Data Security/Best Practices Awareness and Implementation


Part 2
• www.NCClosingAttorneyBestPractices.org
Made Possible By a Grant From:
relanc.com
Nancy Ferguson
 Sr. State Counsel, VP, Chicago Title
 State Counsel, Fidelity National Title Group
 Relevant Memberships: NCBA (Real Property Section
Council), NCLTA, RELANC, NC Closing Attorney Best
Practices Task Force, ABA, ALTA, ACREL, ACMA
 NC State Bar Certified Specialist, Real Property Transactions
 Co-Author, NC Real Estate with Forms, 3d Ed.
Christopher J. Gulotta, Esq.
Founder & CEO
Real Estate Data Shield, Inc.
271 Madison Avenue Suite 700
New York, NY 10016
Tel: 212-951-7302
Real Estate Data Shield, Inc.© 2014
Email: [email protected]
• Non-public Personal Information (“NPPI”):
– Personally identifiable data such as information provided by a
customer on a form or application, information about a customer’s
transactions, or any other information about a customer which is
otherwise unavailable to the general public.
– NPPI includes first name or first initial and last name coupled with
any of the following:
• Social Security Number
• Driver’s license number
• State-issued ID number
• Credit or debit card number
• Other financial account numbers
1. Gramm-Leach-Bliley Act (GLBA)
2. Federal Trade Commission (FTC)
 Privacy Rule (1999)
 Safeguards Rule (2003)
 Disposal Rule (2005)
3. Consumer Financial Protection Bureau (CFPB)
 April 2012 Bulletin
 Supervisory Highlights (2012)
4. Office of the Comptroller of the Currency (OCC)
 Interagency Guidelines Establishing Standards for Safeguarding Customer Information (2001)
 Third Party Relationship Bulletin (Oct. 2013)
5. American Land Title Association (ALTA)
 “Best Practices” for Title Insurance and Settlement Companies (Jan 2013)
6. State Agencies & Regulators
7. Attorney Code of Professional Conduct
- It is now commonly accepted in the legal profession that
the confidentiality duty applies to attorney client
information in computer and information systems.
- Comment 18 to ABA Model Rule 1.6 notes that lawyers are
required “to act competently to safeguard information
relating to the representation of a client against
unauthorized access by third parties and against
inadvertent or unauthorized disclosure by the lawyer or
other persons who are participating in the representation
of the client or who are subject to the lawyer’s
supervision.”
• Nearly every state has adopted the American Bar Association's Model Rules of
Professional Conduct.
• Rule 1.6 Confidentiality of Information
(a) “a lawyer shall not reveal information
relating to the representation of a client…”
- “every state has its own legislative or judicial rules pertaining to the
practice of law that prohibit lawyers from disclosing information about
their clients to third parties and that the GLBA would not add anything to
the local regulations.”
- The court pointed out that “the legal guidelines within the legal
profession are very similar to the disclosure requirements of the GLBA”,
also stating that this area is typically left to states to enforce.
- “Pre-existing state ethical rules that govern attorneys, would be
prohibited from affiliating with financial institutions and, as a result of the
affiliation, disclosing clients’ information without their clients’ consent.”
- The ABA stated during trial that “professional conduct rules in every
state and the District of Columbia impose stringent confidentiality
requirements on attorneys that protect the privacy of clients far
more effectively than provisions in the GLBA.”
• §60: A Lawyer’s Duty to Safeguard Confidential Information
• (1) During and after representation of a client:
– (a) the lawyer may not use or disclose confidential client
information as defined in § 59 if there is a reasonable prospect
that doing so will adversely affect a material interest of the client
or if the client has instructed the lawyer not to use or disclose
such information;
– (b) the lawyer must take steps reasonable in the circumstances
to protect confidential client information against impermissible
use or disclosure by the lawyer's associates or agents that may
adversely affect a material interest of the client or otherwise than
as instructed by the client.
• Comment D: A lawyer’s duty to safeguard confidential client information
– “A lawyer who acquires confidential client information has a duty to take
reasonable steps to secure the information against misuse or
inappropriate disclosure, both by the lawyer and by the lawyer's
associates or agents to whom the lawyer may permissibly divulge it.”
– “This requires that client confidential information be acquired,
stored, retrieved, and transmitted under systems and controls that
are reasonably designed and managed to maintain confidentiality.”
– “A lawyer must take reasonable steps so that law-office personnel and
other agents such as independent investigators properly handle
confidential client information.”
– “That includes devising and enforcing appropriate policies and
practices concerning confidentiality and supervising such
personnel in performing those duties.”
• North Carolina adopted the ABA Model Rules of Professional Conduct on October 7, 1985 (with subsequent
amendments).
• Rule 1.6: Confidentiality of Information
– (a) A lawyer shall not reveal information relating to the representation of a client unless:
• (1) the client gives informed consent;
• (2) the disclosure is impliedly authorized in order to carry out the representation
– Comment 3: The confidentiality rule, for example, applies not only to matters communicated in confidence by the
client but also to all information relating to the representation, whatever its source. A lawyer may not disclose
such information except as authorized or required by the Rules of Professional Conduct or other law.
– Comment 19, paragraph (c): Requires a lawyer to act competently to safeguard information relating to the
representation of a client against inadvertent or unauthorized disclosure by the lawyer or other persons who are
participating in the representation of the client or who are subject to the lawyer's supervision.
– A client may require the lawyer to implement special security measures not required by this Rule, or
may give informed consent to forgo security measures that would otherwise be required by this Rule.
Whether a lawyer may be required to take additional steps to safeguard a client’s information to comply with
other law—such as state and federal laws that govern data privacy, or that impose notification requirements
upon the loss of, or unauthorized access to, electronic information—is beyond the scope of these Rules.
• Comment 20
– When transmitting a communication that includes information relating to the representation of a
client, the lawyer must take reasonable precautions to prevent the information from coming into the
hands of unintended recipients. This duty, however, does not require that the lawyer use special security
measures if the method of communication affords a reasonable expectation of privacy. Special
circumstances, however, may warrant special precautions. Factors to be considered in determining the
reasonableness of the lawyer's expectation of confidentiality include the sensitivity of the
information and the extent to which the privacy of the communication is protected by law or by a
confidentiality agreement.
– A client may require the lawyer to implement special security measures not required by this Rule or may give
informed consent to the use of a means of communication that would otherwise be prohibited by this Rule.
Whether a lawyer may be required to take additional steps to comply with other law, such as state and
federal laws that govern data privacy, is beyond the scope of these Rules.
• Wells supports customer choice provided such third party providers
“consistently meets all applicable requirements”
• Wells is expanding and enhancing third party oversight…in order
to monitor and measure performance
• Prepare for “Top Performer” status
• Wells “supports” ALTA Best Practices, which should already be in
place for “businesses providing title and closing services”
• Wells recognizes some may need “transition time”
• If not currently following ALTA Best Practices, do you have a plan in
place for adoption?
• Can you document and demonstrate inspection processes to
validate your adoption of ALTA’s Best Practices?
1. Establish and maintain current license(s) as required to conduct the business of title
insurance and settlement services.
2. Adopt and maintain appropriate written procedures and controls for Escrow Trust
Accounts allowing for electronic verification of reconciliation.
3. Adopt and maintain a written privacy and information security
program to protect Non-public Personal Information as required
by local, state and federal law.
4. Adopt standard real estate settlement procedures and policies that ensure compliance
with Federal and State Consumer Financial Laws as applicable.
5. Adopt and maintain written procedures related to title policy production, delivery,
reporting and premium remittance.
6. Maintain appropriate professional liability insurance and fidelity coverage.
7. Adopt and maintain procedures for resolving consumer complaints.
• Establish a Disaster Management/Recovery Plan
• Notification of Security Breaches to Customers and Law Enforcement
– 47 states have a data breach notification law; know the
requirements particular to your state so that you are prepared in the
event of a breach
– Post your company’s privacy and information security program on
your website or provide program information directly to customers in
another useable form
– When a breach is detected, your company should have a program to
inform customers and law enforcement as required by law
• The FTC looks for:
– Written data security policies
– Sound document destruction policy and practice
– Password protection procedures
– Proof of ongoing staff training in data security and GLB Act compliance
• The CFPB looks for:
– Appropriate training and oversight of employees and agents that have consumer contact
– Comprehensive data security policies, procedures and internal controls
– Compliance with federal consumer financial laws
• Lenders look for:
– Compliance by their Service Providers with federal and state laws, rules and regulations (e.g. OCC & CFPB)
• OCC looks for:
– Oversight and management of Third Party Relationships, including: independent assessments, due diligence and
appropriate agreements, on-site, independent audits, safeguarding of NPPI, etc.
Practical Steps to Take:
 Develop all required privacy and data security policies,
procedures, and plans
 Information Security Plan
 Incident Response Plan
 Disaster Recovery Plan
 Secure Password Policy
 Electronic Communications and Internet Use Policy
 Assess your company’s risk profile
 Educate and train your work force
 Secure your work flows
 Ensure compliance of all service providers
 Implement a sound document destruction policy
A. Administrative
B. Physical
C. Network
Common “Settlement” Documents Containing NPPI:
• Uniform Residential Loan Application (Form 1003)
• Borrower Tax Returns
• Lender Engagement Letter
• Identification (Driver’s License, passport, etc.)
• Settlement Statement (HUD-1)
• IRS Form 4506-T, Request for Transcript of Tax Returns
• IRS Form W-9, Request for Taxpayer Identification Number and Certification
• Payoff Letter

Common “Title” Documents Containing NPPI:
• Identification (Driver’s License, passport, etc.)
• Title Order Form
• Payoff Letter
• Escrow Agreements with Tax Searches
• Real Estate Transfer Tax Forms
• Affidavits
• Recordable Docs
• Title Bill
1. Staff Training
2. Manual of Policies and Procedures
3. Privacy Notice
4. Shred-All Policy
5. Vendor Non-Disclosure Agreements (NDAs)
6. Background checks on employees handling NPPI
7. Clean Desk, Office and Screen Policy
8. Authorized Devices
1. Entryway Security & Sign-in Log
2. Clean Desk Policy
3. Locked Filing Cabinets
4. Security Cameras
5. Privacy Screens
6. Locked Offices
7. Shredding of Paper and Digital Media
8. Locks on Computers
1. Password Protection
2. Computer Screen Timed Lockout
3. Using Various Brands of Firewalls (Defense in Depth)
4. Port Lockdown
5. Network Printers/Scanners
6. Restrictive Access to Programs, Files, etc.
7. Updates and Patches
8. Email Encryption
1. Information Security Policy Templates;
2. Award-winning Staff-Training e-courseware;
3. Company Self-Assessment tools;
4. Independent On-Site Security Audits; and
5. Security Certifications (ALTA Pillar No. 3, GLBA, and FTC).
• Compliance must now be a core competency
• Compliance is the “NEW” marketing
• Lenders have identified Data Security as their
Number 1 concern with regard to their Service
providers
• Data Security compliance is the law and lenders
are more actively enforcing our compliance
requirements
• Prepare for Lender & Regulator audits now!
Christopher J. Gulotta, Esq.
Founder & CEO
Real Estate Data Shield, Inc.
Tel: 212-951-7302
Email: [email protected]
www.realestatedatashield.com
Data Security/Best Practices
Preparation and Implementation
Jim Brahm
Chief Executive Officer
Security Compliance Associates
2727 Ulmerton Rd., Suite 310
Clearwater, FL 33762
Tel: 727-571-1141
Email: [email protected]
• Phase 1 – Initial Call
• Phase 2 – Pre-Assessment Due Diligence
• Phase 3 – External Assessment
• Phase 4 – Internal Assessment
• Phase 5 – Post-Assessment Report
• Phase 6 - Remediation
• Step 1 - Initial call
– The company will need the information security
policy, acceptable-use policy and business
continuity/disaster recovery plan.
– Explain the personnel interview process and who
will be interviewed.
– The company being assessed will want to ask any
questions they may have about the on-site visit.
• Step 2 - Pre-assessment due diligence
– Review/update policies and procedures for content and
relevance
– review network topology, which means ensuring security
devices are configured correctly
– check web-content filtering
– ensure firewalls and intrusion detection systems (IDS) or
intrusion prevention systems (IPS) are configured properly
– remove old user accounts and rename default administrative
account names
• Step 3 - External Assessment
– Provides proof of how a company could be exploited.
– IP address(es) tested to deduce vulnerabilities
– Test vendor response for intrusion detection systems
(IDS) or intrusion prevention systems (IPS)
– Social engineering test/employee awareness & training
• Examples of tests include spear-phishing emails,
phishing emails containing a forged link, and
pretext calling, which is similar to phishing except that
the caller attempts to obtain sensitive information over
the telephone.
• Step 4 - On-site assessment
– Conducting an external physical assessment of the site
– Internal physical assessment
– Conducting an internal network vulnerability scan
– Conduct interviews with management & IT staff
– Review in-place policies & procedures
– Workstation reviews
– Server configuration reviews
• Step 5 - Post-assessment report
– Detailed findings of all parts of the assessment
– List of vulnerabilities discovered and the associated
hosts
– Recommendations for vulnerability remediation, policy
recommendations, acceptable-use recommendations
and implementation of business continuity/disaster
recovery plan.
Component of Assessment: Risk Level

Information Security Program
  Information Security Policy: Medium
  Information Security Plans & Procedures: Medium
  Roles & Responsibilities: Low
  Personnel Security: Low
Risk Identification and Assessment
  InfoSec Risk Assessment: Low
  Critical Application Risk Assessment: Medium
Employee Training Management and Responsibilities
  Security Guidance and Training: Low
  Social Engineering: Medium
Internal Information Security
  Security Administration (Authentication and Authorization): Medium
  Network Security (Communications, Network and Internet Security): Medium
  Host Security (Operating Systems, Hardening, Patch Management): Medium
  Change Management: Medium
  User Equipment Security (Operating System, Workstation Imaging): Low
  Security Monitoring (Audit and Log Review): Medium
  Security Monitoring (Vulnerability Scanning & Penetration Testing): Low
  Virus and Malware Mitigation: Low
  FTP Configuration - Internal: Low
  FTP Configuration - External: Low
  Physical Security: Medium
  Encryption: Medium
  Publicly Accessible Services: Low
  Perimeter Defense Systems Response Handling: High
  ICMP Testing: Low
  DNS Registration Information: Low
  Banner Enumeration: Low
  Autocomplete: Low
  Frameable Response (Clickjacking): Low
Retention and Destruction of Personal Information
  Data Security (Data Classification): Low
Overseeing Service Providers
  Third Party Management: Low
Data Breach Incident Reporting
  Incident Response Plan: Low
Business Continuity and Disaster Recovery
  BCP / DRP: Medium
Phase 5 – Post Assessment Report
• Step 6 - Remediation stage
– Company must determine its ability to address shortfalls and
vulnerabilities
– Work with IT support on remediation steps for technical
vulnerabilities
– Address non-technical shortfalls/vulnerabilities and
– Document remediation steps that are performed
• Use ISO on-demand availability to answer
questions you may have and provide guidance
• It’s a resource for you – Take advantage of it!
• Policies & Procedures incomplete or outdated.
• No back-up plan or Disaster Recovery Policy
• Antivirus shortfalls
– Disabling antivirus active scan due to speed
issues
– No antivirus on the server because it is not
accessed
• No firewalls
• Not monitoring firewalls, IPS/IDS, and event
logs
• Allowing anyone to access files on file servers (Not
using permissions)
• Allowing anyone on the internal network through
the wireless access point
• Employees giving out their username/password
• Missing Security Patches/Updates
• No Third Party Vendor Due Diligence
Document Security: Secure email delivery of Non-Public Personal Information (NPPI)
Unencrypted email:
• Travels the open internet on its way to the recipient inbox
• Many server to server ‘hops’ along the route
• Content is viewable and can be stolen without your knowledge
• Like sending private information on a postcard
• Compliance Grade Encryption
• Cloud-Based Service
• Premise-Based Gateway
"Encryption works. Properly implemented
strong crypto systems are one of the few
things that you can rely on.”
Edward Snowden
Email Encryption Works Against the NSA
• Secure from Desktop to Desktop to Mobile
• High Availability / Disaster
Recovery
• Non-public personal information
– Social security number
– Driver’s license number
– Credit card number
– Other financial account number
• Secure electronic delivery solutions
– Selective email encryption (desktop)
– Automatic email encryption (policy gateway)
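The NPPI definition given earlier (a first name or initial plus last name, coupled with an SSN, driver's license or state ID number, card number or other financial account number) is exactly the rule an automatic-encryption policy gateway has to apply to outbound mail. The Python below is an added example; it is not code from these slides, from Real Estate Data Shield or from Security Compliance Associates. It parses an outbound message with the standard library's email parser, scans the text parts for NPPI, Luhn-checks card-number candidates to cut false positives, flags attachments whose names look like the settlement documents listed above (Form 1003, HUD-1, 4506-T, W-9, payoff letters), and returns whether the gateway should encrypt. The regexes are heuristics, the sample messages, addresses and file names are constructed, and the driver's-license pattern is an assumption because formats vary by state.

```python
"""Outbound-email NPPI classifier for an automatic-encryption policy gateway.

Added example, not code from the NC Closing Attorney Best Practices slides nor
from the vendors named in them. Patterns are heuristics; sample data is constructed.
"""
import re
from email import message_from_string
from email.message import Message

# SSN: 3-2-4 digits; area 000/666/9xx, group 00 and serial 0000 are never issued.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
# Payment-card candidates: 13-19 digits with optional space/dash separators,
# confirmed by the Luhn check below so that random digit runs are not flagged.
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")
# Labelled financial account / routing numbers (assumed label vocabulary).
ACCOUNT_RE = re.compile(
    r"\b(?:acct|account|routing|aba)\s*(?:no\.?|#|number)?\s*:?\s*(\d{6,17})\b", re.I)
# Driver's license / state ID: formats vary by state, so require a label and a digit.
DL_RE = re.compile(
    r"\b(?:driver'?s?\s+licen[cs]e|dl|state\s+id)\s*(?:no\.?|#|number)?\s*:?\s*"
    r"(?=[A-Z0-9-]*\d)([A-Z0-9-]{5,20})\b", re.I)
# Name heuristic: "Jane Smith", "J. Smith" or "Smith, Jane".
NAME_RE = re.compile(
    r"\b(?:[A-Z][a-z]+|[A-Z]\.)\s+[A-Z][a-z]+\b|\b[A-Z][a-z]+,\s+[A-Z][a-z]+\b")
# Attachment names that usually mean a settlement/title document full of NPPI.
NPPI_DOC_HINTS = ("1003", "hud-1", "hud1", "4506", "w-9", "w9", "tax return",
                  "taxreturn", "payoff", "settlement", "loan application")


def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 check used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def find_identifiers(text: str) -> dict:
    """Return {kind: [matches]} for the NPPI identifier kinds found in text."""
    found = {
        "ssn": SSN_RE.findall(text),
        "card": [m for m in CARD_RE.findall(text) if luhn_ok(re.sub(r"\D", "", m))],
        "account": ACCOUNT_RE.findall(text),
        "dl": DL_RE.findall(text),
    }
    return {k: v for k, v in found.items() if v}


def extract_text(msg: Message) -> tuple:
    """Return (concatenated text bodies, attachment file names) for a parsed message."""
    texts, attachments = [], []
    for part in msg.walk():
        if part.get_content_maintype() == "multipart":
            continue
        filename = part.get_filename()
        if filename:                       # binary attachment: record the name only
            attachments.append(filename)
            continue
        if part.get_content_type() in ("text/plain", "text/html"):
            raw = part.get_payload(decode=True) or b""
            texts.append(raw.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(texts), attachments


def gateway_decision(raw_message: str) -> dict:
    """Decide 'encrypt' or 'deliver' for one outbound RFC 822 message."""
    body, attachments = extract_text(message_from_string(raw_message))
    ids = find_identifiers(body)
    reasons = []
    if ids and NAME_RE.search(body):       # NPPI = name coupled with an identifier
        reasons.append("body couples a name with: " + ", ".join(sorted(ids)))
    risky = [a for a in attachments if any(h in a.lower() for h in NPPI_DOC_HINTS)]
    if risky:
        reasons.append("attachment likely contains NPPI: " + ", ".join(risky))
    return {"action": "encrypt" if reasons else "deliver",
            "reasons": reasons, "identifiers": ids}


# Constructed sample messages (addresses and parties are fictitious).
MSG_PAYOFF = """\
From: closer@example-law.test
To: lender@example-bank.test
Subject: Payoff figures
Content-Type: text/plain

Per our call, John Smith's payoff figures are below.
SSN 123-45-6789.
Wire the proceeds to acct # 00123456789.
"""
MSG_BENIGN = """\
From: closer@example-law.test
To: buyer@example.test
Subject: Closing time confirmed
Content-Type: text/plain

Hi Jane Doe, we are confirmed for 2:00 pm Thursday. Please bring a photo ID.
"""
MSG_ATTACH = """\
From: closer@example-law.test
To: lender@example-bank.test
Subject: Signed application
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Attached is the signed application.
--b1
Content-Type: application/pdf; name="Form1003_Smith.pdf"
Content-Disposition: attachment; filename="Form1003_Smith.pdf"
Content-Transfer-Encoding: base64

JVBERi0xLjQK
--b1--
"""

if __name__ == "__main__":
    for name, msg in (("payoff", MSG_PAYOFF), ("benign", MSG_BENIGN), ("attach", MSG_ATTACH)):
        print(name, gateway_decision(msg))
```

In production the scanner would also have to extract text from PDF and image attachments, the name heuristic would be replaced by the actual parties on the title order, and the safer default when classification is uncertain is to fail closed and encrypt.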