Know What’s Considered Non-public Personal Information and Where It’s Located in Your Company
|May 8, 2014|
The third pillar of ALTA’s Title Insurance and Settlement Company Best Practices encourages companies to adopt and maintain a written privacy and information security program to protect Non-public Personal Information (NPI) as required by local, state and federal law. To be able to comply with this pillar of the Best Practices, it’s important to understand what constitutes NPI and where it can be found in a company, including how information is collected, acquired, stored, transmitted and disposed. The Federal Trade Commission defines NPI as:
Examples of NPI include bank, loan payoff and credit card statements; insurance, retirement and tax information; Social Security numbers and dates of birth; and real estate/title related items, commission amounts and loan fees. NPI does not include information that you have a reasonable basis to believe is lawfully made "publicly available." In other words, information is not NPI when you have taken steps to determine:
Here’s a list of additional resources:
There are many sources within a company where NPI can be found. Physical locations include paper-based files, desktop or reception area, the closing table and warehouse. With the widespread use of smartphones, companies should be cognizant of the documents visible at the closing table, according to Todd Hougaard of GreenFolders. If the closer steps out to get a cup of coffee, someone could use his or her smartphone and take a picture of the buyer’s loan application, he said. Meanwhile, there are many electronic locations where NPI is housed. These include:
Additionally, NPI can be found and in possession of vendors a company may utilize. These include mobile notaries and closers, couriers, online backup services or off-site backup tape storage vendors, email service providers, and server and website hosts. Michael Volin of Title Resource Group, said companies should take reasonable steps to select and retain service providers that are capable of appropriately safeguarding NPI. Volin said creating a list of all vendors can aid in this process. For more information, go to ALTA’s Best Practices resource page.