Securing NPI
Mary Schuster, Mike Murphy
Gramm-Leach-Bliley Act
Enacted to control the ways that financial institutions deal with the private information of individuals, consisting of three sections:
o The Financial Privacy Rule, which regulates the collection and disclosure of private information
o The Safeguards Rule, which stipulates that financial institutions must implement a security program to protect private information
o The Pretexting Rule, which prohibits accessing private information using false pretenses
The CFPB
o Responsible for consumer protection in the financial sector
o Authorized by the Dodd-Frank Act in 2010 in response to the financial crisis of 2007-08
o Service Provider Memo of 4/13/12 extends some GLB obligations to the service providers of the lender
o Has developed new rules and forms related to the closing of a real estate transaction
ALTA
Advocacy on behalf of title agents related to proposed CFPB regulations
o Educated the CFPB on the value of the title industry and title agent
o Formed a task force that worked with the CFPB related to changes
o Created Best Practices as an industry-wide proactive offering of Standards – as opposed to waiting for each lender to set individual standards
o Worked with title agents to review and comment on the proposed CFPB changes
But what does the coming together of these parts really mean?
Lenders have a greater responsibility than ever before
o Responsible for title agents and their processes, practices and procedures used in transactions
o Ultimately responsible for title agency 3rd party vendors
  - Notaries
  - Cleaning staff
  - IT service providers
That's 4th party level responsibility, and that got the Lender's attention!
ALTA's answer…Best Practices
7 Pillars
ALTA/Underwriter/Software Vendor Tools
o Webinars
o Readiness Assessments
Certification
o Pillars 1, 2, 4, 5, 6, 7
o Pillar 3
Develop a security program to protect NPI – Electronic & Paper
Identify where NPI exists in your organization
o Data in use
  - Active order data within Title Production Software
  - Active order data in paper files
  - Active order data in documents (Word, Excel, etc.)
  - Documents at the closing table
o Data in motion
  - Any order data moving along your network
  - Any order data being shared with other parties
o Data at rest
  - Inactive order data within Title Production Software
  - Inactive order data in data warehouse
  - Offsite backups, tapes, etc.
Develop a security program to protect NPI
Examples of NPI
o The obvious
  - SSN/EIN
  - Credit card numbers
o The little less obvious
  - Bank or credit card payoff statements
  - Insurance, retirement, divorce or tax information
  - Dates of birth
o How about this one?
  - Buyer/Seller names with property address on a HUD on an active order?
  - Yep, that's NPI until the data is recorded
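As an added example, not part of the presentation or of any ALTA tool, the following Python scan shows one way to locate the NPI types listed above (SSN/EIN, card numbers, dates of birth) in text pulled from documents or a data warehouse; the patterns, the Luhn filter and the sample order text are all assumptions constructed for this example, and findings are masked so the report itself does not become another copy of the NPI.

```python
import re
from typing import Dict, List

# Detectors for the NPI examples on the slide (SSN/EIN, card numbers, dates of birth).
# The patterns are assumptions for this example, not an ALTA or regulatory specification.
PATTERNS = {
    "ssn": re.compile(r"\b(?!000|666|9\d{2})\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b"),
    "ein": re.compile(r"\b\d{2}-\d{7}\b"),
    "card": re.compile(r"\b\d(?:[ -]?\d){12,18}\b"),  # 13-19 digits, Luhn-checked below
    "dob": re.compile(r"\b(?:DOB|Date of Birth)[:\s]+(\d{1,2}/\d{1,2}/\d{4})", re.I),
}

def luhn_ok(digits: str) -> bool:
    """Luhn checksum used by payment cards; rejects most plain reference numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def find_npi(text: str) -> Dict[str, List[str]]:
    """Return each NPI value found in text, keyed by NPI type."""
    hits: Dict[str, List[str]] = {kind: [] for kind in PATTERNS}
    for kind, pattern in PATTERNS.items():
        for m in pattern.finditer(text):
            value = m.group(1) if m.groups() else m.group(0)
            if kind == "card" and not luhn_ok(re.sub(r"\D", "", value)):
                continue        # digit run of card length, but not a valid card number
            hits[kind].append(value)
    return hits

def redact(value: str) -> str:
    """Mask all but the last four characters so a findings report does not re-expose NPI."""
    return "*" * (len(value) - 4) + value[-4:]

def report(text: str) -> List[str]:
    """Flatten findings into 'type: masked value' lines for an audit log or review."""
    return [f"{kind}: {redact(v)}" for kind, values in find_npi(text).items() for v in values]

# Constructed sample order text; every value below is fabricated for this example.
SAMPLE = """Order 2024-0001
Borrower SSN: 219-09-9999   Seller EIN: 12-3456789
Payoff card on file: 4111 1111 1111 1111   Wire ref no: 1234 5678 9012 3456
DOB: 07/04/1980"""

if __name__ == "__main__":
    for line in report(SAMPLE):
        print(line)
```

Running find_npi over text extracted from scanned files or database exports is one way to build the inventory of data at rest that the previous slide asks for.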
Develop a security program to protect NPI
Ask questions about your operation
o Do you have a clean desk policy?
o Are you shredding sensitive documents?
o If you use a shredding service, are documents to be shredded secured?
o Does your scanning solution have levels of security to limit access?
o Are all files locked and secured? Common area stand-ups?
o Do you conduct background checks of employees? How often?
Develop a security program to protect NPI
Ask questions about your operation
o Are devices password protected and are they locked down at night?
o Are your servers secure with limited access?
o Do you destroy old hard drives of computers and copiers?
o Are mobile devices secure and can they be remotely wiped clean?
o How are paper files secured that leave the office or are with couriers?
o Do you have oversight of service providers to be sure they secure NPI?
Develop a security program to protect NPI
Ask questions about your operation
o Do your office and work areas have secured entry points with individual access codes or keyed access?
o Do you control the use of removable media devices like flash drives?
o Do you have Disaster Recovery and Business Continuity plans?
o Do you have audit procedures to ensure that staff comply with security measures and procedures?
o Are email and attachments containing NPI encrypted?
Develop a security program to protect NPI
Ask questions about your operation
o Are you restricting personal email accounts?
o Does a training program for employees related to protecting NPI exist?
o Do you have guidelines and controls for use of company technology that has access to NPI?
Develop a security program to protect NPI
Build company policies, educate staff and review regularly
o Clean Desk Policy
o Acceptable Use Policy
o Password Policy
o Information Technology Electronic Asset Disposition Policy
o Security of Information and Records Policy
o Privacy of Personal Information of Consumers and Customers Policies
o Exception Standard
o Firewall Policy
o Vulnerability Scanning Policy
Do continue to educate yourselves
Do take action – get started, as this is a process. Compliance is a continuous journey, not a destination.
Do ask questions and get help
Do train your staff members about NPI
Do review your Security Program
Do become compliant – get certified
Business Continuity
o How we work when we can't get to work or when equipment isn't available
o Can Business Continuity be built into our systems?
Disaster Recovery
o What we do when resources are gone for good or gone for an extended period of time
o Recovery Point Objective
o Recovery Time Objective
o Developing the process to determine if/when to enable Disaster Recovery
o Testing
Nice 10 years ago – Today's grade F
[Slide diagram labels: Application, Database, Storage, Web, Email]