Tips on Improving Policies to Protect Private Information
November 13, 2012
ALTA Best Practices
In October, ALTA released its Title Insurance and Settlement Company Best Practices to serve as a benchmark for the real estate settlement and mortgage lending industries and illuminate the high level of professionalism that ALTA members follow to protect consumers and businesses. One of the best practices encourages members to adopt and maintain a written privacy and information security plan to protect Non-public Personal Information (NPI) as required by local, state and federal law.
To learn more about the best practices, join us for a webinar at 2 p.m. ET, Tuesday, Nov. 20.
Federal and state laws—including the Gramm-Leach-Bliley Act—require title companies to develop a written information security plan that describes their program to protect non-public customer information.
ALTA recently published its Title Insurance and Settlement Company Best Practices to help members highlight practices the industry exercises to protect lenders and consumers, while ensuring a positive and compliant real estate settlement experience. Among the best practices, ALTA encourages members to adopt and maintain a written privacy and information security plan to protect Non-public Personal Information (NPI) as required by local, state and federal law.
NPI includes first name or first initial and last name coupled with any of the following: Social Security Number, driver’s license number, state-issued ID number, credit card number, debit card number, or other financial account numbers.
A plan to protect NPI must be appropriate to the company’s size and complexity, the nature and scope of the company’s activities, and the sensitivity of the customer information the company handles. For a small agency, a one-page memo placed in a file drawer may be sufficient, as long as the steps are followed. For a large company, the safeguards program may be more complex.
Most important, lender customers who are federally regulated or insured and other business partners will require that companies with which they contract have programs in place to safeguard customer information. Consequently, lenders will require that title insurers and settlement agents have a safeguard program in place.
Frank Pellegrini, ALTA’s president, suggests title companies post their written privacy policies in the office.
“This will help employees understand why they should have a clean-desk policy, why there needs to be network security, why computers are password protected and why the bank relationship must be secure. There must be communication and employees must be trained,” Pellegrini said.
Title companies should also take precautions when working with contract closers. Bill Burding, general counsel of Orange Coast Title Co., said title companies should have contract closers sign a Gramm-Leach-Bliley disclosure.
A privacy program should have the following:
- designation of an employee or employees to coordinate an information security program;
- risk assessment: the identification of reasonably foreseeable internal and external risks to the security, confidentiality, and integrity of customer information, including employee training, information systems, and prevention against disclosure, misuse, alteration or destruction, as well as detection of, prevention of and response to attacks, intrusions or other systems failures;
- the design and implementation of information safeguards to control the identified risks;
- oversight of service providers to ensure that such providers also maintain appropriate safeguards for customer information, and a requirement, by contract, that the service provider implement and maintain such safeguards; and
- evaluation and adjustment of the security program in light of the results of testing and monitoring compliance and changes in operations or business arrangements.