Leading institutions have become more involved in the regulatory arena, including multiple federal and state regulators, lenders, and the industry trade association, ALTA. Together, the goal of these parties is to make the title and settlement process safe and sound, ensuring it is conducted in a manner that best protects consumers.
ALTA’s Best Practices provides independent title and settlement agents with a tangible list of critical criteria aimed at reconciling all regulatory sources and industry mandates. Of particular interest is the following:
-Adopt and maintain a written privacy and information security program to protect NPPI as required by local, state and federal law.
Federal and state laws (including the Gramm-Leach-Bliley Act) require title companies to develop a written information security program that describes the procedures they employ to protect NPPI. The program must be appropriate to the company’s size and complexity, the nature and scope of the activities, and the sensitivity of the customer information it handles. A company evaluates and adjusts its program in light of relevant circumstances, including changes in the company’s business or operations, or the results of security testing and monitoring.
Procedures to meet this best practice:
-Physical security of NPPI
  -Restrict access to NPPI to authorized employees who have undergone background checks at hiring
  -Prohibit or control the use of removable media
  -Use only secure delivery methods when transmitting NPPI
-Network security of NPPI
  -Maintain and secure access to company information technology
  -Develop guidelines for the appropriate use of company information technology
  -Ensure secure collection and transmission of NPPI
-Disposal of NPPI
  -Federal law requires companies that possess NPPI for a business purpose to dispose of such information properly in a manner that protects against unauthorized access to or use of the information
-Establish a disaster management plan
-Appropriate management and training of employees to help ensure compliance with company’s information security program
-Oversight of service providers to help ensure compliance with a company’s information security program
  -Companies should take reasonable steps to select and retain service providers that are capable of appropriately safeguarding NPPI
-Audit and oversight procedures to help ensure compliance with company’s information security program
  -Companies should review their privacy and information security procedures to detect the potential for improper disclosure of confidential information
-Notification of security breaches to customers and law enforcement
  -Companies should post the privacy and information security program on their websites or provide program information directly to customers in another useable form. When a breach is detected, the company should have a program to inform customers and law enforcement as required by law
In some areas, compliance with ALTA’s Best Practices can be considered common sense in terms of managing sensitive data within the workplace. Physical tactics and office procedure policy can be employed to ensure data is not easily accessible by theft of equipment or documents. When it comes to protecting against hackers and the online theft and abuse of NPPI or transaction funds, it is important to digitally protect data—whether it is in motion or at rest.
The primary (and simplest) method to foil would-be data thieves is through encryption software and services. The myth is that this requires complex algorithms and private keys. The fact is that encryption for stored data is low-cost and easy to implement. Encryption services and solutions for data in motion (via email and file transfer) are similarly low-cost and easy to source and use, even for untrained recipients of encrypted messages.
While current sensitivities and the regulatory environment are not focused on the mortgage professional’s role in NPPI data exchange security, clearly the “long-tail of compliance” is wagging through the supply chain that mortgage brokers rely upon to get their jobs done. Awareness of, and professional sensitivity to, the necessity of protecting NPPI and transaction funds is in the best interest of the industry and its valued clients.
Bud Walder is a vice president at DataMotion. Christopher J. Gulotta, an attorney at Real Estate Data Shield Inc., also contributed to this article.