Information Security - Foundation Title and Escrow, LLC


ALTA Best Practices
Section 3 Information Security
Required Training for
new hires/annual re-cert
The Value of Information
• The nature of the services performed at Foundation Title and
Escrow requires all teammates to have access to information. The
accumulation, interpretation, and presentation of data is at the heart
of our day-to-day operations.
• All information carries some risk if inappropriately handled. Some
information is subject to special protections.
• Just as physical data protection might require locking doors, and
limiting who receives a key to the office, digital information also
requires planning and awareness for proper protection.
• As a service provider for real estate agents and lenders, the
company and teammate are subject to the same laws and
regulations regarding information protection.
• This training will cover different information types, their associated
risks, systemic and individual efforts required to protect Non-Public
Personal and other high risk information, and gain ALTA best
practice certification.
Public Information
• Public - Public Information is freely
available outside of the business or is
intended for public use.
• Public information is the only type of
information that presents no risk if
accurately disclosed.
– Misrepresentation of public information,
however, can still cause significant harm.
Public information risk scenarios
• The order entry clerk has a typo on one of the
buyer names, or the name is very common.
• The abstractor finds numerous judgments
against the name.
• If a teammate:
– Tells the lender/agent/other party to the transaction to
cancel the transaction because the buyer is a bad
person?
• The teammate and company (and by extension, the lender)
may be in violation of fair lending laws
• May be liable under the Equal Credit Opportunity Act
• May have committed slander
• Could be liable to the seller for the purchase price.
Public information risk scenarios
The teammate should:
– Provide the commitment to the parties, and allow them to
• Clarify the buyer name (middle initials, last 4 of SSN, etc.) so
the commitment can be corrected
• Provide proof that the judgments have been satisfied.
• Allow the parties to specify which exceptions/requirements
are not acceptable
• Request the title underwriter override the exception
• The lender may approve that the exceptions remain on the
final policy.
Internal Information
• Internal information, such as internal phone directories
(emergency contact information, etc.), should be
controlled, but there is no requirement for
extraordinary steps such as encryption or lock &
key.
• Internal Information is commonly shared within
the business and is not intended for public
distribution.
• Internal distribution includes Foundation
affiliates, vendors, and clients on a need to know
basis.
Pending public information
• Some information that may be public
information at the completion of a
transaction may be considered Protected
Non-Public Personal information, or for
internal use only depending on the party
requesting/receiving the information.
– Negotiated sale price
– Lender's loan/application #
– Seller concessions, repairs, etc.
Corporate Non-Public Information
• Corporate
– Client lists and information
– Procedures/business methodology/trade secrets of the company
– Affiliate/vendor knowledge
Even seemingly innocent comments like “one of our other clients
does ____ this way” are a violation of our client’s trust and privacy
and are strictly prohibited.
Corporate espionage is a real threat; our clients frequently compete
against each other.
Resigning or terminated employees are prohibited from capturing
client data, corporate documentation, or disseminating client
data to potential or future employers. Management will assess
client data risk when reviewing resignations/terminations and will
take appropriate measures to ensure that all data is secured.
Non-Public Personal Information
– Laws apply to all Banks, Lenders, Originators, and their
vendors/service providers.
– Gramm-Leach-Bliley Act burden of proof:
• Any information breach that would cause significant harm, cost, or
inconvenience.
• E-mail encryption may be required.
– Elephant in the room and the new policeman = Dodd-Frank –
CFPB - Consumer Financial Protection Bureau
• Over 3,200 page legislation
• Rule writing is 39% complete
– 13,789 pages
– 155 rules with another 243 proposed.
• Most difficult - UDAAP - Unfair or Deceptive Acts And Practices
– Any business practice that the consumer deems unfair or deceptive
– Applies to all banks, lenders, originators, and their vendors
– Requires a formal complaint tracking and escalation mechanism
Non-Public Personal Information
– Foundation’s Golden Rules policy allows for simplified
compliance with all of the new regulations imposed on
our clients.
• E-mails present additional risks. When in doubt:
– Don’t give information out/remove sensitive information.
– Shrink the audience – be able to articulate why each receiver of
an e-mail is entitled to the information being sent, or remove
them.
– Encrypt emails by adding [secure] to the subject line.
– Create a new e-mail rather than replying to an e-mail that may
contain sensitive information in the larger conversation.
– Don’t be the middleman; connect the client to the source
(agent/lender/originator, etc.)
– Escalate to management, and they will request specific written
instructions from the lender/originator or client on how to handle
a specific request for information.
Foundation Policy
• Foundation T & E’s Golden Rules
– Giving without permission is stealing (information within company systems belongs to the company and was
given with specific client permission)
– You can’t disclose what you don’t collect (if you don’t need it, don’t collect it.)
– Don’t disclose information to questionable persons. (All employees and vendors must pass a criminal
background check. Applicants/employees are ineligible for employment if unable to pass the background
check)
– If you must communicate sensitive information, truncate and encrypt the information.
– Don’t disclose any client information you wouldn’t want disclosed if it were yours.
• Transaction information
– purchase price
– concessions
– property condition or value opinions
• Identity theft protection items
– SSN
– DOB
– Account #s
– Loan #s
– Credit score
– You can give back what has been given to you
Teammates should question why the party requesting the information doesn’t already have it. Verify the call is from a known
phone number for the authorized party, or call them back at a verified number to prevent phishing attempts.
Loan and account numbers, which are normally protected, may be repeated to the persons who provided them if there is a
legitimate business reason (e.g. the lender requests that the loan # be included in the subject line of all correspondence to assist in tracking).
Follow the rules
• Certain information, by law, is required to be disclosed at certain times (purchase amount for calculating transfer tax, etc.)
• All other non-public information remains protected indefinitely.
Information Security toolbelt
• Passwords (unique, known only to the teammate, managed by ImageQuest)
• Do not collect unnecessary data.
• Print reduction (reduce the number of copies of sensitive data)
• Deposit printed materials into a company approved, locked shred bin after scanning
to the company software platform (system of record)
• Clean desk (sensitive data should be cleared from the physical desk space and
locked each evening)
• Clean desktop (password log-ins to PCs should never be disabled; individual
computer desktops should remain clear of sensitive personal information and only
house “work in progress” until it can be uploaded to the system of record)
• Sensitive data should rarely be disclosed and should be on an as-needed basis,
truncated and sent via secure encrypted e-mails (add [secure] to the subject line)
whenever possible.
• Removable storage media (other than DigiDocs secure disks) is not allowed; USB
ports are disabled for data transfer.
• Complaints and e-mails should be escalated and tracked by forwarding to
[email protected]
• Administrative/advanced system rights are limited to the ImageQuest authorized
personnel, and changes to access levels may only be approved by executive
management.
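The e-mail rules in the training (truncate identity-theft items, add [secure] to the subject so the gateway encrypts, and shrink the audience to parties you can justify) as an added Python pre-send check; this is example code, not Foundation Title and Escrow's or ImageQuest's own tooling. The regex patterns, the set of entitled recipients and the sample draft are constructed assumptions for the example.

```python
import re
from dataclasses import dataclass, field

# Patterns for the identity-theft protection items the policy names (SSN, DOB,
# account/loan numbers). Constructed for this example; not the company's real DLP rules.
SSN_RE = re.compile(r"\b(\d{3})-(\d{2})-(\d{4})\b")
DOB_RE = re.compile(r"\b(?:DOB|date of birth)\s*:?\s*\d{1,2}/\d{1,2}/\d{2,4}\b", re.IGNORECASE)
ACCT_RE = re.compile(r"\b(?:loan|account|acct)\s*#?\s*:?\s*(\d{6,})\b", re.IGNORECASE)
SECURE_TAG = "[secure]"  # subject-line tag that triggers encryption per the policy


@dataclass
class PolicyResult:
    findings: list = field(default_factory=list)  # sensitive items detected in the body
    reasons: list = field(default_factory=list)   # why the draft violates policy (empty = ok)
    body: str = ""                                # body after the truncate rule is applied

    @property
    def allowed(self) -> bool:
        return not self.reasons


def find_sensitive(body: str) -> list:
    """Label each identity-theft protection item present in the body."""
    found = []
    if SSN_RE.search(body):
        found.append("SSN")
    if DOB_RE.search(body):
        found.append("DOB")
    if ACCT_RE.search(body):
        found.append("account/loan #")
    return found


def truncate(body: str) -> str:
    """Truncate rule: keep only the last four digits of SSNs and account/loan numbers."""
    body = SSN_RE.sub(lambda m: "***-**-" + m.group(3), body)
    return ACCT_RE.sub(
        lambda m: m.group(0).replace(m.group(1), "*" * (len(m.group(1)) - 4) + m.group(1)[-4:]), body)


def check_outbound(subject: str, body: str, recipients: list, entitled: set) -> PolicyResult:
    """Check a draft against the Golden Rules before it leaves the teammate's mailbox."""
    result = PolicyResult(findings=find_sensitive(body), body=body)
    if result.findings:
        result.body = truncate(body)  # always send the truncated form
        if SECURE_TAG not in subject.lower():
            result.reasons.append(f"subject lacks {SECURE_TAG} but body contains {', '.join(result.findings)}")
    for rcpt in recipients:  # shrink the audience: every recipient must be an entitled party
        if rcpt.lower() not in entitled:
            result.reasons.append(f"recipient {rcpt} is not an entitled party; remove or escalate")
    return result
```

A draft that fails the check should be corrected (tag the subject, drop the unjustified recipient) or escalated to management for written handling instructions, as the policy describes.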
ALTA B.P. 3 Information Security
Certification
– By signing below, I acknowledge reading and
understanding the Foundation Title and Escrow
Series LLC’s Information Security and Protection
Policy.
– Teammate __________________date__/__/__
– By signing below, I agree to abide by the Foundation
Title and Escrow Series LLC’s Information Security
and Protection Policy.
– Teammate __________________date__/__/__
» Scan/e-mail this page to: