Nancy Ferguson Sr. State Counsel, VP, Chicago Title State Counsel, Fidelity National Title Group Relevant Memberships: NCBA (Real Property Section Council), NCLTA, RELANC, NC Closing Attorney Best Practices Task Force, ABA, ALTA, ACREL, ACMA NC State Bar Certified Specialist, Real Property Transactions Co-Author, NC Real Estate with Forms, 3d Ed.
Non-public Personal Information (“NPPI”): –Personally identifiable data such as information provided by a customer on a form or application, information about a customer’s transactions, or any other information about a customer which is otherwise unavailable to the general public. –NPPI includes first name or first initial and last name coupled with any of the following: Social Security Number Driver’s license number State-issued ID number Credit or debit card number Other financial account numbers 6
1.Gramm-Leach Bliley Act (GLBA) 2.Federal Trade Commission (FTC) Privacy Rule (1999) Safeguard Rule (2003) Disposal Rule (2005) 3. Consumer Financial Protection Bureau (CFPB) April 2012 Bulletin Supervisory Highlights (2012) 4.Office of the Comptroller of the Currency (OCC) Interagency Guidelines Establishing Standards for Safeguarding Customer Information (2001) Third Party Relationship Bulletin (Oct. 2013) 5.American Land Title Association (ALTA) 1.“Best Practices” for Title Insurance and Settlement Companies (Jan 2013) 6.State Agencies & Regulators 7.Attorney Code of Professional Conduct 7
-It is now commonly accepted in the legal profession that the confidentiality duty applies to attorney client information in computer and information systems. -Comment 18 to ABA Model Code: notes that lawyers are required “to act competently to safeguard information relating to the representation of a client against unauthorized access by third parties and against inadvertent or unauthorized disclosure by the lawyer or other persons who are participating in the representation of the client or who are subject to the lawyer’s supervision.” 8
Nearly every state have adopted the American Bar Associations Model Rules of Professional conduct. Rule 1.6 Confidentiality of information (a) “a lawyer shall not reveal information relating to the representation of a client..” 9
- “every state has its own legislative or judicial rules pertaining to the practice of law that prohibit lawyers from disclosing information about their clients to third parties and that the GLBA would not add anything to the local regulations.” - The court pointed out that “the legal guidelines within the legal profession are very similar to the disclosure requirements of the GLBA”, also stating that this area is typically left to states to enforce. - “Pre-existing state ethical rules that govern attorneys, would be prohibited from affiliating with financial institutions and, as a result of the affiliation, disclosing clients’ information without their clients’ consent.” - The ABA stated during trial that “professional conduct rules in every state and the District of Columbia impose stringent confidentiality requirements on attorneys that protect the privacy of clients far more effectively than provisions in the GLBA.”
-It is now commonly accepted in the legal profession that the confidentiality duty applies to attorney client information in computer and information systems. -Comment 18 to ABA Model Code: notes that lawyers are required “to act competently to safeguard information relating to the representation of a client against unauthorized access by third parties and against inadvertent or unauthorized disclosure by the lawyer or other persons who are participating in the representation of the client or who are subject to the lawyer’s supervision.” 11
§60: A Lawyer’s Duty to Safeguard Confidential Information (1) During and after representation of a client: –(a) the lawyer may not use or disclose confidential client information as defined in § 59 if there is a reasonable prospect that doing so will adversely affect a material interest of the client or if the client has instructed the lawyer not to use or disclose such information; –(b) the lawyer must take steps reasonable in the circumstances to protect confidential client information against impermissible use or disclosure by the lawyer's associates or agents that may adversely affect a material interest of the client or otherwise than as instructed by the client. 12
Comment D: A lawyer’s duty to safeguard confidential client information –“A lawyer who acquires confidential client information has a duty to take reasonable steps to secure the information against misuse or inappropriate disclosure, both by the lawyer and by the lawyer's associates or agents to whom the lawyer may permissibly divulge it.” –“This requires that client confidential information be acquired, stored, retrieved, and transmitted under systems and controls that are reasonably designed and managed to maintain confidentiality.” –“A lawyer must take reasonable steps so that law-office personnel and other agents such as independent investigators properly handle confidential client information.” –“That includes devising and enforcing appropriate policies and practices concerning confidentiality and supervising such personnel in performing those duties.” 13
North Carolina adopted the ABA Model Rules of Professional Conduct on October 7, 1985 (with subsequent amendments). Rule 1.6: Confidentiality of Information –(a) A lawyer shall not reveal information relating to the representation of a client unless: (1) the client gives informed consent; (2) the disclosure is impliedly authorized in order to carry out the representation Comment 3 –The confidentiality rule, for example, applies not only to matters communicated in confidence by the client but also to all information relating to the representation, whatever its source. A lawyer may not disclose such information except as authorized or required by the Rules of Professional Conduct or other law. Comment 19, paragraph (c) –Requires a lawyer to act competently to safeguard information relating to the representation of a client against inadvertent or unauthorized disclosure by the lawyer or other persons who are participating in the representation of the client or who are subject to the lawyer's supervision. –A client may require the lawyer to implement special security measures not required by this Rule, or may give informed consent to forgo security measures that would otherwise be required by this Rule. Whether a lawyer may be required to take additional steps to safeguard a client’s information to comply with other law—such as state and federal laws that govern data privacy, or that impose notification requirements upon the loss of, or unauthorized access to, electronic information—is beyond the scope of these Rules. 14
Comment 20 –When transmitting a communication that includes information relating to the representation of a client, the lawyer must take reasonable precautions to prevent the information from coming into the hands of unintended recipients. This duty, however, does not require that the lawyer use special security measures if the method of communication affords a reasonable expectation of privacy. Special circumstances, however, may warrant special precautions. Factors to be considered in determining the reasonableness of the lawyer's expectation of confidentiality include the sensitivity of the information and the extent to which the privacy of the communication is protected by law or by a confidentiality agreement. –A client may require the lawyer to implement special security measures not required by this Rule or may give informed consent to the use of a means of communication that would otherwise be prohibited by this Rule. Whether a lawyer may be required to take additional steps to comply with other law, such as state and federal laws that govern data privacy, is beyond the scope of these Rules. 15
Wells supports customer choice provided such third party providers “consistently meets all applicable requirements” Wells is expanding and enhancing third party oversight…in order to monitor and measure performance Prepare for “Top Performer” status Wells “supports” ALTA Best Practices, which should already be in place for “businesses providing title and closing services” Wells recognizes some may need “transition time” If not currently following ALTA Best Practices, do you have a plan in place for adoption? Can you document and demonstrate inspection processes to validate your adoption of ALTA’s Best Practices? 16
1.Establish and maintain current license(s) as required to conduct the business of title insurance and settlement services. 2.Adopt and maintain appropriate written procedures and controls for Escrow Trust Accounts allowing for electronic verification of reconciliation. 3.Adopt and maintain a written privacy and information security program to protect Non-public Personal Information as required by local, state and federal law. 4.Adopt standard real estate settlement procedures and policies that ensure compliance with Federal and State Consumer Financial Laws as applicable. 5.Adopt and maintain written procedures related to title policy production, delivery, reporting and premium remittance. 6.Maintain appropriate professional liability insurance and fidelity coverage. 7.Adopt and maintain procedures for resolving consumer complaints. 17
Establish a Disaster Management/Recovery Plan Notification of Security Breaches to Customers and Law Enforcement –47 states have a data breach notification law; know the requirements particular to your state so that you are prepared in the event of a breach –Post your company’s privacy and information security program on your website or provide program information directly to customers in another useable form –When a breach is detected, your company should have a program to inform customers and law enforcement as required by law 18
The FTC looks for : –Written data security policies –Sound document destruction policy and practice –Password protection procedures –Proof of ongoing staff training in data security and GLB Act compliance The CFPB looks for: –Appropriate training and oversight of employees and agents that have consumer contact –Comprehensive data security policies, procedures and internal controls –Compliance with federal consumer financial laws Lenders look for: –Compliance by their Service Providers with federal and state laws, rules and regulations (e.g. OCC & CFPB) OCC looks for: –Oversight and management of Third Party Relationships, including: independent assessments, due diligence and appropriate agreements, on-site, independent audits, safeguarding of NPPI, etc. 19
Practical Steps to Take: Develop all required privacy and data security policies, procedures, and plans Information Security Plan Incident Response Plan Disaster Recovery Plan Secure Password Policy Electronic Communications and Internet Use Policy Assess your company’s risk profile Educate and train your work force Secure your work flows Ensure compliance of all service providers Implement a sound document destruction policy 20
Common “Settlement” Documents Containing NPPI Common “Title” Documents Containing NPPI Uniform Residential Loan Application (Form 1003) Identification (Driver’s License, passport, etc.) Borrower Tax ReturnsTitle Order Form Lender Engagement LetterPayoff Letter Identification (Driver’s License, passport, etc.) Escrow Agreements with Tax Searches Settlement Statement (HUD-1)Real Estate Transfer Tax Forms IRS Form 4506-T, Request for Transcript of Tax Returns Affidavits IRS Form W-9, Request for Taxpayer Identification Number and Certification Recordable Docs Payoff LetterTitle Bill 22
1.Staff Training 2.Manual of Policies and Procedures 3.Privacy Notice 4.Shred-All Policy 5.Vendor Non-Disclosure Agreements (NDA’s) 6.Background checks on employees handling NPPI 7.Clean Desk, Office and Screen Policy 8.Authorized Devices 23
1.Entryway Security & Sign-in Log 2.Clean Desk Policy 3.Locked Filing Cabinets 4.Security Cameras 5.Privacy Screens 6.Locked Offices 7.Shredding of Paper and Digital Media 8.Locks on Computers 24
1.Password Protection 2.Computer Screen Timed Lockout 3.Using Various Brands of Firewalls (Defensive Depth) 4.Port Lockdown 5.Network Printers/Scanners 6.Restrictive Access to Programs, files etc. 7.Updates and Patches 8.Email Encryption 25
Compliance must now be a core competency Compliance is the “NEW” marketing Lenders have identified Data Security as their Number 1 concern with regard to their Service providers Data Security compliance is the law and lenders are more actively enforcing our compliance requirements Prepare for Lender & Regulator audits now! 28
Christopher J. Gulotta, Esq. Founder & CEO Real Estate Data Shield, Inc. 212-951-7302 email@example.com www.realestatedatashield.com 29
Data Security/Best Practices Preparation and Implementation Jim Brahm Chief Executive Officer Security Compliance Associates 2727 Ulmerton Rd., Suite 310 Clearwater, FL 33762 727-571-1141 firstname.lastname@example.org
Step 1 - Initial call – The company will need the information security policy, acceptable-use policy and business continuity/disaster recovery plan. – Explain the personnel interview process and who will be interviewed. – The company being assessed will want to ask any questions they may have about the on-site visit.
Step 2 - Pre-assessment due diligence –Review/update policies and procedures for content and relevance –review network topology, which means ensuring security devices are configured correctly –check web-content filtering –ensure firewalls, and intrusion defense systems (IDS) or intrusion prevention systems are configured properly –remove old user accounts and rename default administrative account names
Step 3 - External Assessment –Provides proof of how a company could be exploited. –IP address(es) tested to deduce vulnerabilities –Test vendor response for intrusion defense systems (IDS) or intrusion prevention systems (IPS) –Social engineering test/employee awareness & training Examples of tests include spear-phishing emails phishing emails containing a forged link pretense calling which is similar to phishing where the caller attempts to obtain sensitive information via telephone.
Step 4 - On-site assessment –Conducting an external physical assessment of the site –Internal physical assessment –Conducting an internal network vulnerability scan –Conduct interviews with management & IT staff –Review in-place policies & procedures –Workstation reviews –Server configuration reviews
Step 5 - Post-assessment report –Detailed findings of all parts of the assessment –List of vulnerabilities discovered and the associated hosts –Recommendations for vulnerability remediation, policy recommendations, acceptable-use recommendations and implementation of business continuity/disaster recovery plan.
Component of AssessmentRisk Level Information Security ProgramInformation Security PolicyMedium Information Security Plans & ProceduresMedium Roles & ResponsibilitiesLow Personnel SecurityLow Risk Identification and AssessmentInfoSec Risk AssessmentLow Critical Application Risk AssessmentMedium Employee Training Management and Responsibilities Security Guidance and TrainingLow Social EngineeringMedium
Internal Information SecuritySecurity Administration (Authentication and AuthorizationMedium Network Security (Communications, Network and Internet Security)Medium Host Security (Operating Systems, Hardening, Patch Management)Medium Change ManagementMedium User Equipment Security (Operating System, Workstation Imaging)Low Security Monitoring (Audit and Log Review)Medium Security Monitoring (Vulnerability Scanning & Penetration Testing)Low Virus and Malware MitigationLow FTP Configuration - InternalLow FTP Configuration - ExternalLow Physical SecurityMedium EncryptionMedium Publicly Accessible ServicesLow
Perimeter Defense Systems Response HandlingHigh ICMP TestingLow DNS Registration InformationLow Banner EnumerationLow AutocompleteLow Frameable Response (Clickjacking)Low Retention and Destruction of Personal Information Data Security (Data Classification)Low Overseeing Service ProvidersThird Party ManagementLow Data Breach Incident ReportingIncident Response PlanLow Business Continuity and Disaster Recovery BCP / DRPMedium
Step 6 - Remediation stage –Company must determine its ability to address shortfalls and vulnerabilities –Work with IT support on remediation steps for technical vulnerabilities –Address non-technical shortfalls/vulnerabilities and –Document remediation steps that are performed
Use ISO on-demand availability to answer questions you may have and provide guidance It’s a resource for you – Take advantage of it!
Policies & Procedures incomplete or outdated. No back-up plan or Disaster Recovery Policy Antivirus shortfalls –Disabling antivirus active scan due to speed issues –No antivirus on the server because it is not accessed No firewalls Not monitoring firewalls, IPS/IDS, and event logs
Allowing anyone to access files on file servers (Not using permissions) Allowing anyone on the internal network through the wireless access point Employees providing username/password Missing Security Patches/Updates Third Party Vendor Due Diligence
Document Security: Secure email delivery of Non-Public Personal Information (NPPI)
Travels the open internet on its way to the recipient inbox Many server to server ‘hops’ along route Content is viewable and can be stolen - without your knowledge Like sending private information on a postcard
Compliance Grade Encryption Cloud-Based Service Premise-Based Gateway Secure from Desktop to Desktop to Mobile High Availability / Disaster Recovery "Encryption works. Properly implemented strong crypto systems are one of the few things that you can rely on.” Edward Snowden Email Encryption Works Against the NSA
Non-public personal information –Social security number –Driver’s license number –Credit card number –Other financial account number Secure electronic delivery solutions –Selective email encryption (desktop) –Automatic email encryption (policy gateway)