American Land Title Association
Home  >  Advocacy
Advocacy


SoftPro is the nation's leading provider of Real Estate Closing and Title Insurance software


Best Practices

Tips on Improving Policies to Protect Private Information

August 15, 2013

The third pillar of ALTA's “Title Insurance and Settlement Company Best Practices” provides information on adopting and maintaining a written privacy and information security plan to protect Non-public Personal Information (NPI) as required by local, state and federal law.

NPI includes first name or first initial and last name coupled with any of the following: Social Security Number, driver’s license number, state-issued ID number, credit card number, debit card number, or other financial account numbers.

A plan to protect NPI must be appropriate to the company’s size and complexity, the nature and scope of the company’s activities, and the sensitivity of the customer information the company handles. For a small agency, a one-page memo placed in a file drawer may be sufficient, as long as the steps are followed. For a large company, the safeguards program may be more complex.

Most important, lender customers who are federally regulated or insured and other business partners will require that companies with which they contract have programs in place to safeguard customer information. Consequently lenders will require that title insurers and settlement agents have a safeguard program in place.

Frank Pellegrini, ALTA’s president, suggests title companies post their written privacy policies in the office.

“This will help employees understand why they should have a clean-desk policy, why there needs to be network security, why computers are password protected and why the bank relationship must be secure. There must be communication and employees must be trained,” Pellegrini said.

Title companies should also take precaution when working with contract closers. Bill Burding, general counsel of Orange Coast Title Co., said title companies should have contract closers sign a Gramm-Leach-Bliley disclosure.

“It’s a form disclosure,” he said. “Have them read it and sign it. So at the very least if you ever do have a problem, you have something in your file that you met the privacy policy.”

A privacy program should have the following:

  • designation of an employee or employees to coordinate an information security program;
  • risk assessment: the identification of reasonably foreseeable internal and external risks to the security, confidentiality, and integrity of customer information, including employee training, information systems, and prevention against disclosure, misuse, alteration or destruction and detection, prevention and response to attacks, intrusions or other systems failures;
  • the design and implementation of information safeguards to control the identified risks;
  • oversight of service providers to ensure that such providers also maintain appropriate safeguards for customer information and require, by contract, that the service provider implement and maintain such safeguards; and
  • evaluation and adjustment of the security program in light of the results of testing and monitoring compliance and changes in operations or business arrangements.



Print Friendly


How To Find Us:
American Land Title Association
1800 M Street, NW, Suite 300S
Washington, D.C. 20036-5828
P. 202.296.3671 F. 202.223.5843
www.alta.org
service@alta.org
Copyright © 2004-2014 American Land Title Association. All rights reserved.
SecurityMetrics for PCI Compliance, QSA, IDS, Penetration Testing, Forensics, and Vulnerability Assessment