In response to CFPB, title companies have rushed to the finish line, not only to master the new process and forms of TRID, but to also become compliant with the pillars of ALTA Best Practices. Federal and state laws (including the Gramm-Leach-Bliley Act) require title companies to develop a written information security program that describes their procedures to protect non-public customer information. This program must be followed by every team member of a title company, everyone from the receptionist to the marketing representative to the escrow officer.
First of all, let’s talk about what constitutes “Non-Public Information,” or “NPI.” The first step in being able to protect NPI is to understand what it is and where it is. Non-public personal information is:
- Any information that in itself or as part of a unique combination of information specifically recognizes an individual by unique descriptors and/or identifiers.
- Information from customers on forms, applications, or information about a customer’s transactions
- Information about a customer which is otherwise unavailable to the general public
NPI includes first name or first initial and last name coupled with social security number, driver’s license number, state-issued I.D. number, credit card number or other financial account numbers (found on personal checks).
What items could you find in your office that would contain this sort of information?
- Banking information, loan payoff, credit card statements;
- Earnest money checks;
- Insurance, retirement, and tax statements;
- Social Security numbers, dates of birth, driver’s license copies;
- Private real estate-title related items, sales price commission amounts, loan fees
Close your eyes and take a tour throughout your organization; as you mentally travel, which areas in your organization could these items pass through in a normal day of business? The marketing rep picks up a contract, a contract with a check attached? Is this person going directly from pick-up point to the title office, and if not, what is the procedure to protect such items? Consider the drop-off box for after-hours; I’ve seen many slots in the front doors of title offices so that Real Estate Agents may drop off contracts and checks along with other real estate documents. Who has access to your office after-hours that could possibly get their hands on this information? The janitor, maintenance crew, or even the landlord could be letting themselves into your office, long after the lights have gone out. How about your receptionist desk; is this person properly trained to protect the information in their work area should they jump up to make a quick copy or grab a cup of coffee for a guest?
The escrow staff is the most vulnerable. Obviously, you know by now to lock up your files when you leave at the end of the day, but are you practicing this every time you leave your office? Is your computer set to go into a lock-mode if you are away from your desk for an extended amount of time? How about the closing room? Are you leaving sensitive documents on the closing table that pertain to the other side of the transaction when you leave the room to make copies? One would be surprised how quickly someone could pull out a smart phone and snap a picture of what you left behind. Ensure that your smart phones, tablets and iPads are password protected and guarded at all times. There are most likely a few holes within your organization, but doing this exercise will help to identify the gaps and provide proper training and procedures.
When thinking of where and how we store NPI, we also must examine how we dispose of it. Most everyone is in the practice of shredding documents and files containing compromising information, but what about disposing of digital data? You must also expand your mind regarding any digital device that once contained NPI. These devices include computers, smart phones, tablets, external drives, back-up tapes, off-site digital storage, printer/scanners and copy machines. These all need to be disposed of responsibly and wiped clean.
You should actively review privacy and information security procedures with your entire staff to detect the potential for improper disclosure of NPI:
- Clean-desk policies;
- Lock computers/desk/office;
- Lock file cabinets;
- Separation of work offices, lobby and closing rooms;
- Secure facility, especially if you share common areas with another office suite;
- Unique and strong passwords for all systems;
- Protect passwords
Hopefully, this exercise will allow you to stop and think about your day-to-day activities and protection of NPI; perhaps you’ll discover some loopholes and remedy them before it’s too late. This is but one component of Pillar #3 regarding your security program, but this is one area we seem to miss within all levels of a title company. Under CFPB, Lenders will be looking to you to uphold these procedures, and one breach could bring down a title company’s reputation in the new compliance-ready marketplace. For more information regarding ALTA Best Practices, go to www.alta.org/bestpractices.