If you’re a regular reader of ours, you’ll know we frequently write and speak on issues of data security — we can’t get enough of it! We rarely publish to this blog about items specific to certain types of practitioners (in this case, title agents); but, after coming across this piece, from Rick Diamond, senior vice president for information technology, agency operations at WFG National Title Insurance Company, we made an exception — which was easier to make given that much of what Rick details below represents best practice for every attorney. We appreciate Rick and WFG allowing us to republish this piece. Rick can be reached via email at firstname.lastname@example.org and via telephone at (617) 721-9703.
. . .
If it’s true that your ears burn when someone is talking about you, or watching you, then the ears of title insurance agents should be on fire now, because mortgage lenders are going to be focusing intently on the policies and procedures title agents have in place to protect the consumer data they collect.
That scrutiny results from provisions in the Dodd-Frank financial reform legislation authorizing the Consumer Financial Protection Bureau (CFPB) to enforce most consumer protection requirements applicable to financial institutions, including those related to the confidentiality and security of consumer information.
Although the CFPB does not regulate title insurance companies, the agency has ‘recommended’ that the financial institutions it does regulate ensure that their service providers comply with federal consumer privacy and data security requirements — specifically those outlined in the Gramm-Leach-Bliley Act and in the “Privacy” and “Safeguards” rules implementing it.
In a recent compliance bulletin, the agency outlined several specific steps financial institutions should take, among them:
-Conduct due diligence to ensure that the service provider understands and will comply with the relevant laws;
-Request and review the service provider’s policies and procedures to ensure that the service provider’s employees are properly trained and supervised;
-Incorporate contractual provisions detailing the compliance responsibilities of service providers and the consequences of noncompliance;
-Monitor compliance with the laws and “act promptly” to correct any deficiencies.
In the regulatory world, there isn’t much of a distinction between ‘recommendations’ and ‘requirements’. So, CFPB-regulated entities, which include non-banks as well as depository institutions, are going to be asking all of their service providers about the policies and procedures they have in place to protect the non-public information (NPI) they collect from consumers. Mortgage lenders and mortgage brokers are going to insist that the title insurance agents with whom they do business comply and document their compliance with the CFPB’s data security regulations.
Compliance Best Practices
The agency has not yet drafted its data protection regulations, but it is not difficult to anticipate, in a general sense, what they will include. Below are 20 key areas that data protection policies should address. These are, for the most part, common-sense best practices that all title agents should adopt even absent statutes, regulations or pressure from clients requiring them to do so.
(1) Create and implement a written privacy and information security program to protect NPI data. The program should be monitored closely and updated continually as processes, procedures and rules evolve.
(2) Know where sensitive customer information is stored and store it securely. Make sure only authorized employees have access to it.
(3) Establish procedures to protect paper files. Dispose of documents containing NPI safely and appropriately by shredding them. Make sure ‘to-be-shredded’ documents are secure. Many companies leave these documents in unsecured boxes — a common compliance failure. If you use a shredding service, make sure that company has appropriate data security policies in place and documents the chain-of-custody to establish accountability.
(4) Establish strict guidelines to protect documents sent outside the office for off-premises closings or any other purpose. Make sure the couriers you use to transport documents have written data security procedures.
(5) Make sure all entry points to your office and to work areas are secured, with access controlled by personal codes or keys. You must know who is walking through your office at all times.
(6) Establish a ‘clean desk policy’ requiring employees to put closing files out of sight when they are away from their desks.
(7) Make sure all files are locked away every night and stored in a secure location, protected against destruction or damage from physical hazards, such as fire or floods. A scanning solution (with levels of security limiting access) can be a great alternative to file storage, permitting ready access to files, reducing storage space and storage costs, and creating the ability to comply with likely CFPB requirements to ‘lock-down’ electronic files.
(8) Maintain up-to-date firewalls and use anti-virus and anti-spyware software that updates automatically.
(9) Store archived hard copy data off-line in a physically-secure area.
(10) Encrypt sensitive data both when it is stored and when it is transmitted electronically, including email messages and their attachments. Email and file transfer are probably the areas in which companies are most vulnerable to data breaches, and an unencrypted attachment containing NPI is exposed at every hop between sender and recipient. Encryption is an essential means of reducing those risks.
(11) Restrict access to personal email accounts from work computers. This is another easy way to reduce vulnerability to data breaches.
(12) Conduct background checks on employees who have or might have access to NPI data. You must know who is working for you before you trust them with access to consumer information.
(13) Establish an employee training program to explain the data security and privacy requirements. All employees must understand your policies and procedures for protecting NPI and their responsibility for following those procedures.
(14) Inspect what you expect. Establish audit procedures to ensure that all employees (not just new ones) are complying with and implementing your documented data security procedures. Impose clear and meaningful penalties for violations.
(15) Develop special policies for employees who telecommute specifying (among other things) whether they are allowed to transport NPI to their homes and, if so, the security procedures they are required to follow.
(16) Immediately disable the user accounts and credentials of terminated employees (network logins, email, remote access, shared passwords they knew, and physical access codes or keys) and take any other measures necessary to block their access to customer information.
(17) Develop clear, written guidelines and controls ensuring the appropriate use of company technology. Among other measures:
-Limit access to authorized employees and make sure all devices are password protected and locked down at night. Passwords should be strong and unique to each system; the 90-day forced rotation common in policies of this era is no longer recommended by current NIST guidance (SP 800-63B), which favors long passwords, screening against known-breached passwords, and immediate changes when compromise is suspected.
-Make sure servers are located in properly ventilated areas and locked at all times with access limited to authorized personnel.
-Use appropriate, secure means to destroy or erase data when disposing of hard drives, laptops, desktops, disks, CDs, magnetic tapes, PDAs, cell phones, or any other electronic media or hardware containing customer information. Don’t forget about copiers, which also contain hard drives. Obtain a letter of compliance documenting that you have followed recommended security procedures for disposing of NPI material.
-Make sure all mobile devices are password-protected and encrypted, in case of loss or theft, and can be wiped clean remotely. (Mobile device management software allows you to do this.)
-Strictly control the use of removable storage devices, such as flash drives or CDs. These devices should be used only by authorized personnel and solely for business purposes.
(18) Make sure your service providers are taking steps to protect and secure NPI data. Insist on written documentation of their data security policies and procedures. Include provisions in their contracts requiring them to maintain data security safeguards. You should impose on your service providers the same compliance requirements that your clients will be imposing on you.
(19) Establish and document disaster management and business continuity plans. Many lenders are insisting that their service providers do the same kind of disaster planning that the CFPB is requiring of them.
(20) Establish procedures for responding to a data breach. Take immediate steps to contain the breach, assess its cause and extent (preserving logs and other evidence so the assessment is accurate), notify the consumers whose personal information has been or may have been compromised, and close the security gap so the breach does not recur.
. . .
Title agents may view compliance in one of two ways:
-As an unwelcome and annoying burden, draining resources and distracting from ‘more important’ business goals; or,
-As an integral component of your business, essential for avoiding regulatory sanctions and liability risks — and, equally important, as a way to better serve your clients and to distinguish you from your competitors.
The second option is best.