by Ken Jannen
Last year ALTA® held a telephone seminar on the new privacy safeguards regulations that settlement services providers need to comply with. This article reviews the new legal requirements and suggests some tips to change your business practices to help limit your liability. For full information on compliance you can purchase an audio tape from the seminar “Privacy Safeguards and FTC Compliance” on ALTA®'s Web site, under “Education.”
Protecting Your Customers From Identity Theft:
The Financial Services Modernization Act, usually known as the Gramm-Leach-Bliley Act, passed by Congress in 1999, opened the door to affiliation among banks, insurance companies (including title insurance companies), and securities firms.
Due to the vast amount of nonpublic personal information in the hands of these institutions, Congress wanted assurances that consumers would be apprised about how the information would be shared and with whom, as well as the more critical assurance that the confidentiality of such information would be maintained.
In the Gramm-Leach-Bliley Act Congress left implementation of policy requirements for safeguarding nonpublic personal information to various banking regulators, the Federal Trade Commission, which regulates settlement services, and the states, which regulate insurance.
FTC Privacy Safeguards
On May 23, 2002, the FTC published its final rule relating to Privacy Safeguards, which became effective May 23, 2003. The rule requires that a company create an information security program in written form which shall include several elements listed below.
Essentially, an agency or underwriter must establish a safeguards program that includes the basic elements listed below. For a small agency, a one-page memo placed in a file drawer may be sufficient, as long as the steps are followed. For a large company, the safeguards program may be more complex. Most important, lender customers who are federally regulated or insured and other business partners will require that companies with which they contract have programs in place to safeguard customer information. Consequently lenders will require that title insurers and settlement agents have a safeguard program in place.
Any program must have the following:
Practically, what does this mean? Lenders will look at title programs, and title entities must make sure that companies with which they contract have programs in place. If service providers are not affiliated and there is a written service agreement that was entered into on or before June 24, 2002, title entities have until May 24, 2004 to get contractors such as courier services, imaging services, and document storage companies to comply.
In addition, if you contract with new service providers, move to a new area that might be hit with an earthquake or hurricane, or move to a new building that is less secure, you should update your program.
The rule is intended to be flexible since there are numerous sizes and types of providers of settlement services; however, this flexibility has a downside, in that it does not provide specific details or “safe harbors” as to the kinds of safeguards and how they should be implemented.
What Information Should Be Protected?
The following personally identifiable financial information needs to be protected:
Businesses could be subject to lawsuits by regulators, lender customers, and consumers if they fail to meet requirements to safeguard consumers' information. Even if there is no theft, the misuse by employees of electronic files containing consumers' information can expose your business to potential lawsuits by lender customers and individuals.
The FTC's enforcement powers under Section 5 of the FTC Act enable it to obtain cease and desist orders and civil penalties of up to $10,000 for each violation.
NAIC Puts Forth Model
The National Association of Insurance Commissioners (NAIC) set forth a model regulation for safeguarding consumer information that, with some local tweaking, has been promulgated in a number of states. This model is very similar to the FTC rule. This model regulation can be obtained from the NAIC, by asking for publication M673.
In establishing a safeguards program, you should make sure that you understand both the information security and other risks you face. With respect to physical security, you should make sure you establish common sense rules like locking your doors, computers, and filing cabinets, and keeping non-employees out of sensitive areas. Computers should be backed up to maintain data integrity, and antivirus software should be updated at least once a year. A system firewall should also be used and updated periodically.
Employees should be trained to protect your customer information. They should be taught how to establish strong passwords and secure locks for paper files containing customer information. Low cost training resources are available on the Web.
While safeguards rules may seem like just another senseless administrative burden imposed by regulators, they really are just common sense. Having a program in place provides you with a management tool that can provide a structure for both training and supervision of employees and a checklist of office procedures that ensures quality control of customer information.
Ken Jannen, vice president-counsel, multistate agency services, and associate underwriter for First American Title Insurance Company in Sunrise, FL; Barbara Flippo, vice president of information risk management for LandAmerica in Richmond; and Ann vom Eigen, ALTA®'s legislative/regulatory counsel, participated in the telephone seminar.