ALTA’s Newest Tool: The Best Practices Maturity Model

Recently, the American Land Title Association (ALTA) prepared and published a new tool, the Best Practices Maturity Model Index (Maturity Model), to assist title companies and settlement agencies with benchmarking their compliance with the ALTA Best Practices Framework (Best Practices).

Historically, maturity models demonstrate an organization’s progress toward a specific goal by identifying areas that need improvement.  At the most basic level, ALTA’s Maturity Model is a way to identify and document an organization’s progression toward full compliance with ALTA Best Practices.  This model uses five different “Benchmark Compliance Levels” ranging from Ad Hoc (no established policies and procedures) to Optimized (fully compliant with Best Practices).  As each element of the Best Practices Framework is outlined on the vertical axis, an explanation of the standard to be met to attain a Benchmark Compliance Level is included on the horizontal axis.  By matching the organization’s level of compliance with a Best Practices Framework element to the applicable explanation, the organization can determine how close it is to being Optimized.

When using the Maturity Model, it is the responsibility of the organization to establish its level of readiness and compliance with Best Practices.  The Maturity Model prompts title companies and settlement agencies to examine their organization’s implementation of Best Practices policies and procedures to determine their level of compliance.  Once completed, the Maturity Model displays the results in a dashboard format, indicating which areas need improvement and which areas are fully optimized.  For organizations with a compliance officer, this dashboard is an effective tool for updating the leadership team on the organization’s compliance with Best Practices.

Completing the Maturity Model can help identify the next steps (if any) the organization may need to take to fully comply with Best Practices, as well as prepare the organization for a third-party assessment.  The Maturity Model also can be used to help an organization maintain compliance after a third-party assessment.  It is important to note that the Maturity Model serves as an internal resource and is not intended to be provided to financial institutions to demonstrate compliance.  Organizations should inquire of the lenders for whom they provide services to determine the type of compliance assessment the lender prefers.

The development of the Maturity Model indicates ALTA’s continued focus on Best Practices.  ALTA understands the importance of demonstrating regulatory compliance and securing consumer information.  Title companies and settlement agents benefit from staying abreast of Best Practices as they seek to protect their clients’ sensitive information while simultaneously mitigating their business risk.  If agents are uncertain where to begin in assessing their organization’s level of Best Practices compliance, the Maturity Model is a good starting point.

If you would like more information about ALTA’s Maturity Model or Best Practices compliance and implementation, contact one of our executives below, (800) 270-9629.

Whatcha Gonna Do, Whatcha Gonna Do, Whatcha Gonna Do When a Data Breach Happens to You?

The following two-part blog by PYA’s Gene McCullough appeared in the 2016 fall issue of Tennessee Land Title Times.

In my job, I have the privilege of speaking with title and settlement agents from across the nation.  At some point during our conversations, those agents who have just been certified as compliant with ALTA’s Best Practices will usually voice something similar to the following:

“I recently upgraded my server, and each of my office computers, to install new firewalls and anti-malware programs in an effort to achieve a higher level of secure software. All are encrypted with complex passwords which are changed every 60 days. Whenever I send a fax or email, I use encryption. I have installed new locks and familiarized my employees with newly established policies and procedures to prevent unauthorized access to my clients’ personal information. Isn’t that enough to prevent a breach?”

The short answer is, “No, all the steps you have taken are, at best, designed to minimize the potential for a breach, but there is nothing that you can do to prevent a breach.”

The steps you take in complying with the ALTA Best Practices Framework all are professionally responsible steps, but in today’s world, those actions are just the minimally required steps to take when handling the data of other parties.  While you might have spent “a great deal of money” and devoted a “substantial amount of time and effort” in implementing adequate security controls, those costs and efforts may pale in comparison to those of other companies that ultimately have found themselves subject to a data breach.  For example, the Federal Government’s Office of Personnel Management, which handles millions of federal applicants’ sensitive information, recently announced that it was hacked, and background investigation databases affecting 21.5 million individuals were stolen.  Even those who provide direct supervision of title agents are not immune – see the June 10, 2016, breach notification issued by the Virginia State Corporation Commission (providing oversight to insurance companies and agents) in which it acknowledged that access to “names and social security or driver’s license information of these former [insurance] licensees” had been improperly accessed by one of its contractors.

When you consider the financial resources and time that federal and state agencies have invested in data security and realize that such efforts were not sufficient to prevent a breach, you must acknowledge that your efforts are far less stringent and leave your company far more vulnerable to even the most unsophisticated hacking attempts.  Because of the data-intensive business in which you work, and the amount of money you handle daily, there is a real probability that over the next 5-10 years your data will be compromised in a security breach.

This blog is designed to assist you in planning for a potential data breach. Identifying your legal post-breach obligations and the reputational and financial losses you will likely sustain may reinforce the necessity of continued daily vigilance to ensure the steps you have put in place are meticulously followed.

Before going further, I make a disclaimer that I am not providing legal advice, nor do I purport to act as a data-breach expert.  I simply am trying to provide you, as a title professional, with some resources regarding issues you immediately must address if a breach has occurred.  Hopefully by providing you with a link to a recent webinar, and some articles and materials published by those who have significant experience in this area, you can better fashion a game plan to contend with any future security breaches.

An extremely helpful resource is an April 13, 2016, webinar produced by ALTA, “Life Cycle of a Data Breach: Know What You Need to Do.”  In the webinar, Matthew Froning, of Security Compliance Associates, and Christopher Gulotta, with Real Estate Data Shield, provide a concise description of the statutes, regulations, and regulatory guidance letters which describe your obligation to protect your customers’ non-public personal information (NPI).  But more importantly, they document a clear trend in data breach law.  They discuss the passage of new state legislation, and recent amendments to currently existing legislation, that reveal that your obligations in the event of a breach are increasing every year.  The breach notification time frames are becoming smaller, requirements to utilize specific forms and processes are increasing, and long-standing safe harbor exemptions are disappearing.  Froning and Gulotta provide clear, practical tips for developing your data breach incident response plan and recommendations for the types of companies you should hire to ensure your post-breach obligations are satisfied.  After watching this webinar, you should conclude that your best strategy is to have high-level security and NPI-protection procedures in place to direct the hackers’ attention elsewhere, but understand that you will remain vulnerable to a security breach.  Just as in the event of a fire, knowing where the exits are located can save your life.  In the event of a data breach, which is probably more likely than a fire, you must have a response plan in place ahead of the breach, along with the phone numbers of those companies with the skills necessary to implement that plan.  You simply do not have the luxury of investigating what you need to do after the breach occurs.

The advice given by Gulotta and Froning is reaffirmed in another helpful article entitled, “Data Breach Experts Share the Most Important Next Step You Should Take After a Data Breach in 2014 – 2015 & Beyond,” updated as of May 18, 2016.  This article provides insight from 30 different data security experts who were asked the same question, “What is the first step you need to take in the event a breach occurs?”  Each expert consistently advises you to react immediately by taking a set of steps as required under applicable state and federal regulations.  Unfortunately, the “applicable” law or regulation will depend on where you are located and the location of the individuals who have been affected by the data breach.  Most title companies deal with customers who are located in states other than those of their offices, compelling them to comply with not only the requirements of their state, but also with those in states where their customers live.  This could mean you have to comply with the obligations of dozens of different states.

In my next blog, I will provide you with references to each state statute and the applicable federal statutes and regulations that you will need to research to determine, under a particular state law, whether a “breach” has occurred, and point you toward the appropriate resources to determine the specifics of your post-breach action plan.

WHATCHA GONNA DO WHEN A DATA BREACH HAPPENS TO YOU? — Part 2 — Which Law Applies?

In today’s blog, we’ll continue to take a look at what constitutes a “data breach” and what your obligations are under the applicable law.

The breach

If someone breaks through a locked office door and steals a server or a stack of closing files, most would agree such an event probably would meet the definition of a data breach, when non-public personal information (NPI) is accessed via fraudulent means.  However, has a breach occurred if you lose a phone or laptop?  Believe it or not, these latter two events happen far more often than the “break-in-and-steal” events.  Does the law require you to issue a data breach notification when you misplace your phone or laptop?  Does it make any difference if the phone required a passcode or if the laptop was encrypted?

Frustratingly, “it depends.”  That’s because your obligations are almost never governed solely by the law of a single state.  In many cases, your obligations also may be determined by various federal laws.  Your ultimate obligations only can be determined after a careful appraisal of (1) the laws in the state where you reside, (2) the laws in the states where each of your affected customers live, and (3) depending on your type of business, the federal laws and regulations such as those imposed by the Gramm-Leach-Bliley Act (GLBA) and regulated by the Consumer Financial Protection Bureau (CFPB) and Federal Trade Commission (FTC).

Remarkably, the same event (lost phone/laptop, hacking attempt, etc.) may be deemed a data breach in some states, but not in others.  Therefore, knowing which law applies is a critical first step in determining your obligations, as one type of event can result in different obligations depending on the state in which it occurred.

Which state laws may apply

In 2014, the Clausen Miller, PC, law firm compiled a list of individual state data breach laws.  Another law firm, Baker Hostetler, also has published a state-by-state data breach law listing in a slightly different format.  These online compilations can be excellent resources, but care must be taken to verify the cited statutes have not been recently modified.  These resources provide valuable insight into state-mandated procedures and customer notification obligations that can be imposed in the event of an NPI-related incident.

As you assess these state law compilations, you will find that most states have specific, and often similar, definitions of what constitutes a data breach. A recent article indicated that until recently, 41 states agreed that the loss or unauthorized access of a device containing encrypted data would not constitute a data breach, and therefore no customer notifications would be required.  This commonly is referred to as an “encrypted data safe harbor” statute.

As a result, at the state level, there is widespread consensus that encryption of your devices is the best available preventive tool, and implementing that process should be sufficient to eliminate the need for customer notification obligations.  However, at least one state recently has eliminated this well-established safe harbor.  As of July 1, 2016, Tennessee amended T. C. A. § 47-18-2101, et seq.  This recent amendment provides that customer notification obligations are triggered when a Tennessean’s NPI is lost or improperly accessed, even if the compromised data was encrypted.  While Tennessee may be the first state to eliminate the “encrypted data safe harbor,” as we will discuss later, federal laws and regulations have never reduced your obligations just because the device containing your data was encrypted.

Of equal significance, this Tennessee amendment also changes the definition of “unauthorized person” in a way that varies significantly from most other states.  According to the newly amended Tennessee law, the term “unauthorized person” now includes “an employee of the information holder who is discovered by the information holder to have obtained personal information and intentionally used it for an unlawful purpose.”  As such, a data breach under Tennessee law will have occurred, and customer notification obligations are triggered, if someone inside your firm accesses customer NPI for “unlawful” purposes.  The significance of these changes is further discussed in an excellent blog by Baker Hostetler entitled, “Tennessee Revamps Its State Data Breach Notification Statute.”

As a result, determining the applicable state law requirements entails initial analysis of your state’s laws, immediately followed by an analysis of your customers’ states of residence.  Once a customer’s residence is established, you will need to read and follow the state law associated with that residence.  For an active title agency, handling transactions for buyers and sellers nationwide, this approach may force you to read and comply with dozens of state laws.

Consider whether you are exempt in particular state statutes

In reading those applicable state laws, you need to check for any provision that exempts your company from compliance with the specifics of that particular state law.  For example, some states, like Tennessee, provide that the statute defining the notice obligations “does not apply to any person or entity subject to Title V of the Gramm-Leach-Bliley Act of 1999.”  If you run a shoe repair company or other entity not governed by GLBA, this provision would not have any impact on your state-mandated obligations.  However, if you are a title and/or settlement agency, which GLBA defines as a “financial institution,” this type of provision may exempt you from the specific customer notification obligations requirement under state laws that contain such a provision.  In that case, a title/settlement agency then must look at the federal laws and regulations to determine what course of action to employ.

Obligations arising under federal laws and regulations

There is a clear argument that title and settlement agencies always are covered by the obligations imposed under various federal laws.  GLBA, codified at 15 U.S.C. § 6801 et seq., is an all-encompassing piece of federal legislation passed in 1999 that imposes strict obligations on financial institutions to protect the NPI of their customers and consumers.  By definition, title and settlement agents are deemed to be financial institutions and therefore subject to those same obligations and penalties for breach thereof.  Additionally, Section 5 of the FTC Act, 15 U.S.C. § 45, grants the FTC power to investigate and prevent deceptive trade practices and deems it the primary government enforcement agency with powers to impose penalties for financial institution data breaches.  For that reason, the federal definition of a data breach must be considered.

The FTC defines a data breach as “any unauthorized acquisition of computerized data that compromises the security, confidentiality, or integrity of personal information maintained by a person or business.” GLBA has a similar, but slightly different, definition: “Any unauthorized disclosure of personally identifiable financial information that was given by a consumer to a financial institution resulting from any transaction with the consumer or any service performed for the consumer or otherwise obtained by the financial institution.” Note that neither of these definitions provides any safe harbor for the loss of data that has been encrypted.  So, if you determine that your customer notification obligations are governed by adherence to federal laws, although encryption is highly recommended as a defense to unauthorized access, it will not lessen your notification obligations if a device is lost, stolen, or compromised.

Window for compliance once a breach occurs

Once you have determined which law(s) apply, you then have the obligation to dig deeper and identify the specific steps you must take.  It is recommended that you have ready access to the laws that apply to your organization so that you can react in a timely manner.  Failing to act within the specific time frame could subject you to significant fines and penalties.  While most statutes describe the time frames for your next actions in general terms, such as “without reasonable delay,” other states have specific timing deadlines to which you must adhere.  Tennessee, Ohio, Rhode Island, Vermont, Washington, and Wisconsin require that notices be given in 45 days.  Other states require even shorter deadlines (Florida’s is 30 days), while Connecticut currently has a 90-day deadline.  This may seem like a workable time period, but there are numerous actions that must be taken within this period, and acting promptly will minimize your eventual financial and reputational losses.

Do you find all this overwhelmingly confusing?  While a complicated subject, it is essential to understand to prepare yourself for the possibility of a data breach.  Hopefully, by realizing the complexity inherent in developing a post-breach plan of action, you will be even more focused on the importance of taking every step necessary to avoid a data breach event.

In case you missed the earlier blog on this topic, I once again urge you to read a helpful article entitled, “Data Breach Experts Share the Most Important Next Step You Should Take After a Data Breach in 2014 – 2015 & Beyond,” updated as of May 18, 2016.  This article provides insight from 30 data security experts who were asked the same question, “What is the first step you need to take in the event a breach occurs?”  Each expert consistently advises you to react immediately by taking a set of steps as required under applicable state and federal regulations.

Riding the Wave of Compliance—Surfing Your Way Through Changes to ALTA Best Practices

The following article by Sarah Hauge, Staff Consultant in the ALTA Best Practices Services Group for PYA, appeared in the 2016 fall issue of Tennessee Land Title Times.

Within the turbulent sea of regulatory changes affecting the title industry in recent years, the American Land Title Association (ALTA) announced in June 2016 proposed language and procedural changes to the current ALTA Best Practices Framework (v2.0) (Best Practices) and Assessment Procedures (v2.1) (Assessment Procedures).  This new information may have left some title companies feeling unsteady in their compliance with Best Practices. Those wishing to meet these updated compliance standards must regain their balance and ride out these new waves of change.  An awareness of these changes prior to their finalization in early October 2016 can help your company navigate these uncertain waters and safely make it to shore.

Understanding ALTA’s Process for Adopting Changes

Prior to adopting changes to the Best Practices and Assessment Procedures, ALTA first received Board of Governance approval, announced the proposed changes, and then held a comment period (through July 29, 2016) to solicit input from members.  As of this announcement and according to ALTA’s website, comments and feedback are now under consideration.  Once feedback is reviewed, ALTA plans to implement the changes prior to the expected effective date of October 7, 2016.  We believe that most of the changes to Best Practices and the Assessment Procedures clarify language in the earlier versions and that ALTA’s finalized updates will include many of the proposed modifications after the comment period.  Therefore, industry professionals should start developing a plan that addresses any potential impact to their businesses.

Basis for the Changes

The proposed changes were based, in part, on the insights and feedback from title and settlement companies who went through the process of implementing Best Practices and obtaining independent third-party certification for their organizations.  During that process, some unclear or confusing Best Practices verbiage, as well as other areas that needed improvement, began to emerge.  In this article, we will examine some of the proposed updates involving simple word modifications that clarify the understanding of Best Practices intent, and we also will address a few of the more substantial changes that could affect your current business operations.

Key Changes

Pillar 2

For Pillar 2, ALTA updated the language regarding Automated Clearing House (ACH) debit blocks and international wires to state that companies should utilize Positive Pay or Reverse Positive Pay, if available in the local market, and prohibit or control the use of ACH and international wire transfers.  This change allows the use of ACH and international wire transfers, if necessary for the performance of business (hence, greater flexibility for the agent), but emphasizes that they must be controlled (hence, greater protection for the customer).  ALTA also proposed new verbiage to clarify that “reconciliations, bank statements and supporting documentation can be provided electronically to the Company’s contracted underwriters upon request.”  This wording clarifies the previous language that says documents must be accessible electronically, which was always a point of confusion for agents.  For the review timeline, ALTA changed “days” to “business days” for banking items such as deposits in transit, outstanding checks, file shortages, and the selection of daily reconciliations for testing.

Pillar 3

One of the changes within Pillar 3 answers the question about how to treat documentation that contains non-public personal information (NPI).  The updated language now clarifies that title companies must establish a time frame for retaining and disposing of records containing NPI.  In even more detail, the new language proposes that “Assessment Procedures should be applied as appropriate to the Company’s size and complexity, the nature and scope of the Company’s activities, and the sensitivity of the customer information the Company handles.”  Another significant change to Pillar 3 is the proposed addition that companies will need to routinely test their established disaster management plan and document the results.  Also, another change allows for the use of encryption or an alternative secure delivery method for transmitting NPI.  And, going forward, rather than simply restricting the use of removable media, ALTA would allow the controlled use of such devices (USB ports, CD/DVD writable drives, etc.).

Pillar 4

In Pillar 4, due diligence of third-party companies, specifically third-party signing professionals, receives more attention.  Previously, vendor due diligence was solely covered in Pillar 3.  Now, third-party signing professionals are mentioned in Pillar 4 along with language that highlights a combination of legal and contractual obligations.  Notary due diligence includes, but is not limited to, proof(s) of insurance, applicable industry verifications, and state licensures.  There is an exception to this rule for third-party signing professionals who are directly employed by a Best-Practices-compliant title or settlement agent or an underwriter.  In this case, the third-party signing professional already has been assessed by the certified title company or underwriter, and therefore due diligence previously has been established.

Pillar 5

The biggest wave of change to Pillar 5 is that it now stipulates a 45-day remittance period to the underwriter instead of a range of 30 to 60 days, depending on when the settlement occurred during the month.  This means title or settlement agents will have a firm time frame for reporting titles and sending in payments.  Title companies should be aware that this potentially could affect contractual obligations and invoicing processes between agents and underwriters.

Finding Your Balance

ALTA’s proposed changes demonstrate a continued focus on Best Practices as a compliance solution for title and settlement companies.  The Best Practices updates convey ALTA’s commitment to compliance and the security of consumer information.  Remaining up-to-date on Best Practices and the proposed changes is key to providing lenders with assurance that you are in compliance with them.  Furthermore, title and settlement agents should review ALTA’s proposed changes in depth to identify the potential impact on business practices.  The challenging part, just like learning to surf, is finding your balance.  Once you are up, you can ride out the wave.  More information on the changes to the Best Practices Framework and Assessment Procedures can be found on ALTA’s website at www.alta.org.

PYA Executives Provide Insight on Succession Planning and Effective Marketing at ALTA Convention

PYA Senior Manager Mark Brumbelow will present “Transitioning Within a New Market” at the American Land Title Association’s (ALTA) 2016 Annual Convention, October 4-7, 2016, at the Fairmont Scottsdale Princess in Scottsdale, Arizona.

The presentation will provide insight into proper succession planning, as title or settlement agents contemplate retirement or an exit strategy. It will analyze various ownership transition options available to business owners as they consider retirement, expansion, or ownership succession.  Attendees will learn about:

  • The common components of every succession plan.
  • The importance of identifying and developing the right team members to step into leadership roles and how to expand the candidate pool, if necessary.
  • The role family dynamics play in the success or failure of a succession plan.
  • The impact taxes have on a succession plan and ways to get the best tax treatment for your particular situation.

Debra Gentry, Director of ALTA Best Practices Group at PYA, also will present “Compliance Is One of the Best Ways to Market Your Business.” Her presentation will cover:

  • The use of the compliance “seal of approval” when promoting title services to the marketplace.
  • The role of social media.
  • Radio/TV advertisement.
  • Other industry relationships that may be used to promote your services.

If you are unable to attend the ALTA Annual Convention, but would like more information about succession planning or capitalizing on compliance to grow your business, contact one of our executives.