Christopher J. Gulotta, Esq., Founder & CEO
Real Estate Data Shield, Inc.
271 Madison Avenue, Suite 700, New York, NY 10016
212-951-7302, cgulotta@redatashield.com
Real Estate Data Shield, Inc. © 2015

Presentation transcript:

The Old World

The New World

Non-public Personal Information (“NPPI”)
- Personally identifiable data such as information provided by a customer on a form or application, information about a customer’s transactions, or any other information about a customer which is otherwise unavailable to the general public.
- NPPI includes first name or first initial and last name coupled with any of the following:
  - Social Security Number
  - Driver’s license number
  - State-issued ID number
  - Credit or debit card number
  - Other financial account numbers

Common “Settlement” Documents Containing NPPI
- Uniform Residential Loan Application (Form 1003): SSN, bank account numbers, loan numbers, work, address, etc.
- Borrower Tax Returns: SSN, financial information, address
- Lender Engagement Letter: SSN, address, loan numbers
- Identification (Driver’s License, passport, etc.): address, birthdate, ID number, passport number
- Settlement Statement (HUD-1): loan number, address
- IRS Form 4506-T, Request for Transcript of Tax Returns: SSN, address
- IRS Form W-9, Request for Taxpayer Identification Number and Certification: SSN, address
- Payoff Letter: bank account numbers, loan number, address

Common “Title” Documents Containing NPPI
- Title Commitment, Policy & Order Form: SSN, address, loan numbers
- Identification (Driver’s License, passport, etc.): address, birthdate, ID number, passport number
- Payoff Letter: bank account numbers, loan number, address
- Escrow Agreements with Tax Searches: SSN, address
- Real Estate Transfer Tax Forms: SSN, financial information, address
- Affidavits: SSN, address
- Recordable Docs: loan numbers, address
- Title Bill: address

1. Gramm-Leach-Bliley Act (GLBA)
2. Federal Trade Commission (FTC)
   - Privacy Rule (1999)
   - Safeguards Rule (2003)
   - Disposal Rule (2005)
3. Consumer Financial Protection Bureau (CFPB)
   - April 2012 Bulletin
   - Supervisory Highlights (2012)
4. Office of the Comptroller of the Currency (OCC)
   - Interagency Guidelines Establishing Standards for Safeguarding Customer Information (2001)
   - Third Party Relationship Bulletin (Oct. 2013)
5. American Land Title Association (ALTA)
   - “Best Practices” for Title Insurance and Settlement Companies (Jan 2013)
6. State Agencies & Regulators (State Attorney General, Department of Insurance, Attorney Professional Codes of Conduct)
7. Lender communications

Gramm-Leach-Bliley Act (GLBA)
- Date enacted: November 12, 1999
- Date effective: November 18, 2000
- Compliance date: July 1, 2001
- Tasks the FTC and the other agencies that regulate financial institutions with implementing regulations to carry out GLB’s financial privacy provisions.
- Covers “financial institutions.” Real estate settlement service providers (e.g., title and settlement companies) are included in the definition of “financial institutions” because they are “significantly engaged” in financial activities.

1999 – FTC Privacy Rule (16 C.F.R. § 313)
- Financial institutions are required to provide “a clear and conspicuous notice” (i.e., a “Privacy Notice”) to customers/consumers that accurately states the company’s privacy policies and practices.

2002 – FTC Safeguards Rule (16 C.F.R. § 314)
- Financial institutions are required to develop a written information security plan that describes their program to protect customer/consumer information.
- The preamble to the Rule identifies “employee training and management” as one of the three areas essential to ensuring information security within a business.

2005 – FTC Disposal Rule (16 C.F.R. § 682)
- Financial institutions are required to properly dispose of all customer/consumer information by taking “reasonable measures” to protect against unauthorized access to or use of the information.
- Reasonable measures = burning, pulverizing or shredding papers so that the information cannot be read or reconstructed; destroying or erasing electronic media.

Under the Safeguards Rule, a financial institution must:
- Designate an employee to coordinate the information security program
- Identify and assess risks to customer information and evaluate the effectiveness of current safeguards
- Design and implement a safeguards program and regularly monitor and test it
- Select service providers that can maintain safeguards and oversee their handling of customer information
- Evaluate and adjust the program in light of relevant circumstances

FTC recommendations include:
- Employee management and training for information handling
- “Regular” risk assessment of systems, networks, and software designs
- “Periodic” monitoring and testing of safeguards (e.g., penetration testing of network access)
- Upgrading the information security program when necessary
- Checking references or conducting background checks before hiring new employees
- Requiring employees to read and sign company privacy policies


OCC Bulletin 2013-29, October 30, 2013: “Third Party Relationships” Bulletin

These factors have combined to create a higher level of “safety & soundness” risk, and the OCC is concerned that banks may have generally failed to:
- Properly assess the risks associated with the use of such third-party providers;
- Perform adequate due diligence and ongoing monitoring of these relationships; and
- Appropriately enter into agreements with service providers after properly assessing the third party’s internal risk management capabilities.

ALTA Best Practices
1. Establish and maintain current license(s) as required to conduct the business of title insurance and settlement services.
2. Adopt and maintain appropriate written procedures and controls for Escrow Trust Accounts allowing for electronic verification of reconciliation.
3. Adopt and maintain a written privacy and information security program to protect Non-public Personal Information as required by local, state and federal law.
4. Adopt standard real estate settlement procedures and policies that ensure compliance with Federal and State Consumer Financial Laws as applicable.
5. Adopt and maintain written procedures related to title policy production, delivery, reporting and premium remittance.
6. Maintain appropriate professional liability insurance and fidelity coverage.
7. Adopt and maintain procedures for resolving consumer complaints.

Establish a Disaster Management/Recovery Plan

Notification of Security Breaches to Customers and Law Enforcement
- 47 states have a data breach notification law; know the requirements particular to your state so that you are prepared in the event of a breach.
- Post your company’s privacy and information security program on your website, or provide program information directly to customers in another usable form.
- When a breach is detected, your company should have a program to inform customers and law enforcement as required by law.

Nearly every state has adopted the American Bar Association’s Model Rules of Professional Conduct.

Rule 1.6, Confidentiality of Information: (a) “a lawyer shall not reveal information relating to the representation of a client...”

Massachusetts adopted the ABA Model Rules of Professional Conduct (with some variation and revision); they have been effective since June 9, 1997.

Rule 1.6: Confidentiality of Information
- (a) A lawyer shall not reveal confidential information relating to representation of a client unless the client consents after consultation, except for disclosures that are impliedly authorized in order to carry out the representation, and except as stated in paragraph (b).

Comment 16 of ABA Model Rule 1.6
- “Paragraph (c) requires a lawyer to exercise reasonable care to prevent disclosure of information related to the representation by employees, associates and others whose services are utilized in connection with the representation.”

Comment 17 of ABA Model Rule 1.6
- “When transmitting a communication that includes information relating to the representation of a client, the lawyer must take reasonable precautions to prevent the information from coming into the hands of unintended recipients... Factors to be considered in determining the reasonableness of the lawyer’s expectation of confidentiality include the sensitivity of the information and the extent to which the privacy of the communication is protected by law or by a confidentiality agreement. A client may require the lawyer to use a means of communication or security measures not required by this Rule.”

Rules Advisory Committee, Proposed Revisions to Massachusetts Rules of Professional Conduct, Rules 1.0–6.2, 7.1–7.5, 8.1–8.4 (as revised as of May 14, 2014)

Acting Competently to Preserve Confidentiality

[18] Paragraph (c) requires a lawyer to act competently to safeguard confidential information relating to the representation of a client against unauthorized access by third parties and against inadvertent or unauthorized disclosure by the lawyer or other persons who are participating in the representation of the client or who are subject to the lawyer’s supervision. See Rules 1.1, 5.1 and 5.3. The unauthorized access to, or the inadvertent or unauthorized disclosure of, confidential information relating to the representation of a client does not constitute a violation of paragraph (c) if the lawyer has made reasonable efforts to prevent the access or disclosure. Factors to be considered in determining the reasonableness of the lawyer’s efforts include, but are not limited to, the sensitivity of the information, the likelihood of disclosure if additional safeguards are not employed, the cost of employing additional safeguards, the difficulty of implementing the safeguards, and the extent to which the safeguards adversely affect the lawyer’s ability to represent clients (e.g., by making a device or important piece of software excessively difficult to use). A client may require the lawyer to implement special security measures not required by this Rule or may give informed consent to forgo security measures that would otherwise be required by this Rule. Whether a lawyer may be required to take additional steps to safeguard a client’s information in order to comply with other law, such as state and federal laws that govern data privacy or that impose notification requirements upon the loss of, or unauthorized access to, electronic information, is beyond the scope of these Rules. For a lawyer’s duties when sharing information with nonlawyers outside the lawyer’s own firm, see Rule 5.3, Comments 3 and 4.

Pursuant to M.G.L. c. 93H, s. 3(b), if you own or license data that includes personal information of a Massachusetts resident, you are required to provide written notice as soon as practicable and without unreasonable delay to:
- The Attorney General (AGO);
- The Director of the Office of Consumer Affairs and Business Regulation (OCABR); and
- The affected Massachusetts resident
when you know or have reason to know (a) of a breach of security; or (b) that personal information of a Massachusetts resident was acquired by or used by an unauthorized person or used for an unauthorized purpose.

Notice to the AGO and OCABR
The notice to the Attorney General and the Director of Consumer Affairs and Business Regulation shall include, but not be limited to: (1) the nature of the breach of security or the unauthorized acquisition or use; (2) the number of Massachusetts residents affected by such incident at the time of notification; and (3) any steps the person or agency has taken or plans to take relating to the incident. To assist you in this notification process, the AGO has prepared a sample letter outlining the minimum information that your notice to the Attorney General should contain.

Data Security Breach Notification Laws, Gina Stevens, Legislative Attorney, April 10, 2012. Congressional Research Service, 7-5700, www.crs.gov, R42475. CRS Report for Congress (prepared for Members and Committees of Congress).

The Massachusetts security breach and data destruction law and security regulations are considered to “constitute one of the most comprehensive sets of general security regulations yet seen at the state level.... [And] are clearly modeled after aspects of developing data security law at the federal level.” (Smedinghoff, Thomas J., “New State Regulations Signal Significant Expansion Of Corporate Data Security Obligations,” BNA Privacy & Security Law Report, October 20, 2008, at http://www.wildman.com/article/New_State_Regulations_Signal_Significant_Expansion.pdf.)

201 CMR 17.00 et seq. The Massachusetts regulations require “all persons that own, license, store or maintain personal information about a resident of Massachusetts” to protect the security and confidentiality of personal information about residents, and require companies to implement a comprehensive written information security program (based on listed requirements) and to deploy security safeguards (encryption). By March 1, organizations holding the personal information of Massachusetts residents (including customers, employees and others, regardless of which state the data is stored in) must amend their vendor contracts to require compliance.

- Wells supports customer choice provided such third-party providers “consistently meet all applicable requirements”
- Wells is expanding and enhancing third-party oversight... in order to monitor and measure performance
- Prepare for “Top Performer” status
- Wells “supports” ALTA Best Practices, which should already be in place for “businesses providing title and closing services”
- Wells recognizes some may need “transition time”
- If not currently following ALTA Best Practices, do you have a plan in place for adoption?
- Can you document and demonstrate inspection processes to validate your adoption of ALTA’s Best Practices?


Practical Steps to Take:
- Develop all required privacy and data security policies, procedures, and plans:
  - Information Security Plan
  - Incident Response Plan
  - Disaster Recovery Plan
  - Secure Password Policy
  - Electronic Communications and Internet Use Policy
- Assess your company’s risk profile
- Educate and train your workforce
- Secure your workflows
- Ensure compliance of all service providers
- Implement a sound document destruction policy

Three categories of safeguards:
A. Administrative
B. Physical
C. Network

Administrative Safeguards
1. Staff training
2. Manual of policies and procedures
3. Privacy notice
4. Shred-all policy
5. Vendor non-disclosure agreements (NDAs)
6. Background checks on employees handling NPPI
7. Clean desk, office and screen policy
8. Authorized devices

Physical Safeguards
1. Entryway security and sign-in log
2. Clean desk policy
3. Clean office
4. Locked filing cabinets
5. Security cameras
6. Privacy screens
7. Locked offices
8. Shredding of paper and digital media
9. Locks on computers

Network Safeguards
1. Password protection
2. Timed computer screen lockout
3. Layered firewalls from different vendors (defense in depth)
4. Port lockdown
5. Network printers/scanners
6. Restricted access to programs, files, etc.
7. Updates and patches
8. Email encryption

Christopher J. Gulotta, Founder & CEO
CEO and founder of Real Estate Data Shield, The Gulotta Law Group, and Paradigm Title Agency & Settlement; has represented institutional lenders in mortgage finance transactions for more than 20 years. He has developed compliance management platforms for mortgage lenders, title underwriters, and title and settlement agents.

Paul Schwartz, Chief Privacy Advisor
An international expert on information privacy law, Professor Schwartz assists corporations and law firms with regulatory, policy, and governance issues. As professor of law at UC Berkeley and Director of the Berkeley Center for Law and Technology, he has published widely on privacy and data security topics.

Richard Purcell, Courseware Developer
A leading voice in consumer privacy and data protection challenges, Mr. Purcell is an award-winning developer of Web-based education and training courses. As Microsoft’s original privacy officer, he designed and implemented one of the world’s largest and most advanced privacy programs.

- Compliance must now be a core competency
- Compliance is the “NEW” marketing
- Lenders have identified data security as their number 1 concern with regard to their service providers
- Data security compliance is the law, and lenders are more actively enforcing our compliance requirements
- Prepare for lender and regulator audits now!

This presentation, the supporting materials and the information contained therein do not constitute legal advice nor an attorney-client relationship and are provided for information purposes only. Because laws, rules and regulations change frequently and because local laws may apply, you should consult an attorney for any specific compliance or related inquiries.

Christopher J. Gulotta, Esq., Founder & CEO, Real Estate Data Shield, Inc.
212-951-7302, cgulotta@redatashield.com, www.realestatedatashield.com

Today’s Environment
- Regulatory Requirements
- Lender Requirements
- ALTA Best Practices
- August 1, 2015!
- Lenders Already Requiring Compliance

Lenders are reducing their vendor ranks. What is your real estate practice worth?

ALTA Best Practice 2: Escrow Best Practices (NAIC Escrow White Paper)
Adopt and maintain appropriate written procedures and controls for Escrow Trust Accounts allowing for electronic verification of reconciliation. These controls help meet client and legal requirements for safeguarding client funds.
- Daily Reconciliation Requirement
- Positive Pay
- File Balance Documentation
- Electronic Access for Underwriters

True Daily Reconciliation (be able to present a daily report)
Report contents:
- Summary Page
- Bank Statement
- Outstanding Deposits
- Outstanding Check Report
- Account Adjustments
- Trial Balance
- Debits & Credits = Bank & Book
Red Flags:
- Stale Dated Checks
- Undisbursed Funds
- Outstanding Deposits
- Negative File Balance
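The report above is a three-way reconciliation: the bank statement balance, adjusted for deposits and checks the bank has not yet processed, must equal the escrow check register (the book), which must equal the trial balance of the per-file ledger cards. The red flags are what a reviewer looks for once the totals tie. The following is an added example, not software from Real Estate Data Shield, ALTA or the NAIC; the record shapes, the aging thresholds (180 days for a stale check, 2 days for a deposit in transit, 45 days of idle money) and the sample entries are assumptions constructed for illustration.

```python
"""Three-way daily escrow reconciliation with red-flag detection.

Added example, not code from Real Estate Data Shield, ALTA or the NAIC.
The record shapes, the aging thresholds and the sample data are assumptions
constructed for illustration.
"""
from dataclasses import dataclass, field
from datetime import date
from decimal import Decimal

STALE_CHECK_DAYS = 180        # assumption: an outstanding check this old is "stale dated"
DEPOSIT_IN_TRANSIT_DAYS = 2   # assumption: a deposit the bank has not credited by then is a flag
UNDISBURSED_DAYS = 45         # assumption: a file holding money with no activity this long


@dataclass(frozen=True)
class BookEntry:
    """One line of the escrow check register (the 'book')."""
    file_no: str
    posted: date
    amount: Decimal   # positive = receipt into escrow, negative = disbursement
    ref: str          # check number or deposit reference


@dataclass
class ReconReport:
    bank_balance: Decimal
    outstanding_deposits: Decimal
    outstanding_checks: Decimal
    adjusted_bank: Decimal
    book_balance: Decimal
    trial_balance: Decimal
    red_flags: list[str] = field(default_factory=list)

    @property
    def in_balance(self) -> bool:
        # "Debits & Credits = Bank & Book": bank, book and file trial balance agree to the cent
        return self.adjusted_bank == self.book_balance == self.trial_balance


def reconcile(as_of: date, bank_balance: Decimal, cleared_refs: set[str],
              book: list[BookEntry], file_ledgers: dict[str, Decimal]) -> ReconReport:
    """bank balance + outstanding deposits - outstanding checks == book == trial balance."""
    outstanding = [e for e in book if e.ref not in cleared_refs]
    out_dep = sum((e.amount for e in outstanding if e.amount > 0), Decimal(0))
    out_chk = sum((-e.amount for e in outstanding if e.amount < 0), Decimal(0))
    book_balance = sum((e.amount for e in book), Decimal(0))
    trial_balance = sum(file_ledgers.values(), Decimal(0))   # per-file ledger cards
    rpt = ReconReport(bank_balance, out_dep, out_chk,
                      bank_balance + out_dep - out_chk, book_balance, trial_balance)

    if not rpt.in_balance:
        rpt.red_flags.append(f"OUT OF BALANCE: adjusted bank {rpt.adjusted_bank}, "
                             f"book {book_balance}, trial {trial_balance}")
    for e in outstanding:
        age = (as_of - e.posted).days
        if e.amount < 0 and age >= STALE_CHECK_DAYS:
            rpt.red_flags.append(f"STALE CHECK: {e.ref} file {e.file_no} {-e.amount} out {age}d")
        elif e.amount > 0 and age > DEPOSIT_IN_TRANSIT_DAYS:
            rpt.red_flags.append(f"DEPOSIT IN TRANSIT: {e.ref} file {e.file_no} {e.amount} {age}d")
    last_activity: dict[str, date] = {}
    for e in book:
        last_activity[e.file_no] = max(last_activity.get(e.file_no, e.posted), e.posted)
    for file_no, bal in file_ledgers.items():
        if bal < 0:
            rpt.red_flags.append(f"NEGATIVE FILE BALANCE: file {file_no} {bal}")
        elif bal > 0 and (as_of - last_activity.get(file_no, as_of)).days >= UNDISBURSED_DAYS:
            rpt.red_flags.append(f"UNDISBURSED FUNDS: file {file_no} {bal} idle")
    return rpt


def sample_report() -> ReconReport:
    """Constructed sample: the totals tie, but four red flags hide inside them."""
    D = Decimal
    book = [
        BookEntry("F-1001", date(2015, 6, 29), D("250000.00"), "DEP-4411"),
        BookEntry("F-1001", date(2015, 6, 30), D("-248500.00"), "CHK-2001"),  # payoff, not yet cleared
        BookEntry("F-1002", date(2014, 12, 1), D("350.00"), "DEP-3900"),
        BookEntry("F-1002", date(2014, 12, 15), D("-350.00"), "CHK-1750"),    # never cashed: stale
        BookEntry("F-1003", date(2015, 6, 26), D("5000.00"), "DEP-4402"),     # bank has not credited it
        BookEntry("F-1004", date(2015, 4, 1), D("1200.00"), "DEP-4100"),      # money sitting idle
    ]
    # Per-file ledger cards from the settlement system: totals agree with the book,
    # but a mis-posting left F-1005 negative and F-1004 overstated by the same $100.
    file_ledgers = {"F-1001": D("1500.00"), "F-1002": D("0.00"), "F-1003": D("5000.00"),
                    "F-1004": D("1300.00"), "F-1005": D("-100.00")}
    cleared = {"DEP-4411", "DEP-3900", "DEP-4100"}
    return reconcile(date(2015, 6, 30), D("251550.00"), cleared, book, file_ledgers)


if __name__ == "__main__":
    r = sample_report()
    print("in balance:", r.in_balance, "adjusted bank:", r.adjusted_bank)
    for flag in r.red_flags:
        print(" -", flag)
```

The point of the sample is that a reconciliation can tie to the penny and still conceal a stale check, an uncredited deposit, idle funds and a negative file: the totals prove the account, the red-flag pass proves the files.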

Written Procedures (training & records): Pre-Closing
- File balance
- Check endorsement
- Good funds v. collected funds
- Deposit (in transit = RESPA violation)
- Dealing with IRS liens
- PACER search; Patriot search
- FIRPTA

Written Procedures (training & records): Post-Closing
- PACER search
- Ledger card, file balance, HUD
- Check payees
- Check signing and wiring
- Check reissue
- Stop payment

Written Procedures (training & records): Settlement Software Controls
- Permissions
- Freeze files
- Logins
- Industry-standard software

Written Procedures (training & records): Unclaimed Property
- Stale dated check follow-up
- Undisbursed funds
- Escrow agreements
- Interpleading funds
- Escheatment

- What are the greatest external risks?
  - Cyber (banking) / check fraud / physical entry
  - Phishing emails (APT)
- What are the greatest internal risks?
  - Embezzlement / Wi-Fi / physical security / adherence to procedures
- Verification and validation: expect what you inspect!

Positive Pay
- Defense against check fraud: banking software that matches
  - Check #
  - Check date
  - Dollar amount
  - Payee
- UCC 3-103(7), 3-406b, 3-406e
  - Reasonable commercial standards
  - Ordinary care
  - Comparative fault
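Positive pay works because the bank pays only items that match the issued-check file the agency uploads; anything else comes back as an exception for the agency to decide. Below is an added example of that matching logic, not the bank's positive pay software and not code from the presentation. Record shapes, the payee normalization, the 180-day stale threshold and the sample issued and presented items are assumptions constructed for illustration.

```python
"""Positive pay: match the bank's presented items against the issued-check file.

Added example; not the bank's positive pay software, nor code from the
presentation. Record shapes, the stale-date threshold and the sample data are
assumptions constructed for illustration.
"""
from dataclasses import dataclass
from datetime import date
from decimal import Decimal
import re

STALE_DAYS = 180   # assumption: items presented this long after issue are returned for review


@dataclass(frozen=True)
class IssuedCheck:
    """A line of the issued-check file the agency uploads to the bank."""
    number: str
    issued: date
    amount: Decimal
    payee: str
    voided: bool = False


@dataclass(frozen=True)
class PresentedItem:
    """A line of the bank's daily presented-items feed (payee as read from the image)."""
    number: str
    presented: date
    amount: Decimal
    payee: str


@dataclass(frozen=True)
class Decision:
    number: str
    decision: str   # "pay" or "return"
    reason: str


def normalize_payee(name: str) -> str:
    """Drop case, spacing and punctuation so 'First Lender Bank, N.A.' == 'FIRST LENDER BANK NA'."""
    return re.sub(r"[^a-z0-9]", "", name.lower())


def positive_pay(issued: list[IssuedCheck], presented: list[PresentedItem]) -> list[Decision]:
    """Pay only items matching check number, amount and payee of a live issued check."""
    by_number = {c.number: c for c in issued}
    paid: set[str] = set()
    out: list[Decision] = []
    for item in presented:
        chk = by_number.get(item.number)
        if chk is None:
            reason = "no issued-check record (possible counterfeit)"
        elif chk.voided:
            reason = "voided check presented"
        elif item.number in paid:
            reason = "duplicate presentment of a check already paid"
        elif item.amount != chk.amount:
            reason = f"amount altered: issued {chk.amount}, presented {item.amount}"
        elif normalize_payee(item.payee) != normalize_payee(chk.payee):
            reason = f"payee altered: issued to {chk.payee!r}, presented by {item.payee!r}"
        elif (item.presented - chk.issued).days > STALE_DAYS:
            reason = f"stale dated: presented {(item.presented - chk.issued).days} days after issue"
        else:
            paid.add(item.number)
            out.append(Decision(item.number, "pay", "matches issued-check file"))
            continue
        out.append(Decision(item.number, "return", reason))
    return out


def sample_decisions() -> list[Decision]:
    """Constructed sample day: two clean items and six that positive pay should stop."""
    D = Decimal
    issued = [
        IssuedCheck("2001", date(2015, 6, 30), D("248500.00"), "First Lender Bank, N.A."),
        IssuedCheck("2002", date(2015, 6, 30), D("1250.00"), "Acme Title Services"),
        IssuedCheck("2003", date(2015, 6, 30), D("400.00"), "County Clerk"),
        IssuedCheck("2004", date(2015, 6, 29), D("75.00"), "Courier Co", voided=True),
        IssuedCheck("2006", date(2015, 6, 30), D("600.00"), "Smith & Jones LLP"),
        IssuedCheck("1750", date(2014, 12, 15), D("350.00"), "Town Tax Collector"),
    ]
    day = date(2015, 7, 6)
    presented = [
        PresentedItem("2001", day, D("248500.00"), "FIRST LENDER BANK NA"),
        PresentedItem("2002", day, D("1250.00"), "Acme Title Services"),
        PresentedItem("2002", day, D("1250.00"), "Acme Title Services"),   # presented twice
        PresentedItem("2003", day, D("4000.00"), "County Clerk"),           # amount raised 10x
        PresentedItem("2004", day, D("75.00"), "Courier Co"),               # voided check
        PresentedItem("2005", day, D("9800.00"), "Cash"),                   # never issued
        PresentedItem("2006", day, D("600.00"), "John Smith"),              # payee washed
        PresentedItem("1750", day, D("350.00"), "Town Tax Collector"),      # stale
    ]
    return positive_pay(issued, presented)


if __name__ == "__main__":
    for d in sample_decisions():
        print(f"{d.number:>5} {d.decision:<6} {d.reason}")
```

Payee matching is the control that plain (number, date, amount) positive pay lacks, and it is also the one most prone to false positives from image reads, which is why the payee is normalized before comparison. Note that the check date is carried on the issued record but matched only through the stale-date rule; a bank feed that supplies the date can compare it exactly.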

Follow the Money
- Follow up after 3–4 days for: payoffs and recordings
- Follow up after 10 days for: government entities (taxes); service providers (hazard and flood)
- Follow up after 30 days for: disbursements greater than $1,000
- Follow up after 45 days for: all other disbursements

Disburse Collected Funds
- Good Funds ≠ Collected Funds
  - Good funds: settlement definition only
  - Banking Regulation CC: available funds or collected funds
  - Expedited Funds Availability Act (1987)
  - Collected funds: irrevocably credited
  - Statute definition v. bank definition
  - Underwriter guidelines
- Limits on good funds: Illinois and North Dakota $50,000; Indiana and Utah $10,000; Idaho $1,000
- Settlement funding legislation needed

Escrow Security
- Industry software
- Administrative controls
  - Ability to limit functions
  - Freeze files
  - Written procedures
- Segregation of duties
- Daily reconciliation
- Strong passwords
- Dual authentication

Cyber Security
- Secure email service
- Biometric access device
- Strong passwords
  - Master passwords
- Internet controls
- Firewalls
- Browsers
- Training, training, training

CYBER ALERT – A new variant of the Zeus botnet and the ZeroAccess rootkit
- Attack on settlement software
  - No administrative controls
  - Created files
  - Transferred funds
  - Posted checks
- Daily reconciliation prevented the loss
  - Escrow analysis
  - Careful review
  - Potential loss ~$2,000,000

CYBER ALERT – A new variant of the Zeus botnet and the ZeroAccess rootkit
- NPPI aspects
  - >14,000 settlement files
  - SSNs
  - Bank account numbers
  - Investment account info
  - Credit card numbers
- FTC reporting requirements?

Online Banking Requirements: NACHA & FBI Guidelines
- Dedicated stand-alone computer
- Banking-only use
- No Java, no Adobe, no Flash
- Malware protection
- Automatic updates
- Strong authentication
- Dual controls

Control Web Access
- Browser selection
  - Avoid Internet Explorer (personal choice)
  - Speed, security, functionality
  - ActiveX for closing packages
  - Eliminate advertising (adblockplus.org)
  - Keep plugins up to date: Java, Flash Player, Adobe Reader
- Firewalls and routers
- Lock down computer internet access

Secure Email
- Encrypted email
  - Protects NPPI
  - Sarbanes-Oxley requirement
  - Lender requirement
  - “Best Practices”
- Easy, affordable first step

Who else is reading your email?
“These pictures were taken in 1975, and kept in a folder in my attic for 38 years. In April 2013, I scanned the pictures and emailed them to a friend in Florida. They were ‘on the web 5 days later’!”

Latest scam: “Revised wire instructions”

Nothing to be Learned: there is nothing to be learned from the second kick of the mule!

The Importance of Data Security: Understanding the Threat
Rick Diamond, SVP, I.T. Director, WFG

Major Data Breaches: are you next?

Pillar #3 Data Security Questions
- Do you have a clean desk policy?
- Are you shredding sensitive documents?
- If using a shredding service, are the documents secured before shredding?
- Does your scanning solution have levels of security to limit access?
- Are files locked and secured?

Are you Protecting your Data and Yourself?
- Do you conduct background checks of employees?
- Are devices password protected with limited access? Are they locked down at night?
- Are your servers secure with limited access?
- Do you destroy old hard drives of computers and copiers?
- Are mobile devices secure, and can they be remotely wiped clean?

Still Think you are Protecting your Data?
- How are paper files secured when they leave the office or travel with couriers?
- Do you have oversight of 4th-party service providers to be sure they secure NPI?
- Do you have secured points of entry to your office and work areas with individual access codes or key access?

Is there no end?
- Do you control the use of removable devices like flash drives?
- Do you utilize strong passwords?
- Do you have Disaster Management and Business Continuity Plans?
- Do you have audit procedures to ensure that staff comply with security measures and procedures?

Are We Done Yet!
- Are e-mail and attachments encrypted?
- Is your data at rest encrypted?
- Are personal e-mail accounts restricted?
- Do you have training for employees about protection of NPI?
- Do you have guidelines and controls for use of company technology that has access to NPI?

Recap
- Understand the new rules
- Create a culture of compliance
- Partner with WFG for guidance, solutions and support

This is What Happens When You Don’t Protect Your Data
“Lawyer who clicked on attachment loses $289K in hacker scam” (malware scam)

WFG Compliance Management System (“CMS”): http://www.wfgagent.com/compliance
WFG Trusted Partners: https://wfgagent.com/trusted-partners/

