American Land Title Association
Home  >  Publications  >  Title News Archive
Publications


SoftPro is the nation's leading provider of Real Estate Closing and Title Insurance software


Title News - January/ February, 2004

Advertise with Title News   Current Issue   Archives:   2014   2013   2012   2011   2010   2009   2008   2007   2006   2005   2004   2003   2002   2001   2000   1999   1998  

January/ February, 2004 - Volume 83 Number 1

Complying With the New Privacy Safeguards

by Ken Jannen

Last year ALTA® held a telephone seminar on the new privacy safeguards regulations that settlement services providers need to comply with. This article reviews the new legal requirements and suggests some tips to change your business practices to help limit your liability. For full information on compliance you can purchase an audio tape from the seminar “Privacy Safeguards and FTC Compliance” on ALTA®'s Web site, under “Education.”

Protecting Your Customers From Identity Theft:

Nonpublic Information Sharing

The Financial Services Modernization Act, usually known as the Gramm-Leach-Bliley Act, passed by Congress in 1999, opened the door to affiliation among banks, insurance companies (including title insurance companies), and securities firms.

Due to the vast amount of nonpublic personal information in the hands of these institutions, Congress wanted assurances that consumers would be apprised about how the information would be shared and with whom, as well as the more critical assurance that the confidentiality of such information would be maintained.

Part of Congress' requirements resulted in the Privacy Policy Notices that we get in the mail and that we, as title insurers, agents, and settlement services providers, submit to our customers. This part of Congress' mandate went into effect back on July 1, 2001, and is not treated in this article. Although the rest of the insurance industry must provide notices on an annual basis, ALTA® staff and the Government Affairs Committee educated the FTC about the title insurance industry. As a result, the FTC eliminated the annual notice requirement for the settlement services industry. Annual notices would have been an enormous burden on our industry given the avalanche of refinances in the past two years and the length of time many title insurance policies are in effect.

In the Gramm-Leach-Bliley Act Congress left implementation of policy requirements for safeguarding nonpublic personal information to various banking regulators, the Federal Trade Commission, which regulates settlement services, and the states, which regulate insurance.

FTC Privacy Safeguards

On May 23, 2002, the FTC published its final rule relating to Privacy Safeguards, which became effective May 23, 2003. The rule requires that a company create an information security program in written form which shall include several elements listed below.

Essentially, an agency or underwriter must establish a safeguards program that includes the basic elements listed below. For a small agency, a one-page memo placed in a file drawer may be sufficient, as long as the steps are followed. For a large company, the safeguards program may be more complex. Most important, lender customers who are federally regulated or insured and other business partners will require that companies with which they contract have programs in place to safeguard customer information. Consequently lenders will require that title insurers and settlement agents have a safeguard program in place.

Any program must have the following:

  • designation of an employee or employees to coordinate an information security program.
  • risk assessment: the identification of reasonably foreseeable internal and external risks to the security, confidentiality, and integrity of customer information, including employee training, information systems, and prevention against disclosure, misuse, alteration or destruction and detection, prevention and response to attacks, intrusions or other systems failures.
  • the design and implementation of information safeguards to control the identified risks; and
  • oversight of service providers to ensure that such providers also maintain appropriate safeguards for customer information and require, by contract, that the service provider implement and maintain such safeguards; and
  • evaluation and adjustment of the security program in light of the results of testing and monitoring compliance and changes in operations or business arrangements.

Practically what does this mean? Lenders will look at title programs and title entities much make sure that companies with which they contract have programs in place. If service providers are not affiliated and there is a written service agreement that was entered into on or before June 24, 2002, title entities have until May 24, 2004 to get contractors such as courier services, imaging services, and document storage companies to comply.

In addition, if you contract with new service providers, move to a new area that might be hit with an earthquake or hurricane, or move to a new building that is less secure, you should update your program.

The rule is intended to be flexible since there are numerous sizes and types of providers of settlement services; however, this flexibility has a downside, in that it does not provide specific details or “safe harbors” as to the kinds of safeguards and how they should be implemented.

What Information Should Be Protected?

The following personally identifiable financial information needs to be protected:

  • information shown on a HUD-1 in the current or a prior transaction,
  • a copy of an appraisal or appraisal information,
  • the real estate purchase and sale agreement,
  • a social security number, and credit card information.

Enforcement

Businesses could be subject to lawsuits by regulators, lender customers, and consumers, if they fail to meet requirements to safeguard consumer's information. Even if there is no theft, the misuse by employees of electronic files containing consumer's information can expose your businesses to potential lawsuits by lender customers and individuals.

The FTC's enforcement powers under Section 5 of the FTC Act enable it to obtain cease and desist orders and civil penalties of up to $10,000 for each violation.

NAIC Puts Forth Model

The National Association of Insurance Commissioners (NAIC) set forth a model regulation for safeguarding consumer information that, with some local tweaking, has been promulgated in a number of states. This model is very similar to the FTC rule.This model regulation can be obtained from the NAIC, by asking for publication M673.

Common Sense

In establishing a safeguards program, you should make sure that you understand both the information security and other risks you face. With respect to physical security, you should make sure you establish common sense rules like locking your doors, computers, and filing cabinets, and keeping non-employees out of sensitive areas. Computers should be backed up to maintain data integrity, and antivirus software should be updated at least once a year. A system firewall should also be used and updated periodically.

Employees should be trained to protect your customer information. They should be taught how to establish strong passwords and secure locks for paper files containing customer information. Low cost training resources are available on the Web.

While safeguards rules may seem like just another senseless administrative burden imposed by regulators, it really is just common sense. Having a program in place provides you with a management tool that can provide a structure for both training and supervision of employees and a checklist of office procedures that ensures quality control of customer information.


Ken Jannen, vice president-counsel, multistate agency services, and associate underwriter for First American Title Insurance Company in Sunrise, FL; Barbara Flippo, vice president of information risk management for LandAmerica in Richmond; and Ann vom Eigen, ALTA®'s legislative/ regulatory counsel, participated in the telephone seminar.



Print Friendly


How To Find Us:
American Land Title Association
1828 L Street, NW, Suite 705
Washington, DC 20036-5104
P. 202.296.3671 F. 202.223.5843
www.alta.org
service@alta.org
Copyright © 2004-2014 American Land Title Association. All rights reserved.
SecurityMetrics for PCI Compliance, QSA, IDS, Penetration Testing, Forensics, and Vulnerability Assessment