The following two-part blog by PYA’s Gene McCullough appeared in the 2016 fall issue of Tennessee Land Title Times.
In my job, I have the privilege of speaking with title and settlement agents from across the nation. At some point during our conversations, those agents who have just been certified as compliant with ALTA’s Best Practices will usually voice something similar to the following:
“I recently upgraded my server, and each of my office computers, to install new firewalls and anti-malware programs in an effort to achieve a higher level of secure software. All are encrypted with complex passwords which are changed every 60 days. Whenever I send a fax or email, I use encryption. I have installed new locks and familiarized my employees with newly established policies and procedures to prevent unauthorized access to my clients’ personal information. Isn’t that enough to prevent a breach?”
The short answer is, “No, all the steps you have taken are, at best, designed to minimize the potential for a breach, but there is nothing that you can do to prevent a breach.”
The steps you take in complying with the ALTA Best Practices Framework all are professionally responsible steps, but in today’s world, those actions are just the minimally required steps to take when handling the data of other parties. While you might have spent “a great deal of money” and devoted a “substantial amount of time and effort” in implementing adequate security controls, those costs and efforts may pale in comparison to those of other companies that ultimately have found themselves subject to a data breach. For example, the Federal Government’s Office of Personnel Management, which handles millions of federal applicants’ sensitive information, recently announced that it was hacked, and background investigation databases affecting 21.5 million individuals were stolen. Even those who provide direct supervision of title agents are not immune – see the June 10, 2016, breach notification issued by the Virginia State Corporation Commission (providing oversight to insurance companies and agents) in which it acknowledged that access to “names and social security or driver’s license information of these former [insurance] licensees” had been improperly accessed by one of its contractors.
When you consider the financial resources and time that federal and state agencies have invested in data security and realize that such efforts were not sufficient to prevent a breach, you must acknowledge that your efforts are far less stringent and leave your company far more vulnerable to even the most unsophisticated hacking attempts. Because of the data-intensive business in which you work, and the amount of money you handle daily, there is a real probability that over the next 5-10 years, your data will be hacked as a result of a security breach.
This blog is designed to assist you in planning for a potential data breach. Identifying your legal post-breach obligations and the reputational and financial losses you will likely sustain may reinforce the necessity of continued daily vigilance to ensure the steps you have put in place are meticulously followed.
Before going further, I make a disclaimer that I am not providing legal advice, nor do I purport to act as a data-breach expert. I simply am trying to provide you, as a title professional, with some resources regarding issues you immediately must address if a breach has occurred. Hopefully by providing you with a link to a recent webinar, and some articles and materials published by those who have significant experience in this area, you can better fashion a game plan to contend with any future security breaches.
An extremely helpful resource is an April 13, 2016, webinar produced by ALTA, “Life Cycle of a Data Breach: Know What You Need to Do.” In the webinar, Matthew Froning, of Security Compliance Associates, and Christopher Gulotta, with Real Estate Data Shield, provide a concise description of the statutes, regulations, and regulatory guidance letters which describe your obligation to protect your customers’ non-public personal information (NPI). But more importantly, they document a clear trend in data breach law. They discuss the passage of new state legislation, and recent amendments to currently existing legislation, that reveal that your obligations in the event of a breach are increasing every year. The breach notification time frames are becoming smaller, requirements to utilize specific forms and processes are increasing, and long-standing safe harbor exemptions are disappearing. Froning and Gulotta provide clear, practical tips for developing your data breach incident response plan and recommendations for the types of companies you should hire to ensure your post-breach obligations are satisfied. After watching this webinar, you should conclude that your best strategy is to have high-level security and NPI-protection procedures in place to direct the hackers’ attention elsewhere, but understand that you will remain vulnerable to a security breach. Just as in the event of a fire, knowing where the exits are located can save your life. In the event of a data breach, which is probably more likely than a fire, you must have a response plan in place ahead of the breach, along with the phone numbers of those companies with the skills necessary to implement that plan. You simply do not have the luxury of investigating what you need to do after the breach occurs.
The advice given by Gulotta and Froning is reaffirmed in another helpful article entitled, “Data Breach Experts Share the Most Important Next Step You Should Take After a Data Breach in 2014 – 2015 & Beyond,” updated as of May 18, 2016. This article provides insight from 30 different data security experts who were asked the same question, “What is the first step you need to take in the event a breach occurs?” Each expert consistently advises you to react immediately by taking a set of steps as required under applicable state and federal regulations. Unfortunately, the “applicable” law or regulation will depend on where you are located and the location of the individuals who have been affected by the data breach. Most title companies deal with customers who are located in states other than those of their offices, compelling them to comply with not only the requirements of their state, but also with those in states where their customers live. This could mean you have to comply with the obligations of dozens of different states.
In my next blog, I will provide you with references to each state statute and the applicable federal statutes and regulations that you will need to research to determine, under a particular state law, whether a “breach” has occurred, and point you toward the appropriate resources to determine the specifics of your post-breach action plan.
WHATCHA GONNA DO WHEN A DATA BREACH HAPPENS TO YOU? — Part 2 — Which Law Applies?
In today’s blog, we’ll continue to take a look at what constitutes a “data breach” and what your obligations are under the applicable law.
If someone breaks through a locked office door and steals a server or a stack of closing files, most would agree such an event probably would meet the definition of a data breach, when non-public personal information (NPI) is accessed via fraudulent means. However, has a breach occurred if you lose a phone or laptop? Believe it or not, these latter two events happen far more often than the “break-in-and-steal” events. Does the law require you to issue a data breach notification when you misplace your phone or laptop? Does it make any difference if the phone required a passcode or if the laptop was encrypted?
Frustratingly, “it depends.” That’s because your obligations are almost never governed solely by the law of a single state. In many cases, your obligations also may be determined by various federal laws. Your ultimate obligations only can be determined after a careful appraisal of (1) the laws in the state where you reside, (2) the laws in the states where each of your affected customers live, and (3) depending on your type of business, the federal laws and regulations such as those imposed by the Gramm-Leach-Bliley Act (GLBA) and regulated by the Consumer Financial Protection Bureau (CFPB) and Federal Trade Commission (FTC).
Remarkably, the same event (lost phone/laptop, hacking attempt, etc.) may be deemed a data breach in some states, but not in others. Therefore, knowing which law applies is a critical first step in determining your obligations, as one type of event can result in different obligations depending on the state in which it occurred.
Which state laws may apply
In 2014, the Clausen Miller, PC, law firm compiled a list of individual state data breach laws. Another law firm, Baker Hostetler, also has published a state-by-state data breach law listing in a slightly different format. These online compilations can be excellent resources, but care must be taken to verify the cited statutes have not been recently modified. These resources provide valuable insight into state-mandated procedures and customer notification obligations that can be imposed in the event of an NPI-related incident.
As you assess these state law compilations, you will find that most states have specific, and often similar, definitions of what constitutes a data breach. A recent article indicated that until recently, 41 states agreed that the loss or unauthorized access of a device containing encrypted data would not constitute a data breach, and therefore no customer notifications would be required. This commonly is referred to as an “encrypted data safe harbor” statute.
As a result, at the state level, there is widespread consensus that encryption of your devices is the best available preventive tool, and implementing that process should be sufficient to eliminate the need for customer notification obligations. However, at least one state recently has eliminated this well-established safe harbor. As of July 1, 2016, Tennessee amended T. C. A. § 47-18-2101, et seq. This recent amendment provides that customer notification obligations are triggered when a Tennessean’s NPI is lost or improperly accessed, even if the compromised data was encrypted. While Tennessee may be the first state to eliminate the “encrypted data safe harbor,” as we will discuss later, federal laws and regulations have never reduced your obligations just because the device containing your data was encrypted.
Of equal significance, this Tennessee amendment also changes the definition of “unauthorized person” in a way that varies significantly from most other states. According to the newly amended Tennessee law, the term “unauthorized person” now includes “an employee of the information holder who is discovered by the information holder to have obtained personal information and intentionally used it for an unlawful purpose.” As such, a data breach under Tennessee law will have occurred, and customer notification obligations are triggered, if someone inside your firm accesses customer NPI for “unlawful” purposes. The significance of these changes is further discussed in an excellent blog by Baker Hostetler entitled, “Tennessee Revamps Its State Data Breach Notification Statute.”
As a result, determining the applicable state law requirements entails initial analysis of your state’s laws, immediately followed by an analysis of your customers’ states of residence. Once a customer’s residence is established, you will need to read and follow the state law associated with that residence. For an active title agency, handling transactions for buyers and sellers nationwide, this approach may force you to read and comply with dozens of state laws.
Consider whether you are exempt in particular state statutes
In reading those applicable state laws, you need to check for any provision that exempts your company from compliance with the specifics of that particular state law. For example, some states, like Tennessee, provide that the statute defining the notice obligations “does not apply to any person or entity subject to Title V of the Gramm-Leach-Bliley Act of 1999.” If you run a shoe repair company or other entity not governed by GLBA, this provision would not have any impact on your state-mandated obligations. However, if you are a title and/or settlement agency, which GLBA defines as a “financial institution,” this type of provision may exempt you from the specific customer notification obligations requirement under state laws that contain such a provision. In that case, a title/settlement agency then must look at the federal laws and regulations to determine what course of action to employ.
Obligations arising under federal laws and regulations
There is a clear argument that title and settlement agencies always are covered by the obligations imposed under various federal laws. GLBA, codified at 15 U.S.C. § 6801 et seq., is an all-encompassing piece of federal legislation passed in 1999 that imposes strict obligations on financial institutions to protect the NPI of their customers and consumers. By definition, title and settlement agents are deemed to be financial institutions and therefore subject to those same obligations and penalties for breach thereof. Additionally, Section 5 of the FTC Act, 15 U.S.C. § 45, grants the FTC power to investigate and prevent deceptive trade practices and deems it the primary government enforcement agency with powers to impose penalties for financial institution data breaches. For that reason, the federal definition of a data breach must be considered.
The FTC defines a data breach as “any unauthorized acquisition of computerized data that compromises the security, confidentiality, or integrity of personal information maintained by a person or business.” GLBA has a similar, but slightly different, definition: “Any unauthorized disclosure of personally identifiable financial information that was given by a consumer to a financial institution resulting from any transaction with the consumer or any service performed for the consumer or otherwise obtained by the financial institution.” Note that neither of these definitions provides any safe harbor for the loss of data that has been encrypted. So, if you determine that your customer notification obligations are governed by adherence to federal laws, although encryption is highly recommended as a defense to unauthorized access, it will not lessen your notification obligations if a device is lost, stolen, or compromised.
Window for compliance once a breach occurs
Once you have determined which law(s) apply, you then have the obligation to dig deeper and identify the specific steps you must take. It is recommended that you have access to the laws that apply to your organization to expedite your ability to react timely. Failing to act within the specific time frame could subject you to significant fines and penalties. While most statutes describe the time frames for your next actions in general terms, such as “without reasonable delay,” other states have specific timing deadlines to which you must adhere. Tennessee, Ohio, Rhode Island, Vermont, Washington, and Wisconsin require that notices be given in 45 days. Other states require even shorter deadlines (Florida’s is 30 days), while Connecticut currently has a 90-day deadline. This may seem like a workable time period, but there are numerous actions that must be taken within this period, and acting promptly will minimize your eventual financial and reputational losses.
Do you find all this overwhelmingly confusing? While a complicated subject, it is essential to understand to prepare yourself for the possibility of a data breach. Hopefully, by realizing the complexity inherent in developing a post-breach plan of action, you will be even more focused on the importance of taking every step necessary to avoid a data breach event.
In case you missed the earlier blog on this topic, I once again urge you to read a helpful article entitled, “Data Breach Experts Share the Most Important Next Step You Should Take After a Data Breach in 2014 – 2015 & Beyond,” updated as of May 18, 2016. This article provides insight from 30 data security experts who were asked the same question, “What is the first step you need to take in the event a breach occurs?” Each expert consistently advises you to react immediately by taking a set of steps as required under applicable state and federal regulations