Low Risk benefits plus 1048707 Instant 1 Bureau Credit Report 1048707 Instant 1 Bureau Credit Score 1048707 Personal Information Directory Monitoring and Deletion 1048707 Identity Theft Consumer Guide 1048707 $25000 ($0 deductible) Identity Theft Insurance
High Risk Package High Risk includes Medium Risk benefits plus 1048707 3 Bureau Credit Report Monitoring 1048707 Instant 3 in 1 Credit Report 1048707 Instant 3 Bureau Credit Scores 1048707 Fraud Resolution amp Identity Restoration Specialist
BD MORTGAGE GROUP LLC 24
Reporting a Data Breach
Security Breach Notification Laws have been enacted in most US states since 2002 These laws were enacted in
response to an escalating number of breaches of consumer databases containing personally identifiable
information The first such law the California data security breach notification law was enacted in 2002 and
became effective on July 1 2003 As related in the bill statement law requires a state agency or a person or
business that conducts business in California that owns or licenses computerized data that includes personal
information as defined to disclose in specified ways any breach of the security of the data as defined to any
resident of California whose unencrypted personal information was or is reasonably believed to have been
acquired by an unauthorized person In addition the law permits delayed notification if a law enforcement
agency determines that it would impede a criminal investigation The law also requires any entity that licenses
such information to notify the owner or licensee of the information of any breach in the security of the data
The California law has been the model for the enactment of similar laws in other states The National Conference
of State Legislatures maintains a list of enacted and proposed security breach notification laws
BD MORTGAGE GROUP LLC 25
BD MORTGAGE GROUP LLC 26
2-90-29 - Information Security Audit
To ensure security of our systems and that we comply with rules for customer information security we conduct
an annual audit of our information technology systems A provider qualified to review our independent
information technology in conjunction with mortgage procedures must conduct this audit
Since we do not have any proprietary information technology but utilize software and services provided by
vendors exclusively we rely on the qualified audits of the technology provided by these vendors This is
conducted in conjunction with our annual vendor approval process
Vendor Category Vendor Name Information Tech Cert Date
Loan Origination System
E-Disclosure
Data Back-up
Web 1003 Application
Pricing and Eligibility
Document Management
E-Fax
Voice-MailTelephony
NetworkInternet Service
Office SupportCleanerLandlord
Courier
In addition we assume that other licensed entities with which we do business have had their plans reviewed and
found acceptable Consequently we do not audit our mortgage lender business partners
Internal Policies for Information Security Management
In addition to these procedures please refer to our internal Information Security Plan and Red Flags for our
ongoing Information Security procedures
BD MORTGAGE GROUP LLC 4
Laptop Computers and Mobile Devices
This describes Information Security requirements for encrypting data at rest on BD Mortgage Group LLC mobile
devices
This policy applies to any mobile device issued by BD Mortgage Group LLC or used for BD Mortgage Group
LLC business which contains stored data owned by BD Mortgage Group LLC
All mobile devices containing stored data owned by BD Mortgage Group LLC must use an approved method of
encryption to protect data at rest Mobile devices are defined to include laptops PDAs and cell phones
Users are expressly forbidden from storing BD Mortgage Group LLC data on devices that are not issued by BD
Mortgage Group LLC such as storing BD Mortgage Group LLC email on a personal cell phone or PDA
Laptops must employ full disk encryption with an approved software encryption package No BD Mortgage
Group LLC data may exist on a laptop in cleartext
PDAs and Cell phones
Any BD Mortgage Group LLC data stored on a cell phone or PDA must be saved to an encrypted file system
using BD Mortgage Group LLC-approved software BD Mortgage Group LLC shall also employ remote wipe
technology to remotely disable and delete any data stored on a BD Mortgage Group LLC PDA or cell phone
which is reported lost or stolen
Keys
All keys used for encryption and decryption must meet 128 bit complexity requirements
Loss and Theft
The loss or theft of any mobile device containing BD Mortgage Group LLC data must be reported immediately
Enforcement
Any employee found to have violated this policy may be subject to disciplinary action up to and including
termination of employment
BD MORTGAGE GROUP LLC 5
Definitions
Term Definition
Cleartext Unencrypted data
Full disk encryption Technique that encrypts an entire hard drive including operating system and data
Key Phrase used to encrypt or decrypt data
PDA Personal Data Assistant
Remote wipe Software that remotely deletes data stored on a mobile device
BD MORTGAGE GROUP LLC 6
Desktop Security Policy
The purpose of this policy is to provide guidance for workstation security for BD Mortgage Group LLC
workstations in order to ensure the security of information on the workstation and information the workstation
may have access to
Scope
This policy applies to all BD Mortgage Group LLC employees contractors workforce members vendors and
agents with a BD Mortgage Group LLC-owned or personal-workstation connected to the BD Mortgage Group
LLC network
Policy
Appropriate measures must be taken when using workstations to ensure the confidentiality integrity and
availability of sensitivity information and that access to sensitive information is restricted to authorized users
Workforce members using workstations shall consider the sensitivity of the information that may be accessed
and minimize the possibility of unauthorized access BD Mortgage Group LLC will implement physical and
technical safeguards for all workstations that access electronic protected health information to restrict access to
authorized users
Appropriate measures include
bull Restricting physical access to workstations to only authorized personnel
bull Securing workstations (screen lock or logout) prior to leaving area to prevent unauthorized access
bull Enabling a password-protected screen saver with a short timeout period to ensure that workstations that were
left unsecured will be protected
bull Complying with all applicable password policies and procedures
bull Ensuring workstations are used for authorized business purposes only
bull Never installing unauthorized software on workstations
bull Storing all sensitivity information on network servers
bull Keeping food and drink away from workstations in order to avoid accidental spills
bull Securing laptops that contain sensitivity information by using cable locks or locking laptops up in drawers or
cabinets
bull Complying with the Portable Workstation Encryption policy
bull Complying with the Anti-Virus policy
bull Ensuring that monitors are positioned away from public view If necessary install privacy screen filters or
other physical barriers to public viewing
bull Ensuring workstations are left on but logged off in order to facilitate after-hours updates Exit running
applications and close open documents
bull Ensuring that all workstations use a surge protector (not just a power strip) or a UPS (battery backup)
bull If wireless network access is used ensure access is secure by following the Wireless Access policy
Enforcement
Any employee found to have violated this policy may be subject to disciplinary action up to and including
termination of employment
BD MORTGAGE GROUP LLC 7
Definitions
Workstations include laptops desktops PDAs computer based medical equipment containing or accessing
patient information and authorized home workstations accessing the BD Mortgage Group LLC network
Workforce members include employees volunteers trainees and other persons under the direct control of BD
Mortgage Group LLC
BD MORTGAGE GROUP LLC 8
Document Retention and Destruction
In accordance with the Sarbanes-Oxley Act which makes it a crime to alter cover up falsify or destroy any
document with the intent of impeding or obstructing any official proceeding this policy provides for the
systematic review retention and destruction of documents received or created by BD Mortgage Group LLC in
connection with the transaction of organization business This policy covers all records and documents regardless
of physical form contains guidelines for how long certain documents should be kept and how records should be
destroyed The policy is designed to ensure compliance with federal and state laws and regulations to eliminate
accidental or innocent destruction of records and to facilitate BD Mortgage Group LLCrsquos operations by promoting
efficiency and freeing up valuable storage space
Document Retention
BD Mortgage Group LLC follows the document retention procedures outlined below Documents that are not
listed but are substantially similar to those listed in the schedule will be retained for the appropriate length of
time
BD MORTGAGE GROUP LLC 9
General Records Retention Schedule
Corporate Records
Annual Reports to Secretary of StateAttorney General Permanent
Articles of Incorporation Permanent
Board Meeting and Board Committee Minutes Permanent
Board PoliciesResolutions Permanent
By-laws Permanent
Construction Documents Permanent
Fixed Asset Records Permanent
IRS Application for Tax-Exempt Status (Form 1023) Permanent
IRS Determination Letter Permanent
State Sales Tax Exemption Letter Permanent
Contracts (after expiration) 7 years
Correspondence (general) 3 years
Accounting and Corporate Tax Records
Annual Audits and Financial Statements Permanent
Depreciation Schedules Permanent
General Ledgers Permanent
IRS 990 Tax Returns Permanent
Business Expense Records 7 years
IRS 1099s 7 years
Journal Entries 7 years
Invoices 7 years
Sales Records (box office concessions gift shop) 5 years
Petty Cash Vouchers 3 years
Cash Receipts 3 years
Credit Card Receipts 3 years
Bank Records
Check Registers Permanent
Bank Deposit Slips 7 years
Bank Statements and Reconciliation 7 years
Electronic Fund Transfer Documents 7 years
Payroll and Employment Tax Records
Payroll Registers Permanent
State Unemployment Tax Records Permanent
Earnings Records 7 years
Garnishment Records 7 years
Payroll Tax returns 7 years
W-2 Statements 7 years
Employee Records
Employment and Termination Agreements Permanent
Retirement and Pension Plan Documents Permanent
Records Relating to Promotion Demotion or Discharge 7 years after termination
Accident Reports and Workerrsquos Compensation Records 5 years
Salary Schedules 5 years
Employment Applications 3 years
I-9 Forms 3 years after termination
Time Cards 2 years
Loan File Records
Loan Application Copy File 5 years after completion
Loan Servicing File 5 years after loan payoff
BD MORTGAGE GROUP LLC 10
BD MORTGAGE GROUP LLC 11
Electronic Documents and Records
Electronic documents will be retained as if they were paper documents Therefore any electronic files including
records of donations made online that fall into one of the document types on the above schedule will be
maintained for the appropriate amount of time If a user has sufficient reason to keep an email message the
message should be printed in hard copy and kept in the appropriate file or moved to an ldquoarchiverdquo computer file
folder Backup and recovery methods will be tested on a regular basis
See ndash E-SIGN Policy and Procedure
Emergency Planning
BD Mortgage Group LLCrsquos records will be stored in a safe secure and accessible manner Documents and
financial files that are essential to keeping BD Mortgage Group LLC operating in an emergency will be duplicated
or backed up at least every week and maintained off site
BD MORTGAGE GROUP LLC 12
Document Destruction
BD Mortgage Group LLCrsquos designated ldquoInformation Security and Red Flag ID Theft Planrdquo individual is
responsible for the ongoing process of identifying records which have met the required retention period and
overseeing their destruction Destruction of financial and personnel-related documents will be accomplished by
shredding
Document destruction will be suspended immediately upon any indication of an official investigation or when a
lawsuit is filed or appears imminent Destruction will be reinstated upon conclusion of the investigation
Compliance
Failure on the part of employees to follow this policy can result in possible civil and criminal sanctions against
BD Mortgage Group LLC and its employees and possible disciplinary action against responsible individuals The
chief financial officer and finance committee chair will periodically review these procedures with legal counsel
or the organizationrsquos certified public accountant to ensure that they are in compliance with new or revised
regulations
Onsite Records Storage Policy
Active closed or denied loan application copies exclusive of delivery file documentation subject to the Funding
Warehousing Delivery and Servicing Setup process will be stored in the branch These files will be indexed by
month and alphabetically by borrower last name File cabinets must be locked and keys are maintained by the
operations manager and may be accessed under supervision during business hours
Offsite Records Storage
If due to space concerns there is insufficient room in the branch location to provide file storage off-site records
storage may be utilized through a secure bonded professional records Management Company that is a member
of the American Business Records Management Association Records of each file box sent to Archive must be
maintained current by the operations manager and must be available for immediate inspection within 2 hoursrsquo
notice
The purpose of this policy is to ensure the proper use of BD Mortgage Group LLCrsquos email system and make users
aware of what BD Mortgage Group LLC deems as acceptable and unacceptable use of its email system The BD
Mortgage Group LLC reserves the right to amend this policy at its discretion In case of amendments users will
be informed appropriately
BD MORTGAGE GROUP LLC 13
Electronic Communication
Email is a business communication tool and users are obliged to use this tool in a responsible effective and lawful
manner Although by its nature email seems to be less formal than other written communication the same laws
apply Therefore it is important that users are aware of the legal risks of e-mail
By following the guidelines in this policy the email user can minimize the legal risks involved in the use of e-
mail If any user disregards the rules set out in this Email Policy the user will be fully liable and BD Mortgage
Group LLC will disassociate itself from the user as far as legally possible
The following rules are required by law and are to be strictly adhered to
bull It is strictly prohibited to send or forward emails containing libelous defamatory offensive racist or
obscene remarks If you receive an e-mail of this nature you must promptly notify your supervisor
bull Do not forward a message without acquiring permission from the sender first
bull Do not send unsolicited email messages
bull Do not forge or attempt to forge email messages
bull Do not send email messages using another personrsquos email account
bull Do not copy a message or attachment belonging to another user without permission of the originator
bull Do not disguise or attempt to disguise your identity when sending mail
Best Practices
BD Mortgage Group LLC considers email as an important means of communication and recognizes the
importance of proper email content and speedy replies in conveying a professional image and delivering good
customer service Therefore BD Mortgage Group LLC wishes users to adhere to the following guidelines
Writing emails
bull Signatures must include your name job title and BD Mortgage Group LLC A disclaimer will be added
underneath your signature (see Disclaimer)
bull Use the spell checker before you send out an email
bull Do not send unnecessary attachments Compress attachments larger than 200K before sending them
bull Do not write emails in capitals
bull Do not use cc or bcc fields unless the cc or bcc recipient is aware that you will be copying a mail to
himher and knows what action if any to take
bull If you forward mails state clearly what action you expect the recipient to take
bull Only send emails of which the content could be displayed on a public notice board If they cannot be
displayed publicly in their current state consider rephrasing the email using other means of
communication or protecting information by using a password (see confidential)
bull Only mark emails as important if they really are important
Replying to emails
Emails should be answered within at least 8 working hours but users must endeavor to answer priority emails
within 4 hours
Priority emails are emails from existing customers and business partners
BD MORTGAGE GROUP LLC 14
Newsgroups
Users need to request permission from their supervisor before subscribing to a newsletter or news group
Maintenance
Delete any email messages that you do not need to have a copy of and set your email client to automatically
empty your lsquodeleted itemsrsquo on closing
Personal Use
Although BD Mortgage Group LLC email system is meant for business use BD Mortgage Group LLC allows
the reasonable use of email for personal use if certain guidelines are adhered to
bull Personal use of email should not interfere with work
bull Personal emails must also adhere to the guidelines in this policy
bull Personal emails are kept in a separate folder named lsquoPrivatersquo The emails in this folder must be deleted weekly
so as not to clog up the system
bull The forwarding of chain letters junk mail jokes and executables is strictly forbidden
bull On average users are not allowed to send more than 2 personal emails a day
bull Do not send mass mailings
bull All messages distributed via the companyrsquos email system even personal emails are BD Mortgage Group
LLCrsquos property
Confidential Information
Avoid sending confidential information by e-mail If you do you must secure the information by including it in
a Microsoft Word Excel or PDF file and protect it with a password Then provide the recipient with the password
by means of other communication for instance by telephone
Disclaimer
The following disclaimer will be added to each outgoing email
lsquoThis email and any files transmitted with it are confidential and intended solely for the use of the individual or
entity to which they are addressed If you have received this email in error please notify the system manager
Please note that any views or opinions presented in this email are solely those of the author and do not necessarily
represent those of the company Finally the recipient should check this email and any attachments for the presence
of viruses The company accepts no liability for any damage caused by any virus transmitted by this emailrsquo
System Monitoring
You must have no expectation of privacy in anything you create store send or receive on the companyrsquos computer
system Your emails can be monitored without prior notification if BD Mortgage Group LLC deems this
necessary If there is evidence that you are not adhering to the guidelines set out in this policy the BD Mortgage
Group LLC reserves the right to take disciplinary action including termination andor legal action
BD MORTGAGE GROUP LLC 15
Secure Fax Transmission
The legacy of fax transmission in the mortgage industry is long The risk of using fax transmissions is that the
sender has no idea whether the recipient is attending to the machine while the document is being received printed
and then available for viewing In order to prevent the compromise of secure information never send information
to an unattended facsimile machine If you can confirm that the recipient is standing at the machine it is acceptable
to proceed with communications in this manner
Alternatively we can provide an ldquoE-faxrdquo account for individual users This allows the transmission of facsimiles
via e-mail to a secure login account
For transmitting paper documents always create a password protected document and deliver the password to the
recipient using a different method of communication such as the telephone
Secure Telephone Communications
Vishing is the criminal practice of using social engineering and Voice over IP (VoIP) to gain access to private
personal and financial information from the public for the purpose of financial reward The term is a combination
of voice and phishing Vishing exploits the publics trust in landline telephone services which have traditionally
terminated in physical locations which are known to the telephone company and associated with a bill-payer
The victim is often unaware that VoIP allows for caller ID spoofing inexpensive complex automated systems
and anonymity for the bill-payer Vishing is typically used to steal credit card numbers or other information used
in identity theft schemes from individuals
According to the FBIs Internet Crime Complaint Center (IC3) the number of vishing complaints received by
the center is increasing at what it calls an alarming rate Vishing and phishing are related and both rely on e-
mail as a means of delivering bait but the two use different hooks in order to snag user data
Vishing starts with an e-mail like phishing but requests that end-users contact a particular institution by phone
in order to resolve an issue or re-secure personal data People who call the provided number will be asked to
provide the same types of data phishers attempt to procure Ironically vishing e-mails may even attempt to
reassure recipients of their legitimacy by stating that the institution in question would never request customer
financial data via e-mail or IM
As always the best defense against phishing or vishing is a little common sense If your bank or other financial
institution with which you are affiliated contacts you requesting personal data hang up (or call them) using only
the number provided on the back of your card or official statement If you cant get confirmation that the request
is actually legitimate dont follow up on it
BD MORTGAGE GROUP LLC 16
Social Engineering Scams ndash Internal and External Prevention
One of the most prevalent forms of online scams is referred to as a seemingly benign term social engineering
This practice which is sometimes referred to as phishing refers to using trickery to get people to voluntarily
hand over critical information such as usernames or passwords
In many cases spam filters can easily detect the clumsier social engineering efforts and thus spare computer
users from grief However there are a growing number of sophisticated efforts that are crafted to circumvent the
spam filters - and unsuspecting customers that click into these cleverly disguised emails run the risk of facing
serious repercussions
Social engineering attacks mimic an email notification from a well-known and trusted source financial
institutions LinkedIn PayPal the Better Business Bureau Facebook and so forth The attackers create an email
that looks exactly like the normal system notices that are sent out by those entities but they change the links to
hit their own servers
The most classic example is an email that sends a dire notice with a link to login and check on a potential problem
When a person clicks on the link it takes him or her to a page on the cyber attackerrsquos servers that looks just like
the well-known entitys login page
When a person enters his or her username and password this information is stored in a database on the phony
server while an error box appears that says Invalid username or password please try again This error box
message comes with an OK button that when clicked redirects the person to the real login page
People may not realize there is a problem because passwords are obscured with asterisks so it is natural to assume
there was a typo during the initial password entry However the miscreants now have the persons username and
password
So what does this mean to mortgage bankers if someone gets tricked into thinking a social engineering scam
message really came from Facebook or LinkedIn Quite simply many people have the same usernames and
passwords for multiple websites Thus a person who has unwittingly surrendered his or her personal information
for a Facebook page might not realize that the social engineering scam artists could later use that information to
gain access to online mortgage banking accounts
BD Mortgage Group LLC needs to take a proactive approach in educating customers on how to identify potential
scams that pop up in their email in-boxes Here are some safety tips we send out to all customers
1 Dont click links from emails Instead open a Web browser and specifically go to the site in question and login
directly It is not common for financial institutions to have a click here to login link within their email
communications
2 Be suspicious of serious warnings and dollar amounts posted directly in emails Financial services companies
are not in the habit of sending customers panic-inducing messages of low account balances or other account
discrepancies with details plainly shown in the email Warnings are more discreet and merely direct the customer
to go log in for details
3 Use mouse-overs to view a link before clicking Although not all email software and hardware devices support
them a mouse-over can quickly and easily identify the links within an email message
4 Try not to use the same password at multiple sites Use a password program to store and remember online
access data
BD MORTGAGE GROUP LLC 17
5 Routinely update passwords Updating passwords even once a year is an easy way to stay one step ahead of
the social engineering scammers
Invite customers who are in doubt about the veracity of emails to forward them to BD Mortgage Group LLC for
verification Several sites that have been the subject of social engineering scams including eBay and PayPal have
special email accounts that receive review and keep track of these online frauds These spoof-checking efforts
will help empower the customer to ensure that BD Mortgage Group LLC does not become the victim of the next
big Internet fraud
BD MORTGAGE GROUP LLC 18
Data Breach Policy Implementation Guide
The response to any breach of personally identifiable information (PII) can have a critical impact on the BD
Mortgage Group LLCrsquos reputation and how trustworthy the public perceives the company Thus exceptional care
must be taken when responding to data breach incidents Not all incidents result in data breaches and not all data
breaches require notification This guide is to assist the Data Breach Team in developing an appropriate response
to a data breach based on the specific characteristics of the incident
Background
This Data Breach Policy Implementation Guide is based on the Presidentrsquos Identity Theft Task Force
recommendations that provide a menu of steps for the company to consider so that it may pursue a risk-based
tailored response to data breach incidents
Definition of Breach
A breach is a loss of control compromise unauthorized disclosure unauthorized acquisition unauthorized
access or any similar term referring to situations where persons other than authorized users and for an authorized
purpose have access or potential access to PII in usable form whether physical or electronic
Reporting Breaches and Breach Response Team
Breach is immediately reported to
bull Chief Privacy Officer (CPO)
bull Chief Information Officer (CIO)
bull Chief IT Security Office (ITSO)
bull Associate Director for Communications
bull Chief Office of Analysis and Executive Support (OAES)
bull As warranted
bull Chief Office of Security
bull General Counsel
bull Law Enforcement
Risk Assessment Process
Risk is a function of the probability or likelihood of a privacy violation and the resulting impact of that violation
To assign a risk score assess the probability of the event (data breach) occurring and then assess the impact or
harm caused to an individual and our organization in its ability to achieve its mission
BD MORTGAGE GROUP LLC 19
Likelihood Likelihood Definition
High (H) The nature of the attack and the data indicate that the motivation is criminal intent the security of the data and controls to minimize the likelihood of a privacy violation are ineffective
Medium (M)
The nature of the attack and data indicate that the motivation could be criminal intent but controls are in place that may impede success
Low (L) The nature of the attack and data do not indicate criminal intent and security and controls are in place to prevent or at least significantly impede the likelihood of a privacy violation
To assess likelihood of a breach occurring consider five factors
1 How the loss occurred
2 Data elements breached
3 Ability to access the data - the likelihood the personal information will be or has been compromised ndash made
accessible to and usable by unauthorized persons
4 Ability to mitigate the risk of harm
5 Evidence of data being used for identity theft or other harm
1 How Loss Occurred
H - Online system hacked
H - Data was targeted
M - Device was targeted
M - Device stolen
L - Device lost
2 Data Elements Breached
H - Social Security Number
H - Biometric record
H - Financial account number
H - PIN or security code for financial account
H - Health data
M - Birthdate
M - Government Issued Identification Number (drivers license etc)
L - Name
L - Address
L - Telephone Number
A combination of identifying information and financial or security information should always be considered a
high risk with high likelihood of harm occurring
3 Ability to access data
H ndash paper records or electronic records in a spreadsheet that is not password protected
M ndash electronic records that are password protected only
L ndash electronic records that are password protected and encrypted
4 Ability to mitigate the risk of harm
H ndash no recovery of data
M ndash partial recovery of data
L ndash recovery of data prior to use
BD MORTGAGE GROUP LLC 20
5 Evidence of data being used for identity theft or other harm
H ndash Data published on the web
M ndash Data accessed but no direct evidence of use
L ndash No tangible evidence of data use
After evaluating each factor and assigning an overall probability or likelihood of a breach occurring review and
assess the impact or harm to an individual or our organization
Impact Rating
Impact Definition
High Event (1) may result in human death or serious injury or harm to individual (2) may result in high costs to organization or (3) may significantly violate harm or impede an organizationrsquos mission reputation or interest
Medium Event (1) may result in injury or harm to the individual (2) may result in costs to the organization or (3) may violate harm or impede an organizationrsquos mission reputation or interest
Low Event (1) may result in the loss of some tangible organizational assets or resources or (2) may noticeably affect an organizationrsquos mission reputation or interest
The impact depends on the extent to which the breach poses a risk of identity theft or other substantial harm to an
individual such as embarrassment inconvenience unfairness harm to reputation or the potential for harassment
or prejudice particularly when health or financial benefits information is involved
Financial considerations can be factored in when determining the impact on our organization For instance credit
monitoring is generally estimated at $20 per year per case (individual) The costs associated with implementing
a call center including staff salaries may also be a factor Alternatively the cost of contracting for this service
could be a factor
BD MORTGAGE GROUP LLC 21
Assigning Risk Score
The risk score is determined by cross-referencing the likelihood score with the impact score
Likelihood Impact
Low Medium High
High Medium High High
Medium Low Medium High
Low Low Low Medium
Notification of Individuals
The risk score assigned will help determine if and when we should provide notification If the likelihood of risk
is low there could be more harm or impact on the individual if notification is provided due to the actions the
notified individual may take Thus notification must be weighed with the likelihood of risk No notification may
be required when the risk levels of each of the five factors is low If the likelihood of risk is high and the level of
impact or harm to the individual is medium notification and remedy may be required Alternatively if the
likelihood of risk is low and the level of impact or harm to the individual is high notification only may be required
If the five factors are considered appropriately it is more likely that notification will only be given in those
instances where there is a reasonable risk of harm and will not lead to the overuse of notification and thus the
associated further complications to the individual
Thus consideration should be given to all factors when determining final actions to take when addressing each
incident The table below should only be used as guide and conditions may warrant actions above or below those
associated with the final risk score
Risk Score Necessary Action
High Notify and provide remedy
Medium Notify only
Low Monitor only
Timing of Notification
Notice will be provided within a reasonable time following the discovery of a breach consistent with the legitimate
needs of law enforcement and any measures necessary for the Census Bureau to determine the scope of the breach
and if applicable to restore the reasonable integrity of the systemprocess that was compromised
In some circumstances law enforcement considerations may require a delay in notification if the investigation of
the breach or of an individual affected by the breach requires it and notification would seriously impede the
investigation The delay should not exacerbate risk or harm to any affected individual(s) or be tied to the
completion of the investigation but rather be based on whether it would seriously impede the investigation to
provide the notice promptly
Responsibility for Notification
The notice should come from a senior BD Mortgage Group LLC representative
BD MORTGAGE GROUP LLC 22
Content of Notification
The notice must be clear concise conspicuous easy-to-understand in plain language and should include the
following elements
bull A brief description of what happened including the date(s) of the breach and its discovery
bull A description of the types of personal information that were involved in the breach (eg full name Social
Security number date of birth home address account number disability code etc) to the extent possible
bull What steps if any an individual should take to protect himself from potential harm
bull What BD Mortgage Group LLC is doing if anything to investigate the breach to mitigate losses and to
protect against any further breaches
bull Who and how affected individuals should contact BD Mortgage Group LLC for more information including
a toll-free telephone number e-mail address and postal address
bull Direction to additional guidance available from the Federal Trade Commission at
httpwwwconsumergovidtheft
Minimizing your risk at httpwwwconsumergovidtheftcon_minimizehtm
Publications at httpwwwconsumergovidtheftcon_pubshtm
Method of Communication
Notice of the breach will be provided commensurate to the number of individuals affected by the breach and the
availability of contact information BD Mortgage Group LLC has for the affected individuals Correspondence
must be prominently marked on the exterior reflecting the importance of the communication to help ensure the
recipient does not discard or otherwise ignore the notification
In general the primary means of notification will be by first-class mail to the last known mailing address of the
individual based on BD Mortgage Group LLC records
Where we have reason to believe that the address is no longer current reasonable efforts will be made to update
the address using the US Postal Service National Change of Address (NCOA) database
Substitute notice may be made in instances where BD Mortgage Group LLC does not have sufficient contact
information for those who need to be notified In such instances notice may consist of a conspicuous posting of
the notice on the companyrsquos home page of its web site and include additional information in a Frequently Asked
Questions (FAQ)
BD MORTGAGE GROUP LLC 23
Process for Remediation of a Breach
Remedy is provided when the risk score is High
Credit Monitoring Data Breach Risk Packages (ie Lifelock)
Low Risk Package Low Risk Package Includes
1048707 Social Security Credit Card and 1 Bureau Credit Report Monitoring 1048707 3 Bureau Initial Fraud Alert 1048707 Credit Card Registry 1048707 Online Identity Theft Assistance 1048707 24 x 7 Customer Support
Medium Risk Package Medium Risk includes Low Risk benefits plus 1048707 Instant 1 Bureau Credit Report 1048707 Instant 1 Bureau Credit Score 1048707 Personal Information Directory Monitoring and Deletion 1048707 Identity Theft Consumer Guide 1048707 $25000 ($0 deductible) Identity Theft Insurance
High Risk Package High Risk includes Medium Risk benefits plus 1048707 3 Bureau Credit Report Monitoring 1048707 Instant 3 in 1 Credit Report 1048707 Instant 3 Bureau Credit Scores 1048707 Fraud Resolution amp Identity Restoration Specialist
BD MORTGAGE GROUP LLC 24
Reporting a Data Breach
Security Breach Notification Laws have been enacted in most US states since 2002 These laws were enacted in
response to an escalating number of breaches of consumer databases containing personally identifiable
information The first such law the California data security breach notification law was enacted in 2002 and
became effective on July 1 2003 As related in the bill statement law requires a state agency or a person or
business that conducts business in California that owns or licenses computerized data that includes personal
information as defined to disclose in specified ways any breach of the security of the data as defined to any
resident of California whose unencrypted personal information was or is reasonably believed to have been
acquired by an unauthorized person In addition the law permits delayed notification if a law enforcement
agency determines that it would impede a criminal investigation The law also requires any entity that licenses
such information to notify the owner or licensee of the information of any breach in the security of the data
The California law has been the model for the enactment of similar laws in other states The National Conference
of State Legislatures maintains a list of enacted and proposed security breach notification laws
BD MORTGAGE GROUP LLC 25
BD MORTGAGE GROUP LLC 26
2-90-29 - Information Security Audit
To ensure security of our systems and that we comply with rules for customer information security we conduct
an annual audit of our information technology systems A provider qualified to review our independent
information technology in conjunction with mortgage procedures must conduct this audit
Since we do not have any proprietary information technology but utilize software and services provided by
vendors exclusively we rely on the qualified audits of the technology provided by these vendors This is
conducted in conjunction with our annual vendor approval process
Vendor Category Vendor Name Information Tech Cert Date
Loan Origination System
E-Disclosure
Data Back-up
Web 1003 Application
Pricing and Eligibility
Document Management
E-Fax
Voice-MailTelephony
NetworkInternet Service
Office SupportCleanerLandlord
Courier
In addition we assume that other licensed entities with which we do business have had their plans reviewed and
found acceptable Consequently we do not audit our mortgage lender business partners
Internal Policies for Information Security Management
In addition to these procedures please refer to our internal Information Security Plan and Red Flags for our
ongoing Information Security procedures
BD MORTGAGE GROUP LLC 5
Definitions
Term Definition
Cleartext Unencrypted data
Full disk encryption Technique that encrypts an entire hard drive including operating system and data
Key Phrase used to encrypt or decrypt data
PDA Personal Data Assistant
Remote wipe Software that remotely deletes data stored on a mobile device
BD MORTGAGE GROUP LLC 6
Desktop Security Policy
The purpose of this policy is to provide guidance for workstation security for BD Mortgage Group LLC
workstations in order to ensure the security of information on the workstation and information the workstation
may have access to
Scope
This policy applies to all BD Mortgage Group LLC employees contractors workforce members vendors and
agents with a BD Mortgage Group LLC-owned or personal-workstation connected to the BD Mortgage Group
LLC network
Policy
Appropriate measures must be taken when using workstations to ensure the confidentiality integrity and
availability of sensitivity information and that access to sensitive information is restricted to authorized users
Workforce members using workstations shall consider the sensitivity of the information that may be accessed
and minimize the possibility of unauthorized access BD Mortgage Group LLC will implement physical and
technical safeguards for all workstations that access electronic protected health information to restrict access to
authorized users
Appropriate measures include
bull Restricting physical access to workstations to only authorized personnel
bull Securing workstations (screen lock or logout) prior to leaving area to prevent unauthorized access
bull Enabling a password-protected screen saver with a short timeout period to ensure that workstations that were
left unsecured will be protected
bull Complying with all applicable password policies and procedures
bull Ensuring workstations are used for authorized business purposes only
bull Never installing unauthorized software on workstations
bull Storing all sensitivity information on network servers
bull Keeping food and drink away from workstations in order to avoid accidental spills
bull Securing laptops that contain sensitivity information by using cable locks or locking laptops up in drawers or
cabinets
bull Complying with the Portable Workstation Encryption policy
bull Complying with the Anti-Virus policy
bull Ensuring that monitors are positioned away from public view If necessary install privacy screen filters or
other physical barriers to public viewing
bull Ensuring workstations are left on but logged off in order to facilitate after-hours updates Exit running
applications and close open documents
bull Ensuring that all workstations use a surge protector (not just a power strip) or a UPS (battery backup)
bull If wireless network access is used ensure access is secure by following the Wireless Access policy
Enforcement
Any employee found to have violated this policy may be subject to disciplinary action up to and including
termination of employment
BD MORTGAGE GROUP LLC 7
Definitions
Workstations include laptops desktops PDAs computer based medical equipment containing or accessing
patient information and authorized home workstations accessing the BD Mortgage Group LLC network
Workforce members include employees volunteers trainees and other persons under the direct control of BD
Mortgage Group LLC
BD MORTGAGE GROUP LLC 8
Document Retention and Destruction
In accordance with the Sarbanes-Oxley Act which makes it a crime to alter cover up falsify or destroy any
document with the intent of impeding or obstructing any official proceeding this policy provides for the
systematic review retention and destruction of documents received or created by BD Mortgage Group LLC in
connection with the transaction of organization business This policy covers all records and documents regardless
of physical form contains guidelines for how long certain documents should be kept and how records should be
destroyed The policy is designed to ensure compliance with federal and state laws and regulations to eliminate
accidental or innocent destruction of records and to facilitate BD Mortgage Group LLCrsquos operations by promoting
efficiency and freeing up valuable storage space
Document Retention
BD Mortgage Group LLC follows the document retention procedures outlined below Documents that are not
listed but are substantially similar to those listed in the schedule will be retained for the appropriate length of
time
BD MORTGAGE GROUP LLC 9
General Records Retention Schedule
Corporate Records
Annual Reports to Secretary of StateAttorney General Permanent
Articles of Incorporation Permanent
Board Meeting and Board Committee Minutes Permanent
Board PoliciesResolutions Permanent
By-laws Permanent
Construction Documents Permanent
Fixed Asset Records Permanent
IRS Application for Tax-Exempt Status (Form 1023) Permanent
IRS Determination Letter Permanent
State Sales Tax Exemption Letter Permanent
Contracts (after expiration) 7 years
Correspondence (general) 3 years
Accounting and Corporate Tax Records
Annual Audits and Financial Statements Permanent
Depreciation Schedules Permanent
General Ledgers Permanent
IRS 990 Tax Returns Permanent
Business Expense Records 7 years
IRS 1099s 7 years
Journal Entries 7 years
Invoices 7 years
Sales Records (box office concessions gift shop) 5 years
Petty Cash Vouchers 3 years
Cash Receipts 3 years
Credit Card Receipts 3 years
Bank Records
Check Registers Permanent
Bank Deposit Slips 7 years
Bank Statements and Reconciliation 7 years
Electronic Fund Transfer Documents 7 years
Payroll and Employment Tax Records
Payroll Registers Permanent
State Unemployment Tax Records Permanent
Earnings Records 7 years
Garnishment Records 7 years
Payroll Tax returns 7 years
W-2 Statements 7 years
Employee Records
Employment and Termination Agreements Permanent
Retirement and Pension Plan Documents Permanent
Records Relating to Promotion Demotion or Discharge 7 years after termination
Accident Reports and Workerrsquos Compensation Records 5 years
Salary Schedules 5 years
Employment Applications 3 years
I-9 Forms 3 years after termination
Time Cards 2 years
Loan File Records
Loan Application Copy File 5 years after completion
Loan Servicing File 5 years after loan payoff
BD MORTGAGE GROUP LLC 10
BD MORTGAGE GROUP LLC 11
Electronic Documents and Records
Electronic documents will be retained as if they were paper documents Therefore any electronic files including
records of donations made online that fall into one of the document types on the above schedule will be
maintained for the appropriate amount of time If a user has sufficient reason to keep an email message the
message should be printed in hard copy and kept in the appropriate file or moved to an ldquoarchiverdquo computer file
folder Backup and recovery methods will be tested on a regular basis
See ndash E-SIGN Policy and Procedure
Emergency Planning
BD Mortgage Group LLCrsquos records will be stored in a safe secure and accessible manner Documents and
financial files that are essential to keeping BD Mortgage Group LLC operating in an emergency will be duplicated
or backed up at least every week and maintained off site
BD MORTGAGE GROUP LLC 12
Document Destruction
BD Mortgage Group LLCrsquos designated ldquoInformation Security and Red Flag ID Theft Planrdquo individual is
responsible for the ongoing process of identifying records which have met the required retention period and
overseeing their destruction Destruction of financial and personnel-related documents will be accomplished by
shredding
Document destruction will be suspended immediately upon any indication of an official investigation or when a
lawsuit is filed or appears imminent Destruction will be reinstated upon conclusion of the investigation
Compliance
Failure on the part of employees to follow this policy can result in possible civil and criminal sanctions against
BD Mortgage Group LLC and its employees and possible disciplinary action against responsible individuals The
chief financial officer and finance committee chair will periodically review these procedures with legal counsel
or the organizationrsquos certified public accountant to ensure that they are in compliance with new or revised
regulations
Onsite Records Storage Policy
Active closed or denied loan application copies exclusive of delivery file documentation subject to the Funding
Warehousing Delivery and Servicing Setup process will be stored in the branch These files will be indexed by
month and alphabetically by borrower last name File cabinets must be locked and keys are maintained by the
operations manager and may be accessed under supervision during business hours
Offsite Records Storage
If due to space concerns there is insufficient room in the branch location to provide file storage off-site records
storage may be utilized through a secure bonded professional records Management Company that is a member
of the American Business Records Management Association Records of each file box sent to Archive must be
maintained current by the operations manager and must be available for immediate inspection within 2 hoursrsquo
notice
The purpose of this policy is to ensure the proper use of BD Mortgage Group LLCrsquos email system and make users
aware of what BD Mortgage Group LLC deems as acceptable and unacceptable use of its email system The BD
Mortgage Group LLC reserves the right to amend this policy at its discretion In case of amendments users will
be informed appropriately
BD MORTGAGE GROUP LLC 13
Electronic Communication
Email is a business communication tool and users are obliged to use this tool in a responsible effective and lawful
manner Although by its nature email seems to be less formal than other written communication the same laws
apply Therefore it is important that users are aware of the legal risks of e-mail
By following the guidelines in this policy the email user can minimize the legal risks involved in the use of e-
mail If any user disregards the rules set out in this Email Policy the user will be fully liable and BD Mortgage
Group LLC will disassociate itself from the user as far as legally possible
The following rules are required by law and are to be strictly adhered to
bull It is strictly prohibited to send or forward emails containing libelous defamatory offensive racist or
obscene remarks If you receive an e-mail of this nature you must promptly notify your supervisor
bull Do not forward a message without acquiring permission from the sender first
bull Do not send unsolicited email messages
bull Do not forge or attempt to forge email messages
bull Do not send email messages using another personrsquos email account
bull Do not copy a message or attachment belonging to another user without permission of the originator
bull Do not disguise or attempt to disguise your identity when sending mail
Best Practices
BD Mortgage Group LLC considers email as an important means of communication and recognizes the
importance of proper email content and speedy replies in conveying a professional image and delivering good
customer service Therefore BD Mortgage Group LLC wishes users to adhere to the following guidelines
Writing emails
bull Signatures must include your name job title and BD Mortgage Group LLC A disclaimer will be added
underneath your signature (see Disclaimer)
bull Use the spell checker before you send out an email
bull Do not send unnecessary attachments Compress attachments larger than 200K before sending them
bull Do not write emails in capitals
bull Do not use cc or bcc fields unless the cc or bcc recipient is aware that you will be copying a mail to
himher and knows what action if any to take
bull If you forward mails state clearly what action you expect the recipient to take
bull Only send emails of which the content could be displayed on a public notice board If they cannot be
displayed publicly in their current state consider rephrasing the email using other means of
communication or protecting information by using a password (see confidential)
bull Only mark emails as important if they really are important
Replying to emails
Emails should be answered within at least 8 working hours but users must endeavor to answer priority emails
within 4 hours
Priority emails are emails from existing customers and business partners
BD MORTGAGE GROUP LLC 14
Newsgroups
Users need to request permission from their supervisor before subscribing to a newsletter or news group
Maintenance
Delete any email messages that you do not need to have a copy of and set your email client to automatically
empty your lsquodeleted itemsrsquo on closing
Personal Use
Although BD Mortgage Group LLC email system is meant for business use BD Mortgage Group LLC allows
the reasonable use of email for personal use if certain guidelines are adhered to
bull Personal use of email should not interfere with work
bull Personal emails must also adhere to the guidelines in this policy
bull Personal emails are kept in a separate folder named lsquoPrivatersquo The emails in this folder must be deleted weekly
so as not to clog up the system
bull The forwarding of chain letters junk mail jokes and executables is strictly forbidden
bull On average users are not allowed to send more than 2 personal emails a day
bull Do not send mass mailings
bull All messages distributed via the companyrsquos email system even personal emails are BD Mortgage Group
LLCrsquos property
Confidential Information
Avoid sending confidential information by e-mail If you do you must secure the information by including it in
a Microsoft Word Excel or PDF file and protect it with a password Then provide the recipient with the password
by means of other communication for instance by telephone
Disclaimer
The following disclaimer will be added to each outgoing email
lsquoThis email and any files transmitted with it are confidential and intended solely for the use of the individual or
entity to which they are addressed If you have received this email in error please notify the system manager
Please note that any views or opinions presented in this email are solely those of the author and do not necessarily
represent those of the company Finally the recipient should check this email and any attachments for the presence
of viruses The company accepts no liability for any damage caused by any virus transmitted by this emailrsquo
System Monitoring
You must have no expectation of privacy in anything you create store send or receive on the companyrsquos computer
system Your emails can be monitored without prior notification if BD Mortgage Group LLC deems this
necessary If there is evidence that you are not adhering to the guidelines set out in this policy the BD Mortgage
Group LLC reserves the right to take disciplinary action including termination andor legal action
BD MORTGAGE GROUP LLC 15
Secure Fax Transmission
The legacy of fax transmission in the mortgage industry is long The risk of using fax transmissions is that the
sender has no idea whether the recipient is attending to the machine while the document is being received printed
and then available for viewing In order to prevent the compromise of secure information never send information
to an unattended facsimile machine If you can confirm that the recipient is standing at the machine it is acceptable
to proceed with communications in this manner
Alternatively we can provide an ldquoE-faxrdquo account for individual users This allows the transmission of facsimiles
via e-mail to a secure login account
For transmitting paper documents always create a password protected document and deliver the password to the
recipient using a different method of communication such as the telephone
Secure Telephone Communications
Vishing is the criminal practice of using social engineering and Voice over IP (VoIP) to gain access to private
personal and financial information from the public for the purpose of financial reward The term is a combination
of voice and phishing Vishing exploits the publics trust in landline telephone services which have traditionally
terminated in physical locations which are known to the telephone company and associated with a bill-payer
The victim is often unaware that VoIP allows for caller ID spoofing inexpensive complex automated systems
and anonymity for the bill-payer Vishing is typically used to steal credit card numbers or other information used
in identity theft schemes from individuals
According to the FBIs Internet Crime Complaint Center (IC3) the number of vishing complaints received by
the center is increasing at what it calls an alarming rate Vishing and phishing are related and both rely on e-
mail as a means of delivering bait but the two use different hooks in order to snag user data
Vishing starts with an e-mail like phishing but requests that end-users contact a particular institution by phone
in order to resolve an issue or re-secure personal data People who call the provided number will be asked to
provide the same types of data phishers attempt to procure Ironically vishing e-mails may even attempt to
reassure recipients of their legitimacy by stating that the institution in question would never request customer
financial data via e-mail or IM
As always the best defense against phishing or vishing is a little common sense If your bank or other financial
institution with which you are affiliated contacts you requesting personal data hang up (or call them) using only
the number provided on the back of your card or official statement If you cant get confirmation that the request
is actually legitimate dont follow up on it
BD MORTGAGE GROUP LLC 16
Social Engineering Scams ndash Internal and External Prevention
One of the most prevalent forms of online scams is referred to as a seemingly benign term social engineering
This practice which is sometimes referred to as phishing refers to using trickery to get people to voluntarily
hand over critical information such as usernames or passwords
In many cases spam filters can easily detect the clumsier social engineering efforts and thus spare computer
users from grief However there are a growing number of sophisticated efforts that are crafted to circumvent the
spam filters - and unsuspecting customers that click into these cleverly disguised emails run the risk of facing
serious repercussions
Social engineering attacks mimic an email notification from a well-known and trusted source financial
institutions LinkedIn PayPal the Better Business Bureau Facebook and so forth The attackers create an email
that looks exactly like the normal system notices that are sent out by those entities but they change the links to
hit their own servers
The most classic example is an email that sends a dire notice with a link to login and check on a potential problem
When a person clicks on the link it takes him or her to a page on the cyber attackerrsquos servers that looks just like
the well-known entitys login page
When a person enters his or her username and password this information is stored in a database on the phony
server while an error box appears that says Invalid username or password please try again This error box
message comes with an OK button that when clicked redirects the person to the real login page
People may not realize there is a problem because passwords are obscured with asterisks so it is natural to assume
there was a typo during the initial password entry However the miscreants now have the persons username and
password
So what does this mean to mortgage bankers if someone gets tricked into thinking a social engineering scam
message really came from Facebook or LinkedIn Quite simply many people have the same usernames and
passwords for multiple websites Thus a person who has unwittingly surrendered his or her personal information
for a Facebook page might not realize that the social engineering scam artists could later use that information to
gain access to online mortgage banking accounts
BD Mortgage Group LLC needs to take a proactive approach in educating customers on how to identify potential
scams that pop up in their email in-boxes Here are some safety tips we send out to all customers
1 Dont click links from emails Instead open a Web browser and specifically go to the site in question and login
directly It is not common for financial institutions to have a click here to login link within their email
communications
2 Be suspicious of serious warnings and dollar amounts posted directly in emails Financial services companies
are not in the habit of sending customers panic-inducing messages of low account balances or other account
discrepancies with details plainly shown in the email Warnings are more discreet and merely direct the customer
to go log in for details
3 Use mouse-overs to view a link before clicking Although not all email software and hardware devices support
them a mouse-over can quickly and easily identify the links within an email message
4 Try not to use the same password at multiple sites Use a password program to store and remember online
access data
BD MORTGAGE GROUP LLC 17
5 Routinely update passwords Updating passwords even once a year is an easy way to stay one step ahead of
the social engineering scammers
Invite customers who are in doubt about the veracity of emails to forward them to BD Mortgage Group LLC for
verification Several sites that have been the subject of social engineering scams including eBay and PayPal have
special email accounts that receive review and keep track of these online frauds These spoof-checking efforts
will help empower the customer to ensure that BD Mortgage Group LLC does not become the victim of the next
big Internet fraud
BD MORTGAGE GROUP LLC 18
Data Breach Policy Implementation Guide
The response to any breach of personally identifiable information (PII) can have a critical impact on the BD
Mortgage Group LLCrsquos reputation and how trustworthy the public perceives the company Thus exceptional care
must be taken when responding to data breach incidents Not all incidents result in data breaches and not all data
breaches require notification This guide is to assist the Data Breach Team in developing an appropriate response
to a data breach based on the specific characteristics of the incident
Background
This Data Breach Policy Implementation Guide is based on the Presidentrsquos Identity Theft Task Force
recommendations that provide a menu of steps for the company to consider so that it may pursue a risk-based
tailored response to data breach incidents
Definition of Breach
A breach is a loss of control compromise unauthorized disclosure unauthorized acquisition unauthorized
access or any similar term referring to situations where persons other than authorized users and for an authorized
purpose have access or potential access to PII in usable form whether physical or electronic
Reporting Breaches and Breach Response Team
Breach is immediately reported to
bull Chief Privacy Officer (CPO)
bull Chief Information Officer (CIO)
bull Chief IT Security Office (ITSO)
bull Associate Director for Communications
bull Chief Office of Analysis and Executive Support (OAES)
bull As warranted
bull Chief Office of Security
bull General Counsel
bull Law Enforcement
Risk Assessment Process
Risk is a function of the probability or likelihood of a privacy violation and the resulting impact of that violation
To assign a risk score assess the probability of the event (data breach) occurring and then assess the impact or
harm caused to an individual and our organization in its ability to achieve its mission
BD MORTGAGE GROUP LLC 19
Likelihood Likelihood Definition
High (H) The nature of the attack and the data indicate that the motivation is criminal intent the security of the data and controls to minimize the likelihood of a privacy violation are ineffective
Medium (M)
The nature of the attack and data indicate that the motivation could be criminal intent but controls are in place that may impede success
Low (L) The nature of the attack and data do not indicate criminal intent and security and controls are in place to prevent or at least significantly impede the likelihood of a privacy violation
To assess likelihood of a breach occurring consider five factors
1 How the loss occurred
2 Data elements breached
3 Ability to access the data - the likelihood the personal information will be or has been compromised ndash made
accessible to and usable by unauthorized persons
4 Ability to mitigate the risk of harm
5 Evidence of data being used for identity theft or other harm
1 How Loss Occurred
H - Online system hacked
H - Data was targeted
M - Device was targeted
M - Device stolen
L - Device lost
2 Data Elements Breached
H - Social Security Number
H - Biometric record
H - Financial account number
H - PIN or security code for financial account
H - Health data
M - Birthdate
M - Government Issued Identification Number (drivers license etc)
L - Name
L - Address
L - Telephone Number
A combination of identifying information and financial or security information should always be considered a
high risk with high likelihood of harm occurring
3 Ability to access data
H ndash paper records or electronic records in a spreadsheet that is not password protected
M ndash electronic records that are password protected only
L ndash electronic records that are password protected and encrypted
4 Ability to mitigate the risk of harm
H ndash no recovery of data
M ndash partial recovery of data
L ndash recovery of data prior to use
BD MORTGAGE GROUP LLC 20
5 Evidence of data being used for identity theft or other harm
H ndash Data published on the web
M ndash Data accessed but no direct evidence of use
L ndash No tangible evidence of data use
After evaluating each factor and assigning an overall probability or likelihood of a breach occurring review and
assess the impact or harm to an individual or our organization
Impact Rating
Impact Definition
High Event (1) may result in human death or serious injury or harm to individual (2) may result in high costs to organization or (3) may significantly violate harm or impede an organizationrsquos mission reputation or interest
Medium Event (1) may result in injury or harm to the individual (2) may result in costs to the organization or (3) may violate harm or impede an organizationrsquos mission reputation or interest
Low Event (1) may result in the loss of some tangible organizational assets or resources or (2) may noticeably affect an organizationrsquos mission reputation or interest
The impact depends on the extent to which the breach poses a risk of identity theft or other substantial harm to an
individual such as embarrassment inconvenience unfairness harm to reputation or the potential for harassment
or prejudice particularly when health or financial benefits information is involved
Financial considerations can be factored in when determining the impact on our organization For instance credit
monitoring is generally estimated at $20 per year per case (individual) The costs associated with implementing
a call center including staff salaries may also be a factor Alternatively the cost of contracting for this service
could be a factor
BD MORTGAGE GROUP LLC 21
Assigning Risk Score
The risk score is determined by cross-referencing the likelihood score with the impact score
Likelihood Impact
Low Medium High
High Medium High High
Medium Low Medium High
Low Low Low Medium
Notification of Individuals
The risk score assigned will help determine if and when we should provide notification If the likelihood of risk
is low there could be more harm or impact on the individual if notification is provided due to the actions the
notified individual may take Thus notification must be weighed with the likelihood of risk No notification may
be required when the risk levels of each of the five factors is low If the likelihood of risk is high and the level of
impact or harm to the individual is medium notification and remedy may be required Alternatively if the
likelihood of risk is low and the level of impact or harm to the individual is high notification only may be required
If the five factors are considered appropriately it is more likely that notification will only be given in those
instances where there is a reasonable risk of harm and will not lead to the overuse of notification and thus the
associated further complications to the individual
Thus consideration should be given to all factors when determining final actions to take when addressing each
incident The table below should only be used as guide and conditions may warrant actions above or below those
associated with the final risk score
Risk Score Necessary Action
High Notify and provide remedy
Medium Notify only
Low Monitor only
Timing of Notification
Notice will be provided within a reasonable time following the discovery of a breach consistent with the legitimate
needs of law enforcement and any measures necessary for the Census Bureau to determine the scope of the breach
and if applicable to restore the reasonable integrity of the systemprocess that was compromised
In some circumstances law enforcement considerations may require a delay in notification if the investigation of
the breach or of an individual affected by the breach requires it and notification would seriously impede the
investigation The delay should not exacerbate risk or harm to any affected individual(s) or be tied to the
completion of the investigation but rather be based on whether it would seriously impede the investigation to
provide the notice promptly
Responsibility for Notification
The notice should come from a senior BD Mortgage Group LLC representative
BD MORTGAGE GROUP LLC 22
Content of Notification
The notice must be clear concise conspicuous easy-to-understand in plain language and should include the
following elements
bull A brief description of what happened including the date(s) of the breach and its discovery
bull A description of the types of personal information that were involved in the breach (eg full name Social
Security number date of birth home address account number disability code etc) to the extent possible
bull What steps if any an individual should take to protect himself from potential harm
bull What BD Mortgage Group LLC is doing if anything to investigate the breach to mitigate losses and to
protect against any further breaches
bull Who and how affected individuals should contact BD Mortgage Group LLC for more information including
a toll-free telephone number e-mail address and postal address
bull Direction to additional guidance available from the Federal Trade Commission at
httpwwwconsumergovidtheft
Minimizing your risk at httpwwwconsumergovidtheftcon_minimizehtm
Publications at httpwwwconsumergovidtheftcon_pubshtm
Method of Communication
Notice of the breach will be provided commensurate to the number of individuals affected by the breach and the
availability of contact information BD Mortgage Group LLC has for the affected individuals Correspondence
must be prominently marked on the exterior reflecting the importance of the communication to help ensure the
recipient does not discard or otherwise ignore the notification
In general the primary means of notification will be by first-class mail to the last known mailing address of the
individual based on BD Mortgage Group LLC records
Where we have reason to believe that the address is no longer current reasonable efforts will be made to update
the address using the US Postal Service National Change of Address (NCOA) database
Substitute notice may be made in instances where BD Mortgage Group LLC does not have sufficient contact
information for those who need to be notified In such instances notice may consist of a conspicuous posting of
the notice on the companyrsquos home page of its web site and include additional information in a Frequently Asked
Questions (FAQ)
BD MORTGAGE GROUP LLC 23
Process for Remediation of a Breach
Remedy is provided when the risk score is High
Credit Monitoring Data Breach Risk Packages (ie Lifelock)
Low Risk Package Low Risk Package Includes
1048707 Social Security Credit Card and 1 Bureau Credit Report Monitoring 1048707 3 Bureau Initial Fraud Alert 1048707 Credit Card Registry 1048707 Online Identity Theft Assistance 1048707 24 x 7 Customer Support
Medium Risk Package Medium Risk includes Low Risk benefits plus 1048707 Instant 1 Bureau Credit Report 1048707 Instant 1 Bureau Credit Score 1048707 Personal Information Directory Monitoring and Deletion 1048707 Identity Theft Consumer Guide 1048707 $25000 ($0 deductible) Identity Theft Insurance
High Risk Package High Risk includes Medium Risk benefits plus 1048707 3 Bureau Credit Report Monitoring 1048707 Instant 3 in 1 Credit Report 1048707 Instant 3 Bureau Credit Scores 1048707 Fraud Resolution amp Identity Restoration Specialist
BD MORTGAGE GROUP LLC 24
Reporting a Data Breach
Security Breach Notification Laws have been enacted in most US states since 2002 These laws were enacted in
response to an escalating number of breaches of consumer databases containing personally identifiable
information The first such law the California data security breach notification law was enacted in 2002 and
became effective on July 1 2003 As related in the bill statement law requires a state agency or a person or
business that conducts business in California that owns or licenses computerized data that includes personal
information as defined to disclose in specified ways any breach of the security of the data as defined to any
resident of California whose unencrypted personal information was or is reasonably believed to have been
acquired by an unauthorized person In addition the law permits delayed notification if a law enforcement
agency determines that it would impede a criminal investigation The law also requires any entity that licenses
such information to notify the owner or licensee of the information of any breach in the security of the data
The California law has been the model for the enactment of similar laws in other states The National Conference
of State Legislatures maintains a list of enacted and proposed security breach notification laws
BD MORTGAGE GROUP LLC 25
BD MORTGAGE GROUP LLC 26
2-90-29 - Information Security Audit
To ensure security of our systems and that we comply with rules for customer information security we conduct
an annual audit of our information technology systems A provider qualified to review our independent
information technology in conjunction with mortgage procedures must conduct this audit
Since we do not have any proprietary information technology but utilize software and services provided by
vendors exclusively we rely on the qualified audits of the technology provided by these vendors This is
conducted in conjunction with our annual vendor approval process
Vendor Category Vendor Name Information Tech Cert Date
Loan Origination System
E-Disclosure
Data Back-up
Web 1003 Application
Pricing and Eligibility
Document Management
E-Fax
Voice-MailTelephony
NetworkInternet Service
Office SupportCleanerLandlord
Courier
In addition we assume that other licensed entities with which we do business have had their plans reviewed and
found acceptable Consequently we do not audit our mortgage lender business partners
Internal Policies for Information Security Management
In addition to these procedures please refer to our internal Information Security Plan and Red Flags for our
ongoing Information Security procedures
BD MORTGAGE GROUP LLC 6
Desktop Security Policy
The purpose of this policy is to provide guidance for workstation security for BD Mortgage Group LLC
workstations in order to ensure the security of information on the workstation and information the workstation
may have access to
Scope
This policy applies to all BD Mortgage Group LLC employees contractors workforce members vendors and
agents with a BD Mortgage Group LLC-owned or personal-workstation connected to the BD Mortgage Group
LLC network
Policy
Appropriate measures must be taken when using workstations to ensure the confidentiality integrity and
availability of sensitivity information and that access to sensitive information is restricted to authorized users
Workforce members using workstations shall consider the sensitivity of the information that may be accessed
and minimize the possibility of unauthorized access BD Mortgage Group LLC will implement physical and
technical safeguards for all workstations that access electronic protected health information to restrict access to
authorized users
Appropriate measures include
bull Restricting physical access to workstations to only authorized personnel
bull Securing workstations (screen lock or logout) prior to leaving area to prevent unauthorized access
bull Enabling a password-protected screen saver with a short timeout period to ensure that workstations that were
left unsecured will be protected
bull Complying with all applicable password policies and procedures
bull Ensuring workstations are used for authorized business purposes only
bull Never installing unauthorized software on workstations
bull Storing all sensitivity information on network servers
bull Keeping food and drink away from workstations in order to avoid accidental spills
bull Securing laptops that contain sensitivity information by using cable locks or locking laptops up in drawers or
cabinets
bull Complying with the Portable Workstation Encryption policy
bull Complying with the Anti-Virus policy
bull Ensuring that monitors are positioned away from public view If necessary install privacy screen filters or
other physical barriers to public viewing
bull Ensuring workstations are left on but logged off in order to facilitate after-hours updates Exit running
applications and close open documents
bull Ensuring that all workstations use a surge protector (not just a power strip) or a UPS (battery backup)
bull If wireless network access is used ensure access is secure by following the Wireless Access policy
Enforcement
Any employee found to have violated this policy may be subject to disciplinary action up to and including
termination of employment
BD MORTGAGE GROUP LLC 7
Definitions
Workstations include laptops desktops PDAs computer based medical equipment containing or accessing
patient information and authorized home workstations accessing the BD Mortgage Group LLC network
Workforce members include employees volunteers trainees and other persons under the direct control of BD
Mortgage Group LLC
BD MORTGAGE GROUP LLC 8
Document Retention and Destruction
In accordance with the Sarbanes-Oxley Act which makes it a crime to alter cover up falsify or destroy any
document with the intent of impeding or obstructing any official proceeding this policy provides for the
systematic review retention and destruction of documents received or created by BD Mortgage Group LLC in
connection with the transaction of organization business This policy covers all records and documents regardless
of physical form contains guidelines for how long certain documents should be kept and how records should be
destroyed The policy is designed to ensure compliance with federal and state laws and regulations to eliminate
accidental or innocent destruction of records and to facilitate BD Mortgage Group LLCrsquos operations by promoting
efficiency and freeing up valuable storage space
Document Retention
BD Mortgage Group LLC follows the document retention procedures outlined below Documents that are not
listed but are substantially similar to those listed in the schedule will be retained for the appropriate length of
time
BD MORTGAGE GROUP LLC 9
General Records Retention Schedule
Corporate Records
Annual Reports to Secretary of StateAttorney General Permanent
Articles of Incorporation Permanent
Board Meeting and Board Committee Minutes Permanent
Board PoliciesResolutions Permanent
By-laws Permanent
Construction Documents Permanent
Fixed Asset Records Permanent
IRS Application for Tax-Exempt Status (Form 1023) Permanent
IRS Determination Letter Permanent
State Sales Tax Exemption Letter Permanent
Contracts (after expiration) 7 years
Correspondence (general) 3 years
Accounting and Corporate Tax Records
Annual Audits and Financial Statements Permanent
Depreciation Schedules Permanent
General Ledgers Permanent
IRS 990 Tax Returns Permanent
Business Expense Records 7 years
IRS 1099s 7 years
Journal Entries 7 years
Invoices 7 years
Sales Records (box office concessions gift shop) 5 years
Petty Cash Vouchers 3 years
Cash Receipts 3 years
Credit Card Receipts 3 years
Bank Records
Check Registers Permanent
Bank Deposit Slips 7 years
Bank Statements and Reconciliation 7 years
Electronic Fund Transfer Documents 7 years
Payroll and Employment Tax Records
Payroll Registers Permanent
State Unemployment Tax Records Permanent
Earnings Records 7 years
Garnishment Records 7 years
Payroll Tax returns 7 years
W-2 Statements 7 years
Employee Records
Employment and Termination Agreements Permanent
Retirement and Pension Plan Documents Permanent
Records Relating to Promotion Demotion or Discharge 7 years after termination
Accident Reports and Workerrsquos Compensation Records 5 years
Salary Schedules 5 years
Employment Applications 3 years
I-9 Forms 3 years after termination
Time Cards 2 years
Loan File Records
Loan Application Copy File 5 years after completion
Loan Servicing File 5 years after loan payoff
BD MORTGAGE GROUP LLC 10
BD MORTGAGE GROUP LLC 11
Electronic Documents and Records
Electronic documents will be retained as if they were paper documents Therefore any electronic files including
records of donations made online that fall into one of the document types on the above schedule will be
maintained for the appropriate amount of time If a user has sufficient reason to keep an email message the
message should be printed in hard copy and kept in the appropriate file or moved to an ldquoarchiverdquo computer file
folder Backup and recovery methods will be tested on a regular basis
See ndash E-SIGN Policy and Procedure
Emergency Planning
BD Mortgage Group LLCrsquos records will be stored in a safe secure and accessible manner Documents and
financial files that are essential to keeping BD Mortgage Group LLC operating in an emergency will be duplicated
or backed up at least every week and maintained off site
BD MORTGAGE GROUP LLC 12
Document Destruction
BD Mortgage Group LLCrsquos designated ldquoInformation Security and Red Flag ID Theft Planrdquo individual is
responsible for the ongoing process of identifying records which have met the required retention period and
overseeing their destruction Destruction of financial and personnel-related documents will be accomplished by
shredding
Document destruction will be suspended immediately upon any indication of an official investigation or when a
lawsuit is filed or appears imminent Destruction will be reinstated upon conclusion of the investigation
Compliance
Failure on the part of employees to follow this policy can result in possible civil and criminal sanctions against
BD Mortgage Group LLC and its employees and possible disciplinary action against responsible individuals The
chief financial officer and finance committee chair will periodically review these procedures with legal counsel
or the organizationrsquos certified public accountant to ensure that they are in compliance with new or revised
regulations
Onsite Records Storage Policy
Active closed or denied loan application copies exclusive of delivery file documentation subject to the Funding
Warehousing Delivery and Servicing Setup process will be stored in the branch These files will be indexed by
month and alphabetically by borrower last name File cabinets must be locked and keys are maintained by the
operations manager and may be accessed under supervision during business hours
Offsite Records Storage
If due to space concerns there is insufficient room in the branch location to provide file storage off-site records
storage may be utilized through a secure bonded professional records Management Company that is a member
of the American Business Records Management Association Records of each file box sent to Archive must be
maintained current by the operations manager and must be available for immediate inspection within 2 hoursrsquo
notice
The purpose of this policy is to ensure the proper use of BD Mortgage Group LLCrsquos email system and make users
aware of what BD Mortgage Group LLC deems as acceptable and unacceptable use of its email system The BD
Mortgage Group LLC reserves the right to amend this policy at its discretion In case of amendments users will
be informed appropriately
BD MORTGAGE GROUP LLC 13
Electronic Communication
Email is a business communication tool and users are obliged to use this tool in a responsible effective and lawful
manner Although by its nature email seems to be less formal than other written communication the same laws
apply Therefore it is important that users are aware of the legal risks of e-mail
By following the guidelines in this policy the email user can minimize the legal risks involved in the use of e-
mail If any user disregards the rules set out in this Email Policy the user will be fully liable and BD Mortgage
Group LLC will disassociate itself from the user as far as legally possible
The following rules are required by law and are to be strictly adhered to
bull It is strictly prohibited to send or forward emails containing libelous defamatory offensive racist or
obscene remarks If you receive an e-mail of this nature you must promptly notify your supervisor
bull Do not forward a message without acquiring permission from the sender first
bull Do not send unsolicited email messages
bull Do not forge or attempt to forge email messages
bull Do not send email messages using another personrsquos email account
bull Do not copy a message or attachment belonging to another user without permission of the originator
bull Do not disguise or attempt to disguise your identity when sending mail
Best Practices
BD Mortgage Group LLC considers email as an important means of communication and recognizes the
importance of proper email content and speedy replies in conveying a professional image and delivering good
customer service Therefore BD Mortgage Group LLC wishes users to adhere to the following guidelines
Writing emails
bull Signatures must include your name job title and BD Mortgage Group LLC A disclaimer will be added
underneath your signature (see Disclaimer)
bull Use the spell checker before you send out an email
bull Do not send unnecessary attachments Compress attachments larger than 200K before sending them
bull Do not write emails in capitals
bull Do not use cc or bcc fields unless the cc or bcc recipient is aware that you will be copying a mail to
himher and knows what action if any to take
bull If you forward mails state clearly what action you expect the recipient to take
bull Only send emails of which the content could be displayed on a public notice board If they cannot be
displayed publicly in their current state consider rephrasing the email using other means of
communication or protecting information by using a password (see confidential)
bull Only mark emails as important if they really are important
Replying to emails
Emails should be answered within at least 8 working hours but users must endeavor to answer priority emails
within 4 hours
Priority emails are emails from existing customers and business partners
BD MORTGAGE GROUP LLC 14
Newsgroups
Users need to request permission from their supervisor before subscribing to a newsletter or news group
Maintenance
Delete any email messages that you do not need to have a copy of and set your email client to automatically
empty your lsquodeleted itemsrsquo on closing
Personal Use
Although BD Mortgage Group LLC email system is meant for business use BD Mortgage Group LLC allows
the reasonable use of email for personal use if certain guidelines are adhered to
bull Personal use of email should not interfere with work
bull Personal emails must also adhere to the guidelines in this policy
bull Personal emails are kept in a separate folder named lsquoPrivatersquo The emails in this folder must be deleted weekly
so as not to clog up the system
bull The forwarding of chain letters junk mail jokes and executables is strictly forbidden
bull On average users are not allowed to send more than 2 personal emails a day
bull Do not send mass mailings
bull All messages distributed via the companyrsquos email system even personal emails are BD Mortgage Group
LLCrsquos property
Confidential Information
Avoid sending confidential information by e-mail If you do you must secure the information by including it in
a Microsoft Word Excel or PDF file and protect it with a password Then provide the recipient with the password
by means of other communication for instance by telephone
Disclaimer
The following disclaimer will be added to each outgoing email
lsquoThis email and any files transmitted with it are confidential and intended solely for the use of the individual or
entity to which they are addressed If you have received this email in error please notify the system manager
Please note that any views or opinions presented in this email are solely those of the author and do not necessarily
represent those of the company Finally the recipient should check this email and any attachments for the presence
of viruses The company accepts no liability for any damage caused by any virus transmitted by this emailrsquo
System Monitoring
You must have no expectation of privacy in anything you create store send or receive on the companyrsquos computer
system Your emails can be monitored without prior notification if BD Mortgage Group LLC deems this
necessary If there is evidence that you are not adhering to the guidelines set out in this policy the BD Mortgage
Group LLC reserves the right to take disciplinary action including termination andor legal action
BD MORTGAGE GROUP LLC 15
Secure Fax Transmission
The legacy of fax transmission in the mortgage industry is long The risk of using fax transmissions is that the
sender has no idea whether the recipient is attending to the machine while the document is being received printed
and then available for viewing In order to prevent the compromise of secure information never send information
to an unattended facsimile machine If you can confirm that the recipient is standing at the machine it is acceptable
to proceed with communications in this manner
Alternatively we can provide an ldquoE-faxrdquo account for individual users This allows the transmission of facsimiles
via e-mail to a secure login account
For transmitting paper documents always create a password protected document and deliver the password to the
recipient using a different method of communication such as the telephone
Secure Telephone Communications
Vishing is the criminal practice of using social engineering and Voice over IP (VoIP) to gain access to private
personal and financial information from the public for the purpose of financial reward The term is a combination
of voice and phishing Vishing exploits the publics trust in landline telephone services which have traditionally
terminated in physical locations which are known to the telephone company and associated with a bill-payer
The victim is often unaware that VoIP allows for caller ID spoofing inexpensive complex automated systems
and anonymity for the bill-payer Vishing is typically used to steal credit card numbers or other information used
in identity theft schemes from individuals
According to the FBIs Internet Crime Complaint Center (IC3) the number of vishing complaints received by
the center is increasing at what it calls an alarming rate Vishing and phishing are related and both rely on e-
mail as a means of delivering bait but the two use different hooks in order to snag user data
Vishing starts with an e-mail like phishing but requests that end-users contact a particular institution by phone
in order to resolve an issue or re-secure personal data People who call the provided number will be asked to
provide the same types of data phishers attempt to procure Ironically vishing e-mails may even attempt to
reassure recipients of their legitimacy by stating that the institution in question would never request customer
financial data via e-mail or IM
As always the best defense against phishing or vishing is a little common sense If your bank or other financial
institution with which you are affiliated contacts you requesting personal data hang up (or call them) using only
the number provided on the back of your card or official statement If you cant get confirmation that the request
is actually legitimate dont follow up on it
BD MORTGAGE GROUP LLC 16
Social Engineering Scams ndash Internal and External Prevention
One of the most prevalent forms of online scams is referred to as a seemingly benign term social engineering
This practice which is sometimes referred to as phishing refers to using trickery to get people to voluntarily
hand over critical information such as usernames or passwords
In many cases spam filters can easily detect the clumsier social engineering efforts and thus spare computer
users from grief However there are a growing number of sophisticated efforts that are crafted to circumvent the
spam filters - and unsuspecting customers that click into these cleverly disguised emails run the risk of facing
serious repercussions
Social engineering attacks mimic an email notification from a well-known and trusted source financial
institutions LinkedIn PayPal the Better Business Bureau Facebook and so forth The attackers create an email
that looks exactly like the normal system notices that are sent out by those entities but they change the links to
hit their own servers
The most classic example is an email that sends a dire notice with a link to login and check on a potential problem
When a person clicks on the link it takes him or her to a page on the cyber attackerrsquos servers that looks just like
the well-known entitys login page
When a person enters his or her username and password this information is stored in a database on the phony
server while an error box appears that says Invalid username or password please try again This error box
message comes with an OK button that when clicked redirects the person to the real login page
People may not realize there is a problem because passwords are obscured with asterisks so it is natural to assume
there was a typo during the initial password entry However the miscreants now have the persons username and
password
So what does this mean to mortgage bankers if someone gets tricked into thinking a social engineering scam
message really came from Facebook or LinkedIn Quite simply many people have the same usernames and
passwords for multiple websites Thus a person who has unwittingly surrendered his or her personal information
for a Facebook page might not realize that the social engineering scam artists could later use that information to
gain access to online mortgage banking accounts
BD Mortgage Group LLC needs to take a proactive approach in educating customers on how to identify potential
scams that pop up in their email in-boxes Here are some safety tips we send out to all customers
1 Dont click links from emails Instead open a Web browser and specifically go to the site in question and login
directly It is not common for financial institutions to have a click here to login link within their email
communications
2 Be suspicious of serious warnings and dollar amounts posted directly in emails Financial services companies
are not in the habit of sending customers panic-inducing messages of low account balances or other account
discrepancies with details plainly shown in the email Warnings are more discreet and merely direct the customer
to go log in for details
3 Use mouse-overs to view a link before clicking Although not all email software and hardware devices support
them a mouse-over can quickly and easily identify the links within an email message
4 Try not to use the same password at multiple sites Use a password program to store and remember online
access data
BD MORTGAGE GROUP LLC 17
5 Routinely update passwords Updating passwords even once a year is an easy way to stay one step ahead of
the social engineering scammers
Invite customers who are in doubt about the veracity of emails to forward them to BD Mortgage Group LLC for
verification Several sites that have been the subject of social engineering scams including eBay and PayPal have
special email accounts that receive review and keep track of these online frauds These spoof-checking efforts
will help empower the customer to ensure that BD Mortgage Group LLC does not become the victim of the next
big Internet fraud
BD MORTGAGE GROUP LLC 18
Data Breach Policy Implementation Guide
The response to any breach of personally identifiable information (PII) can have a critical impact on the BD
Mortgage Group LLCrsquos reputation and how trustworthy the public perceives the company Thus exceptional care
must be taken when responding to data breach incidents Not all incidents result in data breaches and not all data
breaches require notification This guide is to assist the Data Breach Team in developing an appropriate response
to a data breach based on the specific characteristics of the incident
Background
This Data Breach Policy Implementation Guide is based on the Presidentrsquos Identity Theft Task Force
recommendations that provide a menu of steps for the company to consider so that it may pursue a risk-based
tailored response to data breach incidents
Definition of Breach
A breach is a loss of control compromise unauthorized disclosure unauthorized acquisition unauthorized
access or any similar term referring to situations where persons other than authorized users and for an authorized
purpose have access or potential access to PII in usable form whether physical or electronic
Reporting Breaches and Breach Response Team
Breach is immediately reported to
bull Chief Privacy Officer (CPO)
bull Chief Information Officer (CIO)
bull Chief IT Security Office (ITSO)
bull Associate Director for Communications
bull Chief Office of Analysis and Executive Support (OAES)
bull As warranted
bull Chief Office of Security
bull General Counsel
bull Law Enforcement
Risk Assessment Process
Risk is a function of the probability or likelihood of a privacy violation and the resulting impact of that violation
To assign a risk score assess the probability of the event (data breach) occurring and then assess the impact or
harm caused to an individual and our organization in its ability to achieve its mission
BD MORTGAGE GROUP LLC 19
Likelihood Likelihood Definition
High (H) The nature of the attack and the data indicate that the motivation is criminal intent the security of the data and controls to minimize the likelihood of a privacy violation are ineffective
Medium (M)
The nature of the attack and data indicate that the motivation could be criminal intent but controls are in place that may impede success
Low (L) The nature of the attack and data do not indicate criminal intent and security and controls are in place to prevent or at least significantly impede the likelihood of a privacy violation
To assess likelihood of a breach occurring consider five factors
1 How the loss occurred
2 Data elements breached
3 Ability to access the data - the likelihood the personal information will be or has been compromised ndash made
accessible to and usable by unauthorized persons
4 Ability to mitigate the risk of harm
5 Evidence of data being used for identity theft or other harm
1 How Loss Occurred
H - Online system hacked
H - Data was targeted
M - Device was targeted
M - Device stolen
L - Device lost
2 Data Elements Breached
H - Social Security Number
H - Biometric record
H - Financial account number
H - PIN or security code for financial account
H - Health data
M - Birthdate
M - Government Issued Identification Number (drivers license etc)
L - Name
L - Address
L - Telephone Number
A combination of identifying information and financial or security information should always be considered a
high risk with high likelihood of harm occurring
3 Ability to access data
H ndash paper records or electronic records in a spreadsheet that is not password protected
M ndash electronic records that are password protected only
L ndash electronic records that are password protected and encrypted
4 Ability to mitigate the risk of harm
H ndash no recovery of data
M ndash partial recovery of data
L ndash recovery of data prior to use
BD MORTGAGE GROUP LLC 20
5 Evidence of data being used for identity theft or other harm
H ndash Data published on the web
M ndash Data accessed but no direct evidence of use
L ndash No tangible evidence of data use
After evaluating each factor and assigning an overall probability or likelihood of a breach occurring review and
assess the impact or harm to an individual or our organization
Impact Rating
Impact Definition
High Event (1) may result in human death or serious injury or harm to individual (2) may result in high costs to organization or (3) may significantly violate harm or impede an organizationrsquos mission reputation or interest
Medium Event (1) may result in injury or harm to the individual (2) may result in costs to the organization or (3) may violate harm or impede an organizationrsquos mission reputation or interest
Low Event (1) may result in the loss of some tangible organizational assets or resources or (2) may noticeably affect an organizationrsquos mission reputation or interest
The impact depends on the extent to which the breach poses a risk of identity theft or other substantial harm to an
individual such as embarrassment inconvenience unfairness harm to reputation or the potential for harassment
or prejudice particularly when health or financial benefits information is involved
Financial considerations can be factored in when determining the impact on our organization For instance credit
monitoring is generally estimated at $20 per year per case (individual) The costs associated with implementing
a call center including staff salaries may also be a factor Alternatively the cost of contracting for this service
could be a factor
BD MORTGAGE GROUP LLC 21
Assigning Risk Score
The risk score is determined by cross-referencing the likelihood score with the impact score
Likelihood Impact
Low Medium High
High Medium High High
Medium Low Medium High
Low Low Low Medium
Notification of Individuals
The risk score assigned will help determine if and when we should provide notification If the likelihood of risk
is low there could be more harm or impact on the individual if notification is provided due to the actions the
notified individual may take Thus notification must be weighed with the likelihood of risk No notification may
be required when the risk levels of each of the five factors is low If the likelihood of risk is high and the level of
impact or harm to the individual is medium notification and remedy may be required Alternatively if the
likelihood of risk is low and the level of impact or harm to the individual is high notification only may be required
If the five factors are considered appropriately it is more likely that notification will only be given in those
instances where there is a reasonable risk of harm and will not lead to the overuse of notification and thus the
associated further complications to the individual
Thus consideration should be given to all factors when determining final actions to take when addressing each
incident The table below should only be used as guide and conditions may warrant actions above or below those
associated with the final risk score
Risk Score Necessary Action
High Notify and provide remedy
Medium Notify only
Low Monitor only
Timing of Notification
Notice will be provided within a reasonable time following the discovery of a breach consistent with the legitimate
needs of law enforcement and any measures necessary for the Census Bureau to determine the scope of the breach
and if applicable to restore the reasonable integrity of the systemprocess that was compromised
In some circumstances law enforcement considerations may require a delay in notification if the investigation of
the breach or of an individual affected by the breach requires it and notification would seriously impede the
investigation The delay should not exacerbate risk or harm to any affected individual(s) or be tied to the
completion of the investigation but rather be based on whether it would seriously impede the investigation to
provide the notice promptly
Responsibility for Notification
The notice should come from a senior BD Mortgage Group LLC representative
BD MORTGAGE GROUP LLC 22
Content of Notification
The notice must be clear concise conspicuous easy-to-understand in plain language and should include the
following elements
bull A brief description of what happened including the date(s) of the breach and its discovery
bull A description of the types of personal information that were involved in the breach (eg full name Social
Security number date of birth home address account number disability code etc) to the extent possible
bull What steps if any an individual should take to protect himself from potential harm
bull What BD Mortgage Group LLC is doing if anything to investigate the breach to mitigate losses and to
protect against any further breaches
bull Who and how affected individuals should contact BD Mortgage Group LLC for more information including
a toll-free telephone number e-mail address and postal address
bull Direction to additional guidance available from the Federal Trade Commission at
httpwwwconsumergovidtheft
Minimizing your risk at httpwwwconsumergovidtheftcon_minimizehtm
Publications at httpwwwconsumergovidtheftcon_pubshtm
Method of Communication
Notice of the breach will be provided commensurate to the number of individuals affected by the breach and the
availability of contact information BD Mortgage Group LLC has for the affected individuals Correspondence
must be prominently marked on the exterior reflecting the importance of the communication to help ensure the
recipient does not discard or otherwise ignore the notification
In general the primary means of notification will be by first-class mail to the last known mailing address of the
individual based on BD Mortgage Group LLC records
Where we have reason to believe that the address is no longer current reasonable efforts will be made to update
the address using the US Postal Service National Change of Address (NCOA) database
Substitute notice may be made in instances where BD Mortgage Group LLC does not have sufficient contact
information for those who need to be notified In such instances notice may consist of a conspicuous posting of
the notice on the companyrsquos home page of its web site and include additional information in a Frequently Asked
Questions (FAQ)
BD MORTGAGE GROUP LLC 23
Process for Remediation of a Breach
Remedy is provided when the risk score is High
Credit Monitoring Data Breach Risk Packages (ie Lifelock)
Low Risk Package Low Risk Package Includes
1048707 Social Security Credit Card and 1 Bureau Credit Report Monitoring 1048707 3 Bureau Initial Fraud Alert 1048707 Credit Card Registry 1048707 Online Identity Theft Assistance 1048707 24 x 7 Customer Support
Medium Risk Package Medium Risk includes Low Risk benefits plus 1048707 Instant 1 Bureau Credit Report 1048707 Instant 1 Bureau Credit Score 1048707 Personal Information Directory Monitoring and Deletion 1048707 Identity Theft Consumer Guide 1048707 $25000 ($0 deductible) Identity Theft Insurance
High Risk Package High Risk includes Medium Risk benefits plus 1048707 3 Bureau Credit Report Monitoring 1048707 Instant 3 in 1 Credit Report 1048707 Instant 3 Bureau Credit Scores 1048707 Fraud Resolution amp Identity Restoration Specialist
BD MORTGAGE GROUP LLC 24
Reporting a Data Breach
Security Breach Notification Laws have been enacted in most US states since 2002 These laws were enacted in
response to an escalating number of breaches of consumer databases containing personally identifiable
information The first such law the California data security breach notification law was enacted in 2002 and
became effective on July 1 2003 As related in the bill statement law requires a state agency or a person or
business that conducts business in California that owns or licenses computerized data that includes personal
information as defined to disclose in specified ways any breach of the security of the data as defined to any
resident of California whose unencrypted personal information was or is reasonably believed to have been
acquired by an unauthorized person In addition the law permits delayed notification if a law enforcement
agency determines that it would impede a criminal investigation The law also requires any entity that licenses
such information to notify the owner or licensee of the information of any breach in the security of the data
The California law has been the model for the enactment of similar laws in other states The National Conference
of State Legislatures maintains a list of enacted and proposed security breach notification laws
BD MORTGAGE GROUP LLC 25
BD MORTGAGE GROUP LLC 26
2-90-29 - Information Security Audit
To ensure security of our systems and that we comply with rules for customer information security we conduct
an annual audit of our information technology systems A provider qualified to review our independent
information technology in conjunction with mortgage procedures must conduct this audit
Since we do not have any proprietary information technology but utilize software and services provided by
vendors exclusively we rely on the qualified audits of the technology provided by these vendors This is
conducted in conjunction with our annual vendor approval process
Vendor Category Vendor Name Information Tech Cert Date
Loan Origination System
E-Disclosure
Data Back-up
Web 1003 Application
Pricing and Eligibility
Document Management
E-Fax
Voice-MailTelephony
NetworkInternet Service
Office SupportCleanerLandlord
Courier
In addition we assume that other licensed entities with which we do business have had their plans reviewed and
found acceptable Consequently we do not audit our mortgage lender business partners
Internal Policies for Information Security Management
In addition to these procedures please refer to our internal Information Security Plan and Red Flags for our
ongoing Information Security procedures
BD MORTGAGE GROUP LLC 7
Definitions
Workstations include laptops desktops PDAs computer based medical equipment containing or accessing
patient information and authorized home workstations accessing the BD Mortgage Group LLC network
Workforce members include employees volunteers trainees and other persons under the direct control of BD
Mortgage Group LLC
BD MORTGAGE GROUP LLC 8
Document Retention and Destruction
In accordance with the Sarbanes-Oxley Act which makes it a crime to alter cover up falsify or destroy any
document with the intent of impeding or obstructing any official proceeding this policy provides for the
systematic review retention and destruction of documents received or created by BD Mortgage Group LLC in
connection with the transaction of organization business This policy covers all records and documents regardless
of physical form contains guidelines for how long certain documents should be kept and how records should be
destroyed The policy is designed to ensure compliance with federal and state laws and regulations to eliminate
accidental or innocent destruction of records and to facilitate BD Mortgage Group LLCrsquos operations by promoting
efficiency and freeing up valuable storage space
Document Retention
BD Mortgage Group LLC follows the document retention procedures outlined below Documents that are not
listed but are substantially similar to those listed in the schedule will be retained for the appropriate length of
time
BD MORTGAGE GROUP LLC 9
General Records Retention Schedule
Corporate Records
Annual Reports to Secretary of StateAttorney General Permanent
Articles of Incorporation Permanent
Board Meeting and Board Committee Minutes Permanent
Board PoliciesResolutions Permanent
By-laws Permanent
Construction Documents Permanent
Fixed Asset Records Permanent
IRS Application for Tax-Exempt Status (Form 1023) Permanent
IRS Determination Letter Permanent
State Sales Tax Exemption Letter Permanent
Contracts (after expiration) 7 years
Correspondence (general) 3 years
Accounting and Corporate Tax Records
Annual Audits and Financial Statements Permanent
Depreciation Schedules Permanent
General Ledgers Permanent
IRS 990 Tax Returns Permanent
Business Expense Records 7 years
IRS 1099s 7 years
Journal Entries 7 years
Invoices 7 years
Sales Records (box office concessions gift shop) 5 years
Petty Cash Vouchers 3 years
Cash Receipts 3 years
Credit Card Receipts 3 years
Bank Records
Check Registers Permanent
Bank Deposit Slips 7 years
Bank Statements and Reconciliation 7 years
Electronic Fund Transfer Documents 7 years
Payroll and Employment Tax Records
Payroll Registers Permanent
State Unemployment Tax Records Permanent
Earnings Records 7 years
Garnishment Records 7 years
Payroll Tax returns 7 years
W-2 Statements 7 years
Employee Records
Employment and Termination Agreements Permanent
Retirement and Pension Plan Documents Permanent
Records Relating to Promotion Demotion or Discharge 7 years after termination
Accident Reports and Workerrsquos Compensation Records 5 years
Salary Schedules 5 years
Employment Applications 3 years
I-9 Forms 3 years after termination
Time Cards 2 years
Loan File Records
Loan Application Copy File 5 years after completion
Loan Servicing File 5 years after loan payoff
BD MORTGAGE GROUP LLC 10
BD MORTGAGE GROUP LLC 11
Electronic Documents and Records
Electronic documents will be retained as if they were paper documents Therefore any electronic files including
records of donations made online that fall into one of the document types on the above schedule will be
maintained for the appropriate amount of time If a user has sufficient reason to keep an email message the
message should be printed in hard copy and kept in the appropriate file or moved to an ldquoarchiverdquo computer file
folder Backup and recovery methods will be tested on a regular basis
See ndash E-SIGN Policy and Procedure
Emergency Planning
BD Mortgage Group LLCrsquos records will be stored in a safe secure and accessible manner Documents and
financial files that are essential to keeping BD Mortgage Group LLC operating in an emergency will be duplicated
or backed up at least every week and maintained off site
BD MORTGAGE GROUP LLC 12
Document Destruction
BD Mortgage Group LLCrsquos designated ldquoInformation Security and Red Flag ID Theft Planrdquo individual is
responsible for the ongoing process of identifying records which have met the required retention period and
overseeing their destruction Destruction of financial and personnel-related documents will be accomplished by
shredding
Document destruction will be suspended immediately upon any indication of an official investigation or when a
lawsuit is filed or appears imminent Destruction will be reinstated upon conclusion of the investigation
Compliance
Failure on the part of employees to follow this policy can result in possible civil and criminal sanctions against
BD Mortgage Group LLC and its employees and possible disciplinary action against responsible individuals The
chief financial officer and finance committee chair will periodically review these procedures with legal counsel
or the organizationrsquos certified public accountant to ensure that they are in compliance with new or revised
regulations
Onsite Records Storage Policy
Active closed or denied loan application copies exclusive of delivery file documentation subject to the Funding
Warehousing Delivery and Servicing Setup process will be stored in the branch These files will be indexed by
month and alphabetically by borrower last name File cabinets must be locked and keys are maintained by the
operations manager and may be accessed under supervision during business hours
Offsite Records Storage
If due to space concerns there is insufficient room in the branch location to provide file storage off-site records
storage may be utilized through a secure bonded professional records Management Company that is a member
of the American Business Records Management Association Records of each file box sent to Archive must be
maintained current by the operations manager and must be available for immediate inspection within 2 hoursrsquo
notice
The purpose of this policy is to ensure the proper use of BD Mortgage Group LLCrsquos email system and make users
aware of what BD Mortgage Group LLC deems as acceptable and unacceptable use of its email system The BD
Mortgage Group LLC reserves the right to amend this policy at its discretion In case of amendments users will
be informed appropriately
BD MORTGAGE GROUP LLC 13
Electronic Communication
Email is a business communication tool and users are obliged to use this tool in a responsible effective and lawful
manner Although by its nature email seems to be less formal than other written communication the same laws
apply Therefore it is important that users are aware of the legal risks of e-mail
By following the guidelines in this policy the email user can minimize the legal risks involved in the use of e-
mail If any user disregards the rules set out in this Email Policy the user will be fully liable and BD Mortgage
Group LLC will disassociate itself from the user as far as legally possible
The following rules are required by law and are to be strictly adhered to
bull It is strictly prohibited to send or forward emails containing libelous defamatory offensive racist or
obscene remarks If you receive an e-mail of this nature you must promptly notify your supervisor
bull Do not forward a message without acquiring permission from the sender first
bull Do not send unsolicited email messages
bull Do not forge or attempt to forge email messages
bull Do not send email messages using another personrsquos email account
bull Do not copy a message or attachment belonging to another user without permission of the originator
bull Do not disguise or attempt to disguise your identity when sending mail
Best Practices
BD Mortgage Group LLC considers email as an important means of communication and recognizes the
importance of proper email content and speedy replies in conveying a professional image and delivering good
customer service Therefore BD Mortgage Group LLC wishes users to adhere to the following guidelines
Writing emails
bull Signatures must include your name job title and BD Mortgage Group LLC A disclaimer will be added
underneath your signature (see Disclaimer)
bull Use the spell checker before you send out an email
bull Do not send unnecessary attachments Compress attachments larger than 200K before sending them
bull Do not write emails in capitals
bull Do not use cc or bcc fields unless the cc or bcc recipient is aware that you will be copying a mail to
himher and knows what action if any to take
bull If you forward mails state clearly what action you expect the recipient to take
bull Only send emails of which the content could be displayed on a public notice board If they cannot be
displayed publicly in their current state consider rephrasing the email using other means of
communication or protecting information by using a password (see confidential)
bull Only mark emails as important if they really are important
Replying to emails
Emails should be answered within at least 8 working hours but users must endeavor to answer priority emails
within 4 hours
Priority emails are emails from existing customers and business partners
BD MORTGAGE GROUP LLC 14
Newsgroups
Users need to request permission from their supervisor before subscribing to a newsletter or news group
Maintenance
Delete any email messages that you do not need to have a copy of and set your email client to automatically
empty your lsquodeleted itemsrsquo on closing
Personal Use
Although BD Mortgage Group LLC email system is meant for business use BD Mortgage Group LLC allows
the reasonable use of email for personal use if certain guidelines are adhered to
bull Personal use of email should not interfere with work
bull Personal emails must also adhere to the guidelines in this policy
bull Personal emails are kept in a separate folder named lsquoPrivatersquo The emails in this folder must be deleted weekly
so as not to clog up the system
bull The forwarding of chain letters junk mail jokes and executables is strictly forbidden
bull On average users are not allowed to send more than 2 personal emails a day
bull Do not send mass mailings
bull All messages distributed via the companyrsquos email system even personal emails are BD Mortgage Group
LLCrsquos property
Confidential Information
Avoid sending confidential information by e-mail If you do you must secure the information by including it in
a Microsoft Word Excel or PDF file and protect it with a password Then provide the recipient with the password
by means of other communication for instance by telephone
Disclaimer
The following disclaimer will be added to each outgoing email
lsquoThis email and any files transmitted with it are confidential and intended solely for the use of the individual or
entity to which they are addressed If you have received this email in error please notify the system manager
Please note that any views or opinions presented in this email are solely those of the author and do not necessarily
represent those of the company Finally the recipient should check this email and any attachments for the presence
of viruses The company accepts no liability for any damage caused by any virus transmitted by this emailrsquo
System Monitoring
You must have no expectation of privacy in anything you create store send or receive on the companyrsquos computer
system Your emails can be monitored without prior notification if BD Mortgage Group LLC deems this
necessary If there is evidence that you are not adhering to the guidelines set out in this policy the BD Mortgage
Group LLC reserves the right to take disciplinary action including termination andor legal action
BD MORTGAGE GROUP LLC 15
Secure Fax Transmission
The legacy of fax transmission in the mortgage industry is long The risk of using fax transmissions is that the
sender has no idea whether the recipient is attending to the machine while the document is being received printed
and then available for viewing In order to prevent the compromise of secure information never send information
to an unattended facsimile machine If you can confirm that the recipient is standing at the machine it is acceptable
to proceed with communications in this manner
Alternatively we can provide an ldquoE-faxrdquo account for individual users This allows the transmission of facsimiles
via e-mail to a secure login account
For transmitting paper documents always create a password protected document and deliver the password to the
recipient using a different method of communication such as the telephone
Secure Telephone Communications
Vishing is the criminal practice of using social engineering and Voice over IP (VoIP) to gain access to private
personal and financial information from the public for the purpose of financial reward The term is a combination
of voice and phishing Vishing exploits the publics trust in landline telephone services which have traditionally
terminated in physical locations which are known to the telephone company and associated with a bill-payer
The victim is often unaware that VoIP allows for caller ID spoofing inexpensive complex automated systems
and anonymity for the bill-payer Vishing is typically used to steal credit card numbers or other information used
in identity theft schemes from individuals
According to the FBIs Internet Crime Complaint Center (IC3) the number of vishing complaints received by
the center is increasing at what it calls an alarming rate Vishing and phishing are related and both rely on e-
mail as a means of delivering bait but the two use different hooks in order to snag user data
Vishing starts with an e-mail like phishing but requests that end-users contact a particular institution by phone
in order to resolve an issue or re-secure personal data People who call the provided number will be asked to
provide the same types of data phishers attempt to procure Ironically vishing e-mails may even attempt to
reassure recipients of their legitimacy by stating that the institution in question would never request customer
financial data via e-mail or IM
As always the best defense against phishing or vishing is a little common sense If your bank or other financial
institution with which you are affiliated contacts you requesting personal data hang up (or call them) using only
the number provided on the back of your card or official statement If you cant get confirmation that the request
is actually legitimate dont follow up on it
BD MORTGAGE GROUP LLC 16
Social Engineering Scams ndash Internal and External Prevention
One of the most prevalent forms of online scams is referred to as a seemingly benign term social engineering
This practice which is sometimes referred to as phishing refers to using trickery to get people to voluntarily
hand over critical information such as usernames or passwords
In many cases spam filters can easily detect the clumsier social engineering efforts and thus spare computer
users from grief However there are a growing number of sophisticated efforts that are crafted to circumvent the
spam filters - and unsuspecting customers that click into these cleverly disguised emails run the risk of facing
serious repercussions
Social engineering attacks mimic an email notification from a well-known and trusted source financial
institutions LinkedIn PayPal the Better Business Bureau Facebook and so forth The attackers create an email
that looks exactly like the normal system notices that are sent out by those entities but they change the links to
hit their own servers
The most classic example is an email that sends a dire notice with a link to login and check on a potential problem
When a person clicks on the link it takes him or her to a page on the cyber attackerrsquos servers that looks just like
the well-known entitys login page
When a person enters his or her username and password this information is stored in a database on the phony
server while an error box appears that says Invalid username or password please try again This error box
message comes with an OK button that when clicked redirects the person to the real login page
People may not realize there is a problem because passwords are obscured with asterisks so it is natural to assume
there was a typo during the initial password entry However the miscreants now have the persons username and
password
So what does this mean to mortgage bankers if someone gets tricked into thinking a social engineering scam
message really came from Facebook or LinkedIn Quite simply many people have the same usernames and
passwords for multiple websites Thus a person who has unwittingly surrendered his or her personal information
for a Facebook page might not realize that the social engineering scam artists could later use that information to
gain access to online mortgage banking accounts
BD Mortgage Group LLC needs to take a proactive approach in educating customers on how to identify potential
scams that pop up in their email in-boxes Here are some safety tips we send out to all customers
1 Dont click links from emails Instead open a Web browser and specifically go to the site in question and login
directly It is not common for financial institutions to have a click here to login link within their email
communications
2 Be suspicious of serious warnings and dollar amounts posted directly in emails Financial services companies
are not in the habit of sending customers panic-inducing messages of low account balances or other account
discrepancies with details plainly shown in the email Warnings are more discreet and merely direct the customer
to go log in for details
3 Use mouse-overs to view a link before clicking Although not all email software and hardware devices support
them a mouse-over can quickly and easily identify the links within an email message
4 Try not to use the same password at multiple sites Use a password program to store and remember online
access data
BD MORTGAGE GROUP LLC 17
5 Routinely update passwords Updating passwords even once a year is an easy way to stay one step ahead of
the social engineering scammers
Invite customers who are in doubt about the veracity of emails to forward them to BD Mortgage Group LLC for
verification Several sites that have been the subject of social engineering scams including eBay and PayPal have
special email accounts that receive review and keep track of these online frauds These spoof-checking efforts
will help empower the customer to ensure that BD Mortgage Group LLC does not become the victim of the next
big Internet fraud
BD MORTGAGE GROUP LLC 18
Data Breach Policy Implementation Guide
The response to any breach of personally identifiable information (PII) can have a critical impact on the BD
Mortgage Group LLCrsquos reputation and how trustworthy the public perceives the company Thus exceptional care
must be taken when responding to data breach incidents Not all incidents result in data breaches and not all data
breaches require notification This guide is to assist the Data Breach Team in developing an appropriate response
to a data breach based on the specific characteristics of the incident
Background
This Data Breach Policy Implementation Guide is based on the Presidentrsquos Identity Theft Task Force
recommendations that provide a menu of steps for the company to consider so that it may pursue a risk-based
tailored response to data breach incidents
Definition of Breach
A breach is a loss of control compromise unauthorized disclosure unauthorized acquisition unauthorized
access or any similar term referring to situations where persons other than authorized users and for an authorized
purpose have access or potential access to PII in usable form whether physical or electronic
Reporting Breaches and Breach Response Team
Breach is immediately reported to
bull Chief Privacy Officer (CPO)
bull Chief Information Officer (CIO)
bull Chief IT Security Office (ITSO)
bull Associate Director for Communications
bull Chief Office of Analysis and Executive Support (OAES)
bull As warranted
bull Chief Office of Security
bull General Counsel
bull Law Enforcement
Risk Assessment Process
Risk is a function of the probability or likelihood of a privacy violation and the resulting impact of that violation
To assign a risk score assess the probability of the event (data breach) occurring and then assess the impact or
harm caused to an individual and our organization in its ability to achieve its mission
BD MORTGAGE GROUP LLC 19
Likelihood Likelihood Definition
High (H) The nature of the attack and the data indicate that the motivation is criminal intent the security of the data and controls to minimize the likelihood of a privacy violation are ineffective
Medium (M)
The nature of the attack and data indicate that the motivation could be criminal intent but controls are in place that may impede success
Low (L) The nature of the attack and data do not indicate criminal intent and security and controls are in place to prevent or at least significantly impede the likelihood of a privacy violation
To assess likelihood of a breach occurring consider five factors
1 How the loss occurred
2 Data elements breached
3 Ability to access the data - the likelihood the personal information will be or has been compromised ndash made
accessible to and usable by unauthorized persons
4 Ability to mitigate the risk of harm
5 Evidence of data being used for identity theft or other harm
1 How Loss Occurred
H - Online system hacked
H - Data was targeted
M - Device was targeted
M - Device stolen
L - Device lost
2 Data Elements Breached
H - Social Security Number
H - Biometric record
H - Financial account number
H - PIN or security code for financial account
H - Health data
M - Birthdate
M - Government Issued Identification Number (drivers license etc)
L - Name
L - Address
L - Telephone Number
A combination of identifying information and financial or security information should always be considered a
high risk with high likelihood of harm occurring
3 Ability to access data
H ndash paper records or electronic records in a spreadsheet that is not password protected
M ndash electronic records that are password protected only
L ndash electronic records that are password protected and encrypted
4 Ability to mitigate the risk of harm
H ndash no recovery of data
M ndash partial recovery of data
L ndash recovery of data prior to use
BD MORTGAGE GROUP LLC 20
5 Evidence of data being used for identity theft or other harm
H ndash Data published on the web
M ndash Data accessed but no direct evidence of use
L ndash No tangible evidence of data use
After evaluating each factor and assigning an overall probability or likelihood of a breach occurring review and
assess the impact or harm to an individual or our organization
Impact Rating
Impact Definition
High Event (1) may result in human death or serious injury or harm to individual (2) may result in high costs to organization or (3) may significantly violate harm or impede an organizationrsquos mission reputation or interest
Medium Event (1) may result in injury or harm to the individual (2) may result in costs to the organization or (3) may violate harm or impede an organizationrsquos mission reputation or interest
Low Event (1) may result in the loss of some tangible organizational assets or resources or (2) may noticeably affect an organizationrsquos mission reputation or interest
The impact depends on the extent to which the breach poses a risk of identity theft or other substantial harm to an
individual such as embarrassment inconvenience unfairness harm to reputation or the potential for harassment
or prejudice particularly when health or financial benefits information is involved
Financial considerations can be factored in when determining the impact on our organization For instance credit
monitoring is generally estimated at $20 per year per case (individual) The costs associated with implementing
a call center including staff salaries may also be a factor Alternatively the cost of contracting for this service
could be a factor
BD MORTGAGE GROUP LLC 21
Assigning Risk Score
The risk score is determined by cross-referencing the likelihood score with the impact score
Likelihood Impact
Low Medium High
High Medium High High
Medium Low Medium High
Low Low Low Medium
Notification of Individuals
The risk score assigned will help determine if and when we should provide notification If the likelihood of risk
is low there could be more harm or impact on the individual if notification is provided due to the actions the
notified individual may take Thus notification must be weighed with the likelihood of risk No notification may
be required when the risk levels of each of the five factors is low If the likelihood of risk is high and the level of
impact or harm to the individual is medium notification and remedy may be required Alternatively if the
likelihood of risk is low and the level of impact or harm to the individual is high notification only may be required
If the five factors are considered appropriately it is more likely that notification will only be given in those
instances where there is a reasonable risk of harm and will not lead to the overuse of notification and thus the
associated further complications to the individual
Thus consideration should be given to all factors when determining final actions to take when addressing each
incident The table below should only be used as guide and conditions may warrant actions above or below those
associated with the final risk score
Risk Score Necessary Action
High Notify and provide remedy
Medium Notify only
Low Monitor only
Timing of Notification
Notice will be provided within a reasonable time following the discovery of a breach consistent with the legitimate
needs of law enforcement and any measures necessary for the Census Bureau to determine the scope of the breach
and if applicable to restore the reasonable integrity of the systemprocess that was compromised
In some circumstances law enforcement considerations may require a delay in notification if the investigation of
the breach or of an individual affected by the breach requires it and notification would seriously impede the
investigation The delay should not exacerbate risk or harm to any affected individual(s) or be tied to the
completion of the investigation but rather be based on whether it would seriously impede the investigation to
provide the notice promptly
Responsibility for Notification
The notice should come from a senior BD Mortgage Group LLC representative
BD MORTGAGE GROUP LLC 22
Content of Notification
The notice must be clear concise conspicuous easy-to-understand in plain language and should include the
following elements
bull A brief description of what happened including the date(s) of the breach and its discovery
bull A description of the types of personal information that were involved in the breach (eg full name Social
Security number date of birth home address account number disability code etc) to the extent possible
bull What steps if any an individual should take to protect himself from potential harm
bull What BD Mortgage Group LLC is doing if anything to investigate the breach to mitigate losses and to
protect against any further breaches
bull Who and how affected individuals should contact BD Mortgage Group LLC for more information including
a toll-free telephone number e-mail address and postal address
bull Direction to additional guidance available from the Federal Trade Commission at
httpwwwconsumergovidtheft
Minimizing your risk at httpwwwconsumergovidtheftcon_minimizehtm
Publications at httpwwwconsumergovidtheftcon_pubshtm
Method of Communication
Notice of the breach will be provided commensurate to the number of individuals affected by the breach and the
availability of contact information BD Mortgage Group LLC has for the affected individuals Correspondence
must be prominently marked on the exterior reflecting the importance of the communication to help ensure the
recipient does not discard or otherwise ignore the notification
In general the primary means of notification will be by first-class mail to the last known mailing address of the
individual based on BD Mortgage Group LLC records
Where we have reason to believe that the address is no longer current reasonable efforts will be made to update
the address using the US Postal Service National Change of Address (NCOA) database
Substitute notice may be made in instances where BD Mortgage Group LLC does not have sufficient contact
information for those who need to be notified In such instances notice may consist of a conspicuous posting of
the notice on the companyrsquos home page of its web site and include additional information in a Frequently Asked
Questions (FAQ)
BD MORTGAGE GROUP LLC 23
Process for Remediation of a Breach
Remedy is provided when the risk score is High
Credit Monitoring Data Breach Risk Packages (ie Lifelock)
Low Risk Package Low Risk Package Includes
1048707 Social Security Credit Card and 1 Bureau Credit Report Monitoring 1048707 3 Bureau Initial Fraud Alert 1048707 Credit Card Registry 1048707 Online Identity Theft Assistance 1048707 24 x 7 Customer Support
Medium Risk Package Medium Risk includes Low Risk benefits plus 1048707 Instant 1 Bureau Credit Report 1048707 Instant 1 Bureau Credit Score 1048707 Personal Information Directory Monitoring and Deletion 1048707 Identity Theft Consumer Guide 1048707 $25000 ($0 deductible) Identity Theft Insurance
High Risk Package High Risk includes Medium Risk benefits plus 1048707 3 Bureau Credit Report Monitoring 1048707 Instant 3 in 1 Credit Report 1048707 Instant 3 Bureau Credit Scores 1048707 Fraud Resolution amp Identity Restoration Specialist
BD MORTGAGE GROUP LLC 24
Reporting a Data Breach
Security Breach Notification Laws have been enacted in most US states since 2002 These laws were enacted in
response to an escalating number of breaches of consumer databases containing personally identifiable
information The first such law the California data security breach notification law was enacted in 2002 and
became effective on July 1 2003 As related in the bill statement law requires a state agency or a person or
business that conducts business in California that owns or licenses computerized data that includes personal
information as defined to disclose in specified ways any breach of the security of the data as defined to any
resident of California whose unencrypted personal information was or is reasonably believed to have been
acquired by an unauthorized person In addition the law permits delayed notification if a law enforcement
agency determines that it would impede a criminal investigation The law also requires any entity that licenses
such information to notify the owner or licensee of the information of any breach in the security of the data
The California law has been the model for the enactment of similar laws in other states The National Conference
of State Legislatures maintains a list of enacted and proposed security breach notification laws
BD MORTGAGE GROUP LLC 25
BD MORTGAGE GROUP LLC 26
2-90-29 - Information Security Audit
To ensure security of our systems and that we comply with rules for customer information security we conduct
an annual audit of our information technology systems A provider qualified to review our independent
information technology in conjunction with mortgage procedures must conduct this audit
Since we do not have any proprietary information technology but utilize software and services provided by
vendors exclusively we rely on the qualified audits of the technology provided by these vendors This is
conducted in conjunction with our annual vendor approval process
Vendor Category Vendor Name Information Tech Cert Date
Loan Origination System
E-Disclosure
Data Back-up
Web 1003 Application
Pricing and Eligibility
Document Management
E-Fax
Voice-MailTelephony
NetworkInternet Service
Office SupportCleanerLandlord
Courier
In addition we assume that other licensed entities with which we do business have had their plans reviewed and
found acceptable Consequently we do not audit our mortgage lender business partners
Internal Policies for Information Security Management
In addition to these procedures please refer to our internal Information Security Plan and Red Flags for our
ongoing Information Security procedures
BD MORTGAGE GROUP LLC 8
Document Retention and Destruction
In accordance with the Sarbanes-Oxley Act which makes it a crime to alter cover up falsify or destroy any
document with the intent of impeding or obstructing any official proceeding this policy provides for the
systematic review retention and destruction of documents received or created by BD Mortgage Group LLC in
connection with the transaction of organization business This policy covers all records and documents regardless
of physical form contains guidelines for how long certain documents should be kept and how records should be
destroyed The policy is designed to ensure compliance with federal and state laws and regulations to eliminate
accidental or innocent destruction of records and to facilitate BD Mortgage Group LLCrsquos operations by promoting
efficiency and freeing up valuable storage space
Document Retention
BD Mortgage Group LLC follows the document retention procedures outlined below Documents that are not
listed but are substantially similar to those listed in the schedule will be retained for the appropriate length of
time
BD MORTGAGE GROUP LLC 9
General Records Retention Schedule
Corporate Records
Annual Reports to Secretary of StateAttorney General Permanent
Articles of Incorporation Permanent
Board Meeting and Board Committee Minutes Permanent
Board PoliciesResolutions Permanent
By-laws Permanent
Construction Documents Permanent
Fixed Asset Records Permanent
IRS Application for Tax-Exempt Status (Form 1023) Permanent
IRS Determination Letter Permanent
State Sales Tax Exemption Letter Permanent
Contracts (after expiration) 7 years
Correspondence (general) 3 years
Accounting and Corporate Tax Records
Annual Audits and Financial Statements Permanent
Depreciation Schedules Permanent
General Ledgers Permanent
IRS 990 Tax Returns Permanent
Business Expense Records 7 years
IRS 1099s 7 years
Journal Entries 7 years
Invoices 7 years
Sales Records (box office concessions gift shop) 5 years
Petty Cash Vouchers 3 years
Cash Receipts 3 years
Credit Card Receipts 3 years
Bank Records
Check Registers Permanent
Bank Deposit Slips 7 years
Bank Statements and Reconciliation 7 years
Electronic Fund Transfer Documents 7 years
Payroll and Employment Tax Records
Payroll Registers Permanent
State Unemployment Tax Records Permanent
Earnings Records 7 years
Garnishment Records 7 years
Payroll Tax returns 7 years
W-2 Statements 7 years
Employee Records
Employment and Termination Agreements Permanent
Retirement and Pension Plan Documents Permanent
Records Relating to Promotion Demotion or Discharge 7 years after termination
Accident Reports and Workerrsquos Compensation Records 5 years
Salary Schedules 5 years
Employment Applications 3 years
I-9 Forms 3 years after termination
Time Cards 2 years
Loan File Records
Loan Application Copy File 5 years after completion
Loan Servicing File 5 years after loan payoff
BD MORTGAGE GROUP LLC 10
BD MORTGAGE GROUP LLC 11
Electronic Documents and Records
Electronic documents will be retained as if they were paper documents Therefore any electronic files including
records of donations made online that fall into one of the document types on the above schedule will be
maintained for the appropriate amount of time If a user has sufficient reason to keep an email message the
message should be printed in hard copy and kept in the appropriate file or moved to an ldquoarchiverdquo computer file
folder Backup and recovery methods will be tested on a regular basis
See ndash E-SIGN Policy and Procedure
Emergency Planning
BD Mortgage Group LLCrsquos records will be stored in a safe secure and accessible manner Documents and
financial files that are essential to keeping BD Mortgage Group LLC operating in an emergency will be duplicated
or backed up at least every week and maintained off site
BD MORTGAGE GROUP LLC 12
Document Destruction
BD Mortgage Group LLCrsquos designated ldquoInformation Security and Red Flag ID Theft Planrdquo individual is
responsible for the ongoing process of identifying records which have met the required retention period and
overseeing their destruction Destruction of financial and personnel-related documents will be accomplished by
shredding
Document destruction will be suspended immediately upon any indication of an official investigation or when a
lawsuit is filed or appears imminent Destruction will be reinstated upon conclusion of the investigation
Compliance
Failure on the part of employees to follow this policy can result in possible civil and criminal sanctions against
BD Mortgage Group LLC and its employees and possible disciplinary action against responsible individuals The
chief financial officer and finance committee chair will periodically review these procedures with legal counsel
or the organizationrsquos certified public accountant to ensure that they are in compliance with new or revised
regulations
Onsite Records Storage Policy
Active closed or denied loan application copies exclusive of delivery file documentation subject to the Funding
Warehousing Delivery and Servicing Setup process will be stored in the branch These files will be indexed by
month and alphabetically by borrower last name File cabinets must be locked and keys are maintained by the
operations manager and may be accessed under supervision during business hours
Offsite Records Storage
If due to space concerns there is insufficient room in the branch location to provide file storage off-site records
storage may be utilized through a secure bonded professional records Management Company that is a member
of the American Business Records Management Association Records of each file box sent to Archive must be
maintained current by the operations manager and must be available for immediate inspection within 2 hoursrsquo
notice
The purpose of this policy is to ensure the proper use of BD Mortgage Group LLCrsquos email system and make users
aware of what BD Mortgage Group LLC deems as acceptable and unacceptable use of its email system The BD
Mortgage Group LLC reserves the right to amend this policy at its discretion In case of amendments users will
be informed appropriately
BD MORTGAGE GROUP LLC 13
Electronic Communication
Email is a business communication tool and users are obliged to use this tool in a responsible effective and lawful
manner Although by its nature email seems to be less formal than other written communication the same laws
apply Therefore it is important that users are aware of the legal risks of e-mail
By following the guidelines in this policy the email user can minimize the legal risks involved in the use of e-
mail If any user disregards the rules set out in this Email Policy the user will be fully liable and BD Mortgage
Group LLC will disassociate itself from the user as far as legally possible
The following rules are required by law and are to be strictly adhered to
bull It is strictly prohibited to send or forward emails containing libelous defamatory offensive racist or
obscene remarks If you receive an e-mail of this nature you must promptly notify your supervisor
bull Do not forward a message without acquiring permission from the sender first
bull Do not send unsolicited email messages
bull Do not forge or attempt to forge email messages
bull Do not send email messages using another personrsquos email account
bull Do not copy a message or attachment belonging to another user without permission of the originator
bull Do not disguise or attempt to disguise your identity when sending mail
Best Practices
BD Mortgage Group LLC considers email as an important means of communication and recognizes the
importance of proper email content and speedy replies in conveying a professional image and delivering good
customer service Therefore BD Mortgage Group LLC wishes users to adhere to the following guidelines
Writing emails
bull Signatures must include your name job title and BD Mortgage Group LLC A disclaimer will be added
underneath your signature (see Disclaimer)
bull Use the spell checker before you send out an email
bull Do not send unnecessary attachments Compress attachments larger than 200K before sending them
bull Do not write emails in capitals
bull Do not use cc or bcc fields unless the cc or bcc recipient is aware that you will be copying a mail to
himher and knows what action if any to take
bull If you forward mails state clearly what action you expect the recipient to take
bull Only send emails of which the content could be displayed on a public notice board If they cannot be
displayed publicly in their current state consider rephrasing the email using other means of
communication or protecting information by using a password (see confidential)
bull Only mark emails as important if they really are important
Replying to emails
Emails should be answered within at least 8 working hours but users must endeavor to answer priority emails
within 4 hours
Priority emails are emails from existing customers and business partners
BD MORTGAGE GROUP LLC 14
Newsgroups
Users need to request permission from their supervisor before subscribing to a newsletter or news group
Maintenance
Delete any email messages that you do not need to have a copy of and set your email client to automatically
empty your lsquodeleted itemsrsquo on closing
Personal Use
Although BD Mortgage Group LLC email system is meant for business use BD Mortgage Group LLC allows
the reasonable use of email for personal use if certain guidelines are adhered to
bull Personal use of email should not interfere with work
bull Personal emails must also adhere to the guidelines in this policy
bull Personal emails are kept in a separate folder named lsquoPrivatersquo The emails in this folder must be deleted weekly
so as not to clog up the system
bull The forwarding of chain letters junk mail jokes and executables is strictly forbidden
bull On average users are not allowed to send more than 2 personal emails a day
bull Do not send mass mailings
bull All messages distributed via the companyrsquos email system even personal emails are BD Mortgage Group
LLCrsquos property
Confidential Information
Avoid sending confidential information by e-mail If you do you must secure the information by including it in
a Microsoft Word Excel or PDF file and protect it with a password Then provide the recipient with the password
by means of other communication for instance by telephone
Disclaimer
The following disclaimer will be added to each outgoing email
lsquoThis email and any files transmitted with it are confidential and intended solely for the use of the individual or
entity to which they are addressed If you have received this email in error please notify the system manager
Please note that any views or opinions presented in this email are solely those of the author and do not necessarily
represent those of the company Finally the recipient should check this email and any attachments for the presence
of viruses The company accepts no liability for any damage caused by any virus transmitted by this emailrsquo
System Monitoring
You must have no expectation of privacy in anything you create store send or receive on the companyrsquos computer
system Your emails can be monitored without prior notification if BD Mortgage Group LLC deems this
necessary If there is evidence that you are not adhering to the guidelines set out in this policy the BD Mortgage
Group LLC reserves the right to take disciplinary action including termination andor legal action
BD MORTGAGE GROUP LLC 15
Secure Fax Transmission
The legacy of fax transmission in the mortgage industry is long The risk of using fax transmissions is that the
sender has no idea whether the recipient is attending to the machine while the document is being received printed
and then available for viewing In order to prevent the compromise of secure information never send information
to an unattended facsimile machine If you can confirm that the recipient is standing at the machine it is acceptable
to proceed with communications in this manner
Alternatively we can provide an ldquoE-faxrdquo account for individual users This allows the transmission of facsimiles
via e-mail to a secure login account
For transmitting paper documents always create a password protected document and deliver the password to the
recipient using a different method of communication such as the telephone
Secure Telephone Communications
Vishing is the criminal practice of using social engineering and Voice over IP (VoIP) to gain access to private
personal and financial information from the public for the purpose of financial reward The term is a combination
of voice and phishing Vishing exploits the publics trust in landline telephone services which have traditionally
terminated in physical locations which are known to the telephone company and associated with a bill-payer
The victim is often unaware that VoIP allows for caller ID spoofing inexpensive complex automated systems
and anonymity for the bill-payer Vishing is typically used to steal credit card numbers or other information used
in identity theft schemes from individuals
According to the FBIs Internet Crime Complaint Center (IC3) the number of vishing complaints received by
the center is increasing at what it calls an alarming rate Vishing and phishing are related and both rely on e-
mail as a means of delivering bait but the two use different hooks in order to snag user data
Vishing starts with an e-mail like phishing but requests that end-users contact a particular institution by phone
in order to resolve an issue or re-secure personal data People who call the provided number will be asked to
provide the same types of data phishers attempt to procure Ironically vishing e-mails may even attempt to
reassure recipients of their legitimacy by stating that the institution in question would never request customer
financial data via e-mail or IM
As always the best defense against phishing or vishing is a little common sense If your bank or other financial
institution with which you are affiliated contacts you requesting personal data hang up (or call them) using only
the number provided on the back of your card or official statement If you cant get confirmation that the request
is actually legitimate dont follow up on it
BD MORTGAGE GROUP LLC 16
Social Engineering Scams ndash Internal and External Prevention
One of the most prevalent forms of online scams is referred to as a seemingly benign term social engineering
This practice which is sometimes referred to as phishing refers to using trickery to get people to voluntarily
hand over critical information such as usernames or passwords
In many cases spam filters can easily detect the clumsier social engineering efforts and thus spare computer
users from grief However there are a growing number of sophisticated efforts that are crafted to circumvent the
spam filters - and unsuspecting customers that click into these cleverly disguised emails run the risk of facing
serious repercussions
Social engineering attacks mimic an email notification from a well-known and trusted source financial
institutions LinkedIn PayPal the Better Business Bureau Facebook and so forth The attackers create an email
that looks exactly like the normal system notices that are sent out by those entities but they change the links to
hit their own servers
The most classic example is an email that sends a dire notice with a link to login and check on a potential problem
When a person clicks on the link it takes him or her to a page on the cyber attackerrsquos servers that looks just like
the well-known entitys login page
When a person enters his or her username and password this information is stored in a database on the phony
server while an error box appears that says Invalid username or password please try again This error box
message comes with an OK button that when clicked redirects the person to the real login page
People may not realize there is a problem because passwords are obscured with asterisks so it is natural to assume
there was a typo during the initial password entry However the miscreants now have the persons username and
password
So what does this mean to mortgage bankers if someone gets tricked into thinking a social engineering scam
message really came from Facebook or LinkedIn Quite simply many people have the same usernames and
passwords for multiple websites Thus a person who has unwittingly surrendered his or her personal information
for a Facebook page might not realize that the social engineering scam artists could later use that information to
gain access to online mortgage banking accounts
BD Mortgage Group LLC needs to take a proactive approach in educating customers on how to identify potential
scams that pop up in their email in-boxes Here are some safety tips we send out to all customers
1 Dont click links from emails Instead open a Web browser and specifically go to the site in question and login
directly It is not common for financial institutions to have a click here to login link within their email
communications
2 Be suspicious of serious warnings and dollar amounts posted directly in emails Financial services companies
are not in the habit of sending customers panic-inducing messages of low account balances or other account
discrepancies with details plainly shown in the email Warnings are more discreet and merely direct the customer
to go log in for details
3 Use mouse-overs to view a link before clicking Although not all email software and hardware devices support
them a mouse-over can quickly and easily identify the links within an email message
4 Try not to use the same password at multiple sites Use a password program to store and remember online
access data
BD MORTGAGE GROUP LLC 17
5 Routinely update passwords Updating passwords even once a year is an easy way to stay one step ahead of
the social engineering scammers
Invite customers who are in doubt about the veracity of emails to forward them to BD Mortgage Group LLC for
verification Several sites that have been the subject of social engineering scams including eBay and PayPal have
special email accounts that receive review and keep track of these online frauds These spoof-checking efforts
will help empower the customer to ensure that BD Mortgage Group LLC does not become the victim of the next
big Internet fraud
BD MORTGAGE GROUP LLC 18
Data Breach Policy Implementation Guide
The response to any breach of personally identifiable information (PII) can have a critical impact on the BD
Mortgage Group LLCrsquos reputation and how trustworthy the public perceives the company Thus exceptional care
must be taken when responding to data breach incidents Not all incidents result in data breaches and not all data
breaches require notification This guide is to assist the Data Breach Team in developing an appropriate response
to a data breach based on the specific characteristics of the incident
Background
This Data Breach Policy Implementation Guide is based on the Presidentrsquos Identity Theft Task Force
recommendations that provide a menu of steps for the company to consider so that it may pursue a risk-based
tailored response to data breach incidents
Definition of Breach
A breach is a loss of control compromise unauthorized disclosure unauthorized acquisition unauthorized
access or any similar term referring to situations where persons other than authorized users and for an authorized
purpose have access or potential access to PII in usable form whether physical or electronic
Reporting Breaches and Breach Response Team
Breach is immediately reported to
bull Chief Privacy Officer (CPO)
bull Chief Information Officer (CIO)
bull Chief IT Security Office (ITSO)
bull Associate Director for Communications
bull Chief Office of Analysis and Executive Support (OAES)
bull As warranted
bull Chief Office of Security
bull General Counsel
bull Law Enforcement
Risk Assessment Process
Risk is a function of the probability or likelihood of a privacy violation and the resulting impact of that violation
To assign a risk score assess the probability of the event (data breach) occurring and then assess the impact or
harm caused to an individual and our organization in its ability to achieve its mission
BD MORTGAGE GROUP LLC 19
Likelihood Likelihood Definition
High (H) The nature of the attack and the data indicate that the motivation is criminal intent the security of the data and controls to minimize the likelihood of a privacy violation are ineffective
Medium (M)
The nature of the attack and data indicate that the motivation could be criminal intent but controls are in place that may impede success
Low (L) The nature of the attack and data do not indicate criminal intent and security and controls are in place to prevent or at least significantly impede the likelihood of a privacy violation
To assess likelihood of a breach occurring consider five factors
1 How the loss occurred
2 Data elements breached
3 Ability to access the data - the likelihood the personal information will be or has been compromised ndash made
accessible to and usable by unauthorized persons
4 Ability to mitigate the risk of harm
5 Evidence of data being used for identity theft or other harm
1 How Loss Occurred
H - Online system hacked
H - Data was targeted
M - Device was targeted
M - Device stolen
L - Device lost
2 Data Elements Breached
H - Social Security Number
H - Biometric record
H - Financial account number
H - PIN or security code for financial account
H - Health data
M - Birthdate
M - Government Issued Identification Number (drivers license etc)
L - Name
L - Address
L - Telephone Number
A combination of identifying information and financial or security information should always be considered a
high risk with high likelihood of harm occurring
3 Ability to access data
H ndash paper records or electronic records in a spreadsheet that is not password protected
M ndash electronic records that are password protected only
L ndash electronic records that are password protected and encrypted
4 Ability to mitigate the risk of harm
H ndash no recovery of data
M ndash partial recovery of data
L ndash recovery of data prior to use
BD MORTGAGE GROUP LLC 20
5 Evidence of data being used for identity theft or other harm
H ndash Data published on the web
M ndash Data accessed but no direct evidence of use
L ndash No tangible evidence of data use
After evaluating each factor and assigning an overall probability or likelihood of a breach occurring review and
assess the impact or harm to an individual or our organization
Impact Rating
Impact Definition
High Event (1) may result in human death or serious injury or harm to individual (2) may result in high costs to organization or (3) may significantly violate harm or impede an organizationrsquos mission reputation or interest
Medium Event (1) may result in injury or harm to the individual (2) may result in costs to the organization or (3) may violate harm or impede an organizationrsquos mission reputation or interest
Low Event (1) may result in the loss of some tangible organizational assets or resources or (2) may noticeably affect an organizationrsquos mission reputation or interest
The impact depends on the extent to which the breach poses a risk of identity theft or other substantial harm to an
individual such as embarrassment inconvenience unfairness harm to reputation or the potential for harassment
or prejudice particularly when health or financial benefits information is involved
Financial considerations can be factored in when determining the impact on our organization For instance credit
monitoring is generally estimated at $20 per year per case (individual) The costs associated with implementing
a call center including staff salaries may also be a factor Alternatively the cost of contracting for this service
could be a factor
BD MORTGAGE GROUP LLC 21
Assigning Risk Score
The risk score is determined by cross-referencing the likelihood score with the impact score
Likelihood Impact
Low Medium High
High Medium High High
Medium Low Medium High
Low Low Low Medium
Notification of Individuals
The risk score assigned will help determine if and when we should provide notification If the likelihood of risk
is low there could be more harm or impact on the individual if notification is provided due to the actions the
notified individual may take Thus notification must be weighed with the likelihood of risk No notification may
be required when the risk levels of each of the five factors is low If the likelihood of risk is high and the level of
impact or harm to the individual is medium notification and remedy may be required Alternatively if the
likelihood of risk is low and the level of impact or harm to the individual is high notification only may be required
If the five factors are considered appropriately it is more likely that notification will only be given in those
instances where there is a reasonable risk of harm and will not lead to the overuse of notification and thus the
associated further complications to the individual
Thus consideration should be given to all factors when determining final actions to take when addressing each
incident The table below should only be used as guide and conditions may warrant actions above or below those
associated with the final risk score
Risk Score Necessary Action
High Notify and provide remedy
Medium Notify only
Low Monitor only
Timing of Notification
Notice will be provided within a reasonable time following the discovery of a breach consistent with the legitimate
needs of law enforcement and any measures necessary for the Census Bureau to determine the scope of the breach
and if applicable to restore the reasonable integrity of the systemprocess that was compromised
In some circumstances law enforcement considerations may require a delay in notification if the investigation of
the breach or of an individual affected by the breach requires it and notification would seriously impede the
investigation The delay should not exacerbate risk or harm to any affected individual(s) or be tied to the
completion of the investigation but rather be based on whether it would seriously impede the investigation to
provide the notice promptly
Responsibility for Notification
The notice should come from a senior BD Mortgage Group LLC representative
BD MORTGAGE GROUP LLC 22
Content of Notification
The notice must be clear concise conspicuous easy-to-understand in plain language and should include the
following elements
bull A brief description of what happened including the date(s) of the breach and its discovery
bull A description of the types of personal information that were involved in the breach (eg full name Social
Security number date of birth home address account number disability code etc) to the extent possible
bull What steps if any an individual should take to protect himself from potential harm
bull What BD Mortgage Group LLC is doing if anything to investigate the breach to mitigate losses and to
protect against any further breaches
bull Who and how affected individuals should contact BD Mortgage Group LLC for more information including
a toll-free telephone number e-mail address and postal address
bull Direction to additional guidance available from the Federal Trade Commission at
httpwwwconsumergovidtheft
Minimizing your risk at httpwwwconsumergovidtheftcon_minimizehtm
Publications at httpwwwconsumergovidtheftcon_pubshtm
Method of Communication
Notice of the breach will be provided commensurate to the number of individuals affected by the breach and the
availability of contact information BD Mortgage Group LLC has for the affected individuals Correspondence
must be prominently marked on the exterior reflecting the importance of the communication to help ensure the
recipient does not discard or otherwise ignore the notification
In general the primary means of notification will be by first-class mail to the last known mailing address of the
individual based on BD Mortgage Group LLC records
Where we have reason to believe that the address is no longer current reasonable efforts will be made to update
the address using the US Postal Service National Change of Address (NCOA) database
Substitute notice may be made in instances where BD Mortgage Group LLC does not have sufficient contact
information for those who need to be notified In such instances notice may consist of a conspicuous posting of
the notice on the companyrsquos home page of its web site and include additional information in a Frequently Asked
Questions (FAQ)
BD MORTGAGE GROUP LLC 23
Process for Remediation of a Breach
Remedy is provided when the risk score is High
Credit Monitoring Data Breach Risk Packages (ie Lifelock)
Low Risk Package Low Risk Package Includes
1048707 Social Security Credit Card and 1 Bureau Credit Report Monitoring 1048707 3 Bureau Initial Fraud Alert 1048707 Credit Card Registry 1048707 Online Identity Theft Assistance 1048707 24 x 7 Customer Support
Medium Risk Package Medium Risk includes Low Risk benefits plus 1048707 Instant 1 Bureau Credit Report 1048707 Instant 1 Bureau Credit Score 1048707 Personal Information Directory Monitoring and Deletion 1048707 Identity Theft Consumer Guide 1048707 $25000 ($0 deductible) Identity Theft Insurance
High Risk Package High Risk includes Medium Risk benefits plus 1048707 3 Bureau Credit Report Monitoring 1048707 Instant 3 in 1 Credit Report 1048707 Instant 3 Bureau Credit Scores 1048707 Fraud Resolution amp Identity Restoration Specialist
BD MORTGAGE GROUP LLC 24
Reporting a Data Breach
Security Breach Notification Laws have been enacted in most US states since 2002 These laws were enacted in
response to an escalating number of breaches of consumer databases containing personally identifiable
information The first such law the California data security breach notification law was enacted in 2002 and
became effective on July 1 2003 As related in the bill statement law requires a state agency or a person or
business that conducts business in California that owns or licenses computerized data that includes personal
information as defined to disclose in specified ways any breach of the security of the data as defined to any
resident of California whose unencrypted personal information was or is reasonably believed to have been
acquired by an unauthorized person In addition the law permits delayed notification if a law enforcement
agency determines that it would impede a criminal investigation The law also requires any entity that licenses
such information to notify the owner or licensee of the information of any breach in the security of the data
The California law has been the model for the enactment of similar laws in other states The National Conference
of State Legislatures maintains a list of enacted and proposed security breach notification laws
BD MORTGAGE GROUP LLC 25
BD MORTGAGE GROUP LLC 26
2-90-29 - Information Security Audit
To ensure security of our systems and that we comply with rules for customer information security we conduct
an annual audit of our information technology systems A provider qualified to review our independent
information technology in conjunction with mortgage procedures must conduct this audit
Since we do not have any proprietary information technology but utilize software and services provided by
vendors exclusively we rely on the qualified audits of the technology provided by these vendors This is
conducted in conjunction with our annual vendor approval process
Vendor Category Vendor Name Information Tech Cert Date
Loan Origination System
E-Disclosure
Data Back-up
Web 1003 Application
Pricing and Eligibility
Document Management
E-Fax
Voice-MailTelephony
NetworkInternet Service
Office SupportCleanerLandlord
Courier
In addition we assume that other licensed entities with which we do business have had their plans reviewed and
found acceptable Consequently we do not audit our mortgage lender business partners
Internal Policies for Information Security Management
In addition to these procedures please refer to our internal Information Security Plan and Red Flags for our
ongoing Information Security procedures
BD MORTGAGE GROUP LLC 9
General Records Retention Schedule
Corporate Records
Annual Reports to Secretary of StateAttorney General Permanent
Articles of Incorporation Permanent
Board Meeting and Board Committee Minutes Permanent
Board PoliciesResolutions Permanent
By-laws Permanent
Construction Documents Permanent
Fixed Asset Records Permanent
IRS Application for Tax-Exempt Status (Form 1023) Permanent
IRS Determination Letter Permanent
State Sales Tax Exemption Letter Permanent
Contracts (after expiration) 7 years
Correspondence (general) 3 years
Accounting and Corporate Tax Records
Annual Audits and Financial Statements Permanent
Depreciation Schedules Permanent
General Ledgers Permanent
IRS 990 Tax Returns Permanent
Business Expense Records 7 years
IRS 1099s 7 years
Journal Entries 7 years
Invoices 7 years
Sales Records (box office concessions gift shop) 5 years
Petty Cash Vouchers 3 years
Cash Receipts 3 years
Credit Card Receipts 3 years
Bank Records
Check Registers Permanent
Bank Deposit Slips 7 years
Bank Statements and Reconciliation 7 years
Electronic Fund Transfer Documents 7 years
Payroll and Employment Tax Records
Payroll Registers Permanent
State Unemployment Tax Records Permanent
Earnings Records 7 years
Garnishment Records 7 years
Payroll Tax returns 7 years
W-2 Statements 7 years
Employee Records
Employment and Termination Agreements Permanent
Retirement and Pension Plan Documents Permanent
Records Relating to Promotion Demotion or Discharge 7 years after termination
Accident Reports and Workerrsquos Compensation Records 5 years
Salary Schedules 5 years
Employment Applications 3 years
I-9 Forms 3 years after termination
Time Cards 2 years
Loan File Records
Loan Application Copy File 5 years after completion
Loan Servicing File 5 years after loan payoff
BD MORTGAGE GROUP LLC 10
BD MORTGAGE GROUP LLC 11
Electronic Documents and Records
Electronic documents will be retained as if they were paper documents Therefore any electronic files including
records of donations made online that fall into one of the document types on the above schedule will be
maintained for the appropriate amount of time If a user has sufficient reason to keep an email message the
message should be printed in hard copy and kept in the appropriate file or moved to an ldquoarchiverdquo computer file
folder Backup and recovery methods will be tested on a regular basis
See ndash E-SIGN Policy and Procedure
Emergency Planning
BD Mortgage Group LLCrsquos records will be stored in a safe secure and accessible manner Documents and
financial files that are essential to keeping BD Mortgage Group LLC operating in an emergency will be duplicated
or backed up at least every week and maintained off site
BD MORTGAGE GROUP LLC 12
Document Destruction
BD Mortgage Group LLCrsquos designated ldquoInformation Security and Red Flag ID Theft Planrdquo individual is
responsible for the ongoing process of identifying records which have met the required retention period and
overseeing their destruction Destruction of financial and personnel-related documents will be accomplished by
shredding
Document destruction will be suspended immediately upon any indication of an official investigation or when a
lawsuit is filed or appears imminent Destruction will be reinstated upon conclusion of the investigation
Compliance
Failure on the part of employees to follow this policy can result in possible civil and criminal sanctions against
BD Mortgage Group LLC and its employees and possible disciplinary action against responsible individuals The
chief financial officer and finance committee chair will periodically review these procedures with legal counsel
or the organizationrsquos certified public accountant to ensure that they are in compliance with new or revised
regulations
Onsite Records Storage Policy
Active closed or denied loan application copies exclusive of delivery file documentation subject to the Funding
Warehousing Delivery and Servicing Setup process will be stored in the branch These files will be indexed by
month and alphabetically by borrower last name File cabinets must be locked and keys are maintained by the
operations manager and may be accessed under supervision during business hours
Offsite Records Storage
If due to space concerns there is insufficient room in the branch location to provide file storage off-site records
storage may be utilized through a secure bonded professional records Management Company that is a member
of the American Business Records Management Association Records of each file box sent to Archive must be
maintained current by the operations manager and must be available for immediate inspection within 2 hoursrsquo
notice
The purpose of this policy is to ensure the proper use of BD Mortgage Group LLCrsquos email system and make users
aware of what BD Mortgage Group LLC deems as acceptable and unacceptable use of its email system The BD
Mortgage Group LLC reserves the right to amend this policy at its discretion In case of amendments users will
be informed appropriately
BD MORTGAGE GROUP LLC 13
Electronic Communication
Email is a business communication tool and users are obliged to use this tool in a responsible effective and lawful
manner Although by its nature email seems to be less formal than other written communication the same laws
apply Therefore it is important that users are aware of the legal risks of e-mail
By following the guidelines in this policy the email user can minimize the legal risks involved in the use of e-
mail If any user disregards the rules set out in this Email Policy the user will be fully liable and BD Mortgage
Group LLC will disassociate itself from the user as far as legally possible
The following rules are required by law and are to be strictly adhered to
bull It is strictly prohibited to send or forward emails containing libelous defamatory offensive racist or
obscene remarks If you receive an e-mail of this nature you must promptly notify your supervisor
bull Do not forward a message without acquiring permission from the sender first
bull Do not send unsolicited email messages
bull Do not forge or attempt to forge email messages
bull Do not send email messages using another personrsquos email account
bull Do not copy a message or attachment belonging to another user without permission of the originator
bull Do not disguise or attempt to disguise your identity when sending mail
Best Practices
BD Mortgage Group LLC considers email as an important means of communication and recognizes the
importance of proper email content and speedy replies in conveying a professional image and delivering good
customer service Therefore BD Mortgage Group LLC wishes users to adhere to the following guidelines
Writing emails
bull Signatures must include your name job title and BD Mortgage Group LLC A disclaimer will be added
underneath your signature (see Disclaimer)
bull Use the spell checker before you send out an email
bull Do not send unnecessary attachments Compress attachments larger than 200K before sending them
bull Do not write emails in capitals
bull Do not use cc or bcc fields unless the cc or bcc recipient is aware that you will be copying a mail to
himher and knows what action if any to take
bull If you forward mails state clearly what action you expect the recipient to take
bull Only send emails of which the content could be displayed on a public notice board If they cannot be
displayed publicly in their current state consider rephrasing the email using other means of
communication or protecting information by using a password (see confidential)
bull Only mark emails as important if they really are important
Replying to emails
Emails should be answered within at least 8 working hours but users must endeavor to answer priority emails
within 4 hours
Priority emails are emails from existing customers and business partners
BD MORTGAGE GROUP LLC 14
Newsgroups
Users need to request permission from their supervisor before subscribing to a newsletter or news group
Maintenance
Delete any email messages that you do not need to have a copy of and set your email client to automatically
empty your lsquodeleted itemsrsquo on closing
Personal Use
Although BD Mortgage Group LLC email system is meant for business use BD Mortgage Group LLC allows
the reasonable use of email for personal use if certain guidelines are adhered to
bull Personal use of email should not interfere with work
bull Personal emails must also adhere to the guidelines in this policy
bull Personal emails are kept in a separate folder named lsquoPrivatersquo The emails in this folder must be deleted weekly
so as not to clog up the system
bull The forwarding of chain letters junk mail jokes and executables is strictly forbidden
bull On average users are not allowed to send more than 2 personal emails a day
bull Do not send mass mailings
bull All messages distributed via the companyrsquos email system even personal emails are BD Mortgage Group
LLCrsquos property
Confidential Information
Avoid sending confidential information by e-mail If you do you must secure the information by including it in
a Microsoft Word Excel or PDF file and protect it with a password Then provide the recipient with the password
by means of other communication for instance by telephone
Disclaimer
The following disclaimer will be added to each outgoing email
lsquoThis email and any files transmitted with it are confidential and intended solely for the use of the individual or
entity to which they are addressed If you have received this email in error please notify the system manager
Please note that any views or opinions presented in this email are solely those of the author and do not necessarily
represent those of the company Finally the recipient should check this email and any attachments for the presence
of viruses The company accepts no liability for any damage caused by any virus transmitted by this emailrsquo
System Monitoring
You must have no expectation of privacy in anything you create store send or receive on the companyrsquos computer
system Your emails can be monitored without prior notification if BD Mortgage Group LLC deems this
necessary If there is evidence that you are not adhering to the guidelines set out in this policy the BD Mortgage
Group LLC reserves the right to take disciplinary action including termination andor legal action
BD MORTGAGE GROUP LLC 15
Secure Fax Transmission
The legacy of fax transmission in the mortgage industry is long The risk of using fax transmissions is that the
sender has no idea whether the recipient is attending to the machine while the document is being received printed
and then available for viewing In order to prevent the compromise of secure information never send information
to an unattended facsimile machine If you can confirm that the recipient is standing at the machine it is acceptable
to proceed with communications in this manner
Alternatively we can provide an ldquoE-faxrdquo account for individual users This allows the transmission of facsimiles
via e-mail to a secure login account
For transmitting paper documents always create a password protected document and deliver the password to the
recipient using a different method of communication such as the telephone
Secure Telephone Communications
Vishing is the criminal practice of using social engineering and Voice over IP (VoIP) to gain access to private
personal and financial information from the public for the purpose of financial reward The term is a combination
of voice and phishing Vishing exploits the publics trust in landline telephone services which have traditionally
terminated in physical locations which are known to the telephone company and associated with a bill-payer
The victim is often unaware that VoIP allows for caller ID spoofing inexpensive complex automated systems
and anonymity for the bill-payer Vishing is typically used to steal credit card numbers or other information used
in identity theft schemes from individuals
According to the FBIs Internet Crime Complaint Center (IC3) the number of vishing complaints received by
the center is increasing at what it calls an alarming rate Vishing and phishing are related and both rely on e-
mail as a means of delivering bait but the two use different hooks in order to snag user data
Vishing starts with an e-mail like phishing but requests that end-users contact a particular institution by phone
in order to resolve an issue or re-secure personal data People who call the provided number will be asked to
provide the same types of data phishers attempt to procure Ironically vishing e-mails may even attempt to
reassure recipients of their legitimacy by stating that the institution in question would never request customer
financial data via e-mail or IM
As always the best defense against phishing or vishing is a little common sense If your bank or other financial
institution with which you are affiliated contacts you requesting personal data hang up (or call them) using only
the number provided on the back of your card or official statement If you cant get confirmation that the request
is actually legitimate dont follow up on it
BD MORTGAGE GROUP LLC 16
Social Engineering Scams ndash Internal and External Prevention
One of the most prevalent forms of online scams is referred to as a seemingly benign term social engineering
This practice which is sometimes referred to as phishing refers to using trickery to get people to voluntarily
hand over critical information such as usernames or passwords
In many cases spam filters can easily detect the clumsier social engineering efforts and thus spare computer
users from grief However there are a growing number of sophisticated efforts that are crafted to circumvent the
spam filters - and unsuspecting customers that click into these cleverly disguised emails run the risk of facing
serious repercussions
Social engineering attacks mimic an email notification from a well-known and trusted source financial
institutions LinkedIn PayPal the Better Business Bureau Facebook and so forth The attackers create an email
that looks exactly like the normal system notices that are sent out by those entities but they change the links to
hit their own servers
The most classic example is an email that sends a dire notice with a link to login and check on a potential problem
When a person clicks on the link it takes him or her to a page on the cyber attackerrsquos servers that looks just like
the well-known entitys login page
When a person enters his or her username and password this information is stored in a database on the phony
server while an error box appears that says Invalid username or password please try again This error box
message comes with an OK button that when clicked redirects the person to the real login page
People may not realize there is a problem because passwords are obscured with asterisks so it is natural to assume
there was a typo during the initial password entry However the miscreants now have the persons username and
password
So what does this mean to mortgage bankers if someone gets tricked into thinking a social engineering scam
message really came from Facebook or LinkedIn Quite simply many people have the same usernames and
passwords for multiple websites Thus a person who has unwittingly surrendered his or her personal information
for a Facebook page might not realize that the social engineering scam artists could later use that information to
gain access to online mortgage banking accounts
BD Mortgage Group LLC needs to take a proactive approach in educating customers on how to identify potential
scams that pop up in their email in-boxes Here are some safety tips we send out to all customers
1 Dont click links from emails Instead open a Web browser and specifically go to the site in question and login
directly It is not common for financial institutions to have a click here to login link within their email
communications
2 Be suspicious of serious warnings and dollar amounts posted directly in emails Financial services companies
are not in the habit of sending customers panic-inducing messages of low account balances or other account
discrepancies with details plainly shown in the email Warnings are more discreet and merely direct the customer
to go log in for details
3 Use mouse-overs to view a link before clicking Although not all email software and hardware devices support
them a mouse-over can quickly and easily identify the links within an email message
4 Try not to use the same password at multiple sites Use a password program to store and remember online
access data
BD MORTGAGE GROUP LLC 17
5 Routinely update passwords Updating passwords even once a year is an easy way to stay one step ahead of
the social engineering scammers
Invite customers who are in doubt about the veracity of emails to forward them to BD Mortgage Group LLC for
verification Several sites that have been the subject of social engineering scams including eBay and PayPal have
special email accounts that receive review and keep track of these online frauds These spoof-checking efforts
will help empower the customer to ensure that BD Mortgage Group LLC does not become the victim of the next
big Internet fraud
BD MORTGAGE GROUP LLC 18
Data Breach Policy Implementation Guide
The response to any breach of personally identifiable information (PII) can have a critical impact on the BD
Mortgage Group LLCrsquos reputation and how trustworthy the public perceives the company Thus exceptional care
must be taken when responding to data breach incidents Not all incidents result in data breaches and not all data
breaches require notification This guide is to assist the Data Breach Team in developing an appropriate response
to a data breach based on the specific characteristics of the incident
Background
This Data Breach Policy Implementation Guide is based on the Presidentrsquos Identity Theft Task Force
recommendations that provide a menu of steps for the company to consider so that it may pursue a risk-based
tailored response to data breach incidents
Definition of Breach
A breach is a loss of control compromise unauthorized disclosure unauthorized acquisition unauthorized
access or any similar term referring to situations where persons other than authorized users and for an authorized
purpose have access or potential access to PII in usable form whether physical or electronic
Reporting Breaches and Breach Response Team
Breach is immediately reported to
bull Chief Privacy Officer (CPO)
bull Chief Information Officer (CIO)
bull Chief IT Security Office (ITSO)
bull Associate Director for Communications
bull Chief Office of Analysis and Executive Support (OAES)
bull As warranted
bull Chief Office of Security
bull General Counsel
bull Law Enforcement
Risk Assessment Process
Risk is a function of the probability or likelihood of a privacy violation and the resulting impact of that violation
To assign a risk score assess the probability of the event (data breach) occurring and then assess the impact or
harm caused to an individual and our organization in its ability to achieve its mission
BD MORTGAGE GROUP LLC 19
Likelihood Likelihood Definition
High (H) The nature of the attack and the data indicate that the motivation is criminal intent the security of the data and controls to minimize the likelihood of a privacy violation are ineffective
Medium (M)
The nature of the attack and data indicate that the motivation could be criminal intent but controls are in place that may impede success
Low (L) The nature of the attack and data do not indicate criminal intent and security and controls are in place to prevent or at least significantly impede the likelihood of a privacy violation
To assess likelihood of a breach occurring consider five factors
1 How the loss occurred
2 Data elements breached
3 Ability to access the data - the likelihood the personal information will be or has been compromised ndash made
accessible to and usable by unauthorized persons
4 Ability to mitigate the risk of harm
5 Evidence of data being used for identity theft or other harm
1 How Loss Occurred
H - Online system hacked
H - Data was targeted
M - Device was targeted
M - Device stolen
L - Device lost
2 Data Elements Breached
H - Social Security Number
H - Biometric record
H - Financial account number
H - PIN or security code for financial account
H - Health data
M - Birthdate
M - Government Issued Identification Number (drivers license etc)
L - Name
L - Address
L - Telephone Number
A combination of identifying information and financial or security information should always be considered a
high risk with high likelihood of harm occurring
3 Ability to access data
H ndash paper records or electronic records in a spreadsheet that is not password protected
M ndash electronic records that are password protected only
L ndash electronic records that are password protected and encrypted
4 Ability to mitigate the risk of harm
H ndash no recovery of data
M ndash partial recovery of data
L ndash recovery of data prior to use
BD MORTGAGE GROUP LLC 20
5 Evidence of data being used for identity theft or other harm
H ndash Data published on the web
M ndash Data accessed but no direct evidence of use
L ndash No tangible evidence of data use
After evaluating each factor and assigning an overall probability or likelihood of a breach occurring review and
assess the impact or harm to an individual or our organization
Impact Rating
Impact Definition
High Event (1) may result in human death or serious injury or harm to individual (2) may result in high costs to organization or (3) may significantly violate harm or impede an organizationrsquos mission reputation or interest
Medium Event (1) may result in injury or harm to the individual (2) may result in costs to the organization or (3) may violate harm or impede an organizationrsquos mission reputation or interest
Low Event (1) may result in the loss of some tangible organizational assets or resources or (2) may noticeably affect an organizationrsquos mission reputation or interest
The impact depends on the extent to which the breach poses a risk of identity theft or other substantial harm to an
individual such as embarrassment inconvenience unfairness harm to reputation or the potential for harassment
or prejudice particularly when health or financial benefits information is involved
Financial considerations can be factored in when determining the impact on our organization For instance credit
monitoring is generally estimated at $20 per year per case (individual) The costs associated with implementing
a call center including staff salaries may also be a factor Alternatively the cost of contracting for this service
could be a factor
BD MORTGAGE GROUP LLC 21
Assigning Risk Score
The risk score is determined by cross-referencing the likelihood score with the impact score
Likelihood Impact
Low Medium High
High Medium High High
Medium Low Medium High
Low Low Low Medium
Notification of Individuals
The risk score assigned will help determine if and when we should provide notification If the likelihood of risk
is low there could be more harm or impact on the individual if notification is provided due to the actions the
notified individual may take Thus notification must be weighed with the likelihood of risk No notification may
be required when the risk levels of each of the five factors is low If the likelihood of risk is high and the level of
impact or harm to the individual is medium notification and remedy may be required Alternatively if the
likelihood of risk is low and the level of impact or harm to the individual is high notification only may be required
If the five factors are considered appropriately it is more likely that notification will only be given in those
instances where there is a reasonable risk of harm and will not lead to the overuse of notification and thus the
associated further complications to the individual
Thus consideration should be given to all factors when determining final actions to take when addressing each
incident The table below should only be used as guide and conditions may warrant actions above or below those
associated with the final risk score
Risk Score Necessary Action
High Notify and provide remedy
Medium Notify only
Low Monitor only
Timing of Notification
Notice will be provided within a reasonable time following the discovery of a breach consistent with the legitimate
needs of law enforcement and any measures necessary for the Census Bureau to determine the scope of the breach
and if applicable to restore the reasonable integrity of the systemprocess that was compromised
In some circumstances law enforcement considerations may require a delay in notification if the investigation of
the breach or of an individual affected by the breach requires it and notification would seriously impede the
investigation The delay should not exacerbate risk or harm to any affected individual(s) or be tied to the
completion of the investigation but rather be based on whether it would seriously impede the investigation to
provide the notice promptly
Responsibility for Notification
The notice should come from a senior BD Mortgage Group LLC representative
BD MORTGAGE GROUP LLC 22
Content of Notification
The notice must be clear concise conspicuous easy-to-understand in plain language and should include the
following elements
bull A brief description of what happened including the date(s) of the breach and its discovery
bull A description of the types of personal information that were involved in the breach (eg full name Social
Security number date of birth home address account number disability code etc) to the extent possible
bull What steps if any an individual should take to protect himself from potential harm
bull What BD Mortgage Group LLC is doing if anything to investigate the breach to mitigate losses and to
protect against any further breaches
bull Who and how affected individuals should contact BD Mortgage Group LLC for more information including
a toll-free telephone number e-mail address and postal address
bull Direction to additional guidance available from the Federal Trade Commission at
httpwwwconsumergovidtheft
Minimizing your risk at httpwwwconsumergovidtheftcon_minimizehtm
Publications at httpwwwconsumergovidtheftcon_pubshtm
Method of Communication
Notice of the breach will be provided commensurate to the number of individuals affected by the breach and the
availability of contact information BD Mortgage Group LLC has for the affected individuals Correspondence
must be prominently marked on the exterior reflecting the importance of the communication to help ensure the
recipient does not discard or otherwise ignore the notification
In general the primary means of notification will be by first-class mail to the last known mailing address of the
individual based on BD Mortgage Group LLC records
Where we have reason to believe that the address is no longer current reasonable efforts will be made to update
the address using the US Postal Service National Change of Address (NCOA) database
Substitute notice may be made in instances where BD Mortgage Group LLC does not have sufficient contact
information for those who need to be notified In such instances notice may consist of a conspicuous posting of
the notice on the companyrsquos home page of its web site and include additional information in a Frequently Asked
Questions (FAQ)
BD MORTGAGE GROUP LLC 23
Process for Remediation of a Breach
Remedy is provided when the risk score is High
Credit Monitoring Data Breach Risk Packages (ie Lifelock)
Low Risk Package Low Risk Package Includes
1048707 Social Security Credit Card and 1 Bureau Credit Report Monitoring 1048707 3 Bureau Initial Fraud Alert 1048707 Credit Card Registry 1048707 Online Identity Theft Assistance 1048707 24 x 7 Customer Support
Medium Risk Package Medium Risk includes Low Risk benefits plus 1048707 Instant 1 Bureau Credit Report 1048707 Instant 1 Bureau Credit Score 1048707 Personal Information Directory Monitoring and Deletion 1048707 Identity Theft Consumer Guide 1048707 $25000 ($0 deductible) Identity Theft Insurance
High Risk Package High Risk includes Medium Risk benefits plus 1048707 3 Bureau Credit Report Monitoring 1048707 Instant 3 in 1 Credit Report 1048707 Instant 3 Bureau Credit Scores 1048707 Fraud Resolution amp Identity Restoration Specialist
BD MORTGAGE GROUP LLC 24
Reporting a Data Breach
Security Breach Notification Laws have been enacted in most US states since 2002 These laws were enacted in
response to an escalating number of breaches of consumer databases containing personally identifiable
information The first such law the California data security breach notification law was enacted in 2002 and
became effective on July 1 2003 As related in the bill statement law requires a state agency or a person or
business that conducts business in California that owns or licenses computerized data that includes personal
information as defined to disclose in specified ways any breach of the security of the data as defined to any
resident of California whose unencrypted personal information was or is reasonably believed to have been
acquired by an unauthorized person In addition the law permits delayed notification if a law enforcement
agency determines that it would impede a criminal investigation The law also requires any entity that licenses
such information to notify the owner or licensee of the information of any breach in the security of the data
The California law has been the model for the enactment of similar laws in other states The National Conference
of State Legislatures maintains a list of enacted and proposed security breach notification laws
BD MORTGAGE GROUP LLC 25
BD MORTGAGE GROUP LLC 26
2-90-29 - Information Security Audit
To ensure security of our systems and that we comply with rules for customer information security we conduct
an annual audit of our information technology systems A provider qualified to review our independent
information technology in conjunction with mortgage procedures must conduct this audit
Since we do not have any proprietary information technology but utilize software and services provided by
vendors exclusively we rely on the qualified audits of the technology provided by these vendors This is
conducted in conjunction with our annual vendor approval process
Vendor Category Vendor Name Information Tech Cert Date
Loan Origination System
E-Disclosure
Data Back-up
Web 1003 Application
Pricing and Eligibility
Document Management
E-Fax
Voice-MailTelephony
NetworkInternet Service
Office SupportCleanerLandlord
Courier
In addition we assume that other licensed entities with which we do business have had their plans reviewed and
found acceptable Consequently we do not audit our mortgage lender business partners
Internal Policies for Information Security Management
In addition to these procedures please refer to our internal Information Security Plan and Red Flags for our
ongoing Information Security procedures
BD MORTGAGE GROUP LLC 10
BD MORTGAGE GROUP LLC 11
Electronic Documents and Records
Electronic documents will be retained as if they were paper documents Therefore any electronic files including
records of donations made online that fall into one of the document types on the above schedule will be
maintained for the appropriate amount of time If a user has sufficient reason to keep an email message the
message should be printed in hard copy and kept in the appropriate file or moved to an ldquoarchiverdquo computer file
folder Backup and recovery methods will be tested on a regular basis
See ndash E-SIGN Policy and Procedure
Emergency Planning
BD Mortgage Group LLCrsquos records will be stored in a safe secure and accessible manner Documents and
financial files that are essential to keeping BD Mortgage Group LLC operating in an emergency will be duplicated
or backed up at least every week and maintained off site
BD MORTGAGE GROUP LLC 12
Document Destruction
BD Mortgage Group LLCrsquos designated ldquoInformation Security and Red Flag ID Theft Planrdquo individual is
responsible for the ongoing process of identifying records which have met the required retention period and
overseeing their destruction Destruction of financial and personnel-related documents will be accomplished by
shredding
Document destruction will be suspended immediately upon any indication of an official investigation or when a
lawsuit is filed or appears imminent Destruction will be reinstated upon conclusion of the investigation
Compliance
Failure on the part of employees to follow this policy can result in possible civil and criminal sanctions against
BD Mortgage Group LLC and its employees and possible disciplinary action against responsible individuals The
chief financial officer and finance committee chair will periodically review these procedures with legal counsel
or the organizationrsquos certified public accountant to ensure that they are in compliance with new or revised
regulations
Onsite Records Storage Policy
Active closed or denied loan application copies exclusive of delivery file documentation subject to the Funding
Warehousing Delivery and Servicing Setup process will be stored in the branch These files will be indexed by
month and alphabetically by borrower last name File cabinets must be locked and keys are maintained by the
operations manager and may be accessed under supervision during business hours
Offsite Records Storage
If due to space concerns there is insufficient room in the branch location to provide file storage off-site records
storage may be utilized through a secure bonded professional records Management Company that is a member
of the American Business Records Management Association Records of each file box sent to Archive must be
maintained current by the operations manager and must be available for immediate inspection within 2 hoursrsquo
notice
The purpose of this policy is to ensure the proper use of BD Mortgage Group LLCrsquos email system and make users
aware of what BD Mortgage Group LLC deems as acceptable and unacceptable use of its email system The BD
Mortgage Group LLC reserves the right to amend this policy at its discretion In case of amendments users will
be informed appropriately
BD MORTGAGE GROUP LLC 13
Electronic Communication
Email is a business communication tool and users are obliged to use this tool in a responsible effective and lawful
manner Although by its nature email seems to be less formal than other written communication the same laws
apply Therefore it is important that users are aware of the legal risks of e-mail
By following the guidelines in this policy the email user can minimize the legal risks involved in the use of e-
mail If any user disregards the rules set out in this Email Policy the user will be fully liable and BD Mortgage
Group LLC will disassociate itself from the user as far as legally possible
The following rules are required by law and are to be strictly adhered to
bull It is strictly prohibited to send or forward emails containing libelous defamatory offensive racist or
obscene remarks If you receive an e-mail of this nature you must promptly notify your supervisor
bull Do not forward a message without acquiring permission from the sender first
bull Do not send unsolicited email messages
bull Do not forge or attempt to forge email messages
bull Do not send email messages using another personrsquos email account
bull Do not copy a message or attachment belonging to another user without permission of the originator
bull Do not disguise or attempt to disguise your identity when sending mail
Best Practices
BD Mortgage Group LLC considers email as an important means of communication and recognizes the
importance of proper email content and speedy replies in conveying a professional image and delivering good
customer service Therefore BD Mortgage Group LLC wishes users to adhere to the following guidelines
Writing emails
bull Signatures must include your name job title and BD Mortgage Group LLC A disclaimer will be added
underneath your signature (see Disclaimer)
bull Use the spell checker before you send out an email
bull Do not send unnecessary attachments Compress attachments larger than 200K before sending them
bull Do not write emails in capitals
bull Do not use cc or bcc fields unless the cc or bcc recipient is aware that you will be copying a mail to
himher and knows what action if any to take
bull If you forward mails state clearly what action you expect the recipient to take
bull Only send emails of which the content could be displayed on a public notice board If they cannot be
displayed publicly in their current state consider rephrasing the email using other means of
communication or protecting information by using a password (see confidential)
bull Only mark emails as important if they really are important
Replying to emails
Emails should be answered within at least 8 working hours but users must endeavor to answer priority emails
within 4 hours
Priority emails are emails from existing customers and business partners
BD MORTGAGE GROUP LLC 14
Newsgroups
Users need to request permission from their supervisor before subscribing to a newsletter or news group
Maintenance
Delete any email messages that you do not need to have a copy of and set your email client to automatically
empty your lsquodeleted itemsrsquo on closing
Personal Use
Although BD Mortgage Group LLC email system is meant for business use BD Mortgage Group LLC allows
the reasonable use of email for personal use if certain guidelines are adhered to
bull Personal use of email should not interfere with work
bull Personal emails must also adhere to the guidelines in this policy
bull Personal emails are kept in a separate folder named lsquoPrivatersquo The emails in this folder must be deleted weekly
so as not to clog up the system
bull The forwarding of chain letters junk mail jokes and executables is strictly forbidden
bull On average users are not allowed to send more than 2 personal emails a day
bull Do not send mass mailings
bull All messages distributed via the companyrsquos email system even personal emails are BD Mortgage Group
LLCrsquos property
Confidential Information
Avoid sending confidential information by e-mail If you do you must secure the information by including it in
a Microsoft Word Excel or PDF file and protect it with a password Then provide the recipient with the password
by means of other communication for instance by telephone
Disclaimer
The following disclaimer will be added to each outgoing email
lsquoThis email and any files transmitted with it are confidential and intended solely for the use of the individual or
entity to which they are addressed If you have received this email in error please notify the system manager
Please note that any views or opinions presented in this email are solely those of the author and do not necessarily
represent those of the company Finally the recipient should check this email and any attachments for the presence
of viruses The company accepts no liability for any damage caused by any virus transmitted by this emailrsquo
System Monitoring
You must have no expectation of privacy in anything you create store send or receive on the companyrsquos computer
system Your emails can be monitored without prior notification if BD Mortgage Group LLC deems this
necessary If there is evidence that you are not adhering to the guidelines set out in this policy the BD Mortgage
Group LLC reserves the right to take disciplinary action including termination andor legal action
BD MORTGAGE GROUP LLC 15
Secure Fax Transmission
The legacy of fax transmission in the mortgage industry is long The risk of using fax transmissions is that the
sender has no idea whether the recipient is attending to the machine while the document is being received printed
and then available for viewing In order to prevent the compromise of secure information never send information
to an unattended facsimile machine If you can confirm that the recipient is standing at the machine it is acceptable
to proceed with communications in this manner
Alternatively we can provide an ldquoE-faxrdquo account for individual users This allows the transmission of facsimiles
via e-mail to a secure login account
For transmitting paper documents always create a password protected document and deliver the password to the
recipient using a different method of communication such as the telephone
Secure Telephone Communications
Vishing is the criminal practice of using social engineering and Voice over IP (VoIP) to gain access to private
personal and financial information from the public for the purpose of financial reward The term is a combination
of voice and phishing Vishing exploits the publics trust in landline telephone services which have traditionally
terminated in physical locations which are known to the telephone company and associated with a bill-payer
The victim is often unaware that VoIP allows for caller ID spoofing inexpensive complex automated systems
and anonymity for the bill-payer Vishing is typically used to steal credit card numbers or other information used
in identity theft schemes from individuals
According to the FBIs Internet Crime Complaint Center (IC3) the number of vishing complaints received by
the center is increasing at what it calls an alarming rate Vishing and phishing are related and both rely on e-
mail as a means of delivering bait but the two use different hooks in order to snag user data
Vishing starts with an e-mail like phishing but requests that end-users contact a particular institution by phone
in order to resolve an issue or re-secure personal data People who call the provided number will be asked to
provide the same types of data phishers attempt to procure Ironically vishing e-mails may even attempt to
reassure recipients of their legitimacy by stating that the institution in question would never request customer
financial data via e-mail or IM
As always the best defense against phishing or vishing is a little common sense If your bank or other financial
institution with which you are affiliated contacts you requesting personal data hang up (or call them) using only
the number provided on the back of your card or official statement If you cant get confirmation that the request
is actually legitimate dont follow up on it
BD MORTGAGE GROUP LLC 16
Social Engineering Scams ndash Internal and External Prevention
One of the most prevalent forms of online scams is referred to as a seemingly benign term social engineering
This practice which is sometimes referred to as phishing refers to using trickery to get people to voluntarily
hand over critical information such as usernames or passwords
In many cases spam filters can easily detect the clumsier social engineering efforts and thus spare computer
users from grief However there are a growing number of sophisticated efforts that are crafted to circumvent the
spam filters - and unsuspecting customers that click into these cleverly disguised emails run the risk of facing
serious repercussions
Social engineering attacks mimic an email notification from a well-known and trusted source financial
institutions LinkedIn PayPal the Better Business Bureau Facebook and so forth The attackers create an email
that looks exactly like the normal system notices that are sent out by those entities but they change the links to
hit their own servers
The most classic example is an email that sends a dire notice with a link to login and check on a potential problem
When a person clicks on the link it takes him or her to a page on the cyber attackerrsquos servers that looks just like
the well-known entitys login page
When a person enters his or her username and password this information is stored in a database on the phony
server while an error box appears that says Invalid username or password please try again This error box
message comes with an OK button that when clicked redirects the person to the real login page
People may not realize there is a problem because passwords are obscured with asterisks so it is natural to assume
there was a typo during the initial password entry However the miscreants now have the persons username and
password
So what does this mean to mortgage bankers if someone gets tricked into thinking a social engineering scam
message really came from Facebook or LinkedIn Quite simply many people have the same usernames and
passwords for multiple websites Thus a person who has unwittingly surrendered his or her personal information
for a Facebook page might not realize that the social engineering scam artists could later use that information to
gain access to online mortgage banking accounts
BD Mortgage Group LLC needs to take a proactive approach in educating customers on how to identify potential
scams that pop up in their email in-boxes Here are some safety tips we send out to all customers
1 Dont click links from emails Instead open a Web browser and specifically go to the site in question and login
directly It is not common for financial institutions to have a click here to login link within their email
communications
2 Be suspicious of serious warnings and dollar amounts posted directly in emails Financial services companies
are not in the habit of sending customers panic-inducing messages of low account balances or other account
discrepancies with details plainly shown in the email Warnings are more discreet and merely direct the customer
to go log in for details
3 Use mouse-overs to view a link before clicking Although not all email software and hardware devices support
them a mouse-over can quickly and easily identify the links within an email message
4 Try not to use the same password at multiple sites Use a password program to store and remember online
access data
BD MORTGAGE GROUP LLC 17
5 Routinely update passwords Updating passwords even once a year is an easy way to stay one step ahead of
the social engineering scammers
Invite customers who are in doubt about the veracity of emails to forward them to BD Mortgage Group LLC for
verification Several sites that have been the subject of social engineering scams including eBay and PayPal have
special email accounts that receive review and keep track of these online frauds These spoof-checking efforts
will help empower the customer to ensure that BD Mortgage Group LLC does not become the victim of the next
big Internet fraud
BD MORTGAGE GROUP LLC 18
Data Breach Policy Implementation Guide
The response to any breach of personally identifiable information (PII) can have a critical impact on the BD
Mortgage Group LLCrsquos reputation and how trustworthy the public perceives the company Thus exceptional care
must be taken when responding to data breach incidents Not all incidents result in data breaches and not all data
breaches require notification This guide is to assist the Data Breach Team in developing an appropriate response
to a data breach based on the specific characteristics of the incident
Background
This Data Breach Policy Implementation Guide is based on the Presidentrsquos Identity Theft Task Force
recommendations that provide a menu of steps for the company to consider so that it may pursue a risk-based
tailored response to data breach incidents
Definition of Breach
A breach is a loss of control compromise unauthorized disclosure unauthorized acquisition unauthorized
access or any similar term referring to situations where persons other than authorized users and for an authorized
purpose have access or potential access to PII in usable form whether physical or electronic
Reporting Breaches and Breach Response Team
Breach is immediately reported to
bull Chief Privacy Officer (CPO)
bull Chief Information Officer (CIO)
bull Chief IT Security Office (ITSO)
bull Associate Director for Communications
bull Chief Office of Analysis and Executive Support (OAES)
bull As warranted
bull Chief Office of Security
bull General Counsel
bull Law Enforcement
Risk Assessment Process
Risk is a function of the probability or likelihood of a privacy violation and the resulting impact of that violation
To assign a risk score assess the probability of the event (data breach) occurring and then assess the impact or
harm caused to an individual and our organization in its ability to achieve its mission
BD MORTGAGE GROUP LLC 19
Likelihood Likelihood Definition
High (H) The nature of the attack and the data indicate that the motivation is criminal intent the security of the data and controls to minimize the likelihood of a privacy violation are ineffective
Medium (M)
The nature of the attack and data indicate that the motivation could be criminal intent but controls are in place that may impede success
Low (L) The nature of the attack and data do not indicate criminal intent and security and controls are in place to prevent or at least significantly impede the likelihood of a privacy violation
To assess likelihood of a breach occurring consider five factors
1 How the loss occurred
2 Data elements breached
3 Ability to access the data - the likelihood the personal information will be or has been compromised ndash made
accessible to and usable by unauthorized persons
4 Ability to mitigate the risk of harm
5 Evidence of data being used for identity theft or other harm
1 How Loss Occurred
H - Online system hacked
H - Data was targeted
M - Device was targeted
M - Device stolen
L - Device lost
2 Data Elements Breached
H - Social Security Number
H - Biometric record
H - Financial account number
H - PIN or security code for financial account
H - Health data
M - Birthdate
M - Government Issued Identification Number (drivers license etc)
L - Name
L - Address
L - Telephone Number
A combination of identifying information and financial or security information should always be considered a
high risk with high likelihood of harm occurring
3 Ability to access data
H ndash paper records or electronic records in a spreadsheet that is not password protected
M ndash electronic records that are password protected only
L ndash electronic records that are password protected and encrypted
4 Ability to mitigate the risk of harm
H ndash no recovery of data
M ndash partial recovery of data
L ndash recovery of data prior to use
BD MORTGAGE GROUP LLC 20
5 Evidence of data being used for identity theft or other harm
H ndash Data published on the web
M ndash Data accessed but no direct evidence of use
L ndash No tangible evidence of data use
After evaluating each factor and assigning an overall probability or likelihood of a breach occurring review and
assess the impact or harm to an individual or our organization
Impact Rating
Impact Definition
High Event (1) may result in human death or serious injury or harm to individual (2) may result in high costs to organization or (3) may significantly violate harm or impede an organizationrsquos mission reputation or interest
Medium Event (1) may result in injury or harm to the individual (2) may result in costs to the organization or (3) may violate harm or impede an organizationrsquos mission reputation or interest
Low Event (1) may result in the loss of some tangible organizational assets or resources or (2) may noticeably affect an organizationrsquos mission reputation or interest
The impact depends on the extent to which the breach poses a risk of identity theft or other substantial harm to an
individual such as embarrassment inconvenience unfairness harm to reputation or the potential for harassment
or prejudice particularly when health or financial benefits information is involved
Financial considerations can be factored in when determining the impact on our organization For instance credit
monitoring is generally estimated at $20 per year per case (individual) The costs associated with implementing
a call center including staff salaries may also be a factor Alternatively the cost of contracting for this service
could be a factor
BD MORTGAGE GROUP LLC 21
Assigning Risk Score
The risk score is determined by cross-referencing the likelihood score with the impact score
Likelihood Impact
Low Medium High
High Medium High High
Medium Low Medium High
Low Low Low Medium
Notification of Individuals
The risk score assigned will help determine if and when we should provide notification If the likelihood of risk
is low there could be more harm or impact on the individual if notification is provided due to the actions the
notified individual may take Thus notification must be weighed with the likelihood of risk No notification may
be required when the risk levels of each of the five factors is low If the likelihood of risk is high and the level of
impact or harm to the individual is medium notification and remedy may be required Alternatively if the
likelihood of risk is low and the level of impact or harm to the individual is high notification only may be required
If the five factors are considered appropriately it is more likely that notification will only be given in those
instances where there is a reasonable risk of harm and will not lead to the overuse of notification and thus the
associated further complications to the individual
Thus consideration should be given to all factors when determining final actions to take when addressing each
incident The table below should only be used as guide and conditions may warrant actions above or below those
associated with the final risk score
Risk Score Necessary Action
High Notify and provide remedy
Medium Notify only
Low Monitor only
Timing of Notification
Notice will be provided within a reasonable time following the discovery of a breach consistent with the legitimate
needs of law enforcement and any measures necessary for the Census Bureau to determine the scope of the breach
and if applicable to restore the reasonable integrity of the systemprocess that was compromised
In some circumstances law enforcement considerations may require a delay in notification if the investigation of
the breach or of an individual affected by the breach requires it and notification would seriously impede the
investigation The delay should not exacerbate risk or harm to any affected individual(s) or be tied to the
completion of the investigation but rather be based on whether it would seriously impede the investigation to
provide the notice promptly
Responsibility for Notification
The notice should come from a senior BD Mortgage Group LLC representative
BD MORTGAGE GROUP LLC 22
Content of Notification
The notice must be clear concise conspicuous easy-to-understand in plain language and should include the
following elements
bull A brief description of what happened including the date(s) of the breach and its discovery
bull A description of the types of personal information that were involved in the breach (eg full name Social
Security number date of birth home address account number disability code etc) to the extent possible
bull What steps if any an individual should take to protect himself from potential harm
bull What BD Mortgage Group LLC is doing if anything to investigate the breach to mitigate losses and to
protect against any further breaches
bull Who and how affected individuals should contact BD Mortgage Group LLC for more information including
a toll-free telephone number e-mail address and postal address
bull Direction to additional guidance available from the Federal Trade Commission at
httpwwwconsumergovidtheft
Minimizing your risk at httpwwwconsumergovidtheftcon_minimizehtm
Publications at httpwwwconsumergovidtheftcon_pubshtm
Method of Communication
Notice of the breach will be provided commensurate to the number of individuals affected by the breach and the
availability of contact information BD Mortgage Group LLC has for the affected individuals Correspondence
must be prominently marked on the exterior reflecting the importance of the communication to help ensure the
recipient does not discard or otherwise ignore the notification
In general the primary means of notification will be by first-class mail to the last known mailing address of the
individual based on BD Mortgage Group LLC records
Where we have reason to believe that the address is no longer current reasonable efforts will be made to update
the address using the US Postal Service National Change of Address (NCOA) database
Substitute notice may be made in instances where BD Mortgage Group LLC does not have sufficient contact
information for those who need to be notified In such instances notice may consist of a conspicuous posting of
the notice on the companyrsquos home page of its web site and include additional information in a Frequently Asked
Questions (FAQ)
BD MORTGAGE GROUP LLC 23
Process for Remediation of a Breach
Remedy is provided when the risk score is High
Credit Monitoring Data Breach Risk Packages (ie Lifelock)
Low Risk Package Low Risk Package Includes
1048707 Social Security Credit Card and 1 Bureau Credit Report Monitoring 1048707 3 Bureau Initial Fraud Alert 1048707 Credit Card Registry 1048707 Online Identity Theft Assistance 1048707 24 x 7 Customer Support
Medium Risk Package Medium Risk includes Low Risk benefits plus 1048707 Instant 1 Bureau Credit Report 1048707 Instant 1 Bureau Credit Score 1048707 Personal Information Directory Monitoring and Deletion 1048707 Identity Theft Consumer Guide 1048707 $25000 ($0 deductible) Identity Theft Insurance
High Risk Package High Risk includes Medium Risk benefits plus 1048707 3 Bureau Credit Report Monitoring 1048707 Instant 3 in 1 Credit Report 1048707 Instant 3 Bureau Credit Scores 1048707 Fraud Resolution amp Identity Restoration Specialist
BD MORTGAGE GROUP LLC 24
Reporting a Data Breach
Security Breach Notification Laws have been enacted in most US states since 2002 These laws were enacted in
response to an escalating number of breaches of consumer databases containing personally identifiable
information The first such law the California data security breach notification law was enacted in 2002 and
became effective on July 1 2003 As related in the bill statement law requires a state agency or a person or
business that conducts business in California that owns or licenses computerized data that includes personal
information as defined to disclose in specified ways any breach of the security of the data as defined to any
resident of California whose unencrypted personal information was or is reasonably believed to have been
acquired by an unauthorized person In addition the law permits delayed notification if a law enforcement
agency determines that it would impede a criminal investigation The law also requires any entity that licenses
such information to notify the owner or licensee of the information of any breach in the security of the data
The California law has been the model for the enactment of similar laws in other states The National Conference
of State Legislatures maintains a list of enacted and proposed security breach notification laws
BD MORTGAGE GROUP LLC 25
BD MORTGAGE GROUP LLC 26
2-90-29 - Information Security Audit
To ensure security of our systems and that we comply with rules for customer information security we conduct
an annual audit of our information technology systems A provider qualified to review our independent
information technology in conjunction with mortgage procedures must conduct this audit
Since we do not have any proprietary information technology but utilize software and services provided by
vendors exclusively we rely on the qualified audits of the technology provided by these vendors This is
conducted in conjunction with our annual vendor approval process
Vendor Category Vendor Name Information Tech Cert Date
Loan Origination System
E-Disclosure
Data Back-up
Web 1003 Application
Pricing and Eligibility
Document Management
E-Fax
Voice-MailTelephony
NetworkInternet Service
Office SupportCleanerLandlord
Courier
In addition we assume that other licensed entities with which we do business have had their plans reviewed and
found acceptable Consequently we do not audit our mortgage lender business partners
Internal Policies for Information Security Management
In addition to these procedures please refer to our internal Information Security Plan and Red Flags for our
ongoing Information Security procedures
BD MORTGAGE GROUP LLC 11
Electronic Documents and Records
Electronic documents will be retained as if they were paper documents Therefore any electronic files including
records of donations made online that fall into one of the document types on the above schedule will be
maintained for the appropriate amount of time If a user has sufficient reason to keep an email message the
message should be printed in hard copy and kept in the appropriate file or moved to an ldquoarchiverdquo computer file
folder Backup and recovery methods will be tested on a regular basis
See ndash E-SIGN Policy and Procedure
Emergency Planning
BD Mortgage Group LLCrsquos records will be stored in a safe secure and accessible manner Documents and
financial files that are essential to keeping BD Mortgage Group LLC operating in an emergency will be duplicated
or backed up at least every week and maintained off site
BD MORTGAGE GROUP LLC 12
Document Destruction
BD Mortgage Group LLCrsquos designated ldquoInformation Security and Red Flag ID Theft Planrdquo individual is
responsible for the ongoing process of identifying records which have met the required retention period and
overseeing their destruction Destruction of financial and personnel-related documents will be accomplished by
shredding
Document destruction will be suspended immediately upon any indication of an official investigation or when a
lawsuit is filed or appears imminent Destruction will be reinstated upon conclusion of the investigation
Compliance
Failure on the part of employees to follow this policy can result in possible civil and criminal sanctions against
BD Mortgage Group LLC and its employees and possible disciplinary action against responsible individuals The
chief financial officer and finance committee chair will periodically review these procedures with legal counsel
or the organizationrsquos certified public accountant to ensure that they are in compliance with new or revised
regulations
Onsite Records Storage Policy
Active closed or denied loan application copies exclusive of delivery file documentation subject to the Funding
Warehousing Delivery and Servicing Setup process will be stored in the branch These files will be indexed by
month and alphabetically by borrower last name File cabinets must be locked and keys are maintained by the
operations manager and may be accessed under supervision during business hours
Offsite Records Storage
If due to space concerns there is insufficient room in the branch location to provide file storage off-site records
storage may be utilized through a secure bonded professional records Management Company that is a member
of the American Business Records Management Association Records of each file box sent to Archive must be
maintained current by the operations manager and must be available for immediate inspection within 2 hoursrsquo
notice
The purpose of this policy is to ensure the proper use of BD Mortgage Group LLCrsquos email system and make users
aware of what BD Mortgage Group LLC deems as acceptable and unacceptable use of its email system The BD
Mortgage Group LLC reserves the right to amend this policy at its discretion In case of amendments users will
be informed appropriately
BD MORTGAGE GROUP LLC 13
Electronic Communication
Email is a business communication tool and users are obliged to use this tool in a responsible effective and lawful
manner Although by its nature email seems to be less formal than other written communication the same laws
apply Therefore it is important that users are aware of the legal risks of e-mail
By following the guidelines in this policy the email user can minimize the legal risks involved in the use of e-
mail If any user disregards the rules set out in this Email Policy the user will be fully liable and BD Mortgage
Group LLC will disassociate itself from the user as far as legally possible
The following rules are required by law and are to be strictly adhered to
bull It is strictly prohibited to send or forward emails containing libelous defamatory offensive racist or
obscene remarks If you receive an e-mail of this nature you must promptly notify your supervisor
bull Do not forward a message without acquiring permission from the sender first
bull Do not send unsolicited email messages
bull Do not forge or attempt to forge email messages
bull Do not send email messages using another personrsquos email account
bull Do not copy a message or attachment belonging to another user without permission of the originator
bull Do not disguise or attempt to disguise your identity when sending mail
Best Practices
BD Mortgage Group LLC considers email as an important means of communication and recognizes the
importance of proper email content and speedy replies in conveying a professional image and delivering good
customer service Therefore BD Mortgage Group LLC wishes users to adhere to the following guidelines
Writing emails
bull Signatures must include your name job title and BD Mortgage Group LLC A disclaimer will be added
underneath your signature (see Disclaimer)
bull Use the spell checker before you send out an email
bull Do not send unnecessary attachments Compress attachments larger than 200K before sending them
bull Do not write emails in capitals
bull Do not use cc or bcc fields unless the cc or bcc recipient is aware that you will be copying a mail to
himher and knows what action if any to take
bull If you forward mails state clearly what action you expect the recipient to take
bull Only send emails of which the content could be displayed on a public notice board If they cannot be
displayed publicly in their current state consider rephrasing the email using other means of
communication or protecting information by using a password (see confidential)
bull Only mark emails as important if they really are important
Replying to emails
Emails should be answered within at least 8 working hours but users must endeavor to answer priority emails
within 4 hours
Priority emails are emails from existing customers and business partners
BD MORTGAGE GROUP LLC 14
Newsgroups
Users need to request permission from their supervisor before subscribing to a newsletter or news group
Maintenance
Delete any email messages that you do not need to have a copy of and set your email client to automatically
empty your lsquodeleted itemsrsquo on closing
Personal Use
Although BD Mortgage Group LLC email system is meant for business use BD Mortgage Group LLC allows
the reasonable use of email for personal use if certain guidelines are adhered to
bull Personal use of email should not interfere with work
bull Personal emails must also adhere to the guidelines in this policy
bull Personal emails are kept in a separate folder named lsquoPrivatersquo The emails in this folder must be deleted weekly
so as not to clog up the system
bull The forwarding of chain letters junk mail jokes and executables is strictly forbidden
bull On average users are not allowed to send more than 2 personal emails a day
bull Do not send mass mailings
bull All messages distributed via the companyrsquos email system even personal emails are BD Mortgage Group
LLCrsquos property
Confidential Information
Avoid sending confidential information by e-mail If you do you must secure the information by including it in
a Microsoft Word Excel or PDF file and protect it with a password Then provide the recipient with the password
by means of other communication for instance by telephone
Disclaimer
The following disclaimer will be added to each outgoing email
lsquoThis email and any files transmitted with it are confidential and intended solely for the use of the individual or
entity to which they are addressed If you have received this email in error please notify the system manager
Please note that any views or opinions presented in this email are solely those of the author and do not necessarily
represent those of the company Finally the recipient should check this email and any attachments for the presence
of viruses The company accepts no liability for any damage caused by any virus transmitted by this emailrsquo
System Monitoring
You must have no expectation of privacy in anything you create store send or receive on the companyrsquos computer
system Your emails can be monitored without prior notification if BD Mortgage Group LLC deems this
necessary If there is evidence that you are not adhering to the guidelines set out in this policy the BD Mortgage
Group LLC reserves the right to take disciplinary action including termination andor legal action
BD MORTGAGE GROUP LLC 15
Secure Fax Transmission
The legacy of fax transmission in the mortgage industry is long The risk of using fax transmissions is that the
sender has no idea whether the recipient is attending to the machine while the document is being received printed
and then available for viewing In order to prevent the compromise of secure information never send information
to an unattended facsimile machine If you can confirm that the recipient is standing at the machine it is acceptable
to proceed with communications in this manner
Alternatively we can provide an ldquoE-faxrdquo account for individual users This allows the transmission of facsimiles
via e-mail to a secure login account
For transmitting paper documents always create a password protected document and deliver the password to the
recipient using a different method of communication such as the telephone
Secure Telephone Communications
Vishing is the criminal practice of using social engineering and Voice over IP (VoIP) to gain access to private
personal and financial information from the public for the purpose of financial reward The term is a combination
of voice and phishing Vishing exploits the publics trust in landline telephone services which have traditionally
terminated in physical locations which are known to the telephone company and associated with a bill-payer
The victim is often unaware that VoIP allows for caller ID spoofing inexpensive complex automated systems
and anonymity for the bill-payer Vishing is typically used to steal credit card numbers or other information used
in identity theft schemes from individuals
According to the FBIs Internet Crime Complaint Center (IC3) the number of vishing complaints received by
the center is increasing at what it calls an alarming rate Vishing and phishing are related and both rely on e-
mail as a means of delivering bait but the two use different hooks in order to snag user data
Vishing starts with an e-mail like phishing but requests that end-users contact a particular institution by phone
in order to resolve an issue or re-secure personal data People who call the provided number will be asked to
provide the same types of data phishers attempt to procure Ironically vishing e-mails may even attempt to
reassure recipients of their legitimacy by stating that the institution in question would never request customer
financial data via e-mail or IM
As always the best defense against phishing or vishing is a little common sense If your bank or other financial
institution with which you are affiliated contacts you requesting personal data hang up (or call them) using only
the number provided on the back of your card or official statement If you cant get confirmation that the request
is actually legitimate dont follow up on it
BD MORTGAGE GROUP LLC 16
Social Engineering Scams ndash Internal and External Prevention
One of the most prevalent forms of online scams is referred to as a seemingly benign term social engineering
This practice which is sometimes referred to as phishing refers to using trickery to get people to voluntarily
hand over critical information such as usernames or passwords
In many cases spam filters can easily detect the clumsier social engineering efforts and thus spare computer
users from grief However there are a growing number of sophisticated efforts that are crafted to circumvent the
spam filters - and unsuspecting customers that click into these cleverly disguised emails run the risk of facing
serious repercussions
Social engineering attacks mimic an email notification from a well-known and trusted source financial
institutions LinkedIn PayPal the Better Business Bureau Facebook and so forth The attackers create an email
that looks exactly like the normal system notices that are sent out by those entities but they change the links to
hit their own servers
The most classic example is an email that sends a dire notice with a link to login and check on a potential problem
When a person clicks on the link it takes him or her to a page on the cyber attackerrsquos servers that looks just like
the well-known entitys login page
When a person enters his or her username and password this information is stored in a database on the phony
server while an error box appears that says Invalid username or password please try again This error box
message comes with an OK button that when clicked redirects the person to the real login page
People may not realize there is a problem because passwords are obscured with asterisks so it is natural to assume
there was a typo during the initial password entry However the miscreants now have the persons username and
password
So what does this mean to mortgage bankers if someone gets tricked into thinking a social engineering scam
message really came from Facebook or LinkedIn Quite simply many people have the same usernames and
passwords for multiple websites Thus a person who has unwittingly surrendered his or her personal information
for a Facebook page might not realize that the social engineering scam artists could later use that information to
gain access to online mortgage banking accounts
BD Mortgage Group LLC needs to take a proactive approach in educating customers on how to identify potential
scams that pop up in their email in-boxes Here are some safety tips we send out to all customers
1 Dont click links from emails Instead open a Web browser and specifically go to the site in question and login
directly It is not common for financial institutions to have a click here to login link within their email
communications
2 Be suspicious of serious warnings and dollar amounts posted directly in emails Financial services companies
are not in the habit of sending customers panic-inducing messages of low account balances or other account
discrepancies with details plainly shown in the email Warnings are more discreet and merely direct the customer
to go log in for details
3 Use mouse-overs to view a link before clicking Although not all email software and hardware devices support
them a mouse-over can quickly and easily identify the links within an email message
4 Try not to use the same password at multiple sites Use a password program to store and remember online
access data
BD MORTGAGE GROUP LLC 17
5 Routinely update passwords Updating passwords even once a year is an easy way to stay one step ahead of
the social engineering scammers
Invite customers who are in doubt about the veracity of emails to forward them to BD Mortgage Group LLC for
verification Several sites that have been the subject of social engineering scams including eBay and PayPal have
special email accounts that receive review and keep track of these online frauds These spoof-checking efforts
will help empower the customer to ensure that BD Mortgage Group LLC does not become the victim of the next
big Internet fraud
BD MORTGAGE GROUP LLC 18
Data Breach Policy Implementation Guide
The response to any breach of personally identifiable information (PII) can have a critical impact on the BD
Mortgage Group LLCrsquos reputation and how trustworthy the public perceives the company Thus exceptional care
must be taken when responding to data breach incidents Not all incidents result in data breaches and not all data
breaches require notification This guide is to assist the Data Breach Team in developing an appropriate response
to a data breach based on the specific characteristics of the incident
Background
This Data Breach Policy Implementation Guide is based on the Presidentrsquos Identity Theft Task Force
recommendations that provide a menu of steps for the company to consider so that it may pursue a risk-based
tailored response to data breach incidents
Definition of Breach
A breach is a loss of control compromise unauthorized disclosure unauthorized acquisition unauthorized
access or any similar term referring to situations where persons other than authorized users and for an authorized
purpose have access or potential access to PII in usable form whether physical or electronic
Reporting Breaches and Breach Response Team
Breach is immediately reported to
bull Chief Privacy Officer (CPO)
bull Chief Information Officer (CIO)
bull Chief IT Security Office (ITSO)
bull Associate Director for Communications
bull Chief Office of Analysis and Executive Support (OAES)
bull As warranted
bull Chief Office of Security
bull General Counsel
bull Law Enforcement
Risk Assessment Process
Risk is a function of the probability or likelihood of a privacy violation and the resulting impact of that violation
To assign a risk score assess the probability of the event (data breach) occurring and then assess the impact or
harm caused to an individual and our organization in its ability to achieve its mission
BD MORTGAGE GROUP LLC 19
Likelihood Likelihood Definition
High (H) The nature of the attack and the data indicate that the motivation is criminal intent the security of the data and controls to minimize the likelihood of a privacy violation are ineffective
Medium (M)
The nature of the attack and data indicate that the motivation could be criminal intent but controls are in place that may impede success
Low (L) The nature of the attack and data do not indicate criminal intent and security and controls are in place to prevent or at least significantly impede the likelihood of a privacy violation
To assess likelihood of a breach occurring consider five factors
1 How the loss occurred
2 Data elements breached
3 Ability to access the data - the likelihood the personal information will be or has been compromised ndash made
accessible to and usable by unauthorized persons
4 Ability to mitigate the risk of harm
5 Evidence of data being used for identity theft or other harm
1 How Loss Occurred
H - Online system hacked
H - Data was targeted
M - Device was targeted
M - Device stolen
L - Device lost
2 Data Elements Breached
H - Social Security Number
H - Biometric record
H - Financial account number
H - PIN or security code for financial account
H - Health data
M - Birthdate
M - Government Issued Identification Number (drivers license etc)
L - Name
L - Address
L - Telephone Number
A combination of identifying information and financial or security information should always be considered a
high risk with high likelihood of harm occurring
3 Ability to access data
H ndash paper records or electronic records in a spreadsheet that is not password protected
M ndash electronic records that are password protected only
L ndash electronic records that are password protected and encrypted
4 Ability to mitigate the risk of harm
H ndash no recovery of data
M ndash partial recovery of data
L ndash recovery of data prior to use
BD MORTGAGE GROUP LLC 20
5 Evidence of data being used for identity theft or other harm
H ndash Data published on the web
M ndash Data accessed but no direct evidence of use
L ndash No tangible evidence of data use
After evaluating each factor and assigning an overall probability or likelihood of a breach occurring review and
assess the impact or harm to an individual or our organization
Impact Rating
Impact Definition
High Event (1) may result in human death or serious injury or harm to individual (2) may result in high costs to organization or (3) may significantly violate harm or impede an organizationrsquos mission reputation or interest
Medium Event (1) may result in injury or harm to the individual (2) may result in costs to the organization or (3) may violate harm or impede an organizationrsquos mission reputation or interest
Low Event (1) may result in the loss of some tangible organizational assets or resources or (2) may noticeably affect an organizationrsquos mission reputation or interest
The impact depends on the extent to which the breach poses a risk of identity theft or other substantial harm to an
individual such as embarrassment inconvenience unfairness harm to reputation or the potential for harassment
or prejudice particularly when health or financial benefits information is involved
Financial considerations can be factored in when determining the impact on our organization For instance credit
monitoring is generally estimated at $20 per year per case (individual) The costs associated with implementing
a call center including staff salaries may also be a factor Alternatively the cost of contracting for this service
could be a factor
BD MORTGAGE GROUP LLC 21
Assigning Risk Score
The risk score is determined by cross-referencing the likelihood score with the impact score
Likelihood Impact
Low Medium High
High Medium High High
Medium Low Medium High
Low Low Low Medium
Notification of Individuals
The risk score assigned will help determine if and when we should provide notification If the likelihood of risk
is low there could be more harm or impact on the individual if notification is provided due to the actions the
notified individual may take Thus notification must be weighed with the likelihood of risk No notification may
be required when the risk levels of each of the five factors is low If the likelihood of risk is high and the level of
impact or harm to the individual is medium notification and remedy may be required Alternatively if the
likelihood of risk is low and the level of impact or harm to the individual is high notification only may be required
If the five factors are considered appropriately it is more likely that notification will only be given in those
instances where there is a reasonable risk of harm and will not lead to the overuse of notification and thus the
associated further complications to the individual
Thus consideration should be given to all factors when determining final actions to take when addressing each
incident The table below should only be used as guide and conditions may warrant actions above or below those
associated with the final risk score
Risk Score Necessary Action
High Notify and provide remedy
Medium Notify only
Low Monitor only
Timing of Notification
Notice will be provided within a reasonable time following the discovery of a breach consistent with the legitimate
needs of law enforcement and any measures necessary for the Census Bureau to determine the scope of the breach
and if applicable to restore the reasonable integrity of the systemprocess that was compromised
In some circumstances law enforcement considerations may require a delay in notification if the investigation of
the breach or of an individual affected by the breach requires it and notification would seriously impede the
investigation The delay should not exacerbate risk or harm to any affected individual(s) or be tied to the
completion of the investigation but rather be based on whether it would seriously impede the investigation to
provide the notice promptly
Responsibility for Notification
The notice should come from a senior BD Mortgage Group LLC representative
BD MORTGAGE GROUP LLC 22
Content of Notification
The notice must be clear concise conspicuous easy-to-understand in plain language and should include the
following elements
bull A brief description of what happened including the date(s) of the breach and its discovery
bull A description of the types of personal information that were involved in the breach (eg full name Social
Security number date of birth home address account number disability code etc) to the extent possible
bull What steps if any an individual should take to protect himself from potential harm
bull What BD Mortgage Group LLC is doing if anything to investigate the breach to mitigate losses and to
protect against any further breaches
bull Who and how affected individuals should contact BD Mortgage Group LLC for more information including
a toll-free telephone number e-mail address and postal address
bull Direction to additional guidance available from the Federal Trade Commission at
httpwwwconsumergovidtheft
Minimizing your risk at httpwwwconsumergovidtheftcon_minimizehtm
Publications at httpwwwconsumergovidtheftcon_pubshtm
Method of Communication
Notice of the breach will be provided commensurate to the number of individuals affected by the breach and the
availability of contact information BD Mortgage Group LLC has for the affected individuals Correspondence
must be prominently marked on the exterior reflecting the importance of the communication to help ensure the
recipient does not discard or otherwise ignore the notification
In general the primary means of notification will be by first-class mail to the last known mailing address of the
individual based on BD Mortgage Group LLC records
Where we have reason to believe that the address is no longer current reasonable efforts will be made to update
the address using the US Postal Service National Change of Address (NCOA) database
Substitute notice may be made in instances where BD Mortgage Group LLC does not have sufficient contact
information for those who need to be notified In such instances notice may consist of a conspicuous posting of
the notice on the companyrsquos home page of its web site and include additional information in a Frequently Asked
Questions (FAQ)
BD MORTGAGE GROUP LLC 23
Process for Remediation of a Breach
Remedy is provided when the risk score is High
Credit Monitoring Data Breach Risk Packages (ie Lifelock)
Low Risk Package Low Risk Package Includes
1048707 Social Security Credit Card and 1 Bureau Credit Report Monitoring 1048707 3 Bureau Initial Fraud Alert 1048707 Credit Card Registry 1048707 Online Identity Theft Assistance 1048707 24 x 7 Customer Support
Medium Risk Package Medium Risk includes Low Risk benefits plus 1048707 Instant 1 Bureau Credit Report 1048707 Instant 1 Bureau Credit Score 1048707 Personal Information Directory Monitoring and Deletion 1048707 Identity Theft Consumer Guide 1048707 $25000 ($0 deductible) Identity Theft Insurance
High Risk Package High Risk includes Medium Risk benefits plus 1048707 3 Bureau Credit Report Monitoring 1048707 Instant 3 in 1 Credit Report 1048707 Instant 3 Bureau Credit Scores 1048707 Fraud Resolution amp Identity Restoration Specialist
BD MORTGAGE GROUP LLC 24
Reporting a Data Breach
Security Breach Notification Laws have been enacted in most US states since 2002 These laws were enacted in
response to an escalating number of breaches of consumer databases containing personally identifiable
information The first such law the California data security breach notification law was enacted in 2002 and
became effective on July 1 2003 As related in the bill statement law requires a state agency or a person or
business that conducts business in California that owns or licenses computerized data that includes personal
information as defined to disclose in specified ways any breach of the security of the data as defined to any
resident of California whose unencrypted personal information was or is reasonably believed to have been
acquired by an unauthorized person In addition the law permits delayed notification if a law enforcement
agency determines that it would impede a criminal investigation The law also requires any entity that licenses
such information to notify the owner or licensee of the information of any breach in the security of the data
The California law has been the model for the enactment of similar laws in other states The National Conference
of State Legislatures maintains a list of enacted and proposed security breach notification laws
BD MORTGAGE GROUP LLC 25
BD MORTGAGE GROUP LLC 26
2-90-29 - Information Security Audit
To ensure security of our systems and that we comply with rules for customer information security we conduct
an annual audit of our information technology systems A provider qualified to review our independent
information technology in conjunction with mortgage procedures must conduct this audit
Since we do not have any proprietary information technology but utilize software and services provided by
vendors exclusively we rely on the qualified audits of the technology provided by these vendors This is
conducted in conjunction with our annual vendor approval process
Vendor Category Vendor Name Information Tech Cert Date
Loan Origination System
E-Disclosure
Data Back-up
Web 1003 Application
Pricing and Eligibility
Document Management
E-Fax
Voice-MailTelephony
NetworkInternet Service
Office SupportCleanerLandlord
Courier
In addition we assume that other licensed entities with which we do business have had their plans reviewed and
found acceptable Consequently we do not audit our mortgage lender business partners
Internal Policies for Information Security Management
In addition to these procedures please refer to our internal Information Security Plan and Red Flags for our
ongoing Information Security procedures
BD MORTGAGE GROUP LLC 12
Document Destruction
BD Mortgage Group LLCrsquos designated ldquoInformation Security and Red Flag ID Theft Planrdquo individual is
responsible for the ongoing process of identifying records which have met the required retention period and
overseeing their destruction Destruction of financial and personnel-related documents will be accomplished by
shredding
Document destruction will be suspended immediately upon any indication of an official investigation or when a
lawsuit is filed or appears imminent Destruction will be reinstated upon conclusion of the investigation
Compliance
Failure on the part of employees to follow this policy can result in possible civil and criminal sanctions against
BD Mortgage Group LLC and its employees and possible disciplinary action against responsible individuals The
chief financial officer and finance committee chair will periodically review these procedures with legal counsel
or the organizationrsquos certified public accountant to ensure that they are in compliance with new or revised
regulations
Onsite Records Storage Policy
Active closed or denied loan application copies exclusive of delivery file documentation subject to the Funding
Warehousing Delivery and Servicing Setup process will be stored in the branch These files will be indexed by
month and alphabetically by borrower last name File cabinets must be locked and keys are maintained by the
operations manager and may be accessed under supervision during business hours
Offsite Records Storage
If due to space concerns there is insufficient room in the branch location to provide file storage off-site records
storage may be utilized through a secure bonded professional records Management Company that is a member
of the American Business Records Management Association Records of each file box sent to Archive must be
maintained current by the operations manager and must be available for immediate inspection within 2 hoursrsquo
notice
The purpose of this policy is to ensure the proper use of BD Mortgage Group LLCrsquos email system and make users
aware of what BD Mortgage Group LLC deems as acceptable and unacceptable use of its email system The BD
Mortgage Group LLC reserves the right to amend this policy at its discretion In case of amendments users will
be informed appropriately
BD MORTGAGE GROUP LLC 13
Electronic Communication
Email is a business communication tool and users are obliged to use this tool in a responsible effective and lawful
manner Although by its nature email seems to be less formal than other written communication the same laws
apply Therefore it is important that users are aware of the legal risks of e-mail
By following the guidelines in this policy the email user can minimize the legal risks involved in the use of e-
mail If any user disregards the rules set out in this Email Policy the user will be fully liable and BD Mortgage
Group LLC will disassociate itself from the user as far as legally possible
The following rules are required by law and are to be strictly adhered to
bull It is strictly prohibited to send or forward emails containing libelous defamatory offensive racist or
obscene remarks If you receive an e-mail of this nature you must promptly notify your supervisor
bull Do not forward a message without acquiring permission from the sender first
bull Do not send unsolicited email messages
bull Do not forge or attempt to forge email messages
bull Do not send email messages using another personrsquos email account
bull Do not copy a message or attachment belonging to another user without permission of the originator
bull Do not disguise or attempt to disguise your identity when sending mail
Best Practices
BD Mortgage Group LLC considers email as an important means of communication and recognizes the
importance of proper email content and speedy replies in conveying a professional image and delivering good
customer service Therefore BD Mortgage Group LLC wishes users to adhere to the following guidelines
Writing emails
bull Signatures must include your name job title and BD Mortgage Group LLC A disclaimer will be added
underneath your signature (see Disclaimer)
bull Use the spell checker before you send out an email
bull Do not send unnecessary attachments Compress attachments larger than 200K before sending them
bull Do not write emails in capitals
bull Do not use cc or bcc fields unless the cc or bcc recipient is aware that you will be copying a mail to
himher and knows what action if any to take
bull If you forward mails state clearly what action you expect the recipient to take
bull Only send emails of which the content could be displayed on a public notice board If they cannot be
displayed publicly in their current state consider rephrasing the email using other means of
communication or protecting information by using a password (see confidential)
bull Only mark emails as important if they really are important
Replying to emails
Emails should be answered within at least 8 working hours but users must endeavor to answer priority emails
within 4 hours
Priority emails are emails from existing customers and business partners
BD MORTGAGE GROUP LLC 14
Newsgroups
Users need to request permission from their supervisor before subscribing to a newsletter or news group
Maintenance
Delete any email messages that you do not need to have a copy of and set your email client to automatically
empty your lsquodeleted itemsrsquo on closing
Personal Use
Although BD Mortgage Group LLC email system is meant for business use BD Mortgage Group LLC allows
the reasonable use of email for personal use if certain guidelines are adhered to
bull Personal use of email should not interfere with work
bull Personal emails must also adhere to the guidelines in this policy
bull Personal emails are kept in a separate folder named lsquoPrivatersquo The emails in this folder must be deleted weekly
so as not to clog up the system
bull The forwarding of chain letters junk mail jokes and executables is strictly forbidden
bull On average users are not allowed to send more than 2 personal emails a day
bull Do not send mass mailings
bull All messages distributed via the companyrsquos email system even personal emails are BD Mortgage Group
LLCrsquos property
Confidential Information
Avoid sending confidential information by e-mail If you do you must secure the information by including it in
a Microsoft Word Excel or PDF file and protect it with a password Then provide the recipient with the password
by means of other communication for instance by telephone
Disclaimer
The following disclaimer will be added to each outgoing email
lsquoThis email and any files transmitted with it are confidential and intended solely for the use of the individual or
entity to which they are addressed If you have received this email in error please notify the system manager
Please note that any views or opinions presented in this email are solely those of the author and do not necessarily
represent those of the company Finally the recipient should check this email and any attachments for the presence
of viruses The company accepts no liability for any damage caused by any virus transmitted by this emailrsquo
System Monitoring
You must have no expectation of privacy in anything you create store send or receive on the companyrsquos computer
system Your emails can be monitored without prior notification if BD Mortgage Group LLC deems this
necessary If there is evidence that you are not adhering to the guidelines set out in this policy the BD Mortgage
Group LLC reserves the right to take disciplinary action including termination andor legal action
BD MORTGAGE GROUP LLC 15
Secure Fax Transmission
The legacy of fax transmission in the mortgage industry is long The risk of using fax transmissions is that the
sender has no idea whether the recipient is attending to the machine while the document is being received printed
and then available for viewing In order to prevent the compromise of secure information never send information
to an unattended facsimile machine If you can confirm that the recipient is standing at the machine it is acceptable
to proceed with communications in this manner
Alternatively we can provide an ldquoE-faxrdquo account for individual users This allows the transmission of facsimiles
via e-mail to a secure login account
For transmitting paper documents always create a password protected document and deliver the password to the
recipient using a different method of communication such as the telephone
Secure Telephone Communications
Vishing is the criminal practice of using social engineering and Voice over IP (VoIP) to gain access to private
personal and financial information from the public for the purpose of financial reward The term is a combination
of voice and phishing Vishing exploits the publics trust in landline telephone services which have traditionally
terminated in physical locations which are known to the telephone company and associated with a bill-payer
The victim is often unaware that VoIP allows for caller ID spoofing inexpensive complex automated systems
and anonymity for the bill-payer Vishing is typically used to steal credit card numbers or other information used
in identity theft schemes from individuals
According to the FBIs Internet Crime Complaint Center (IC3) the number of vishing complaints received by
the center is increasing at what it calls an alarming rate Vishing and phishing are related and both rely on e-
mail as a means of delivering bait but the two use different hooks in order to snag user data
Vishing starts with an e-mail like phishing but requests that end-users contact a particular institution by phone
in order to resolve an issue or re-secure personal data People who call the provided number will be asked to
provide the same types of data phishers attempt to procure Ironically vishing e-mails may even attempt to
reassure recipients of their legitimacy by stating that the institution in question would never request customer
financial data via e-mail or IM
As always the best defense against phishing or vishing is a little common sense If your bank or other financial
institution with which you are affiliated contacts you requesting personal data hang up (or call them) using only
the number provided on the back of your card or official statement If you cant get confirmation that the request
is actually legitimate dont follow up on it
BD MORTGAGE GROUP LLC 16
Social Engineering Scams ndash Internal and External Prevention
One of the most prevalent forms of online scams is referred to as a seemingly benign term social engineering
This practice which is sometimes referred to as phishing refers to using trickery to get people to voluntarily
hand over critical information such as usernames or passwords
In many cases spam filters can easily detect the clumsier social engineering efforts and thus spare computer
users from grief However there are a growing number of sophisticated efforts that are crafted to circumvent the
spam filters - and unsuspecting customers that click into these cleverly disguised emails run the risk of facing
serious repercussions
Social engineering attacks mimic an email notification from a well-known and trusted source financial
institutions LinkedIn PayPal the Better Business Bureau Facebook and so forth The attackers create an email
that looks exactly like the normal system notices that are sent out by those entities but they change the links to
hit their own servers
The most classic example is an email that sends a dire notice with a link to login and check on a potential problem
When a person clicks on the link it takes him or her to a page on the cyber attackerrsquos servers that looks just like
the well-known entitys login page
When a person enters his or her username and password this information is stored in a database on the phony
server while an error box appears that says Invalid username or password please try again This error box
message comes with an OK button that when clicked redirects the person to the real login page
People may not realize there is a problem because passwords are obscured with asterisks so it is natural to assume
there was a typo during the initial password entry However the miscreants now have the persons username and
password
So what does this mean to mortgage bankers if someone gets tricked into thinking a social engineering scam
message really came from Facebook or LinkedIn Quite simply many people have the same usernames and
passwords for multiple websites Thus a person who has unwittingly surrendered his or her personal information
for a Facebook page might not realize that the social engineering scam artists could later use that information to
gain access to online mortgage banking accounts
BD Mortgage Group LLC needs to take a proactive approach in educating customers on how to identify potential
scams that pop up in their email in-boxes Here are some safety tips we send out to all customers
1 Dont click links from emails Instead open a Web browser and specifically go to the site in question and login
directly It is not common for financial institutions to have a click here to login link within their email
communications
2 Be suspicious of serious warnings and dollar amounts posted directly in emails Financial services companies
are not in the habit of sending customers panic-inducing messages of low account balances or other account
discrepancies with details plainly shown in the email Warnings are more discreet and merely direct the customer
to go log in for details
3 Use mouse-overs to view a link before clicking Although not all email software and hardware devices support
them a mouse-over can quickly and easily identify the links within an email message
4 Try not to use the same password at multiple sites Use a password program to store and remember online
access data
BD MORTGAGE GROUP LLC 17
5 Routinely update passwords Updating passwords even once a year is an easy way to stay one step ahead of
the social engineering scammers
Invite customers who are in doubt about the veracity of emails to forward them to BD Mortgage Group LLC for
verification Several sites that have been the subject of social engineering scams including eBay and PayPal have
special email accounts that receive review and keep track of these online frauds These spoof-checking efforts
will help empower the customer to ensure that BD Mortgage Group LLC does not become the victim of the next
big Internet fraud
BD MORTGAGE GROUP LLC 18
Data Breach Policy Implementation Guide
The response to any breach of personally identifiable information (PII) can have a critical impact on the BD
Mortgage Group LLCrsquos reputation and how trustworthy the public perceives the company Thus exceptional care
must be taken when responding to data breach incidents Not all incidents result in data breaches and not all data
breaches require notification This guide is to assist the Data Breach Team in developing an appropriate response
to a data breach based on the specific characteristics of the incident
Background
This Data Breach Policy Implementation Guide is based on the Presidentrsquos Identity Theft Task Force
recommendations that provide a menu of steps for the company to consider so that it may pursue a risk-based
tailored response to data breach incidents
Definition of Breach
A breach is a loss of control compromise unauthorized disclosure unauthorized acquisition unauthorized
access or any similar term referring to situations where persons other than authorized users and for an authorized
purpose have access or potential access to PII in usable form whether physical or electronic
Reporting Breaches and Breach Response Team
Breach is immediately reported to
bull Chief Privacy Officer (CPO)
bull Chief Information Officer (CIO)
bull Chief IT Security Office (ITSO)
bull Associate Director for Communications
bull Chief Office of Analysis and Executive Support (OAES)
bull As warranted
bull Chief Office of Security
bull General Counsel
bull Law Enforcement
Risk Assessment Process
Risk is a function of the probability or likelihood of a privacy violation and the resulting impact of that violation
To assign a risk score assess the probability of the event (data breach) occurring and then assess the impact or
harm caused to an individual and our organization in its ability to achieve its mission
BD MORTGAGE GROUP LLC 19
Likelihood Likelihood Definition
High (H) The nature of the attack and the data indicate that the motivation is criminal intent the security of the data and controls to minimize the likelihood of a privacy violation are ineffective
Medium (M)
The nature of the attack and data indicate that the motivation could be criminal intent but controls are in place that may impede success
Low (L) The nature of the attack and data do not indicate criminal intent and security and controls are in place to prevent or at least significantly impede the likelihood of a privacy violation
To assess likelihood of a breach occurring consider five factors
1 How the loss occurred
2 Data elements breached
3 Ability to access the data - the likelihood the personal information will be or has been compromised ndash made
accessible to and usable by unauthorized persons
4 Ability to mitigate the risk of harm
5 Evidence of data being used for identity theft or other harm
1 How Loss Occurred
H - Online system hacked
H - Data was targeted
M - Device was targeted
M - Device stolen
L - Device lost
2 Data Elements Breached
H - Social Security Number
H - Biometric record
H - Financial account number
H - PIN or security code for financial account
H - Health data
M - Birthdate
M - Government Issued Identification Number (drivers license etc)
L - Name
L - Address
L - Telephone Number
A combination of identifying information and financial or security information should always be considered a
high risk with high likelihood of harm occurring
3 Ability to access data
H ndash paper records or electronic records in a spreadsheet that is not password protected
M ndash electronic records that are password protected only
L ndash electronic records that are password protected and encrypted
4 Ability to mitigate the risk of harm
H ndash no recovery of data
M ndash partial recovery of data
L ndash recovery of data prior to use
BD MORTGAGE GROUP LLC 20
5 Evidence of data being used for identity theft or other harm
H ndash Data published on the web
M ndash Data accessed but no direct evidence of use
L ndash No tangible evidence of data use
After evaluating each factor and assigning an overall probability or likelihood of a breach occurring review and
assess the impact or harm to an individual or our organization
Impact Rating
Impact Definition
High Event (1) may result in human death or serious injury or harm to individual (2) may result in high costs to organization or (3) may significantly violate harm or impede an organizationrsquos mission reputation or interest
Medium Event (1) may result in injury or harm to the individual (2) may result in costs to the organization or (3) may violate harm or impede an organizationrsquos mission reputation or interest
Low Event (1) may result in the loss of some tangible organizational assets or resources or (2) may noticeably affect an organizationrsquos mission reputation or interest
The impact depends on the extent to which the breach poses a risk of identity theft or other substantial harm to an
individual such as embarrassment inconvenience unfairness harm to reputation or the potential for harassment
or prejudice particularly when health or financial benefits information is involved
Financial considerations can be factored in when determining the impact on our organization For instance credit
monitoring is generally estimated at $20 per year per case (individual) The costs associated with implementing
a call center including staff salaries may also be a factor Alternatively the cost of contracting for this service
could be a factor
BD MORTGAGE GROUP LLC 21
Assigning Risk Score
The risk score is determined by cross-referencing the likelihood score with the impact score
Likelihood Impact
Low Medium High
High Medium High High
Medium Low Medium High
Low Low Low Medium
Notification of Individuals
The risk score assigned will help determine if and when we should provide notification If the likelihood of risk
is low there could be more harm or impact on the individual if notification is provided due to the actions the
notified individual may take Thus notification must be weighed with the likelihood of risk No notification may
be required when the risk levels of each of the five factors is low If the likelihood of risk is high and the level of
impact or harm to the individual is medium notification and remedy may be required Alternatively if the
likelihood of risk is low and the level of impact or harm to the individual is high notification only may be required
If the five factors are considered appropriately it is more likely that notification will only be given in those
instances where there is a reasonable risk of harm and will not lead to the overuse of notification and thus the
associated further complications to the individual
Thus consideration should be given to all factors when determining final actions to take when addressing each
incident The table below should only be used as guide and conditions may warrant actions above or below those
associated with the final risk score
Risk Score Necessary Action
High Notify and provide remedy
Medium Notify only
Low Monitor only
Timing of Notification
Notice will be provided within a reasonable time following the discovery of a breach consistent with the legitimate
needs of law enforcement and any measures necessary for the Census Bureau to determine the scope of the breach
and if applicable to restore the reasonable integrity of the systemprocess that was compromised
In some circumstances law enforcement considerations may require a delay in notification if the investigation of
the breach or of an individual affected by the breach requires it and notification would seriously impede the
investigation The delay should not exacerbate risk or harm to any affected individual(s) or be tied to the
completion of the investigation but rather be based on whether it would seriously impede the investigation to
provide the notice promptly
Responsibility for Notification
The notice should come from a senior BD Mortgage Group LLC representative
BD MORTGAGE GROUP LLC 22
Content of Notification
The notice must be clear concise conspicuous easy-to-understand in plain language and should include the
following elements
bull A brief description of what happened including the date(s) of the breach and its discovery
bull A description of the types of personal information that were involved in the breach (eg full name Social
Security number date of birth home address account number disability code etc) to the extent possible
bull What steps if any an individual should take to protect himself from potential harm
bull What BD Mortgage Group LLC is doing if anything to investigate the breach to mitigate losses and to
protect against any further breaches
bull Who and how affected individuals should contact BD Mortgage Group LLC for more information including
a toll-free telephone number e-mail address and postal address
bull Direction to additional guidance available from the Federal Trade Commission at
httpwwwconsumergovidtheft
Minimizing your risk at httpwwwconsumergovidtheftcon_minimizehtm
Publications at httpwwwconsumergovidtheftcon_pubshtm
Method of Communication
Notice of the breach will be provided commensurate to the number of individuals affected by the breach and the
availability of contact information BD Mortgage Group LLC has for the affected individuals Correspondence
must be prominently marked on the exterior reflecting the importance of the communication to help ensure the
recipient does not discard or otherwise ignore the notification
In general the primary means of notification will be by first-class mail to the last known mailing address of the
individual based on BD Mortgage Group LLC records
Where we have reason to believe that the address is no longer current reasonable efforts will be made to update
the address using the US Postal Service National Change of Address (NCOA) database
Substitute notice may be made in instances where BD Mortgage Group LLC does not have sufficient contact
information for those who need to be notified In such instances notice may consist of a conspicuous posting of
the notice on the companyrsquos home page of its web site and include additional information in a Frequently Asked
Questions (FAQ)
BD MORTGAGE GROUP LLC 23
Process for Remediation of a Breach
Remedy is provided when the risk score is High
Credit Monitoring Data Breach Risk Packages (ie Lifelock)
Low Risk Package Low Risk Package Includes
1048707 Social Security Credit Card and 1 Bureau Credit Report Monitoring 1048707 3 Bureau Initial Fraud Alert 1048707 Credit Card Registry 1048707 Online Identity Theft Assistance 1048707 24 x 7 Customer Support
Medium Risk Package Medium Risk includes Low Risk benefits plus 1048707 Instant 1 Bureau Credit Report 1048707 Instant 1 Bureau Credit Score 1048707 Personal Information Directory Monitoring and Deletion 1048707 Identity Theft Consumer Guide 1048707 $25000 ($0 deductible) Identity Theft Insurance
High Risk Package High Risk includes Medium Risk benefits plus 1048707 3 Bureau Credit Report Monitoring 1048707 Instant 3 in 1 Credit Report 1048707 Instant 3 Bureau Credit Scores 1048707 Fraud Resolution amp Identity Restoration Specialist
BD MORTGAGE GROUP LLC 24
Reporting a Data Breach
Security Breach Notification Laws have been enacted in most US states since 2002 These laws were enacted in
response to an escalating number of breaches of consumer databases containing personally identifiable
information The first such law the California data security breach notification law was enacted in 2002 and
became effective on July 1 2003 As related in the bill statement law requires a state agency or a person or
business that conducts business in California that owns or licenses computerized data that includes personal
information as defined to disclose in specified ways any breach of the security of the data as defined to any
resident of California whose unencrypted personal information was or is reasonably believed to have been
acquired by an unauthorized person In addition the law permits delayed notification if a law enforcement
agency determines that it would impede a criminal investigation The law also requires any entity that licenses
such information to notify the owner or licensee of the information of any breach in the security of the data
The California law has been the model for the enactment of similar laws in other states The National Conference
of State Legislatures maintains a list of enacted and proposed security breach notification laws
BD MORTGAGE GROUP LLC 25
BD MORTGAGE GROUP LLC 26
2-90-29 - Information Security Audit
To ensure security of our systems and that we comply with rules for customer information security we conduct
an annual audit of our information technology systems A provider qualified to review our independent
information technology in conjunction with mortgage procedures must conduct this audit
Since we do not have any proprietary information technology but utilize software and services provided by
vendors exclusively we rely on the qualified audits of the technology provided by these vendors This is
conducted in conjunction with our annual vendor approval process
Vendor Category Vendor Name Information Tech Cert Date
Loan Origination System
E-Disclosure
Data Back-up
Web 1003 Application
Pricing and Eligibility
Document Management
E-Fax
Voice-MailTelephony
NetworkInternet Service
Office SupportCleanerLandlord
Courier
In addition we assume that other licensed entities with which we do business have had their plans reviewed and
found acceptable Consequently we do not audit our mortgage lender business partners
Internal Policies for Information Security Management
In addition to these procedures please refer to our internal Information Security Plan and Red Flags for our
ongoing Information Security procedures
BD MORTGAGE GROUP LLC 13
Electronic Communication
Email is a business communication tool and users are obliged to use this tool in a responsible effective and lawful
manner Although by its nature email seems to be less formal than other written communication the same laws
apply Therefore it is important that users are aware of the legal risks of e-mail
By following the guidelines in this policy the email user can minimize the legal risks involved in the use of e-
mail If any user disregards the rules set out in this Email Policy the user will be fully liable and BD Mortgage
Group LLC will disassociate itself from the user as far as legally possible
The following rules are required by law and are to be strictly adhered to
bull It is strictly prohibited to send or forward emails containing libelous defamatory offensive racist or
obscene remarks If you receive an e-mail of this nature you must promptly notify your supervisor
bull Do not forward a message without acquiring permission from the sender first
bull Do not send unsolicited email messages
bull Do not forge or attempt to forge email messages
bull Do not send email messages using another personrsquos email account
bull Do not copy a message or attachment belonging to another user without permission of the originator
bull Do not disguise or attempt to disguise your identity when sending mail
Best Practices
BD Mortgage Group LLC considers email as an important means of communication and recognizes the
importance of proper email content and speedy replies in conveying a professional image and delivering good
customer service Therefore BD Mortgage Group LLC wishes users to adhere to the following guidelines
Writing emails
bull Signatures must include your name job title and BD Mortgage Group LLC A disclaimer will be added
underneath your signature (see Disclaimer)
bull Use the spell checker before you send out an email
bull Do not send unnecessary attachments Compress attachments larger than 200K before sending them
bull Do not write emails in capitals
bull Do not use cc or bcc fields unless the cc or bcc recipient is aware that you will be copying a mail to
himher and knows what action if any to take
bull If you forward mails state clearly what action you expect the recipient to take
bull Only send emails of which the content could be displayed on a public notice board If they cannot be
displayed publicly in their current state consider rephrasing the email using other means of
communication or protecting information by using a password (see confidential)
bull Only mark emails as important if they really are important
Replying to emails
Emails should be answered within at least 8 working hours but users must endeavor to answer priority emails
within 4 hours
Priority emails are emails from existing customers and business partners
BD MORTGAGE GROUP LLC 14
Newsgroups
Users need to request permission from their supervisor before subscribing to a newsletter or news group
Maintenance
Delete any email messages that you do not need to have a copy of and set your email client to automatically
empty your lsquodeleted itemsrsquo on closing
Personal Use
Although BD Mortgage Group LLC email system is meant for business use BD Mortgage Group LLC allows
the reasonable use of email for personal use if certain guidelines are adhered to
bull Personal use of email should not interfere with work
bull Personal emails must also adhere to the guidelines in this policy
bull Personal emails are kept in a separate folder named lsquoPrivatersquo The emails in this folder must be deleted weekly
so as not to clog up the system
bull The forwarding of chain letters junk mail jokes and executables is strictly forbidden
bull On average users are not allowed to send more than 2 personal emails a day
bull Do not send mass mailings
bull All messages distributed via the companyrsquos email system even personal emails are BD Mortgage Group
LLCrsquos property
Confidential Information
Avoid sending confidential information by e-mail If you do you must secure the information by including it in
a Microsoft Word Excel or PDF file and protect it with a password Then provide the recipient with the password
by means of other communication for instance by telephone
Disclaimer
The following disclaimer will be added to each outgoing email
lsquoThis email and any files transmitted with it are confidential and intended solely for the use of the individual or
entity to which they are addressed If you have received this email in error please notify the system manager
Please note that any views or opinions presented in this email are solely those of the author and do not necessarily
represent those of the company Finally the recipient should check this email and any attachments for the presence
of viruses The company accepts no liability for any damage caused by any virus transmitted by this emailrsquo
System Monitoring
You must have no expectation of privacy in anything you create store send or receive on the companyrsquos computer
system Your emails can be monitored without prior notification if BD Mortgage Group LLC deems this
necessary If there is evidence that you are not adhering to the guidelines set out in this policy the BD Mortgage
Group LLC reserves the right to take disciplinary action including termination andor legal action
BD MORTGAGE GROUP LLC 15
Secure Fax Transmission
The legacy of fax transmission in the mortgage industry is long The risk of using fax transmissions is that the
sender has no idea whether the recipient is attending to the machine while the document is being received printed
and then available for viewing In order to prevent the compromise of secure information never send information
to an unattended facsimile machine If you can confirm that the recipient is standing at the machine it is acceptable
to proceed with communications in this manner
Alternatively we can provide an ldquoE-faxrdquo account for individual users This allows the transmission of facsimiles
via e-mail to a secure login account
For transmitting paper documents always create a password protected document and deliver the password to the
recipient using a different method of communication such as the telephone
Secure Telephone Communications
Vishing is the criminal practice of using social engineering and Voice over IP (VoIP) to gain access to private
personal and financial information from the public for the purpose of financial reward The term is a combination
of voice and phishing Vishing exploits the publics trust in landline telephone services which have traditionally
terminated in physical locations which are known to the telephone company and associated with a bill-payer
The victim is often unaware that VoIP allows for caller ID spoofing inexpensive complex automated systems
and anonymity for the bill-payer Vishing is typically used to steal credit card numbers or other information used
in identity theft schemes from individuals
According to the FBIs Internet Crime Complaint Center (IC3) the number of vishing complaints received by
the center is increasing at what it calls an alarming rate Vishing and phishing are related and both rely on e-
mail as a means of delivering bait but the two use different hooks in order to snag user data
Vishing starts with an e-mail like phishing but requests that end-users contact a particular institution by phone
in order to resolve an issue or re-secure personal data People who call the provided number will be asked to
provide the same types of data phishers attempt to procure Ironically vishing e-mails may even attempt to
reassure recipients of their legitimacy by stating that the institution in question would never request customer
financial data via e-mail or IM
As always the best defense against phishing or vishing is a little common sense If your bank or other financial
institution with which you are affiliated contacts you requesting personal data hang up (or call them) using only
the number provided on the back of your card or official statement If you cant get confirmation that the request
is actually legitimate dont follow up on it
BD MORTGAGE GROUP LLC 16
Social Engineering Scams ndash Internal and External Prevention
One of the most prevalent forms of online scams is referred to as a seemingly benign term social engineering
This practice which is sometimes referred to as phishing refers to using trickery to get people to voluntarily
hand over critical information such as usernames or passwords
In many cases spam filters can easily detect the clumsier social engineering efforts and thus spare computer
users from grief However there are a growing number of sophisticated efforts that are crafted to circumvent the
spam filters - and unsuspecting customers that click into these cleverly disguised emails run the risk of facing
serious repercussions
Social engineering attacks mimic an email notification from a well-known and trusted source financial
institutions LinkedIn PayPal the Better Business Bureau Facebook and so forth The attackers create an email
that looks exactly like the normal system notices that are sent out by those entities but they change the links to
hit their own servers
The most classic example is an email that sends a dire notice with a link to login and check on a potential problem
When a person clicks on the link it takes him or her to a page on the cyber attackerrsquos servers that looks just like
the well-known entitys login page
When a person enters his or her username and password this information is stored in a database on the phony
server while an error box appears that says Invalid username or password please try again This error box
message comes with an OK button that when clicked redirects the person to the real login page
People may not realize there is a problem because passwords are obscured with asterisks so it is natural to assume
there was a typo during the initial password entry However the miscreants now have the persons username and
password
So what does this mean to mortgage bankers if someone gets tricked into thinking a social engineering scam
message really came from Facebook or LinkedIn Quite simply many people have the same usernames and
passwords for multiple websites Thus a person who has unwittingly surrendered his or her personal information
for a Facebook page might not realize that the social engineering scam artists could later use that information to
gain access to online mortgage banking accounts
BD Mortgage Group LLC needs to take a proactive approach in educating customers on how to identify potential
scams that pop up in their email in-boxes Here are some safety tips we send out to all customers
1 Dont click links from emails Instead open a Web browser and specifically go to the site in question and login
directly It is not common for financial institutions to have a click here to login link within their email
communications
2 Be suspicious of serious warnings and dollar amounts posted directly in emails Financial services companies
are not in the habit of sending customers panic-inducing messages of low account balances or other account
discrepancies with details plainly shown in the email Warnings are more discreet and merely direct the customer
to go log in for details
3 Use mouse-overs to view a link before clicking Although not all email software and hardware devices support
them a mouse-over can quickly and easily identify the links within an email message
4 Try not to use the same password at multiple sites Use a password program to store and remember online
access data
BD MORTGAGE GROUP LLC 17
5 Routinely update passwords Updating passwords even once a year is an easy way to stay one step ahead of
the social engineering scammers
Invite customers who are in doubt about the veracity of emails to forward them to BD Mortgage Group LLC for
verification Several sites that have been the subject of social engineering scams including eBay and PayPal have
special email accounts that receive review and keep track of these online frauds These spoof-checking efforts
will help empower the customer to ensure that BD Mortgage Group LLC does not become the victim of the next
big Internet fraud
BD MORTGAGE GROUP LLC 18
Data Breach Policy Implementation Guide
The response to any breach of personally identifiable information (PII) can have a critical impact on the BD
Mortgage Group LLCrsquos reputation and how trustworthy the public perceives the company Thus exceptional care
must be taken when responding to data breach incidents Not all incidents result in data breaches and not all data
breaches require notification This guide is to assist the Data Breach Team in developing an appropriate response
to a data breach based on the specific characteristics of the incident
Background
This Data Breach Policy Implementation Guide is based on the Presidentrsquos Identity Theft Task Force
recommendations that provide a menu of steps for the company to consider so that it may pursue a risk-based
tailored response to data breach incidents
Definition of Breach
A breach is a loss of control compromise unauthorized disclosure unauthorized acquisition unauthorized
access or any similar term referring to situations where persons other than authorized users and for an authorized
purpose have access or potential access to PII in usable form whether physical or electronic
Reporting Breaches and Breach Response Team
Breach is immediately reported to
bull Chief Privacy Officer (CPO)
bull Chief Information Officer (CIO)
bull Chief IT Security Office (ITSO)
bull Associate Director for Communications
bull Chief Office of Analysis and Executive Support (OAES)
bull As warranted
bull Chief Office of Security
bull General Counsel
bull Law Enforcement
Risk Assessment Process
Risk is a function of the probability or likelihood of a privacy violation and the resulting impact of that violation
To assign a risk score assess the probability of the event (data breach) occurring and then assess the impact or
harm caused to an individual and our organization in its ability to achieve its mission
BD MORTGAGE GROUP LLC 19
Likelihood Likelihood Definition
High (H) The nature of the attack and the data indicate that the motivation is criminal intent the security of the data and controls to minimize the likelihood of a privacy violation are ineffective
Medium (M)
The nature of the attack and data indicate that the motivation could be criminal intent but controls are in place that may impede success
Low (L) The nature of the attack and data do not indicate criminal intent and security and controls are in place to prevent or at least significantly impede the likelihood of a privacy violation
To assess likelihood of a breach occurring consider five factors
1 How the loss occurred
2 Data elements breached
3 Ability to access the data - the likelihood the personal information will be or has been compromised ndash made
accessible to and usable by unauthorized persons
4 Ability to mitigate the risk of harm
5 Evidence of data being used for identity theft or other harm
1 How Loss Occurred
H - Online system hacked
H - Data was targeted
M - Device was targeted
M - Device stolen
L - Device lost
2 Data Elements Breached
H - Social Security Number
H - Biometric record
H - Financial account number
H - PIN or security code for financial account
H - Health data
M - Birthdate
M - Government Issued Identification Number (drivers license etc)
L - Name
L - Address
L - Telephone Number
A combination of identifying information and financial or security information should always be considered a
high risk with high likelihood of harm occurring
3 Ability to access data
H ndash paper records or electronic records in a spreadsheet that is not password protected
M ndash electronic records that are password protected only
L ndash electronic records that are password protected and encrypted
4 Ability to mitigate the risk of harm
H ndash no recovery of data
M ndash partial recovery of data
L ndash recovery of data prior to use
BD MORTGAGE GROUP LLC 20
5 Evidence of data being used for identity theft or other harm
H ndash Data published on the web
M ndash Data accessed but no direct evidence of use
L ndash No tangible evidence of data use
After evaluating each factor and assigning an overall probability or likelihood of a breach occurring review and
assess the impact or harm to an individual or our organization
Impact Rating
Impact Definition
High Event (1) may result in human death or serious injury or harm to individual (2) may result in high costs to organization or (3) may significantly violate harm or impede an organizationrsquos mission reputation or interest
Medium Event (1) may result in injury or harm to the individual (2) may result in costs to the organization or (3) may violate harm or impede an organizationrsquos mission reputation or interest
Low Event (1) may result in the loss of some tangible organizational assets or resources or (2) may noticeably affect an organizationrsquos mission reputation or interest
The impact depends on the extent to which the breach poses a risk of identity theft or other substantial harm to an
individual such as embarrassment inconvenience unfairness harm to reputation or the potential for harassment
or prejudice particularly when health or financial benefits information is involved
Financial considerations can be factored in when determining the impact on our organization For instance credit
monitoring is generally estimated at $20 per year per case (individual) The costs associated with implementing
a call center including staff salaries may also be a factor Alternatively the cost of contracting for this service
could be a factor
BD MORTGAGE GROUP LLC 21
Assigning Risk Score
The risk score is determined by cross-referencing the likelihood score with the impact score
Likelihood Impact
Low Medium High
High Medium High High
Medium Low Medium High
Low Low Low Medium
Notification of Individuals
The risk score assigned will help determine if and when we should provide notification If the likelihood of risk
is low there could be more harm or impact on the individual if notification is provided due to the actions the
notified individual may take Thus notification must be weighed with the likelihood of risk No notification may
be required when the risk levels of each of the five factors is low If the likelihood of risk is high and the level of
impact or harm to the individual is medium notification and remedy may be required Alternatively if the
likelihood of risk is low and the level of impact or harm to the individual is high notification only may be required
If the five factors are considered appropriately it is more likely that notification will only be given in those
instances where there is a reasonable risk of harm and will not lead to the overuse of notification and thus the
associated further complications to the individual
Thus consideration should be given to all factors when determining final actions to take when addressing each
incident The table below should only be used as guide and conditions may warrant actions above or below those
associated with the final risk score
Risk Score Necessary Action
High Notify and provide remedy
Medium Notify only
Low Monitor only
Timing of Notification
Notice will be provided within a reasonable time following the discovery of a breach consistent with the legitimate
needs of law enforcement and any measures necessary for the Census Bureau to determine the scope of the breach
and if applicable to restore the reasonable integrity of the systemprocess that was compromised
In some circumstances law enforcement considerations may require a delay in notification if the investigation of
the breach or of an individual affected by the breach requires it and notification would seriously impede the
investigation The delay should not exacerbate risk or harm to any affected individual(s) or be tied to the
completion of the investigation but rather be based on whether it would seriously impede the investigation to
provide the notice promptly
Responsibility for Notification
The notice should come from a senior BD Mortgage Group LLC representative
BD MORTGAGE GROUP LLC 22
Content of Notification
The notice must be clear concise conspicuous easy-to-understand in plain language and should include the
following elements
bull A brief description of what happened including the date(s) of the breach and its discovery
bull A description of the types of personal information that were involved in the breach (eg full name Social
Security number date of birth home address account number disability code etc) to the extent possible
bull What steps if any an individual should take to protect himself from potential harm
bull What BD Mortgage Group LLC is doing if anything to investigate the breach to mitigate losses and to
protect against any further breaches
bull Who and how affected individuals should contact BD Mortgage Group LLC for more information including
a toll-free telephone number e-mail address and postal address
bull Direction to additional guidance available from the Federal Trade Commission at
httpwwwconsumergovidtheft
Minimizing your risk at httpwwwconsumergovidtheftcon_minimizehtm
Publications at httpwwwconsumergovidtheftcon_pubshtm
Method of Communication
Notice of the breach will be provided commensurate to the number of individuals affected by the breach and the
availability of contact information BD Mortgage Group LLC has for the affected individuals Correspondence
must be prominently marked on the exterior reflecting the importance of the communication to help ensure the
recipient does not discard or otherwise ignore the notification
In general the primary means of notification will be by first-class mail to the last known mailing address of the
individual based on BD Mortgage Group LLC records
Where we have reason to believe that the address is no longer current reasonable efforts will be made to update
the address using the US Postal Service National Change of Address (NCOA) database
Substitute notice may be made in instances where BD Mortgage Group LLC does not have sufficient contact
information for those who need to be notified In such instances notice may consist of a conspicuous posting of
the notice on the companyrsquos home page of its web site and include additional information in a Frequently Asked
Questions (FAQ)
BD MORTGAGE GROUP LLC 23
Process for Remediation of a Breach
Remedy is provided when the risk score is High
Credit Monitoring Data Breach Risk Packages (ie Lifelock)
Low Risk Package Low Risk Package Includes
1048707 Social Security Credit Card and 1 Bureau Credit Report Monitoring 1048707 3 Bureau Initial Fraud Alert 1048707 Credit Card Registry 1048707 Online Identity Theft Assistance 1048707 24 x 7 Customer Support
Medium Risk Package Medium Risk includes Low Risk benefits plus 1048707 Instant 1 Bureau Credit Report 1048707 Instant 1 Bureau Credit Score 1048707 Personal Information Directory Monitoring and Deletion 1048707 Identity Theft Consumer Guide 1048707 $25000 ($0 deductible) Identity Theft Insurance
High Risk Package High Risk includes Medium Risk benefits plus 1048707 3 Bureau Credit Report Monitoring 1048707 Instant 3 in 1 Credit Report 1048707 Instant 3 Bureau Credit Scores 1048707 Fraud Resolution amp Identity Restoration Specialist
BD MORTGAGE GROUP LLC 24
Reporting a Data Breach
Security Breach Notification Laws have been enacted in most US states since 2002 These laws were enacted in
response to an escalating number of breaches of consumer databases containing personally identifiable
information The first such law the California data security breach notification law was enacted in 2002 and
became effective on July 1 2003 As related in the bill statement law requires a state agency or a person or
business that conducts business in California that owns or licenses computerized data that includes personal
information as defined to disclose in specified ways any breach of the security of the data as defined to any
resident of California whose unencrypted personal information was or is reasonably believed to have been
acquired by an unauthorized person In addition the law permits delayed notification if a law enforcement
agency determines that it would impede a criminal investigation The law also requires any entity that licenses
such information to notify the owner or licensee of the information of any breach in the security of the data
The California law has been the model for the enactment of similar laws in other states The National Conference
of State Legislatures maintains a list of enacted and proposed security breach notification laws
BD MORTGAGE GROUP LLC 25
BD MORTGAGE GROUP LLC 26
2-90-29 - Information Security Audit
To ensure security of our systems and that we comply with rules for customer information security we conduct
an annual audit of our information technology systems A provider qualified to review our independent
information technology in conjunction with mortgage procedures must conduct this audit
Since we do not have any proprietary information technology but utilize software and services provided by
vendors exclusively we rely on the qualified audits of the technology provided by these vendors This is
conducted in conjunction with our annual vendor approval process
Vendor Category Vendor Name Information Tech Cert Date
Loan Origination System
E-Disclosure
Data Back-up
Web 1003 Application
Pricing and Eligibility
Document Management
E-Fax
Voice-MailTelephony
NetworkInternet Service
Office SupportCleanerLandlord
Courier
In addition we assume that other licensed entities with which we do business have had their plans reviewed and
found acceptable Consequently we do not audit our mortgage lender business partners
Internal Policies for Information Security Management
In addition to these procedures please refer to our internal Information Security Plan and Red Flags for our
ongoing Information Security procedures
BD MORTGAGE GROUP LLC 14
Newsgroups
Users need to request permission from their supervisor before subscribing to a newsletter or news group
Maintenance
Delete any email messages that you do not need to have a copy of and set your email client to automatically
empty your lsquodeleted itemsrsquo on closing
Personal Use
Although BD Mortgage Group LLC email system is meant for business use BD Mortgage Group LLC allows
the reasonable use of email for personal use if certain guidelines are adhered to
bull Personal use of email should not interfere with work
bull Personal emails must also adhere to the guidelines in this policy
bull Personal emails are kept in a separate folder named lsquoPrivatersquo The emails in this folder must be deleted weekly
so as not to clog up the system
bull The forwarding of chain letters junk mail jokes and executables is strictly forbidden
bull On average users are not allowed to send more than 2 personal emails a day
bull Do not send mass mailings
bull All messages distributed via the companyrsquos email system even personal emails are BD Mortgage Group
LLCrsquos property
Confidential Information
Avoid sending confidential information by e-mail If you do you must secure the information by including it in
a Microsoft Word Excel or PDF file and protect it with a password Then provide the recipient with the password
by means of other communication for instance by telephone
Disclaimer
The following disclaimer will be added to each outgoing email
lsquoThis email and any files transmitted with it are confidential and intended solely for the use of the individual or
entity to which they are addressed If you have received this email in error please notify the system manager
Please note that any views or opinions presented in this email are solely those of the author and do not necessarily
represent those of the company Finally the recipient should check this email and any attachments for the presence
of viruses The company accepts no liability for any damage caused by any virus transmitted by this emailrsquo
System Monitoring
You must have no expectation of privacy in anything you create store send or receive on the companyrsquos computer
system Your emails can be monitored without prior notification if BD Mortgage Group LLC deems this
necessary If there is evidence that you are not adhering to the guidelines set out in this policy the BD Mortgage
Group LLC reserves the right to take disciplinary action including termination andor legal action
BD MORTGAGE GROUP LLC 15
Secure Fax Transmission
The legacy of fax transmission in the mortgage industry is long The risk of using fax transmissions is that the
sender has no idea whether the recipient is attending to the machine while the document is being received printed
and then available for viewing In order to prevent the compromise of secure information never send information
to an unattended facsimile machine If you can confirm that the recipient is standing at the machine it is acceptable
to proceed with communications in this manner
Alternatively we can provide an ldquoE-faxrdquo account for individual users This allows the transmission of facsimiles
via e-mail to a secure login account
For transmitting paper documents always create a password protected document and deliver the password to the
recipient using a different method of communication such as the telephone
Secure Telephone Communications
Vishing is the criminal practice of using social engineering and Voice over IP (VoIP) to gain access to private
personal and financial information from the public for the purpose of financial reward The term is a combination
of voice and phishing Vishing exploits the publics trust in landline telephone services which have traditionally
terminated in physical locations which are known to the telephone company and associated with a bill-payer
The victim is often unaware that VoIP allows for caller ID spoofing inexpensive complex automated systems
and anonymity for the bill-payer Vishing is typically used to steal credit card numbers or other information used
in identity theft schemes from individuals
According to the FBIs Internet Crime Complaint Center (IC3) the number of vishing complaints received by
the center is increasing at what it calls an alarming rate Vishing and phishing are related and both rely on e-
mail as a means of delivering bait but the two use different hooks in order to snag user data
Vishing starts with an e-mail like phishing but requests that end-users contact a particular institution by phone
in order to resolve an issue or re-secure personal data People who call the provided number will be asked to
provide the same types of data phishers attempt to procure Ironically vishing e-mails may even attempt to
reassure recipients of their legitimacy by stating that the institution in question would never request customer
financial data via e-mail or IM
As always the best defense against phishing or vishing is a little common sense If your bank or other financial
institution with which you are affiliated contacts you requesting personal data hang up (or call them) using only
the number provided on the back of your card or official statement If you cant get confirmation that the request
is actually legitimate dont follow up on it
BD MORTGAGE GROUP LLC 16
Social Engineering Scams ndash Internal and External Prevention
One of the most prevalent forms of online scams is referred to as a seemingly benign term social engineering
This practice which is sometimes referred to as phishing refers to using trickery to get people to voluntarily
hand over critical information such as usernames or passwords
In many cases spam filters can easily detect the clumsier social engineering efforts and thus spare computer
users from grief However there are a growing number of sophisticated efforts that are crafted to circumvent the
spam filters - and unsuspecting customers that click into these cleverly disguised emails run the risk of facing
serious repercussions
Social engineering attacks mimic an email notification from a well-known and trusted source financial
institutions LinkedIn PayPal the Better Business Bureau Facebook and so forth The attackers create an email
that looks exactly like the normal system notices that are sent out by those entities but they change the links to
hit their own servers
The most classic example is an email that sends a dire notice with a link to login and check on a potential problem
When a person clicks on the link it takes him or her to a page on the cyber attackerrsquos servers that looks just like
the well-known entitys login page
When a person enters his or her username and password this information is stored in a database on the phony
server while an error box appears that says Invalid username or password please try again This error box
message comes with an OK button that when clicked redirects the person to the real login page
People may not realize there is a problem because passwords are obscured with asterisks so it is natural to assume
there was a typo during the initial password entry However the miscreants now have the persons username and
password
So what does this mean to mortgage bankers if someone gets tricked into thinking a social engineering scam
message really came from Facebook or LinkedIn Quite simply many people have the same usernames and
passwords for multiple websites Thus a person who has unwittingly surrendered his or her personal information
for a Facebook page might not realize that the social engineering scam artists could later use that information to
gain access to online mortgage banking accounts
BD Mortgage Group LLC needs to take a proactive approach in educating customers on how to identify potential
scams that pop up in their email in-boxes Here are some safety tips we send out to all customers
1 Dont click links from emails Instead open a Web browser and specifically go to the site in question and login
directly It is not common for financial institutions to have a click here to login link within their email
communications
2 Be suspicious of serious warnings and dollar amounts posted directly in emails Financial services companies
are not in the habit of sending customers panic-inducing messages of low account balances or other account
discrepancies with details plainly shown in the email Warnings are more discreet and merely direct the customer
to go log in for details
3 Use mouse-overs to view a link before clicking Although not all email software and hardware devices support
them a mouse-over can quickly and easily identify the links within an email message
4 Try not to use the same password at multiple sites Use a password program to store and remember online
access data
BD MORTGAGE GROUP LLC 17
5 Routinely update passwords Updating passwords even once a year is an easy way to stay one step ahead of
the social engineering scammers
Invite customers who are in doubt about the veracity of emails to forward them to BD Mortgage Group LLC for
verification Several sites that have been the subject of social engineering scams including eBay and PayPal have
special email accounts that receive review and keep track of these online frauds These spoof-checking efforts
will help empower the customer to ensure that BD Mortgage Group LLC does not become the victim of the next
big Internet fraud
BD MORTGAGE GROUP LLC 18
Data Breach Policy Implementation Guide
The response to any breach of personally identifiable information (PII) can have a critical impact on the BD
Mortgage Group LLCrsquos reputation and how trustworthy the public perceives the company Thus exceptional care
must be taken when responding to data breach incidents Not all incidents result in data breaches and not all data
breaches require notification This guide is to assist the Data Breach Team in developing an appropriate response
to a data breach based on the specific characteristics of the incident
Background
This Data Breach Policy Implementation Guide is based on the Presidentrsquos Identity Theft Task Force
recommendations that provide a menu of steps for the company to consider so that it may pursue a risk-based
tailored response to data breach incidents
Definition of Breach
A breach is a loss of control compromise unauthorized disclosure unauthorized acquisition unauthorized
access or any similar term referring to situations where persons other than authorized users and for an authorized
purpose have access or potential access to PII in usable form whether physical or electronic
Reporting Breaches and Breach Response Team
Breach is immediately reported to
bull Chief Privacy Officer (CPO)
bull Chief Information Officer (CIO)
bull Chief IT Security Office (ITSO)
bull Associate Director for Communications
bull Chief Office of Analysis and Executive Support (OAES)
bull As warranted
bull Chief Office of Security
bull General Counsel
bull Law Enforcement
Risk Assessment Process
Risk is a function of the probability or likelihood of a privacy violation and the resulting impact of that violation
To assign a risk score assess the probability of the event (data breach) occurring and then assess the impact or
harm caused to an individual and our organization in its ability to achieve its mission
BD MORTGAGE GROUP LLC 19
Likelihood Likelihood Definition
High (H) The nature of the attack and the data indicate that the motivation is criminal intent the security of the data and controls to minimize the likelihood of a privacy violation are ineffective
Medium (M)
The nature of the attack and data indicate that the motivation could be criminal intent but controls are in place that may impede success
Low (L) The nature of the attack and data do not indicate criminal intent and security and controls are in place to prevent or at least significantly impede the likelihood of a privacy violation
To assess likelihood of a breach occurring consider five factors
1 How the loss occurred
2 Data elements breached
3 Ability to access the data - the likelihood the personal information will be or has been compromised ndash made
accessible to and usable by unauthorized persons
4 Ability to mitigate the risk of harm
5 Evidence of data being used for identity theft or other harm
1 How Loss Occurred
H - Online system hacked
H - Data was targeted
M - Device was targeted
M - Device stolen
L - Device lost
2 Data Elements Breached
H - Social Security Number
H - Biometric record
H - Financial account number
H - PIN or security code for financial account
H - Health data
M - Birthdate
M - Government Issued Identification Number (drivers license etc)
L - Name
L - Address
L - Telephone Number
A combination of identifying information and financial or security information should always be considered a
high risk with high likelihood of harm occurring
3 Ability to access data
H ndash paper records or electronic records in a spreadsheet that is not password protected
M ndash electronic records that are password protected only
L ndash electronic records that are password protected and encrypted
4 Ability to mitigate the risk of harm
H ndash no recovery of data
M ndash partial recovery of data
L ndash recovery of data prior to use
BD MORTGAGE GROUP LLC 20
5 Evidence of data being used for identity theft or other harm
H ndash Data published on the web
M ndash Data accessed but no direct evidence of use
L ndash No tangible evidence of data use
After evaluating each factor and assigning an overall probability or likelihood of a breach occurring review and
assess the impact or harm to an individual or our organization
Impact Rating
Impact Definition
High Event (1) may result in human death or serious injury or harm to individual (2) may result in high costs to organization or (3) may significantly violate harm or impede an organizationrsquos mission reputation or interest
Medium Event (1) may result in injury or harm to the individual (2) may result in costs to the organization or (3) may violate harm or impede an organizationrsquos mission reputation or interest
Low Event (1) may result in the loss of some tangible organizational assets or resources or (2) may noticeably affect an organizationrsquos mission reputation or interest
The impact depends on the extent to which the breach poses a risk of identity theft or other substantial harm to an
individual such as embarrassment inconvenience unfairness harm to reputation or the potential for harassment
or prejudice particularly when health or financial benefits information is involved
Financial considerations can be factored in when determining the impact on our organization For instance credit
monitoring is generally estimated at $20 per year per case (individual) The costs associated with implementing
a call center including staff salaries may also be a factor Alternatively the cost of contracting for this service
could be a factor
BD MORTGAGE GROUP LLC 21
Assigning Risk Score
The risk score is determined by cross-referencing the likelihood score with the impact score
Likelihood Impact
Low Medium High
High Medium High High
Medium Low Medium High
Low Low Low Medium
Notification of Individuals
The risk score assigned will help determine if and when we should provide notification If the likelihood of risk
is low there could be more harm or impact on the individual if notification is provided due to the actions the
notified individual may take Thus notification must be weighed with the likelihood of risk No notification may
be required when the risk levels of each of the five factors is low If the likelihood of risk is high and the level of
impact or harm to the individual is medium notification and remedy may be required Alternatively if the
likelihood of risk is low and the level of impact or harm to the individual is high notification only may be required
If the five factors are considered appropriately it is more likely that notification will only be given in those
instances where there is a reasonable risk of harm and will not lead to the overuse of notification and thus the
associated further complications to the individual
Thus consideration should be given to all factors when determining final actions to take when addressing each
incident The table below should only be used as guide and conditions may warrant actions above or below those
associated with the final risk score
Risk Score Necessary Action
High Notify and provide remedy
Medium Notify only
Low Monitor only
Timing of Notification
Notice will be provided within a reasonable time following the discovery of a breach consistent with the legitimate
needs of law enforcement and any measures necessary for the Census Bureau to determine the scope of the breach
and if applicable to restore the reasonable integrity of the systemprocess that was compromised
In some circumstances law enforcement considerations may require a delay in notification if the investigation of
the breach or of an individual affected by the breach requires it and notification would seriously impede the
investigation The delay should not exacerbate risk or harm to any affected individual(s) or be tied to the
completion of the investigation but rather be based on whether it would seriously impede the investigation to
provide the notice promptly
Responsibility for Notification
The notice should come from a senior BD Mortgage Group LLC representative
BD MORTGAGE GROUP LLC 22
Content of Notification
The notice must be clear concise conspicuous easy-to-understand in plain language and should include the
following elements
bull A brief description of what happened including the date(s) of the breach and its discovery
bull A description of the types of personal information that were involved in the breach (eg full name Social
Security number date of birth home address account number disability code etc) to the extent possible
bull What steps if any an individual should take to protect himself from potential harm
bull What BD Mortgage Group LLC is doing if anything to investigate the breach to mitigate losses and to
protect against any further breaches
bull Who and how affected individuals should contact BD Mortgage Group LLC for more information including
a toll-free telephone number e-mail address and postal address
bull Direction to additional guidance available from the Federal Trade Commission at
httpwwwconsumergovidtheft
Minimizing your risk at httpwwwconsumergovidtheftcon_minimizehtm
Publications at httpwwwconsumergovidtheftcon_pubshtm
Method of Communication
Notice of the breach will be provided commensurate to the number of individuals affected by the breach and the
availability of contact information BD Mortgage Group LLC has for the affected individuals Correspondence
must be prominently marked on the exterior reflecting the importance of the communication to help ensure the
recipient does not discard or otherwise ignore the notification
In general the primary means of notification will be by first-class mail to the last known mailing address of the
individual based on BD Mortgage Group LLC records
Where we have reason to believe that the address is no longer current reasonable efforts will be made to update
the address using the US Postal Service National Change of Address (NCOA) database
Substitute notice may be made in instances where BD Mortgage Group LLC does not have sufficient contact
information for those who need to be notified In such instances notice may consist of a conspicuous posting of
the notice on the companyrsquos home page of its web site and include additional information in a Frequently Asked
Questions (FAQ)
BD MORTGAGE GROUP LLC 23
Process for Remediation of a Breach
Remedy is provided when the risk score is High
Credit Monitoring Data Breach Risk Packages (ie Lifelock)
Low Risk Package Low Risk Package Includes
1048707 Social Security Credit Card and 1 Bureau Credit Report Monitoring 1048707 3 Bureau Initial Fraud Alert 1048707 Credit Card Registry 1048707 Online Identity Theft Assistance 1048707 24 x 7 Customer Support
Medium Risk Package Medium Risk includes Low Risk benefits plus 1048707 Instant 1 Bureau Credit Report 1048707 Instant 1 Bureau Credit Score 1048707 Personal Information Directory Monitoring and Deletion 1048707 Identity Theft Consumer Guide 1048707 $25000 ($0 deductible) Identity Theft Insurance
High Risk Package High Risk includes Medium Risk benefits plus 1048707 3 Bureau Credit Report Monitoring 1048707 Instant 3 in 1 Credit Report 1048707 Instant 3 Bureau Credit Scores 1048707 Fraud Resolution amp Identity Restoration Specialist
BD MORTGAGE GROUP LLC 24
Reporting a Data Breach
Security Breach Notification Laws have been enacted in most US states since 2002 These laws were enacted in
response to an escalating number of breaches of consumer databases containing personally identifiable
information The first such law the California data security breach notification law was enacted in 2002 and
became effective on July 1 2003 As related in the bill statement law requires a state agency or a person or
business that conducts business in California that owns or licenses computerized data that includes personal
information as defined to disclose in specified ways any breach of the security of the data as defined to any
resident of California whose unencrypted personal information was or is reasonably believed to have been
acquired by an unauthorized person In addition the law permits delayed notification if a law enforcement
agency determines that it would impede a criminal investigation The law also requires any entity that licenses
such information to notify the owner or licensee of the information of any breach in the security of the data
The California law has been the model for the enactment of similar laws in other states The National Conference
of State Legislatures maintains a list of enacted and proposed security breach notification laws
BD MORTGAGE GROUP LLC 25
BD MORTGAGE GROUP LLC 26
2-90-29 - Information Security Audit
To ensure security of our systems and that we comply with rules for customer information security we conduct
an annual audit of our information technology systems A provider qualified to review our independent
information technology in conjunction with mortgage procedures must conduct this audit
Since we do not have any proprietary information technology but utilize software and services provided by
vendors exclusively we rely on the qualified audits of the technology provided by these vendors This is
conducted in conjunction with our annual vendor approval process
Vendor Category Vendor Name Information Tech Cert Date
Loan Origination System
E-Disclosure
Data Back-up
Web 1003 Application
Pricing and Eligibility
Document Management
E-Fax
Voice-MailTelephony
NetworkInternet Service
Office SupportCleanerLandlord
Courier
In addition we assume that other licensed entities with which we do business have had their plans reviewed and
found acceptable Consequently we do not audit our mortgage lender business partners
Internal Policies for Information Security Management
In addition to these procedures please refer to our internal Information Security Plan and Red Flags for our
ongoing Information Security procedures
BD MORTGAGE GROUP LLC 15
Secure Fax Transmission
The legacy of fax transmission in the mortgage industry is long The risk of using fax transmissions is that the
sender has no idea whether the recipient is attending to the machine while the document is being received printed
and then available for viewing In order to prevent the compromise of secure information never send information
to an unattended facsimile machine If you can confirm that the recipient is standing at the machine it is acceptable
to proceed with communications in this manner
Alternatively we can provide an ldquoE-faxrdquo account for individual users This allows the transmission of facsimiles
via e-mail to a secure login account
For transmitting paper documents always create a password protected document and deliver the password to the
recipient using a different method of communication such as the telephone
Secure Telephone Communications
Vishing is the criminal practice of using social engineering and Voice over IP (VoIP) to gain access to private
personal and financial information from the public for the purpose of financial reward The term is a combination
of voice and phishing Vishing exploits the publics trust in landline telephone services which have traditionally
terminated in physical locations which are known to the telephone company and associated with a bill-payer
The victim is often unaware that VoIP allows for caller ID spoofing inexpensive complex automated systems
and anonymity for the bill-payer Vishing is typically used to steal credit card numbers or other information used
in identity theft schemes from individuals
According to the FBIs Internet Crime Complaint Center (IC3) the number of vishing complaints received by
the center is increasing at what it calls an alarming rate Vishing and phishing are related and both rely on e-
mail as a means of delivering bait but the two use different hooks in order to snag user data
Vishing starts with an e-mail like phishing but requests that end-users contact a particular institution by phone
in order to resolve an issue or re-secure personal data People who call the provided number will be asked to
provide the same types of data phishers attempt to procure Ironically vishing e-mails may even attempt to
reassure recipients of their legitimacy by stating that the institution in question would never request customer
financial data via e-mail or IM
As always the best defense against phishing or vishing is a little common sense If your bank or other financial
institution with which you are affiliated contacts you requesting personal data hang up (or call them) using only
the number provided on the back of your card or official statement If you cant get confirmation that the request
is actually legitimate dont follow up on it
BD MORTGAGE GROUP LLC 16
Social Engineering Scams ndash Internal and External Prevention
One of the most prevalent forms of online scams is referred to as a seemingly benign term social engineering
This practice which is sometimes referred to as phishing refers to using trickery to get people to voluntarily
hand over critical information such as usernames or passwords
In many cases spam filters can easily detect the clumsier social engineering efforts and thus spare computer
users from grief However there are a growing number of sophisticated efforts that are crafted to circumvent the
spam filters - and unsuspecting customers that click into these cleverly disguised emails run the risk of facing
serious repercussions
Social engineering attacks mimic an email notification from a well-known and trusted source financial
institutions LinkedIn PayPal the Better Business Bureau Facebook and so forth The attackers create an email
that looks exactly like the normal system notices that are sent out by those entities but they change the links to
hit their own servers
The most classic example is an email that sends a dire notice with a link to login and check on a potential problem
When a person clicks on the link it takes him or her to a page on the cyber attackerrsquos servers that looks just like
the well-known entitys login page
When a person enters his or her username and password this information is stored in a database on the phony
server while an error box appears that says Invalid username or password please try again This error box
message comes with an OK button that when clicked redirects the person to the real login page
People may not realize there is a problem because passwords are obscured with asterisks so it is natural to assume
there was a typo during the initial password entry However the miscreants now have the persons username and
password
So what does this mean to mortgage bankers if someone gets tricked into thinking a social engineering scam
message really came from Facebook or LinkedIn Quite simply many people have the same usernames and
passwords for multiple websites Thus a person who has unwittingly surrendered his or her personal information
for a Facebook page might not realize that the social engineering scam artists could later use that information to
gain access to online mortgage banking accounts
BD Mortgage Group LLC needs to take a proactive approach in educating customers on how to identify potential
scams that pop up in their email in-boxes Here are some safety tips we send out to all customers
1 Dont click links from emails Instead open a Web browser and specifically go to the site in question and login
directly It is not common for financial institutions to have a click here to login link within their email
communications
2 Be suspicious of serious warnings and dollar amounts posted directly in emails Financial services companies
are not in the habit of sending customers panic-inducing messages of low account balances or other account
discrepancies with details plainly shown in the email Warnings are more discreet and merely direct the customer
to go log in for details
3 Use mouse-overs to view a link before clicking Although not all email software and hardware devices support
them a mouse-over can quickly and easily identify the links within an email message
4 Try not to use the same password at multiple sites Use a password program to store and remember online
access data
BD MORTGAGE GROUP LLC 17
5 Routinely update passwords Updating passwords even once a year is an easy way to stay one step ahead of
the social engineering scammers
Invite customers who are in doubt about the veracity of emails to forward them to BD Mortgage Group LLC for
verification Several sites that have been the subject of social engineering scams including eBay and PayPal have
special email accounts that receive review and keep track of these online frauds These spoof-checking efforts
will help empower the customer to ensure that BD Mortgage Group LLC does not become the victim of the next
big Internet fraud
BD MORTGAGE GROUP LLC 18
Data Breach Policy Implementation Guide
The response to any breach of personally identifiable information (PII) can have a critical impact on the BD
Mortgage Group LLCrsquos reputation and how trustworthy the public perceives the company Thus exceptional care
must be taken when responding to data breach incidents Not all incidents result in data breaches and not all data
breaches require notification This guide is to assist the Data Breach Team in developing an appropriate response
to a data breach based on the specific characteristics of the incident
Background
This Data Breach Policy Implementation Guide is based on the Presidentrsquos Identity Theft Task Force
recommendations that provide a menu of steps for the company to consider so that it may pursue a risk-based
tailored response to data breach incidents
Definition of Breach
A breach is a loss of control compromise unauthorized disclosure unauthorized acquisition unauthorized
access or any similar term referring to situations where persons other than authorized users and for an authorized
purpose have access or potential access to PII in usable form whether physical or electronic
Reporting Breaches and Breach Response Team
Breach is immediately reported to
bull Chief Privacy Officer (CPO)
bull Chief Information Officer (CIO)
bull Chief IT Security Office (ITSO)
bull Associate Director for Communications
bull Chief Office of Analysis and Executive Support (OAES)
bull As warranted
bull Chief Office of Security
bull General Counsel
bull Law Enforcement
Risk Assessment Process
Risk is a function of the probability or likelihood of a privacy violation and the resulting impact of that violation
To assign a risk score assess the probability of the event (data breach) occurring and then assess the impact or
harm caused to an individual and our organization in its ability to achieve its mission
BD MORTGAGE GROUP LLC 19
Likelihood Likelihood Definition
High (H) The nature of the attack and the data indicate that the motivation is criminal intent the security of the data and controls to minimize the likelihood of a privacy violation are ineffective
Medium (M)
The nature of the attack and data indicate that the motivation could be criminal intent but controls are in place that may impede success
Low (L) The nature of the attack and data do not indicate criminal intent and security and controls are in place to prevent or at least significantly impede the likelihood of a privacy violation
To assess likelihood of a breach occurring consider five factors
1 How the loss occurred
2 Data elements breached
3 Ability to access the data - the likelihood the personal information will be or has been compromised ndash made
accessible to and usable by unauthorized persons
4 Ability to mitigate the risk of harm
5 Evidence of data being used for identity theft or other harm
1 How Loss Occurred
H - Online system hacked
H - Data was targeted
M - Device was targeted
M - Device stolen
L - Device lost
2 Data Elements Breached
H - Social Security Number
H - Biometric record
H - Financial account number
H - PIN or security code for financial account
H - Health data
M - Birthdate
M - Government Issued Identification Number (drivers license etc)
L - Name
L - Address
L - Telephone Number
A combination of identifying information and financial or security information should always be considered a
high risk with high likelihood of harm occurring
3 Ability to access data
H ndash paper records or electronic records in a spreadsheet that is not password protected
M ndash electronic records that are password protected only
L ndash electronic records that are password protected and encrypted
4 Ability to mitigate the risk of harm
H ndash no recovery of data
M ndash partial recovery of data
L ndash recovery of data prior to use
BD MORTGAGE GROUP LLC 20
5 Evidence of data being used for identity theft or other harm
H ndash Data published on the web
M ndash Data accessed but no direct evidence of use
L ndash No tangible evidence of data use
After evaluating each factor and assigning an overall probability or likelihood of a breach occurring review and
assess the impact or harm to an individual or our organization
Impact Rating
Impact Definition
High Event (1) may result in human death or serious injury or harm to individual (2) may result in high costs to organization or (3) may significantly violate harm or impede an organizationrsquos mission reputation or interest
Medium Event (1) may result in injury or harm to the individual (2) may result in costs to the organization or (3) may violate harm or impede an organizationrsquos mission reputation or interest
Low Event (1) may result in the loss of some tangible organizational assets or resources or (2) may noticeably affect an organizationrsquos mission reputation or interest
The impact depends on the extent to which the breach poses a risk of identity theft or other substantial harm to an
individual such as embarrassment inconvenience unfairness harm to reputation or the potential for harassment
or prejudice particularly when health or financial benefits information is involved
Financial considerations can be factored in when determining the impact on our organization For instance credit
monitoring is generally estimated at $20 per year per case (individual) The costs associated with implementing
a call center including staff salaries may also be a factor Alternatively the cost of contracting for this service
could be a factor
BD MORTGAGE GROUP LLC 21
Assigning Risk Score
The risk score is determined by cross-referencing the likelihood score with the impact score
Likelihood Impact
Low Medium High
High Medium High High
Medium Low Medium High
Low Low Low Medium
Notification of Individuals
The risk score assigned will help determine if and when we should provide notification If the likelihood of risk
is low there could be more harm or impact on the individual if notification is provided due to the actions the
notified individual may take Thus notification must be weighed with the likelihood of risk No notification may
be required when the risk levels of each of the five factors is low If the likelihood of risk is high and the level of
impact or harm to the individual is medium notification and remedy may be required Alternatively if the
likelihood of risk is low and the level of impact or harm to the individual is high notification only may be required
If the five factors are considered appropriately it is more likely that notification will only be given in those
instances where there is a reasonable risk of harm and will not lead to the overuse of notification and thus the
associated further complications to the individual
Thus consideration should be given to all factors when determining final actions to take when addressing each
incident The table below should only be used as guide and conditions may warrant actions above or below those
associated with the final risk score
Risk Score Necessary Action
High Notify and provide remedy
Medium Notify only
Low Monitor only
Timing of Notification
Notice will be provided within a reasonable time following the discovery of a breach consistent with the legitimate
needs of law enforcement and any measures necessary for the Census Bureau to determine the scope of the breach
and if applicable to restore the reasonable integrity of the systemprocess that was compromised
In some circumstances law enforcement considerations may require a delay in notification if the investigation of
the breach or of an individual affected by the breach requires it and notification would seriously impede the
investigation The delay should not exacerbate risk or harm to any affected individual(s) or be tied to the
completion of the investigation but rather be based on whether it would seriously impede the investigation to
provide the notice promptly
Responsibility for Notification
The notice should come from a senior BD Mortgage Group LLC representative
BD MORTGAGE GROUP LLC 22
Content of Notification
The notice must be clear concise conspicuous easy-to-understand in plain language and should include the
following elements
bull A brief description of what happened including the date(s) of the breach and its discovery
bull A description of the types of personal information that were involved in the breach (eg full name Social
Security number date of birth home address account number disability code etc) to the extent possible
bull What steps if any an individual should take to protect himself from potential harm
bull What BD Mortgage Group LLC is doing if anything to investigate the breach to mitigate losses and to
protect against any further breaches
bull Who and how affected individuals should contact BD Mortgage Group LLC for more information including
a toll-free telephone number e-mail address and postal address
bull Direction to additional guidance available from the Federal Trade Commission at
httpwwwconsumergovidtheft
Minimizing your risk at httpwwwconsumergovidtheftcon_minimizehtm
Publications at httpwwwconsumergovidtheftcon_pubshtm
Method of Communication
Notice of the breach will be provided commensurate to the number of individuals affected by the breach and the
availability of contact information BD Mortgage Group LLC has for the affected individuals Correspondence
must be prominently marked on the exterior reflecting the importance of the communication to help ensure the
recipient does not discard or otherwise ignore the notification
In general the primary means of notification will be by first-class mail to the last known mailing address of the
individual based on BD Mortgage Group LLC records
Where we have reason to believe that the address is no longer current reasonable efforts will be made to update
the address using the US Postal Service National Change of Address (NCOA) database
Substitute notice may be made in instances where BD Mortgage Group LLC does not have sufficient contact
information for those who need to be notified In such instances notice may consist of a conspicuous posting of
the notice on the companyrsquos home page of its web site and include additional information in a Frequently Asked
Questions (FAQ)
BD MORTGAGE GROUP LLC 23
Process for Remediation of a Breach
Remedy is provided when the risk score is High
Credit Monitoring Data Breach Risk Packages (ie Lifelock)
Low Risk Package Low Risk Package Includes
1048707 Social Security Credit Card and 1 Bureau Credit Report Monitoring 1048707 3 Bureau Initial Fraud Alert 1048707 Credit Card Registry 1048707 Online Identity Theft Assistance 1048707 24 x 7 Customer Support
Medium Risk Package Medium Risk includes Low Risk benefits plus 1048707 Instant 1 Bureau Credit Report 1048707 Instant 1 Bureau Credit Score 1048707 Personal Information Directory Monitoring and Deletion 1048707 Identity Theft Consumer Guide 1048707 $25000 ($0 deductible) Identity Theft Insurance
High Risk Package High Risk includes Medium Risk benefits plus 1048707 3 Bureau Credit Report Monitoring 1048707 Instant 3 in 1 Credit Report 1048707 Instant 3 Bureau Credit Scores 1048707 Fraud Resolution amp Identity Restoration Specialist
BD MORTGAGE GROUP LLC 24
Reporting a Data Breach
Security Breach Notification Laws have been enacted in most US states since 2002 These laws were enacted in
response to an escalating number of breaches of consumer databases containing personally identifiable
information The first such law the California data security breach notification law was enacted in 2002 and
became effective on July 1 2003 As related in the bill statement law requires a state agency or a person or
business that conducts business in California that owns or licenses computerized data that includes personal
information as defined to disclose in specified ways any breach of the security of the data as defined to any
resident of California whose unencrypted personal information was or is reasonably believed to have been
acquired by an unauthorized person In addition the law permits delayed notification if a law enforcement
agency determines that it would impede a criminal investigation The law also requires any entity that licenses
such information to notify the owner or licensee of the information of any breach in the security of the data
The California law has been the model for the enactment of similar laws in other states The National Conference
of State Legislatures maintains a list of enacted and proposed security breach notification laws
BD MORTGAGE GROUP LLC 25
BD MORTGAGE GROUP LLC 26
2-90-29 - Information Security Audit
To ensure security of our systems and that we comply with rules for customer information security we conduct
an annual audit of our information technology systems A provider qualified to review our independent
information technology in conjunction with mortgage procedures must conduct this audit
Since we do not have any proprietary information technology but utilize software and services provided by
vendors exclusively we rely on the qualified audits of the technology provided by these vendors This is
conducted in conjunction with our annual vendor approval process
Vendor Category Vendor Name Information Tech Cert Date
Loan Origination System
E-Disclosure
Data Back-up
Web 1003 Application
Pricing and Eligibility
Document Management
E-Fax
Voice-MailTelephony
NetworkInternet Service
Office SupportCleanerLandlord
Courier
In addition we assume that other licensed entities with which we do business have had their plans reviewed and
found acceptable Consequently we do not audit our mortgage lender business partners
Internal Policies for Information Security Management
In addition to these procedures please refer to our internal Information Security Plan and Red Flags for our
ongoing Information Security procedures
BD MORTGAGE GROUP LLC 16
Social Engineering Scams ndash Internal and External Prevention
One of the most prevalent forms of online scams is referred to as a seemingly benign term social engineering
This practice which is sometimes referred to as phishing refers to using trickery to get people to voluntarily
hand over critical information such as usernames or passwords
In many cases spam filters can easily detect the clumsier social engineering efforts and thus spare computer
users from grief However there are a growing number of sophisticated efforts that are crafted to circumvent the
spam filters - and unsuspecting customers that click into these cleverly disguised emails run the risk of facing
serious repercussions
Social engineering attacks mimic an email notification from a well-known and trusted source financial
institutions LinkedIn PayPal the Better Business Bureau Facebook and so forth The attackers create an email
that looks exactly like the normal system notices that are sent out by those entities but they change the links to
hit their own servers
The most classic example is an email that sends a dire notice with a link to login and check on a potential problem
When a person clicks on the link it takes him or her to a page on the cyber attackerrsquos servers that looks just like
the well-known entitys login page
When a person enters his or her username and password this information is stored in a database on the phony
server while an error box appears that says Invalid username or password please try again This error box
message comes with an OK button that when clicked redirects the person to the real login page
People may not realize there is a problem because passwords are obscured with asterisks so it is natural to assume
there was a typo during the initial password entry However the miscreants now have the persons username and
password
So what does this mean to mortgage bankers if someone gets tricked into thinking a social engineering scam
message really came from Facebook or LinkedIn Quite simply many people have the same usernames and
passwords for multiple websites Thus a person who has unwittingly surrendered his or her personal information
for a Facebook page might not realize that the social engineering scam artists could later use that information to
gain access to online mortgage banking accounts
BD Mortgage Group LLC needs to take a proactive approach in educating customers on how to identify potential
scams that pop up in their email in-boxes Here are some safety tips we send out to all customers
1 Dont click links from emails Instead open a Web browser and specifically go to the site in question and login
directly It is not common for financial institutions to have a click here to login link within their email
communications
2 Be suspicious of serious warnings and dollar amounts posted directly in emails Financial services companies
are not in the habit of sending customers panic-inducing messages of low account balances or other account
discrepancies with details plainly shown in the email Warnings are more discreet and merely direct the customer
to go log in for details
3 Use mouse-overs to view a link before clicking Although not all email software and hardware devices support
them a mouse-over can quickly and easily identify the links within an email message
4 Try not to use the same password at multiple sites Use a password program to store and remember online
access data
BD MORTGAGE GROUP LLC 17
5 Routinely update passwords Updating passwords even once a year is an easy way to stay one step ahead of
the social engineering scammers
Invite customers who are in doubt about the veracity of emails to forward them to BD Mortgage Group LLC for
verification Several sites that have been the subject of social engineering scams including eBay and PayPal have
special email accounts that receive review and keep track of these online frauds These spoof-checking efforts
will help empower the customer to ensure that BD Mortgage Group LLC does not become the victim of the next
big Internet fraud
BD MORTGAGE GROUP LLC 18
Data Breach Policy Implementation Guide
The response to any breach of personally identifiable information (PII) can have a critical impact on the BD
Mortgage Group LLCrsquos reputation and how trustworthy the public perceives the company Thus exceptional care
must be taken when responding to data breach incidents Not all incidents result in data breaches and not all data
breaches require notification This guide is to assist the Data Breach Team in developing an appropriate response
to a data breach based on the specific characteristics of the incident
Background
This Data Breach Policy Implementation Guide is based on the Presidentrsquos Identity Theft Task Force
recommendations that provide a menu of steps for the company to consider so that it may pursue a risk-based
tailored response to data breach incidents
Definition of Breach
A breach is a loss of control compromise unauthorized disclosure unauthorized acquisition unauthorized
access or any similar term referring to situations where persons other than authorized users and for an authorized
purpose have access or potential access to PII in usable form whether physical or electronic
Reporting Breaches and Breach Response Team
Breach is immediately reported to
bull Chief Privacy Officer (CPO)
bull Chief Information Officer (CIO)
bull Chief IT Security Office (ITSO)
bull Associate Director for Communications
bull Chief Office of Analysis and Executive Support (OAES)
bull As warranted
bull Chief Office of Security
bull General Counsel
bull Law Enforcement
Risk Assessment Process
Risk is a function of the probability or likelihood of a privacy violation and the resulting impact of that violation
To assign a risk score assess the probability of the event (data breach) occurring and then assess the impact or
harm caused to an individual and our organization in its ability to achieve its mission
BD MORTGAGE GROUP LLC 19
Likelihood Likelihood Definition
High (H) The nature of the attack and the data indicate that the motivation is criminal intent the security of the data and controls to minimize the likelihood of a privacy violation are ineffective
Medium (M)
The nature of the attack and data indicate that the motivation could be criminal intent but controls are in place that may impede success
Low (L) The nature of the attack and data do not indicate criminal intent and security and controls are in place to prevent or at least significantly impede the likelihood of a privacy violation
To assess likelihood of a breach occurring consider five factors
1 How the loss occurred
2 Data elements breached
3 Ability to access the data - the likelihood the personal information will be or has been compromised ndash made
accessible to and usable by unauthorized persons
4 Ability to mitigate the risk of harm
5 Evidence of data being used for identity theft or other harm
1 How Loss Occurred
H - Online system hacked
H - Data was targeted
M - Device was targeted
M - Device stolen
L - Device lost
2 Data Elements Breached
H - Social Security Number
H - Biometric record
H - Financial account number
H - PIN or security code for financial account
H - Health data
M - Birthdate
M - Government Issued Identification Number (drivers license etc)
L - Name
L - Address
L - Telephone Number
A combination of identifying information and financial or security information should always be considered a
high risk with high likelihood of harm occurring
3 Ability to access data
H ndash paper records or electronic records in a spreadsheet that is not password protected
M ndash electronic records that are password protected only
L ndash electronic records that are password protected and encrypted
4 Ability to mitigate the risk of harm
H ndash no recovery of data
M ndash partial recovery of data
L ndash recovery of data prior to use
BD MORTGAGE GROUP LLC 20
5 Evidence of data being used for identity theft or other harm
H ndash Data published on the web
M ndash Data accessed but no direct evidence of use
L ndash No tangible evidence of data use
After evaluating each factor and assigning an overall probability or likelihood of a breach occurring review and
assess the impact or harm to an individual or our organization
Impact Rating
Impact Definition
High Event (1) may result in human death or serious injury or harm to individual (2) may result in high costs to organization or (3) may significantly violate harm or impede an organizationrsquos mission reputation or interest
Medium Event (1) may result in injury or harm to the individual (2) may result in costs to the organization or (3) may violate harm or impede an organizationrsquos mission reputation or interest
Low Event (1) may result in the loss of some tangible organizational assets or resources or (2) may noticeably affect an organizationrsquos mission reputation or interest
The impact depends on the extent to which the breach poses a risk of identity theft or other substantial harm to an
individual such as embarrassment inconvenience unfairness harm to reputation or the potential for harassment
or prejudice particularly when health or financial benefits information is involved
Financial considerations can be factored in when determining the impact on our organization For instance credit
monitoring is generally estimated at $20 per year per case (individual) The costs associated with implementing
a call center including staff salaries may also be a factor Alternatively the cost of contracting for this service
could be a factor
BD MORTGAGE GROUP LLC 21
Assigning Risk Score
The risk score is determined by cross-referencing the likelihood score with the impact score
Likelihood Impact
Low Medium High
High Medium High High
Medium Low Medium High
Low Low Low Medium
Notification of Individuals
The risk score assigned will help determine if and when we should provide notification If the likelihood of risk
is low there could be more harm or impact on the individual if notification is provided due to the actions the
notified individual may take Thus notification must be weighed with the likelihood of risk No notification may
be required when the risk levels of each of the five factors is low If the likelihood of risk is high and the level of
impact or harm to the individual is medium notification and remedy may be required Alternatively if the
likelihood of risk is low and the level of impact or harm to the individual is high notification only may be required
If the five factors are considered appropriately it is more likely that notification will only be given in those
instances where there is a reasonable risk of harm and will not lead to the overuse of notification and thus the
associated further complications to the individual
Thus consideration should be given to all factors when determining final actions to take when addressing each
incident The table below should only be used as guide and conditions may warrant actions above or below those
associated with the final risk score
Risk Score Necessary Action
High Notify and provide remedy
Medium Notify only
Low Monitor only
Timing of Notification
Notice will be provided within a reasonable time following the discovery of a breach consistent with the legitimate
needs of law enforcement and any measures necessary for the Census Bureau to determine the scope of the breach
and if applicable to restore the reasonable integrity of the systemprocess that was compromised
In some circumstances law enforcement considerations may require a delay in notification if the investigation of
the breach or of an individual affected by the breach requires it and notification would seriously impede the
investigation The delay should not exacerbate risk or harm to any affected individual(s) or be tied to the
completion of the investigation but rather be based on whether it would seriously impede the investigation to
provide the notice promptly
Responsibility for Notification
The notice should come from a senior BD Mortgage Group LLC representative
BD MORTGAGE GROUP LLC 22
Content of Notification
The notice must be clear concise conspicuous easy-to-understand in plain language and should include the
following elements
bull A brief description of what happened including the date(s) of the breach and its discovery
bull A description of the types of personal information that were involved in the breach (eg full name Social
Security number date of birth home address account number disability code etc) to the extent possible
bull What steps if any an individual should take to protect himself from potential harm
bull What BD Mortgage Group LLC is doing if anything to investigate the breach to mitigate losses and to
protect against any further breaches
bull Who and how affected individuals should contact BD Mortgage Group LLC for more information including
a toll-free telephone number e-mail address and postal address
bull Direction to additional guidance available from the Federal Trade Commission at
httpwwwconsumergovidtheft
Minimizing your risk at httpwwwconsumergovidtheftcon_minimizehtm
Publications at httpwwwconsumergovidtheftcon_pubshtm
Method of Communication
Notice of the breach will be provided commensurate to the number of individuals affected by the breach and the
availability of contact information BD Mortgage Group LLC has for the affected individuals Correspondence
must be prominently marked on the exterior reflecting the importance of the communication to help ensure the
recipient does not discard or otherwise ignore the notification
In general the primary means of notification will be by first-class mail to the last known mailing address of the
individual based on BD Mortgage Group LLC records
Where we have reason to believe that the address is no longer current reasonable efforts will be made to update
the address using the US Postal Service National Change of Address (NCOA) database
Substitute notice may be made in instances where BD Mortgage Group LLC does not have sufficient contact
information for those who need to be notified In such instances notice may consist of a conspicuous posting of
the notice on the companyrsquos home page of its web site and include additional information in a Frequently Asked
Questions (FAQ)
BD MORTGAGE GROUP LLC 23
Process for Remediation of a Breach
Remedy is provided when the risk score is High
Credit Monitoring Data Breach Risk Packages (ie Lifelock)
Low Risk Package Low Risk Package Includes
1048707 Social Security Credit Card and 1 Bureau Credit Report Monitoring 1048707 3 Bureau Initial Fraud Alert 1048707 Credit Card Registry 1048707 Online Identity Theft Assistance 1048707 24 x 7 Customer Support
Medium Risk Package Medium Risk includes Low Risk benefits plus 1048707 Instant 1 Bureau Credit Report 1048707 Instant 1 Bureau Credit Score 1048707 Personal Information Directory Monitoring and Deletion 1048707 Identity Theft Consumer Guide 1048707 $25000 ($0 deductible) Identity Theft Insurance
High Risk Package High Risk includes Medium Risk benefits plus 1048707 3 Bureau Credit Report Monitoring 1048707 Instant 3 in 1 Credit Report 1048707 Instant 3 Bureau Credit Scores 1048707 Fraud Resolution amp Identity Restoration Specialist
BD MORTGAGE GROUP LLC 24
Reporting a Data Breach
Security Breach Notification Laws have been enacted in most US states since 2002 These laws were enacted in
response to an escalating number of breaches of consumer databases containing personally identifiable
information The first such law the California data security breach notification law was enacted in 2002 and
became effective on July 1 2003 As related in the bill statement law requires a state agency or a person or
business that conducts business in California that owns or licenses computerized data that includes personal
information as defined to disclose in specified ways any breach of the security of the data as defined to any
resident of California whose unencrypted personal information was or is reasonably believed to have been
acquired by an unauthorized person In addition the law permits delayed notification if a law enforcement
agency determines that it would impede a criminal investigation The law also requires any entity that licenses
such information to notify the owner or licensee of the information of any breach in the security of the data
The California law has been the model for the enactment of similar laws in other states The National Conference
of State Legislatures maintains a list of enacted and proposed security breach notification laws
BD MORTGAGE GROUP LLC 25
BD MORTGAGE GROUP LLC 26
2-90-29 - Information Security Audit
To ensure security of our systems and that we comply with rules for customer information security we conduct
an annual audit of our information technology systems A provider qualified to review our independent
information technology in conjunction with mortgage procedures must conduct this audit
Since we do not have any proprietary information technology but utilize software and services provided by
vendors exclusively we rely on the qualified audits of the technology provided by these vendors This is
conducted in conjunction with our annual vendor approval process
Vendor Category Vendor Name Information Tech Cert Date
Loan Origination System
E-Disclosure
Data Back-up
Web 1003 Application
Pricing and Eligibility
Document Management
E-Fax
Voice-MailTelephony
NetworkInternet Service
Office SupportCleanerLandlord
Courier
In addition we assume that other licensed entities with which we do business have had their plans reviewed and
found acceptable Consequently we do not audit our mortgage lender business partners
Internal Policies for Information Security Management
In addition to these procedures please refer to our internal Information Security Plan and Red Flags for our
ongoing Information Security procedures
BD MORTGAGE GROUP LLC 17
5 Routinely update passwords Updating passwords even once a year is an easy way to stay one step ahead of
the social engineering scammers
Invite customers who are in doubt about the veracity of emails to forward them to BD Mortgage Group LLC for
verification Several sites that have been the subject of social engineering scams including eBay and PayPal have
special email accounts that receive review and keep track of these online frauds These spoof-checking efforts
will help empower the customer to ensure that BD Mortgage Group LLC does not become the victim of the next
big Internet fraud
BD MORTGAGE GROUP LLC 18
Data Breach Policy Implementation Guide
The response to any breach of personally identifiable information (PII) can have a critical impact on the BD
Mortgage Group LLCrsquos reputation and how trustworthy the public perceives the company Thus exceptional care
must be taken when responding to data breach incidents Not all incidents result in data breaches and not all data
breaches require notification This guide is to assist the Data Breach Team in developing an appropriate response
to a data breach based on the specific characteristics of the incident
Background
This Data Breach Policy Implementation Guide is based on the Presidentrsquos Identity Theft Task Force
recommendations that provide a menu of steps for the company to consider so that it may pursue a risk-based
tailored response to data breach incidents
Definition of Breach
A breach is a loss of control compromise unauthorized disclosure unauthorized acquisition unauthorized
access or any similar term referring to situations where persons other than authorized users and for an authorized
purpose have access or potential access to PII in usable form whether physical or electronic
Reporting Breaches and Breach Response Team
Breach is immediately reported to
bull Chief Privacy Officer (CPO)
bull Chief Information Officer (CIO)
bull Chief IT Security Office (ITSO)
bull Associate Director for Communications
bull Chief Office of Analysis and Executive Support (OAES)
bull As warranted
bull Chief Office of Security
bull General Counsel
bull Law Enforcement
Risk Assessment Process
Risk is a function of the probability or likelihood of a privacy violation and the resulting impact of that violation
To assign a risk score assess the probability of the event (data breach) occurring and then assess the impact or
harm caused to an individual and our organization in its ability to achieve its mission
BD MORTGAGE GROUP LLC 19
Likelihood Likelihood Definition
High (H) The nature of the attack and the data indicate that the motivation is criminal intent the security of the data and controls to minimize the likelihood of a privacy violation are ineffective
Medium (M)
The nature of the attack and data indicate that the motivation could be criminal intent but controls are in place that may impede success
Low (L) The nature of the attack and data do not indicate criminal intent and security and controls are in place to prevent or at least significantly impede the likelihood of a privacy violation
To assess likelihood of a breach occurring consider five factors
1 How the loss occurred
2 Data elements breached
3 Ability to access the data - the likelihood the personal information will be or has been compromised ndash made
accessible to and usable by unauthorized persons
4 Ability to mitigate the risk of harm
5 Evidence of data being used for identity theft or other harm
1 How Loss Occurred
H - Online system hacked
H - Data was targeted
M - Device was targeted
M - Device stolen
L - Device lost
2 Data Elements Breached
H - Social Security Number
H - Biometric record
H - Financial account number
H - PIN or security code for financial account
H - Health data
M - Birthdate
M - Government Issued Identification Number (drivers license etc)
L - Name
L - Address
L - Telephone Number
A combination of identifying information and financial or security information should always be considered a
high risk with high likelihood of harm occurring
3 Ability to access data
H ndash paper records or electronic records in a spreadsheet that is not password protected
M ndash electronic records that are password protected only
L ndash electronic records that are password protected and encrypted
4 Ability to mitigate the risk of harm
H ndash no recovery of data
M ndash partial recovery of data
L ndash recovery of data prior to use
BD MORTGAGE GROUP LLC 20
5 Evidence of data being used for identity theft or other harm
H ndash Data published on the web
M ndash Data accessed but no direct evidence of use
L ndash No tangible evidence of data use
After evaluating each factor and assigning an overall probability or likelihood of a breach occurring review and
assess the impact or harm to an individual or our organization
Impact Rating
Impact Definition
High Event (1) may result in human death or serious injury or harm to individual (2) may result in high costs to organization or (3) may significantly violate harm or impede an organizationrsquos mission reputation or interest
Medium Event (1) may result in injury or harm to the individual (2) may result in costs to the organization or (3) may violate harm or impede an organizationrsquos mission reputation or interest
Low Event (1) may result in the loss of some tangible organizational assets or resources or (2) may noticeably affect an organizationrsquos mission reputation or interest
The impact depends on the extent to which the breach poses a risk of identity theft or other substantial harm to an
individual such as embarrassment inconvenience unfairness harm to reputation or the potential for harassment
or prejudice particularly when health or financial benefits information is involved
Financial considerations can be factored in when determining the impact on our organization For instance credit
monitoring is generally estimated at $20 per year per case (individual) The costs associated with implementing
a call center including staff salaries may also be a factor Alternatively the cost of contracting for this service
could be a factor
BD MORTGAGE GROUP LLC 21
Assigning Risk Score
The risk score is determined by cross-referencing the likelihood score with the impact score
Likelihood Impact
Low Medium High
High Medium High High
Medium Low Medium High
Low Low Low Medium
Notification of Individuals
The risk score assigned will help determine if and when we should provide notification If the likelihood of risk
is low there could be more harm or impact on the individual if notification is provided due to the actions the
notified individual may take Thus notification must be weighed with the likelihood of risk No notification may
be required when the risk levels of each of the five factors is low If the likelihood of risk is high and the level of
impact or harm to the individual is medium notification and remedy may be required Alternatively if the
likelihood of risk is low and the level of impact or harm to the individual is high notification only may be required
If the five factors are considered appropriately it is more likely that notification will only be given in those
instances where there is a reasonable risk of harm and will not lead to the overuse of notification and thus the
associated further complications to the individual
Thus consideration should be given to all factors when determining final actions to take when addressing each
incident The table below should only be used as guide and conditions may warrant actions above or below those
associated with the final risk score
Risk Score Necessary Action
High Notify and provide remedy
Medium Notify only
Low Monitor only
Timing of Notification
Notice will be provided within a reasonable time following the discovery of a breach consistent with the legitimate
needs of law enforcement and any measures necessary for the Census Bureau to determine the scope of the breach
and if applicable to restore the reasonable integrity of the systemprocess that was compromised
In some circumstances law enforcement considerations may require a delay in notification if the investigation of
the breach or of an individual affected by the breach requires it and notification would seriously impede the
investigation The delay should not exacerbate risk or harm to any affected individual(s) or be tied to the
completion of the investigation but rather be based on whether it would seriously impede the investigation to
provide the notice promptly
Responsibility for Notification
The notice should come from a senior BD Mortgage Group LLC representative
BD MORTGAGE GROUP LLC 22
Content of Notification
The notice must be clear concise conspicuous easy-to-understand in plain language and should include the
following elements
bull A brief description of what happened including the date(s) of the breach and its discovery
bull A description of the types of personal information that were involved in the breach (eg full name Social
Security number date of birth home address account number disability code etc) to the extent possible
bull What steps if any an individual should take to protect himself from potential harm
bull What BD Mortgage Group LLC is doing if anything to investigate the breach to mitigate losses and to
protect against any further breaches
bull Who and how affected individuals should contact BD Mortgage Group LLC for more information including
a toll-free telephone number e-mail address and postal address
bull Direction to additional guidance available from the Federal Trade Commission at
httpwwwconsumergovidtheft
Minimizing your risk at httpwwwconsumergovidtheftcon_minimizehtm
Publications at httpwwwconsumergovidtheftcon_pubshtm
Method of Communication
Notice of the breach will be provided commensurate to the number of individuals affected by the breach and the
availability of contact information BD Mortgage Group LLC has for the affected individuals Correspondence
must be prominently marked on the exterior reflecting the importance of the communication to help ensure the
recipient does not discard or otherwise ignore the notification
In general the primary means of notification will be by first-class mail to the last known mailing address of the
individual based on BD Mortgage Group LLC records
Where we have reason to believe that the address is no longer current reasonable efforts will be made to update
the address using the US Postal Service National Change of Address (NCOA) database
Substitute notice may be made in instances where BD Mortgage Group LLC does not have sufficient contact
information for those who need to be notified In such instances notice may consist of a conspicuous posting of
the notice on the companyrsquos home page of its web site and include additional information in a Frequently Asked
Questions (FAQ)
BD MORTGAGE GROUP LLC 23
Process for Remediation of a Breach
Remedy is provided when the risk score is High
Credit Monitoring Data Breach Risk Packages (ie Lifelock)
Low Risk Package Low Risk Package Includes
1048707 Social Security Credit Card and 1 Bureau Credit Report Monitoring 1048707 3 Bureau Initial Fraud Alert 1048707 Credit Card Registry 1048707 Online Identity Theft Assistance 1048707 24 x 7 Customer Support
Medium Risk Package Medium Risk includes Low Risk benefits plus 1048707 Instant 1 Bureau Credit Report 1048707 Instant 1 Bureau Credit Score 1048707 Personal Information Directory Monitoring and Deletion 1048707 Identity Theft Consumer Guide 1048707 $25000 ($0 deductible) Identity Theft Insurance
High Risk Package High Risk includes Medium Risk benefits plus 1048707 3 Bureau Credit Report Monitoring 1048707 Instant 3 in 1 Credit Report 1048707 Instant 3 Bureau Credit Scores 1048707 Fraud Resolution amp Identity Restoration Specialist
BD MORTGAGE GROUP LLC 24
Reporting a Data Breach
Security Breach Notification Laws have been enacted in most US states since 2002 These laws were enacted in
response to an escalating number of breaches of consumer databases containing personally identifiable
information The first such law the California data security breach notification law was enacted in 2002 and
became effective on July 1 2003 As related in the bill statement law requires a state agency or a person or
business that conducts business in California that owns or licenses computerized data that includes personal
information as defined to disclose in specified ways any breach of the security of the data as defined to any
resident of California whose unencrypted personal information was or is reasonably believed to have been
acquired by an unauthorized person In addition the law permits delayed notification if a law enforcement
agency determines that it would impede a criminal investigation The law also requires any entity that licenses
such information to notify the owner or licensee of the information of any breach in the security of the data
The California law has been the model for the enactment of similar laws in other states The National Conference
of State Legislatures maintains a list of enacted and proposed security breach notification laws
BD MORTGAGE GROUP LLC 25
BD MORTGAGE GROUP LLC 26
2-90-29 - Information Security Audit
To ensure security of our systems and that we comply with rules for customer information security we conduct
an annual audit of our information technology systems A provider qualified to review our independent
information technology in conjunction with mortgage procedures must conduct this audit
Since we do not have any proprietary information technology but utilize software and services provided by
vendors exclusively we rely on the qualified audits of the technology provided by these vendors This is
conducted in conjunction with our annual vendor approval process
Vendor Category Vendor Name Information Tech Cert Date
Loan Origination System
E-Disclosure
Data Back-up
Web 1003 Application
Pricing and Eligibility
Document Management
E-Fax
Voice-MailTelephony
NetworkInternet Service
Office SupportCleanerLandlord
Courier
In addition we assume that other licensed entities with which we do business have had their plans reviewed and
found acceptable Consequently we do not audit our mortgage lender business partners
Internal Policies for Information Security Management
In addition to these procedures please refer to our internal Information Security Plan and Red Flags for our
ongoing Information Security procedures
BD MORTGAGE GROUP LLC 18
Data Breach Policy Implementation Guide
The response to any breach of personally identifiable information (PII) can have a critical impact on the BD
Mortgage Group LLCrsquos reputation and how trustworthy the public perceives the company Thus exceptional care
must be taken when responding to data breach incidents Not all incidents result in data breaches and not all data
breaches require notification This guide is to assist the Data Breach Team in developing an appropriate response
to a data breach based on the specific characteristics of the incident
Background
This Data Breach Policy Implementation Guide is based on the Presidentrsquos Identity Theft Task Force
recommendations that provide a menu of steps for the company to consider so that it may pursue a risk-based
tailored response to data breach incidents
Definition of Breach
A breach is a loss of control compromise unauthorized disclosure unauthorized acquisition unauthorized
access or any similar term referring to situations where persons other than authorized users and for an authorized
purpose have access or potential access to PII in usable form whether physical or electronic
Reporting Breaches and Breach Response Team
Breach is immediately reported to
bull Chief Privacy Officer (CPO)
bull Chief Information Officer (CIO)
bull Chief IT Security Office (ITSO)
bull Associate Director for Communications
bull Chief Office of Analysis and Executive Support (OAES)
bull As warranted
bull Chief Office of Security
bull General Counsel
bull Law Enforcement
Risk Assessment Process
Risk is a function of the probability or likelihood of a privacy violation and the resulting impact of that violation
To assign a risk score assess the probability of the event (data breach) occurring and then assess the impact or
harm caused to an individual and our organization in its ability to achieve its mission
BD MORTGAGE GROUP LLC 19
Likelihood Likelihood Definition
High (H) The nature of the attack and the data indicate that the motivation is criminal intent the security of the data and controls to minimize the likelihood of a privacy violation are ineffective
Medium (M)
The nature of the attack and data indicate that the motivation could be criminal intent but controls are in place that may impede success
Low (L) The nature of the attack and data do not indicate criminal intent and security and controls are in place to prevent or at least significantly impede the likelihood of a privacy violation
To assess likelihood of a breach occurring consider five factors
1 How the loss occurred
2 Data elements breached
3 Ability to access the data - the likelihood the personal information will be or has been compromised ndash made
accessible to and usable by unauthorized persons
4 Ability to mitigate the risk of harm
5 Evidence of data being used for identity theft or other harm
1 How Loss Occurred
H - Online system hacked
H - Data was targeted
M - Device was targeted
M - Device stolen
L - Device lost
2 Data Elements Breached
H - Social Security Number
H - Biometric record
H - Financial account number
H - PIN or security code for financial account
H - Health data
M - Birthdate
M - Government Issued Identification Number (drivers license etc)
L - Name
L - Address
L - Telephone Number
A combination of identifying information and financial or security information should always be considered a
high risk with high likelihood of harm occurring
3 Ability to access data
H ndash paper records or electronic records in a spreadsheet that is not password protected
M ndash electronic records that are password protected only
L ndash electronic records that are password protected and encrypted
4 Ability to mitigate the risk of harm
H ndash no recovery of data
M ndash partial recovery of data
L ndash recovery of data prior to use
BD MORTGAGE GROUP LLC 20
5 Evidence of data being used for identity theft or other harm
H ndash Data published on the web
M ndash Data accessed but no direct evidence of use
L ndash No tangible evidence of data use
After evaluating each factor and assigning an overall probability or likelihood of a breach occurring review and
assess the impact or harm to an individual or our organization
Impact Rating
Impact Definition
High Event (1) may result in human death or serious injury or harm to individual (2) may result in high costs to organization or (3) may significantly violate harm or impede an organizationrsquos mission reputation or interest
Medium Event (1) may result in injury or harm to the individual (2) may result in costs to the organization or (3) may violate harm or impede an organizationrsquos mission reputation or interest
Low Event (1) may result in the loss of some tangible organizational assets or resources or (2) may noticeably affect an organizationrsquos mission reputation or interest
The impact depends on the extent to which the breach poses a risk of identity theft or other substantial harm to an
individual such as embarrassment inconvenience unfairness harm to reputation or the potential for harassment
or prejudice particularly when health or financial benefits information is involved
Financial considerations can be factored in when determining the impact on our organization For instance credit
monitoring is generally estimated at $20 per year per case (individual) The costs associated with implementing
a call center including staff salaries may also be a factor Alternatively the cost of contracting for this service
could be a factor
BD MORTGAGE GROUP LLC 21
Assigning Risk Score
The risk score is determined by cross-referencing the likelihood score with the impact score
Likelihood Impact
Low Medium High
High Medium High High
Medium Low Medium High
Low Low Low Medium
Notification of Individuals
The risk score assigned will help determine if and when we should provide notification If the likelihood of risk
is low there could be more harm or impact on the individual if notification is provided due to the actions the
notified individual may take Thus notification must be weighed with the likelihood of risk No notification may
be required when the risk levels of each of the five factors is low If the likelihood of risk is high and the level of
impact or harm to the individual is medium notification and remedy may be required Alternatively if the
likelihood of risk is low and the level of impact or harm to the individual is high notification only may be required
If the five factors are considered appropriately it is more likely that notification will only be given in those
instances where there is a reasonable risk of harm and will not lead to the overuse of notification and thus the
associated further complications to the individual
Thus consideration should be given to all factors when determining final actions to take when addressing each
incident The table below should only be used as guide and conditions may warrant actions above or below those
associated with the final risk score
Risk Score Necessary Action
High Notify and provide remedy
Medium Notify only
Low Monitor only
Timing of Notification
Notice will be provided within a reasonable time following the discovery of a breach consistent with the legitimate
needs of law enforcement and any measures necessary for the Census Bureau to determine the scope of the breach
and if applicable to restore the reasonable integrity of the systemprocess that was compromised
In some circumstances law enforcement considerations may require a delay in notification if the investigation of
the breach or of an individual affected by the breach requires it and notification would seriously impede the
investigation The delay should not exacerbate risk or harm to any affected individual(s) or be tied to the
completion of the investigation but rather be based on whether it would seriously impede the investigation to
provide the notice promptly
Responsibility for Notification
The notice should come from a senior BD Mortgage Group LLC representative
BD MORTGAGE GROUP LLC 22
Content of Notification
The notice must be clear concise conspicuous easy-to-understand in plain language and should include the
following elements
bull A brief description of what happened including the date(s) of the breach and its discovery
bull A description of the types of personal information that were involved in the breach (eg full name Social
Security number date of birth home address account number disability code etc) to the extent possible
bull What steps if any an individual should take to protect himself from potential harm
bull What BD Mortgage Group LLC is doing if anything to investigate the breach to mitigate losses and to
protect against any further breaches
bull Who and how affected individuals should contact BD Mortgage Group LLC for more information including
a toll-free telephone number e-mail address and postal address
bull Direction to additional guidance available from the Federal Trade Commission at
httpwwwconsumergovidtheft
Minimizing your risk at httpwwwconsumergovidtheftcon_minimizehtm
Publications at httpwwwconsumergovidtheftcon_pubshtm
Method of Communication
Notice of the breach will be provided commensurate to the number of individuals affected by the breach and the
availability of contact information BD Mortgage Group LLC has for the affected individuals Correspondence
must be prominently marked on the exterior reflecting the importance of the communication to help ensure the
recipient does not discard or otherwise ignore the notification
In general the primary means of notification will be by first-class mail to the last known mailing address of the
individual based on BD Mortgage Group LLC records
Where we have reason to believe that the address is no longer current reasonable efforts will be made to update
the address using the US Postal Service National Change of Address (NCOA) database
Substitute notice may be made in instances where BD Mortgage Group LLC does not have sufficient contact
information for those who need to be notified In such instances notice may consist of a conspicuous posting of
the notice on the companyrsquos home page of its web site and include additional information in a Frequently Asked
Questions (FAQ)
BD MORTGAGE GROUP LLC 23
Process for Remediation of a Breach
Remedy is provided when the risk score is High
Credit Monitoring Data Breach Risk Packages (ie Lifelock)
Low Risk Package Low Risk Package Includes
1048707 Social Security Credit Card and 1 Bureau Credit Report Monitoring 1048707 3 Bureau Initial Fraud Alert 1048707 Credit Card Registry 1048707 Online Identity Theft Assistance 1048707 24 x 7 Customer Support
Medium Risk Package Medium Risk includes Low Risk benefits plus 1048707 Instant 1 Bureau Credit Report 1048707 Instant 1 Bureau Credit Score 1048707 Personal Information Directory Monitoring and Deletion 1048707 Identity Theft Consumer Guide 1048707 $25000 ($0 deductible) Identity Theft Insurance
High Risk Package High Risk includes Medium Risk benefits plus 1048707 3 Bureau Credit Report Monitoring 1048707 Instant 3 in 1 Credit Report 1048707 Instant 3 Bureau Credit Scores 1048707 Fraud Resolution amp Identity Restoration Specialist
BD MORTGAGE GROUP LLC 24
Reporting a Data Breach
Security Breach Notification Laws have been enacted in most US states since 2002 These laws were enacted in
response to an escalating number of breaches of consumer databases containing personally identifiable
information The first such law the California data security breach notification law was enacted in 2002 and
became effective on July 1 2003 As related in the bill statement law requires a state agency or a person or
business that conducts business in California that owns or licenses computerized data that includes personal
information as defined to disclose in specified ways any breach of the security of the data as defined to any
resident of California whose unencrypted personal information was or is reasonably believed to have been
acquired by an unauthorized person In addition the law permits delayed notification if a law enforcement
agency determines that it would impede a criminal investigation The law also requires any entity that licenses
such information to notify the owner or licensee of the information of any breach in the security of the data
The California law has been the model for the enactment of similar laws in other states The National Conference
of State Legislatures maintains a list of enacted and proposed security breach notification laws
BD MORTGAGE GROUP LLC 25
BD MORTGAGE GROUP LLC 26
2-90-29 - Information Security Audit
To ensure security of our systems and that we comply with rules for customer information security we conduct
an annual audit of our information technology systems A provider qualified to review our independent
information technology in conjunction with mortgage procedures must conduct this audit
Since we do not have any proprietary information technology but utilize software and services provided by
vendors exclusively we rely on the qualified audits of the technology provided by these vendors This is
conducted in conjunction with our annual vendor approval process
Vendor Category Vendor Name Information Tech Cert Date
Loan Origination System
E-Disclosure
Data Back-up
Web 1003 Application
Pricing and Eligibility
Document Management
E-Fax
Voice-MailTelephony
NetworkInternet Service
Office SupportCleanerLandlord
Courier
In addition we assume that other licensed entities with which we do business have had their plans reviewed and
found acceptable Consequently we do not audit our mortgage lender business partners
Internal Policies for Information Security Management
In addition to these procedures please refer to our internal Information Security Plan and Red Flags for our
ongoing Information Security procedures
BD MORTGAGE GROUP LLC 19
Likelihood Likelihood Definition
High (H) The nature of the attack and the data indicate that the motivation is criminal intent the security of the data and controls to minimize the likelihood of a privacy violation are ineffective
Medium (M)
The nature of the attack and data indicate that the motivation could be criminal intent but controls are in place that may impede success
Low (L) The nature of the attack and data do not indicate criminal intent and security and controls are in place to prevent or at least significantly impede the likelihood of a privacy violation
To assess likelihood of a breach occurring consider five factors
1 How the loss occurred
2 Data elements breached
3 Ability to access the data - the likelihood the personal information will be or has been compromised ndash made
accessible to and usable by unauthorized persons
4 Ability to mitigate the risk of harm
5 Evidence of data being used for identity theft or other harm
1 How Loss Occurred
H - Online system hacked
H - Data was targeted
M - Device was targeted
M - Device stolen
L - Device lost
2 Data Elements Breached
H - Social Security Number
H - Biometric record
H - Financial account number
H - PIN or security code for financial account
H - Health data
M - Birthdate
M - Government Issued Identification Number (drivers license etc)
L - Name
L - Address
L - Telephone Number
A combination of identifying information and financial or security information should always be considered a
high risk with high likelihood of harm occurring
3 Ability to access data
H ndash paper records or electronic records in a spreadsheet that is not password protected
M ndash electronic records that are password protected only
L ndash electronic records that are password protected and encrypted
4 Ability to mitigate the risk of harm
H ndash no recovery of data
M ndash partial recovery of data
L ndash recovery of data prior to use
BD MORTGAGE GROUP LLC 20
5 Evidence of data being used for identity theft or other harm
H ndash Data published on the web
M ndash Data accessed but no direct evidence of use
L ndash No tangible evidence of data use
After evaluating each factor and assigning an overall probability or likelihood of a breach occurring review and
assess the impact or harm to an individual or our organization
Impact Rating
Impact Definition
High Event (1) may result in human death or serious injury or harm to individual (2) may result in high costs to organization or (3) may significantly violate harm or impede an organizationrsquos mission reputation or interest
Medium Event (1) may result in injury or harm to the individual (2) may result in costs to the organization or (3) may violate harm or impede an organizationrsquos mission reputation or interest
Low Event (1) may result in the loss of some tangible organizational assets or resources or (2) may noticeably affect an organizationrsquos mission reputation or interest
The impact depends on the extent to which the breach poses a risk of identity theft or other substantial harm to an
individual such as embarrassment inconvenience unfairness harm to reputation or the potential for harassment
or prejudice particularly when health or financial benefits information is involved
Financial considerations can be factored in when determining the impact on our organization For instance credit
monitoring is generally estimated at $20 per year per case (individual) The costs associated with implementing
a call center including staff salaries may also be a factor Alternatively the cost of contracting for this service
could be a factor
BD MORTGAGE GROUP LLC 21
Assigning Risk Score
The risk score is determined by cross-referencing the likelihood score with the impact score
Likelihood Impact
Low Medium High
High Medium High High
Medium Low Medium High
Low Low Low Medium
Notification of Individuals
The risk score assigned will help determine if and when we should provide notification If the likelihood of risk
is low there could be more harm or impact on the individual if notification is provided due to the actions the
notified individual may take Thus notification must be weighed with the likelihood of risk No notification may
be required when the risk levels of each of the five factors is low If the likelihood of risk is high and the level of
impact or harm to the individual is medium notification and remedy may be required Alternatively if the
likelihood of risk is low and the level of impact or harm to the individual is high notification only may be required
If the five factors are considered appropriately it is more likely that notification will only be given in those
instances where there is a reasonable risk of harm and will not lead to the overuse of notification and thus the
associated further complications to the individual
Thus consideration should be given to all factors when determining final actions to take when addressing each
incident The table below should only be used as guide and conditions may warrant actions above or below those
associated with the final risk score
Risk Score Necessary Action
High Notify and provide remedy
Medium Notify only
Low Monitor only
Timing of Notification
Notice will be provided within a reasonable time following the discovery of a breach consistent with the legitimate
needs of law enforcement and any measures necessary for the Census Bureau to determine the scope of the breach
and if applicable to restore the reasonable integrity of the systemprocess that was compromised
In some circumstances law enforcement considerations may require a delay in notification if the investigation of
the breach or of an individual affected by the breach requires it and notification would seriously impede the
investigation The delay should not exacerbate risk or harm to any affected individual(s) or be tied to the
completion of the investigation but rather be based on whether it would seriously impede the investigation to
provide the notice promptly
Responsibility for Notification
The notice should come from a senior BD Mortgage Group LLC representative
BD MORTGAGE GROUP LLC 22
Content of Notification
The notice must be clear concise conspicuous easy-to-understand in plain language and should include the
following elements
bull A brief description of what happened including the date(s) of the breach and its discovery
bull A description of the types of personal information that were involved in the breach (eg full name Social
Security number date of birth home address account number disability code etc) to the extent possible
bull What steps if any an individual should take to protect himself from potential harm
bull What BD Mortgage Group LLC is doing if anything to investigate the breach to mitigate losses and to
protect against any further breaches
bull Who and how affected individuals should contact BD Mortgage Group LLC for more information including
a toll-free telephone number e-mail address and postal address
bull Direction to additional guidance available from the Federal Trade Commission at
httpwwwconsumergovidtheft
Minimizing your risk at httpwwwconsumergovidtheftcon_minimizehtm
Publications at httpwwwconsumergovidtheftcon_pubshtm
Method of Communication
Notice of the breach will be provided commensurate to the number of individuals affected by the breach and the
availability of contact information BD Mortgage Group LLC has for the affected individuals Correspondence
must be prominently marked on the exterior reflecting the importance of the communication to help ensure the
recipient does not discard or otherwise ignore the notification
In general the primary means of notification will be by first-class mail to the last known mailing address of the
individual based on BD Mortgage Group LLC records
Where we have reason to believe that the address is no longer current reasonable efforts will be made to update
the address using the US Postal Service National Change of Address (NCOA) database
Substitute notice may be made in instances where BD Mortgage Group LLC does not have sufficient contact
information for those who need to be notified In such instances notice may consist of a conspicuous posting of
the notice on the companyrsquos home page of its web site and include additional information in a Frequently Asked
Questions (FAQ)
BD MORTGAGE GROUP LLC 23
Process for Remediation of a Breach
Remedy is provided when the risk score is High
Credit Monitoring Data Breach Risk Packages (ie Lifelock)
Low Risk Package Low Risk Package Includes
1048707 Social Security Credit Card and 1 Bureau Credit Report Monitoring 1048707 3 Bureau Initial Fraud Alert 1048707 Credit Card Registry 1048707 Online Identity Theft Assistance 1048707 24 x 7 Customer Support
Medium Risk Package Medium Risk includes Low Risk benefits plus 1048707 Instant 1 Bureau Credit Report 1048707 Instant 1 Bureau Credit Score 1048707 Personal Information Directory Monitoring and Deletion 1048707 Identity Theft Consumer Guide 1048707 $25000 ($0 deductible) Identity Theft Insurance
High Risk Package High Risk includes Medium Risk benefits plus 1048707 3 Bureau Credit Report Monitoring 1048707 Instant 3 in 1 Credit Report 1048707 Instant 3 Bureau Credit Scores 1048707 Fraud Resolution amp Identity Restoration Specialist
BD MORTGAGE GROUP LLC 24
Reporting a Data Breach
Security Breach Notification Laws have been enacted in most US states since 2002 These laws were enacted in
response to an escalating number of breaches of consumer databases containing personally identifiable
information The first such law the California data security breach notification law was enacted in 2002 and
became effective on July 1 2003 As related in the bill statement law requires a state agency or a person or
business that conducts business in California that owns or licenses computerized data that includes personal
information as defined to disclose in specified ways any breach of the security of the data as defined to any
resident of California whose unencrypted personal information was or is reasonably believed to have been
acquired by an unauthorized person In addition the law permits delayed notification if a law enforcement
agency determines that it would impede a criminal investigation The law also requires any entity that licenses
such information to notify the owner or licensee of the information of any breach in the security of the data
The California law has been the model for the enactment of similar laws in other states The National Conference
of State Legislatures maintains a list of enacted and proposed security breach notification laws
BD MORTGAGE GROUP LLC 25
BD MORTGAGE GROUP LLC 26
2-90-29 - Information Security Audit
To ensure security of our systems and that we comply with rules for customer information security we conduct
an annual audit of our information technology systems A provider qualified to review our independent
information technology in conjunction with mortgage procedures must conduct this audit
Since we do not have any proprietary information technology but utilize software and services provided by
vendors exclusively we rely on the qualified audits of the technology provided by these vendors This is
conducted in conjunction with our annual vendor approval process
Vendor Category Vendor Name Information Tech Cert Date
Loan Origination System
E-Disclosure
Data Back-up
Web 1003 Application
Pricing and Eligibility
Document Management
E-Fax
Voice-MailTelephony
NetworkInternet Service
Office SupportCleanerLandlord
Courier
In addition we assume that other licensed entities with which we do business have had their plans reviewed and
found acceptable Consequently we do not audit our mortgage lender business partners
Internal Policies for Information Security Management
In addition to these procedures please refer to our internal Information Security Plan and Red Flags for our
ongoing Information Security procedures
BD MORTGAGE GROUP LLC 20
5 Evidence of data being used for identity theft or other harm
H ndash Data published on the web
M ndash Data accessed but no direct evidence of use
L ndash No tangible evidence of data use
After evaluating each factor and assigning an overall probability or likelihood of a breach occurring review and
assess the impact or harm to an individual or our organization
Impact Rating
Impact Definition
High Event (1) may result in human death or serious injury or harm to individual (2) may result in high costs to organization or (3) may significantly violate harm or impede an organizationrsquos mission reputation or interest
Medium Event (1) may result in injury or harm to the individual (2) may result in costs to the organization or (3) may violate harm or impede an organizationrsquos mission reputation or interest
Low Event (1) may result in the loss of some tangible organizational assets or resources or (2) may noticeably affect an organizationrsquos mission reputation or interest
The impact depends on the extent to which the breach poses a risk of identity theft or other substantial harm to an
individual such as embarrassment inconvenience unfairness harm to reputation or the potential for harassment
or prejudice particularly when health or financial benefits information is involved
Financial considerations can be factored in when determining the impact on our organization For instance credit
monitoring is generally estimated at $20 per year per case (individual) The costs associated with implementing
a call center including staff salaries may also be a factor Alternatively the cost of contracting for this service
could be a factor
BD MORTGAGE GROUP LLC 21
Assigning Risk Score
The risk score is determined by cross-referencing the likelihood score with the impact score
Likelihood Impact
Low Medium High
High Medium High High
Medium Low Medium High
Low Low Low Medium
Notification of Individuals
The risk score assigned will help determine if and when we should provide notification If the likelihood of risk
is low there could be more harm or impact on the individual if notification is provided due to the actions the
notified individual may take Thus notification must be weighed with the likelihood of risk No notification may
be required when the risk levels of each of the five factors is low If the likelihood of risk is high and the level of
impact or harm to the individual is medium notification and remedy may be required Alternatively if the
likelihood of risk is low and the level of impact or harm to the individual is high notification only may be required
If the five factors are considered appropriately it is more likely that notification will only be given in those
instances where there is a reasonable risk of harm and will not lead to the overuse of notification and thus the
associated further complications to the individual
Thus consideration should be given to all factors when determining final actions to take when addressing each
incident The table below should only be used as guide and conditions may warrant actions above or below those
associated with the final risk score
Risk Score Necessary Action
High Notify and provide remedy
Medium Notify only
Low Monitor only
Timing of Notification
Notice will be provided within a reasonable time following the discovery of a breach consistent with the legitimate
needs of law enforcement and any measures necessary for the Census Bureau to determine the scope of the breach
and if applicable to restore the reasonable integrity of the systemprocess that was compromised
In some circumstances law enforcement considerations may require a delay in notification if the investigation of
the breach or of an individual affected by the breach requires it and notification would seriously impede the
investigation The delay should not exacerbate risk or harm to any affected individual(s) or be tied to the
completion of the investigation but rather be based on whether it would seriously impede the investigation to
provide the notice promptly
Responsibility for Notification
The notice should come from a senior BD Mortgage Group LLC representative
BD MORTGAGE GROUP LLC 22
Content of Notification
The notice must be clear concise conspicuous easy-to-understand in plain language and should include the
following elements
bull A brief description of what happened including the date(s) of the breach and its discovery
bull A description of the types of personal information that were involved in the breach (eg full name Social
Security number date of birth home address account number disability code etc) to the extent possible
bull What steps if any an individual should take to protect himself from potential harm
bull What BD Mortgage Group LLC is doing if anything to investigate the breach to mitigate losses and to
protect against any further breaches
bull Who and how affected individuals should contact BD Mortgage Group LLC for more information including
a toll-free telephone number e-mail address and postal address
bull Direction to additional guidance available from the Federal Trade Commission at
httpwwwconsumergovidtheft
Minimizing your risk at httpwwwconsumergovidtheftcon_minimizehtm
Publications at httpwwwconsumergovidtheftcon_pubshtm
Method of Communication
Notice of the breach will be provided commensurate to the number of individuals affected by the breach and the
availability of contact information BD Mortgage Group LLC has for the affected individuals Correspondence
must be prominently marked on the exterior reflecting the importance of the communication to help ensure the
recipient does not discard or otherwise ignore the notification
In general the primary means of notification will be by first-class mail to the last known mailing address of the
individual based on BD Mortgage Group LLC records
Where we have reason to believe that the address is no longer current reasonable efforts will be made to update
the address using the US Postal Service National Change of Address (NCOA) database
Substitute notice may be made in instances where BD Mortgage Group LLC does not have sufficient contact
information for those who need to be notified In such instances notice may consist of a conspicuous posting of
the notice on the companyrsquos home page of its web site and include additional information in a Frequently Asked
Questions (FAQ)
BD MORTGAGE GROUP LLC 23
Process for Remediation of a Breach
Remedy is provided when the risk score is High
Credit Monitoring Data Breach Risk Packages (ie Lifelock)
Low Risk Package Low Risk Package Includes
1048707 Social Security Credit Card and 1 Bureau Credit Report Monitoring 1048707 3 Bureau Initial Fraud Alert 1048707 Credit Card Registry 1048707 Online Identity Theft Assistance 1048707 24 x 7 Customer Support
Medium Risk Package Medium Risk includes Low Risk benefits plus 1048707 Instant 1 Bureau Credit Report 1048707 Instant 1 Bureau Credit Score 1048707 Personal Information Directory Monitoring and Deletion 1048707 Identity Theft Consumer Guide 1048707 $25000 ($0 deductible) Identity Theft Insurance
High Risk Package High Risk includes Medium Risk benefits plus 1048707 3 Bureau Credit Report Monitoring 1048707 Instant 3 in 1 Credit Report 1048707 Instant 3 Bureau Credit Scores 1048707 Fraud Resolution amp Identity Restoration Specialist
BD MORTGAGE GROUP LLC 24
Reporting a Data Breach
Security Breach Notification Laws have been enacted in most US states since 2002 These laws were enacted in
response to an escalating number of breaches of consumer databases containing personally identifiable
information The first such law the California data security breach notification law was enacted in 2002 and
became effective on July 1 2003 As related in the bill statement law requires a state agency or a person or
business that conducts business in California that owns or licenses computerized data that includes personal
information as defined to disclose in specified ways any breach of the security of the data as defined to any
resident of California whose unencrypted personal information was or is reasonably believed to have been
acquired by an unauthorized person In addition the law permits delayed notification if a law enforcement
agency determines that it would impede a criminal investigation The law also requires any entity that licenses
such information to notify the owner or licensee of the information of any breach in the security of the data
The California law has been the model for the enactment of similar laws in other states The National Conference
of State Legislatures maintains a list of enacted and proposed security breach notification laws
BD MORTGAGE GROUP LLC 25
BD MORTGAGE GROUP LLC 26
2-90-29 - Information Security Audit
To ensure security of our systems and that we comply with rules for customer information security we conduct
an annual audit of our information technology systems A provider qualified to review our independent
information technology in conjunction with mortgage procedures must conduct this audit
Since we do not have any proprietary information technology but utilize software and services provided by
vendors exclusively we rely on the qualified audits of the technology provided by these vendors This is
conducted in conjunction with our annual vendor approval process
Vendor Category Vendor Name Information Tech Cert Date
Loan Origination System
E-Disclosure
Data Back-up
Web 1003 Application
Pricing and Eligibility
Document Management
E-Fax
Voice-MailTelephony
NetworkInternet Service
Office SupportCleanerLandlord
Courier
In addition we assume that other licensed entities with which we do business have had their plans reviewed and
found acceptable Consequently we do not audit our mortgage lender business partners
Internal Policies for Information Security Management
In addition to these procedures please refer to our internal Information Security Plan and Red Flags for our
ongoing Information Security procedures
BD MORTGAGE GROUP LLC 21
Assigning Risk Score
The risk score is determined by cross-referencing the likelihood score with the impact score
Likelihood Impact
Low Medium High
High Medium High High
Medium Low Medium High
Low Low Low Medium
Notification of Individuals
The risk score assigned will help determine if and when we should provide notification If the likelihood of risk
is low there could be more harm or impact on the individual if notification is provided due to the actions the
notified individual may take Thus notification must be weighed with the likelihood of risk No notification may
be required when the risk levels of each of the five factors is low If the likelihood of risk is high and the level of
impact or harm to the individual is medium notification and remedy may be required Alternatively if the
likelihood of risk is low and the level of impact or harm to the individual is high notification only may be required
If the five factors are considered appropriately it is more likely that notification will only be given in those
instances where there is a reasonable risk of harm and will not lead to the overuse of notification and thus the
associated further complications to the individual
Thus consideration should be given to all factors when determining final actions to take when addressing each
incident The table below should only be used as guide and conditions may warrant actions above or below those
associated with the final risk score
Risk Score Necessary Action
High Notify and provide remedy
Medium Notify only
Low Monitor only
Timing of Notification
Notice will be provided within a reasonable time following the discovery of a breach consistent with the legitimate
needs of law enforcement and any measures necessary for the Census Bureau to determine the scope of the breach
and if applicable to restore the reasonable integrity of the systemprocess that was compromised
In some circumstances law enforcement considerations may require a delay in notification if the investigation of
the breach or of an individual affected by the breach requires it and notification would seriously impede the
investigation The delay should not exacerbate risk or harm to any affected individual(s) or be tied to the
completion of the investigation but rather be based on whether it would seriously impede the investigation to
provide the notice promptly
Responsibility for Notification
The notice should come from a senior BD Mortgage Group LLC representative
BD MORTGAGE GROUP LLC 22
Content of Notification
The notice must be clear concise conspicuous easy-to-understand in plain language and should include the
following elements
bull A brief description of what happened including the date(s) of the breach and its discovery
bull A description of the types of personal information that were involved in the breach (eg full name Social
Security number date of birth home address account number disability code etc) to the extent possible
bull What steps if any an individual should take to protect himself from potential harm
bull What BD Mortgage Group LLC is doing if anything to investigate the breach to mitigate losses and to
protect against any further breaches
bull Who and how affected individuals should contact BD Mortgage Group LLC for more information including
a toll-free telephone number e-mail address and postal address
bull Direction to additional guidance available from the Federal Trade Commission at
httpwwwconsumergovidtheft
Minimizing your risk at httpwwwconsumergovidtheftcon_minimizehtm
Publications at httpwwwconsumergovidtheftcon_pubshtm
Method of Communication
Notice of the breach will be provided commensurate to the number of individuals affected by the breach and the
availability of contact information BD Mortgage Group LLC has for the affected individuals Correspondence
must be prominently marked on the exterior reflecting the importance of the communication to help ensure the
recipient does not discard or otherwise ignore the notification
In general the primary means of notification will be by first-class mail to the last known mailing address of the
individual based on BD Mortgage Group LLC records
Where we have reason to believe that the address is no longer current reasonable efforts will be made to update
the address using the US Postal Service National Change of Address (NCOA) database
Substitute notice may be made in instances where BD Mortgage Group LLC does not have sufficient contact
information for those who need to be notified In such instances notice may consist of a conspicuous posting of
the notice on the companyrsquos home page of its web site and include additional information in a Frequently Asked
Questions (FAQ)
BD MORTGAGE GROUP LLC 23
Process for Remediation of a Breach
Remedy is provided when the risk score is High
Credit Monitoring Data Breach Risk Packages (ie Lifelock)
Low Risk Package Low Risk Package Includes
1048707 Social Security Credit Card and 1 Bureau Credit Report Monitoring 1048707 3 Bureau Initial Fraud Alert 1048707 Credit Card Registry 1048707 Online Identity Theft Assistance 1048707 24 x 7 Customer Support
Medium Risk Package Medium Risk includes Low Risk benefits plus 1048707 Instant 1 Bureau Credit Report 1048707 Instant 1 Bureau Credit Score 1048707 Personal Information Directory Monitoring and Deletion 1048707 Identity Theft Consumer Guide 1048707 $25000 ($0 deductible) Identity Theft Insurance
High Risk Package High Risk includes Medium Risk benefits plus 1048707 3 Bureau Credit Report Monitoring 1048707 Instant 3 in 1 Credit Report 1048707 Instant 3 Bureau Credit Scores 1048707 Fraud Resolution amp Identity Restoration Specialist
BD MORTGAGE GROUP LLC 24
Reporting a Data Breach
Security Breach Notification Laws have been enacted in most US states since 2002 These laws were enacted in
response to an escalating number of breaches of consumer databases containing personally identifiable
information The first such law the California data security breach notification law was enacted in 2002 and
became effective on July 1 2003 As related in the bill statement law requires a state agency or a person or
business that conducts business in California that owns or licenses computerized data that includes personal
information as defined to disclose in specified ways any breach of the security of the data as defined to any
resident of California whose unencrypted personal information was or is reasonably believed to have been
acquired by an unauthorized person In addition the law permits delayed notification if a law enforcement
agency determines that it would impede a criminal investigation The law also requires any entity that licenses
such information to notify the owner or licensee of the information of any breach in the security of the data
The California law has been the model for the enactment of similar laws in other states The National Conference
of State Legislatures maintains a list of enacted and proposed security breach notification laws
BD MORTGAGE GROUP LLC 25
BD MORTGAGE GROUP LLC 26
2-90-29 - Information Security Audit
To ensure security of our systems and that we comply with rules for customer information security we conduct
an annual audit of our information technology systems A provider qualified to review our independent
information technology in conjunction with mortgage procedures must conduct this audit
Since we do not have any proprietary information technology but utilize software and services provided by
vendors exclusively we rely on the qualified audits of the technology provided by these vendors This is
conducted in conjunction with our annual vendor approval process
Vendor Category Vendor Name Information Tech Cert Date
Loan Origination System
E-Disclosure
Data Back-up
Web 1003 Application
Pricing and Eligibility
Document Management
E-Fax
Voice-MailTelephony
NetworkInternet Service
Office SupportCleanerLandlord
Courier
In addition we assume that other licensed entities with which we do business have had their plans reviewed and
found acceptable Consequently we do not audit our mortgage lender business partners
Internal Policies for Information Security Management
In addition to these procedures please refer to our internal Information Security Plan and Red Flags for our
ongoing Information Security procedures
BD MORTGAGE GROUP LLC 22
Content of Notification
The notice must be clear concise conspicuous easy-to-understand in plain language and should include the
following elements
bull A brief description of what happened including the date(s) of the breach and its discovery
bull A description of the types of personal information that were involved in the breach (eg full name Social
Security number date of birth home address account number disability code etc) to the extent possible
bull What steps if any an individual should take to protect himself from potential harm
bull What BD Mortgage Group LLC is doing if anything to investigate the breach to mitigate losses and to
protect against any further breaches
bull Who and how affected individuals should contact BD Mortgage Group LLC for more information including
a toll-free telephone number e-mail address and postal address
bull Direction to additional guidance available from the Federal Trade Commission at
httpwwwconsumergovidtheft
Minimizing your risk at httpwwwconsumergovidtheftcon_minimizehtm
Publications at httpwwwconsumergovidtheftcon_pubshtm
Method of Communication
Notice of the breach will be provided commensurate to the number of individuals affected by the breach and the
availability of contact information BD Mortgage Group LLC has for the affected individuals Correspondence
must be prominently marked on the exterior reflecting the importance of the communication to help ensure the
recipient does not discard or otherwise ignore the notification
In general the primary means of notification will be by first-class mail to the last known mailing address of the
individual based on BD Mortgage Group LLC records
Where we have reason to believe that the address is no longer current reasonable efforts will be made to update
the address using the US Postal Service National Change of Address (NCOA) database
Substitute notice may be made in instances where BD Mortgage Group LLC does not have sufficient contact
information for those who need to be notified In such instances notice may consist of a conspicuous posting of
the notice on the companyrsquos home page of its web site and include additional information in a Frequently Asked
Questions (FAQ)
BD MORTGAGE GROUP LLC 23
Process for Remediation of a Breach
Remedy is provided when the risk score is High
Credit Monitoring Data Breach Risk Packages (ie Lifelock)
Low Risk Package Low Risk Package Includes
1048707 Social Security Credit Card and 1 Bureau Credit Report Monitoring 1048707 3 Bureau Initial Fraud Alert 1048707 Credit Card Registry 1048707 Online Identity Theft Assistance 1048707 24 x 7 Customer Support
Medium Risk Package Medium Risk includes Low Risk benefits plus 1048707 Instant 1 Bureau Credit Report 1048707 Instant 1 Bureau Credit Score 1048707 Personal Information Directory Monitoring and Deletion 1048707 Identity Theft Consumer Guide 1048707 $25000 ($0 deductible) Identity Theft Insurance
High Risk Package High Risk includes Medium Risk benefits plus 1048707 3 Bureau Credit Report Monitoring 1048707 Instant 3 in 1 Credit Report 1048707 Instant 3 Bureau Credit Scores 1048707 Fraud Resolution amp Identity Restoration Specialist
BD MORTGAGE GROUP LLC 24
Reporting a Data Breach
Security Breach Notification Laws have been enacted in most US states since 2002 These laws were enacted in
response to an escalating number of breaches of consumer databases containing personally identifiable
information The first such law the California data security breach notification law was enacted in 2002 and
became effective on July 1 2003 As related in the bill statement law requires a state agency or a person or
business that conducts business in California that owns or licenses computerized data that includes personal
information as defined to disclose in specified ways any breach of the security of the data as defined to any
resident of California whose unencrypted personal information was or is reasonably believed to have been
acquired by an unauthorized person In addition the law permits delayed notification if a law enforcement
agency determines that it would impede a criminal investigation The law also requires any entity that licenses
such information to notify the owner or licensee of the information of any breach in the security of the data
The California law has been the model for the enactment of similar laws in other states The National Conference
of State Legislatures maintains a list of enacted and proposed security breach notification laws
BD MORTGAGE GROUP LLC 25
BD MORTGAGE GROUP LLC 26
2-90-29 - Information Security Audit
To ensure security of our systems and that we comply with rules for customer information security we conduct
an annual audit of our information technology systems A provider qualified to review our independent
information technology in conjunction with mortgage procedures must conduct this audit
Since we do not have any proprietary information technology but utilize software and services provided by
vendors exclusively we rely on the qualified audits of the technology provided by these vendors This is
conducted in conjunction with our annual vendor approval process
Vendor Category Vendor Name Information Tech Cert Date
Loan Origination System
E-Disclosure
Data Back-up
Web 1003 Application
Pricing and Eligibility
Document Management
E-Fax
Voice-MailTelephony
NetworkInternet Service
Office SupportCleanerLandlord
Courier
In addition we assume that other licensed entities with which we do business have had their plans reviewed and
found acceptable Consequently we do not audit our mortgage lender business partners
Internal Policies for Information Security Management
In addition to these procedures please refer to our internal Information Security Plan and Red Flags for our
ongoing Information Security procedures
BD MORTGAGE GROUP LLC 23
Process for Remediation of a Breach
Remedy is provided when the risk score is High
Credit Monitoring Data Breach Risk Packages (ie Lifelock)
Low Risk Package Low Risk Package Includes
1048707 Social Security Credit Card and 1 Bureau Credit Report Monitoring 1048707 3 Bureau Initial Fraud Alert 1048707 Credit Card Registry 1048707 Online Identity Theft Assistance 1048707 24 x 7 Customer Support
Medium Risk Package Medium Risk includes Low Risk benefits plus 1048707 Instant 1 Bureau Credit Report 1048707 Instant 1 Bureau Credit Score 1048707 Personal Information Directory Monitoring and Deletion 1048707 Identity Theft Consumer Guide 1048707 $25000 ($0 deductible) Identity Theft Insurance
High Risk Package High Risk includes Medium Risk benefits plus 1048707 3 Bureau Credit Report Monitoring 1048707 Instant 3 in 1 Credit Report 1048707 Instant 3 Bureau Credit Scores 1048707 Fraud Resolution amp Identity Restoration Specialist
BD MORTGAGE GROUP LLC 24
Reporting a Data Breach
Security Breach Notification Laws have been enacted in most US states since 2002 These laws were enacted in
response to an escalating number of breaches of consumer databases containing personally identifiable
information The first such law the California data security breach notification law was enacted in 2002 and
became effective on July 1 2003 As related in the bill statement law requires a state agency or a person or
business that conducts business in California that owns or licenses computerized data that includes personal
information as defined to disclose in specified ways any breach of the security of the data as defined to any
resident of California whose unencrypted personal information was or is reasonably believed to have been
acquired by an unauthorized person In addition the law permits delayed notification if a law enforcement
agency determines that it would impede a criminal investigation The law also requires any entity that licenses
such information to notify the owner or licensee of the information of any breach in the security of the data
The California law has been the model for the enactment of similar laws in other states The National Conference
of State Legislatures maintains a list of enacted and proposed security breach notification laws
BD MORTGAGE GROUP LLC 25
BD MORTGAGE GROUP LLC 26
2-90-29 - Information Security Audit
To ensure security of our systems and that we comply with rules for customer information security we conduct
an annual audit of our information technology systems A provider qualified to review our independent
information technology in conjunction with mortgage procedures must conduct this audit
Since we do not have any proprietary information technology but utilize software and services provided by
vendors exclusively we rely on the qualified audits of the technology provided by these vendors This is
conducted in conjunction with our annual vendor approval process
Vendor Category Vendor Name Information Tech Cert Date
Loan Origination System
E-Disclosure
Data Back-up
Web 1003 Application
Pricing and Eligibility
Document Management
E-Fax
Voice-MailTelephony
NetworkInternet Service
Office SupportCleanerLandlord
Courier
In addition we assume that other licensed entities with which we do business have had their plans reviewed and
found acceptable Consequently we do not audit our mortgage lender business partners
Internal Policies for Information Security Management
In addition to these procedures please refer to our internal Information Security Plan and Red Flags for our
ongoing Information Security procedures
BD MORTGAGE GROUP LLC 24
Reporting a Data Breach
Security Breach Notification Laws have been enacted in most US states since 2002 These laws were enacted in
response to an escalating number of breaches of consumer databases containing personally identifiable
information The first such law the California data security breach notification law was enacted in 2002 and
became effective on July 1 2003 As related in the bill statement law requires a state agency or a person or
business that conducts business in California that owns or licenses computerized data that includes personal
information as defined to disclose in specified ways any breach of the security of the data as defined to any
resident of California whose unencrypted personal information was or is reasonably believed to have been
acquired by an unauthorized person In addition the law permits delayed notification if a law enforcement
agency determines that it would impede a criminal investigation The law also requires any entity that licenses
such information to notify the owner or licensee of the information of any breach in the security of the data
The California law has been the model for the enactment of similar laws in other states The National Conference
of State Legislatures maintains a list of enacted and proposed security breach notification laws
BD MORTGAGE GROUP LLC 25
BD MORTGAGE GROUP LLC 26
2-90-29 - Information Security Audit
To ensure security of our systems and that we comply with rules for customer information security we conduct
an annual audit of our information technology systems A provider qualified to review our independent
information technology in conjunction with mortgage procedures must conduct this audit
Since we do not have any proprietary information technology but utilize software and services provided by
vendors exclusively we rely on the qualified audits of the technology provided by these vendors This is
conducted in conjunction with our annual vendor approval process
Vendor Category Vendor Name Information Tech Cert Date
Loan Origination System
E-Disclosure
Data Back-up
Web 1003 Application
Pricing and Eligibility
Document Management
E-Fax
Voice-MailTelephony
NetworkInternet Service
Office SupportCleanerLandlord
Courier
In addition we assume that other licensed entities with which we do business have had their plans reviewed and
found acceptable Consequently we do not audit our mortgage lender business partners
Internal Policies for Information Security Management
In addition to these procedures please refer to our internal Information Security Plan and Red Flags for our
ongoing Information Security procedures
BD MORTGAGE GROUP LLC 25
BD MORTGAGE GROUP LLC 26
2-90-29 - Information Security Audit
To ensure security of our systems and that we comply with rules for customer information security we conduct
an annual audit of our information technology systems A provider qualified to review our independent
information technology in conjunction with mortgage procedures must conduct this audit
Since we do not have any proprietary information technology but utilize software and services provided by
vendors exclusively we rely on the qualified audits of the technology provided by these vendors This is
conducted in conjunction with our annual vendor approval process
Vendor Category Vendor Name Information Tech Cert Date
Loan Origination System
E-Disclosure
Data Back-up
Web 1003 Application
Pricing and Eligibility
Document Management
E-Fax
Voice-MailTelephony
NetworkInternet Service
Office SupportCleanerLandlord
Courier
In addition we assume that other licensed entities with which we do business have had their plans reviewed and
found acceptable Consequently we do not audit our mortgage lender business partners
Internal Policies for Information Security Management
In addition to these procedures please refer to our internal Information Security Plan and Red Flags for our
ongoing Information Security procedures
BD MORTGAGE GROUP LLC 26
2-90-29 - Information Security Audit
To ensure security of our systems and that we comply with rules for customer information security we conduct
an annual audit of our information technology systems A provider qualified to review our independent
information technology in conjunction with mortgage procedures must conduct this audit
Since we do not have any proprietary information technology but utilize software and services provided by
vendors exclusively we rely on the qualified audits of the technology provided by these vendors This is
conducted in conjunction with our annual vendor approval process
Vendor Category Vendor Name Information Tech Cert Date
Loan Origination System
E-Disclosure
Data Back-up
Web 1003 Application
Pricing and Eligibility
Document Management
E-Fax
Voice-MailTelephony
NetworkInternet Service
Office SupportCleanerLandlord
Courier
In addition we assume that other licensed entities with which we do business have had their plans reviewed and
found acceptable Consequently we do not audit our mortgage lender business partners
Internal Policies for Information Security Management
In addition to these procedures please refer to our internal Information Security Plan and Red Flags for our
ongoing Information Security procedures