Best Practice Pillar #3: Securing NPI

Mary Schuster, Mike Murphy

Gramm-Leach-Bliley Act
• Enacted to control the ways that financial institutions deal with the private information of individuals; it consists of three sections:
  o The Financial Privacy Rule, which regulates the collection and disclosure of private information
  o The Safeguards Rule, which stipulates that financial institutions must implement a security program to protect private information
  o The Pretexting Rule, which prohibits accessing private information using false pretenses

The CFPB
• Responsible for consumer protection in the financial sector
• Authorized by the Dodd-Frank Act in 2010 in response to the financial crisis of 2007-08
• Service Provider Memo of 4/13/12 extends some GLB obligations to service providers of the lender
• Has developed new rules and forms related to the closing of a real estate transaction

ALTA
• Advocacy on behalf of title agents related to proposed CFPB regulations
  o Educated the CFPB on the value of the title industry and the title agent
  o Formed a task force that worked with the CFPB on the changes
  o Created Best Practices as an industry-wide, proactive set of standards, as opposed to waiting for each lender to set individual standards
  o Worked with title agents to review and comment on the proposed CFPB changes

But what does the coming together of these parts really mean?

• Lenders have a greater responsibility than ever before
  o Responsible for title agents and their processes, practices and procedures used in transactions
  o Ultimately responsible for title agency 3rd party vendors
    • Notaries
    • Cleaning staff
    • IT service providers

That’s 4th party level responsibility, and that got the lender’s attention!

ALTA’s answer…Best Practices
• 7 Pillars
• ALTA/Underwriter/Software Vendor Tools
  o Webinars
  o Readiness Assessments
• Certification
  o Pillars 1, 2, 4, 5, 6, 7
  o Pillar 3

Develop a security program to protect NPI – Electronic & Paper
• Identify where NPI exists in your organization
  o Data in use
    • Active order data within Title Production Software
    • Active order data in paper files
    • Active order data in documents (Word, Excel, etc.)
    • Documents at the closing table
  o Data in motion
    • Any order data moving along your network
    • Any order data being shared with other parties
  o Data at rest
    • Inactive order data within Title Production Software
    • Inactive order data in a data warehouse
    • Offsite backups, tapes, etc.

Develop a security program to protect NPI
• Examples of NPI
  o The obvious
    • SSN/EIN
    • Credit card numbers
  o The little less obvious
    • Bank or credit card payoff statements
    • Insurance, retirement, divorce or tax information
    • Dates of birth
  o How about this one?
    • Buyer/Seller names with property address on a HUD on an active order?

Yep, that’s NPI until the data is recorded.
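The first step the deck asks for is finding where NPI sits. As an added example (not part of the presentation or any ALTA/op2 tool), this Python scanner walks a set of constructed sample documents, standing in for data at rest in a document store, and reports which files hold SSNs or Luhn-valid card numbers. The file paths, contents and pattern rules are assumptions for illustration.

```python
import re

# Constructed sample documents standing in for files in a title agency's document
# store; the paths and contents are made up for this example (hypothetical data).
SAMPLE_DOCS = {
    "order-1042/payoff-statement.txt": (
        "Payoff statement for loan ending 8821. Borrower SSN 123-45-6789. "
        "Card on file 4111 1111 1111 1111."
    ),
    "order-1042/closing-checklist.txt": "Survey ordered. Notary confirmed for 3/14.",
    "marketing/newsletter.txt": "Our phone is 555-0123. Mailing ref 4111111111111112.",
}

SSN_RE = re.compile(r"\b(\d{3})-(\d{2})-(\d{4})\b")
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")  # 13-19 digits, optional separators

def valid_ssn(area, group, serial):
    """Structural SSN rules: area not 000/666/9xx, group not 00, serial not 0000."""
    a = int(area)
    return a not in (0, 666) and a < 900 and group != "00" and serial != "0000"

def luhn_ok(digits):
    """Luhn check used by payment card numbers; weeds out look-alike digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def scan_for_npi(text):
    """Return counts of each NPI type found in text (empty dict if none)."""
    found = {"ssn": 0, "card": 0}
    for m in SSN_RE.finditer(text):
        if valid_ssn(*m.groups()):
            found["ssn"] += 1
    for m in CARD_RE.finditer(text):
        if luhn_ok(re.sub(r"[ -]", "", m.group(0))):
            found["card"] += 1
    return {k: v for k, v in found.items() if v}

def inventory(docs):
    """Map each document path to the NPI it contains; clean documents are omitted."""
    return {path: hits for path, text in docs.items() if (hits := scan_for_npi(text))}

if __name__ == "__main__":
    for path, hits in inventory(SAMPLE_DOCS).items():
        print(f"{path}: {hits}")
```

The phone number and the mis-keyed card number in the newsletter are rejected by the structural and Luhn checks, which is what keeps an inventory like this from drowning in false positives.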

Develop a security program to protect NPI
• Ask questions about your operation
  o Do you have a clean desk policy?
  o Are you shredding sensitive documents?
  o If you use a shredding service, are documents waiting to be shredded secured?
  o Does your scanning solution have levels of security to limit access?
  o Are all files locked and secured? Common-area stand-ups?
  o Do you conduct background checks of employees? How often?

Develop a security program to protect NPI
• Ask questions about your operation
  o Are devices password protected, and are they locked down at night?
  o Are your servers secure, with limited access?
  o Do you destroy old hard drives of computers and copiers?
  o Are mobile devices secure, and can they be remotely wiped clean?
  o How are paper files secured that leave the office or are with couriers?
  o Do you have oversight of service providers to be sure they secure NPI?

Develop a security program to protect NPI
• Ask questions about your operation
  o Do your office and work areas have secured entry points with individual access codes or keyed access?
  o Do you control the use of removable media devices like flash drives?
  o Do you have Disaster Recovery and Business Continuity plans?
  o Do you have audit procedures to ensure that staff comply with security measures and procedures?
  o Are email and attachments containing NPI encrypted?

Develop a security program to protect NPI
• Ask questions about your operation
  o Are you restricting personal email accounts?
  o Does a training program for employees related to protecting NPI exist?
  o Do you have guidelines and controls for use of company technology that has access to NPI?

Develop a security program to protect NPI
• Build company policies, educate staff and review regularly
  o Clean Desk Policy
  o Acceptable Use Policy
  o Password Policy
  o Information Technology Electronic Asset Disposition Policy
  o Security of Information and Records Policy
  o Privacy of Personal Information of Consumers and Customers Policies
  o Exception Standard
  o Firewall Policy
  o Vulnerability Scanning Policy

• Do continue to educate yourselves
• Do take action – get started, as this is a process. Compliance is a continuous journey, not a destination.
• Do ask questions and get help
• Do train your staff members about NPI
• Do review your Security Program
• Do become compliant – get certified

• Don’t be this title agent


Business Continuity
• How we work when we can’t get to work or when equipment isn’t available
• Can Business Continuity be built into our systems?

Disaster Recovery
• What we do when resources are gone for good or gone for an extended period of time
• Recovery Point Objective
• Recovery Time Objective
• Developing the process to determine if/when to enable Disaster Recovery
• Testing

[Diagram: a single Application / Database / Storage / Web / Email stack] Nice 10 years ago – Today’s grade F

[Diagram: the Application / Database / Storage / Web / Email stack duplicated] Getting better – Today’s grade C-

[Diagram: the Application / Database / Storage / Web / Email stack duplicated, plus a separate copy] Getting better – Today’s grade B

[Diagram: the Application / Database / Storage / Web / Email stack replicated across multiple locations] This is it! – Today’s grade A+

• Best Practices Lender Questionnaires
• Pressure on Lenders for not 3rd Parties but 4th Parties
• Build It or Lease It
• Cloud Basics

• State Land Title Associations
• American Land Title Association Best Practices
  o www.alta.org/bestpractices
• Underwriters
  o Webinars, White Papers, Checklists
• Op2
  o [email protected]

• Mary Schuster – RamQuest/op2
  o [email protected]
  o [email protected]
• Mike Murphy – op2
  o [email protected]