Every state in the nation has a unique set of steps with which businesses must comply to provide notification when a hacker has gained unauthorized access to data via a breach of a network and/or email account. But a new set of statutes will focus on what a title agent is required to do even before a breach occurs, by mandating procedures designed to minimize the chances that a client’s nonpublic personal information (NPI) will be subjected to a successful attack.
This is the first in a series of blogs designed to outline specific steps title agents should immediately take to prepare for the inevitable adoption of similar legislation likely to be passed in their states.
The most recent example of pre-breach legislation is South Carolina’s Insurance Data Protection Act, signed into law in early May 2018. This statute is virtually identical to the NAIC Model Cybersecurity Act recently adopted by the National Association of Insurance Commissioners. The NAIC act closely parallels the comprehensive, and first-in-the-nation, New York Department of Financial Services (DFS) Cybersecurity Requirements for Financial Services Companies regulation that took effect March 1, 2017. The practices mandated by both the NAIC and New York laws track what are widely regarded as best practices in the information security community. For that reason, as all states seek future legislative solutions to curb cyberattack threats, they are likely to adopt laws similar to these.
In addition, the South Carolina law makes it clear that cybersecurity is no longer an issue that solely falls on the shoulders of the IT department or outsourced IT service provider. This legislation mandates that a firm’s senior management must be actively involved in the development of an “information security program.” It further requires management to closely supervise its staff to ensure the written program is consistently employed and constantly modified to address new threats and any identified shortcomings in the current plan’s implementation.
But the South Carolina law is not only about security before a breach. It also imposes new timelines and reporting requirements once one has determined that a “cybersecurity event” has been sustained. If a breach does occur, one must provide the Department of Insurance 13 statutorily mandated details surrounding each cyber event within 72 hours, in addition to notifying affected clients whose data has been compromised.
Once this type of law is passed, cybersecurity moves beyond mere “recommendations” from underwriters, clients, and land title associations. All of these new requirements are dictated directly by the Department of Insurance, an entity that can revoke your license if you do not comply. It is vital that you ensure that the third-party service providers you utilize document their compliance with the same high security standards. When weighing title and settlement agent complaints about the difficulty of compliance against the insurance consumer’s reasonable expectation of privacy, it’s likely the Department of Insurance will side with the consumer. Failure to comply likely will result in your inability to handle insurance transactions.
Compliance with the required steps involves processes and actions foreign to most title agents. One must perform risk assessments and system vulnerability assessments and develop information security plans that include incident response plans and disaster recovery plans. Once your plans are developed, you will be required to conduct gap analyses that will lead to remediation plans. Behind each of these terms exists a set of specific requirements and processes that should be employed. Your ultimate compliance will likely require securing the assistance of a third party with an in-depth knowledge of both cybersecurity compliance and title and settlement business operations.
If you are a South Carolina title agent, you should begin taking these steps immediately, because the South Carolina Insurance Data Security Act is now the law with which you must comply. The clock is already ticking toward upcoming compliance deadlines.
PYA has years of experience in helping title and settlement agents meet the evolving demands of lenders and regulators to protect client NPI. PYA is the market leader in providing these unique services to the title community. Let us know if we can help.