Michigan Mortgage Lenders Association (MMLA)
The Types of Member Information Michigan Mortgage Lenders Association Obtains
Michigan Mortgage Lenders Association, hereafter referred to as ‘the organization’, is a non-profit organization representing institutions that provide mortgage financing to the consumer. Individuals may become members of the organization and corporations may offer sponsorships for various programs. MMLA may obtain personal information during the membership process and may obtain credit card or other bank account information in the course of receiving payment for dues, sponsorships and events.
How Do We Use Member Information?
We will not disclose any member information or member-provided information (“Member Information”) to any organization or to any affiliated or non-affiliated entity unless this disclosure is either:
- necessary to effect, administer, or enforce a transaction or service that we have been contracted to perform; or
- necessary to facilitate or consummate our business transactions with third parties. This will not involve selling information for the purpose of further solicitation.
In cases where information is shared with other companies that perform services on our behalf, the Member Information provided is limited to the information which we, in our discretion, reasonably believe is needed to perform the contracted function. We also maintain contracts with these companies requiring them to keep this information secure and confidential.
A list of active members is available to members through the MMLA website. The website information consists of names and business contact information and does not include personal or financial information.
How Do We Keep Member Information Private?
We take steps to safeguard Member Information. We maintain physical, electronic and procedural safeguards to guard the information against unauthorized access. We also utilize appropriate corrective action when needed to enforce employee compliance with our procedures with regard to privacy of information.
- All employees have received training (described below) before they are given authorization to receive or make phone calls to discuss Member Information.
- The company is only authorized to request information necessary to process payments for dues, sponsorships and/or events.
- All captured information is currently held securely in one main office computer. This is further discussed in the Information System Safeguards section.
- The office is within a single-family residential home. There is a fire extinguisher located in the office area. In the event of a fire, the household occupants have been trained in the proper use of the extinguisher and the fire department phone number is readily available. The house has a smoke alarm and the premises are locked whenever the house is left vacant.
- All Member Information is kept in a locked office after hours and is only available to authorized employees. No other individuals have access to the office area after hours. No person outside the household occupants has key access to the house or the office area.
- Any Member Information that needs to be disposed of is put in a shredder located in the office.
- If the information needs to be returned to the member, the Company returns the files in taped envelopes through nationally recognized courier services.
- All board members and volunteers who have access to personal financial information of members have been instructed on the handling of this information.
Information System Safeguards
- The computer is secured with the use of a firewall.
- A private password is needed to enter the main computer. The computer automatically prompts the user to change his/her password.
- Any hardware that will no longer be in use will have the memory erased by a qualified computer professional and then destroyed.
- The system information is backed up by using an external hard drive. This backup occurs weekly (or more often if necessary) and yearly. All backup drives are stored offsite.
- All computers are protected with anti-virus software, which is updated monthly. In addition, every inbound and outbound e-mail is scanned prior to reaching the e-mail recipient’s destination.
- It is the policy of the Company that no key information is to be stored on any laptop or PDA.
Board Member and Volunteer Training
- Each board member and volunteer is provided with written instructions on the handling of credit card information as issued by the board.
- Board members and volunteers are required to verify any request for Member Information in order to be certain that the person requesting the information has the right to receive it.
Breach of Policy or Safeguard
1. Board members or volunteers found to be in violation of the company policy may be subject to a change in job responsibilities and compensation (if applicable) and in the case of a severe breach the company may choose to terminate the board member or volunteer. The decision on the exact course of action will be based on the severity of the breach of confidentiality including but not limited to the impact of the breach to the member and to the Company.
2. If a security breach of Member Information has occurred, the board member or volunteer discovering the breach must notify the MMLA Board President immediately. The President will then direct the course of action in accordance with the following policy: The Company will notify the Member(s) in accordance with the state laws applicable to the Member’s state of residence. The following protocol is specific to Michigan and is to be used as minimum requirements unless the laws in the applicable states require more stringent procedures.
3. The notice provided to the Member will include both of the following:
(a) To the extent possible, a description of the categories of personal identifying information that was, or is reasonably believed to have been, acquired by an unauthorized person.
(b) A toll-free telephone number or website that the recipient of the notice may use to contact the person or an agent of the person and from which the recipient may learn all of the following:
(i) The types of information the person maintained or stored about the recipient or about individuals in general.
(ii) Whether or not the person maintained or stored information about the recipient.
(iii) The toll-free contact telephone numbers and addresses for the major credit reporting agencies.
- If the Company discovers circumstances that require the Company to provide notice under this section to more than 500 individuals at 1 time, the Company shall also notify all of the major credit reporting agencies within 48 hours.
- The Company shall provide any notice required under this section in the most expedient time possible and without unreasonable delay, unless 1 or both of the following apply:
(a) Delay is necessary to determine the scope of the security breach and restore the reasonable integrity of the data system.
(b) A law enforcement agency determines that providing notice will impede a criminal investigation. However, the Company shall provide the notice after the law enforcement agency determines that disclosure will not compromise the investigation.
- The Company shall provide notice required under this section by any of the following methods:
(a) Written notice sent by first-class mail, address correction requested.
(b) Electronic notice, if the notice provided is consistent with the provisions regarding electronic records and signatures set forth in section 101 of title I of the Electronic Signatures in Global and National Commerce Act, 15 USC 7001.
(c) Substitute notice, if the Company demonstrates that the cost of providing notice under subdivision (a) or (b) will exceed $250,000.00, that the Company has to provide notice to more than 500,000 individuals, or that the Company does not have sufficient contact information for the individuals or licensees it is required to notify under that subsection. A Company provides substitute notice under this subdivision by doing all of the following:
(i) Providing notice by e-mail to those individuals for whom the agency or person has e-mail addresses.
(ii) If the Company maintains a website, conspicuously posting the notice on that website.
(iii) Notifying major statewide media. A notification under this subparagraph shall include the toll-free telephone number or website described in subsection (3)(b).