So your underwriter wants to work from home? Beyond the concerns most employers would typically have, financial services firms must carefully consider the security of private customer financial data before deciding whether, how and which employees can work remotely. Indeed, the Gramm Leach Bliley Act ("GLB"), as well as often-stricter state privacy laws, require mortgage banks to institute practices and policies to ensure appropriate safeguards remain in place to protect sensitive financial information about customers from being intentionally or inadvertently disclosed. Banks must understand that this is an affirmative obligation-they must have reasonable practices and policies that prevent accidental data disclosure as well as theft.
As it pertains to telecommuting, banks must carefully consider the conditions necessary to ensure the security of data. The extent of necessary measures will obviously depend upon the nature of the position and access to data. For instance, an underwriter will simultaneously and consistently use all of a consumer's most sensitive personal financial information. Hence, if an employer wanted to even consider allowing an underwriter to work from home, extensive measures would need to be put in place to ensure that data security wouldn't and couldn't be compromised. An employer would likely need to set up a secure VPN, encrypt data, provide its own terminal (with no internal storage, drives, printing capacity), institute a high level password, computer time-out and security measures, and initiate and constantly maintain other protections to ensure no files could be taken to, or in any fashion maintained, at the underwriters home. It would not be enough to merely issue a written security policy and expect an employee to follow it-the bank must protect against hackers, snoopy and dishonest spouses, repair-men in the underwriter's house, and people looking in the underwriter's trash can. Indeed, if an employer took a passive approach it could face significant fines even if no security breach occurred. If a security breach were to take place...well, let's just say we don't want to go there.
The bottom line is that there are real concerns with allowing certain employees to telecommute. Given the risks and responsibilities and the fact that an employer will need to justify any and all of its decisions in the event of a data breach, an employer should consider retaining a data security expert to determine what is necessary before setting up remote work access. Depending on the position's access to data, employers should consider whether they want to invest the time and resources into accommodating and maintaining a telecommuting position. If an employer is not prepared to incur these costs, it should seriously consider whether telecommuting is something that fits for (at least certain portions) of its workforce.
