No one running a business wants to hear about yet another rule they need to comply with, or about some audit they might endure. But in this situation, adding encryption protection, and a little extra, to mobile devices is actually pretty painless and relatively easy to implement. Unfortunately, in our experience we've seen that companies often don't have any idea that they even have data on these devices.
The American Land Title Association sets a high bar for data security at title insurance companies. Inclusion in the trade association is key for businesses in the industry, and nearly all title insurance companies belong to the group. Gaining membership brings with it business and reputational benefits, but ALTA compliance auditors stay busy by actively ensuring member companies continue to meet the criteria for certification.
ALTA has recently gotten more specific about its compliance guidelines, which have now reached the same level of required care around data security that's mandated by the Health Insurance Portability and Accountability Act in the health care industry. By the nature of their work, both these types of companies deal with sensitive personal and financial data. Title companies not only collect a lot of personally identifiable information in order to serve their clients, they're also responsible for handling the large sums of money belonging to banks and clients that change hands during closings.
These factors set the stakes in the conversation about title companies and data security. While neither ALTA nor HIPAA go as far as to specifically say that data encryption must be implemented, both all but require it, recognizing encryption as a capable and highly recommended method for fulfilling their requirements around protecting sensitive data.
What HIPAA does say is that a business must have an enforceable, auditable and persistent plan in place for ensuring that either sensitive data is not present on at-risk devices, or that the data can be rendered unreadable, inaccessible or indiscernible — which more or less necessitates an encryption solution where data is present.
As ALTA imitates HIPAA and introduces new provisions to protect mobile data, auditors are indeed specifying encryption as a solution for safeguarding information contained or accessible on mobile devices such as smartphones, tablets, laptops and USB drives.
This was the case for a client we recently worked with in our role as a data security technology provider. The land title company, facing an upcoming audit, needed to ensure that all data on their mobile devices was secured and that they were fully compliant with what ALTA has put forth.
However, the company did not believe they had anything sensitive on their mobile devices to protect in the first place. They also believed that they had no liability because any sensitive files were stored inside of the title insurance software they use.
But, we wanted to go the extra step of making sure. We performed an audit ourselves to seek personal info like Social Security numbers, dates of birth, email addresses, credit card numbers and other end-user information that might be stored in the land title company's emails. It turned out that they did indeed have sensitive data on the hard drives of many of their portable devices that ought to have been protected.
In response, we implemented a twofold approach to get them ready ahead of the audit, enlisting third-party cloud-based tools to provide remote encryption for all smartphones, laptops and tablets being used within the company, and to add email security as well.
This company was like others in the industry, in that they needed to pass their audit and desired to protect their clients' information, but they chafed at the idea of burdening the business and their workers by forcing heavy-handed requirements upon them. The tool implemented worked well for them because it could function transparently to the employees — who likely noticed no interference from their security solution.
The tool helped go beyond ALTA's best practices in not only encrypting data, but also enabling us to remotely block access. It even allows us to wipe all data from devices in the event that the company reports them as lost or stolen.
In the end, the company passed its audit with flying colors. The fact that the cloud-based solution we put in place for the client not only provided full data encryption, but also enabled access control and remote data deletion for those instances where tools beyond encryption could help —it might have been overkill, but it certainly didn't hurt. When it comes to being a good steward of people's most sensitive data, it's always a nice thing to tell both auditors and clients that you're being extra careful.
Phillip Long is the chief executive officer of Business Information Solutions.