The following article was distributed to members of the Tennessee Land Title Association.
You may be familiar with one of Under Armour’s slogans, “Protect This House.” Back when the sportswear company launched, it aired commercials that aimed to evoke a passion for the product—using this slogan as its battle cry. I will admit: I bought what they were selling. For some reason, this slogan just really seems to fit better in the title and settlement industry. Come on, “Protect This House”–isn’t that what you do?
The Consumer Financial Protection Bureau (CFPB) is all about protecting consumers. With lenders’ increased accountability over third-party vendor relationships, settlement and title companies will need to be able to communicate to their lenders how they will protect consumers’ nonpublic personal information (NPI).
The protection of NPI is the main reason that the American Land Title Association (ALTA), the voice of the title industry, developed the Best Practices Framework. The majority of ALTA’s Best Practices fall under Pillar #3: Adopt and maintain a written privacy and information security program to protect non-public personal information as required by local, state, and federal law. Pillar #3 is by far the most challenging and costly pillar to implement, but the most important in the eyes of your lenders because it is all about protecting NPI.
Although there are multiple controls in Pillar #3 that should be addressed individually, the key controls are:
1. Develop a written privacy and information security policy and distribute to your employees.
2. Conduct background checks on all employees who have access to NPI.
3. Conduct third-party vendor background checks on vendors who have access to NPI. Monitor your vendors to ensure that they have the ability to safeguard NPI.
4. Maintain a clean desk policy or equivalent mitigating control.
5. Establish an NPI Security Risk Assessment that ranks risks including locations, systems, and methods used to store, process, transmit, and dispose of NPI.
6. Develop physical, logical, and network access controls.
7. Develop acceptable use of information technology and customer privacy procedures.
8. Develop and maintain a record retention and disposal policy based on securing NPI.
9. Develop a data breach reporting procedure that helps you monitor, investigate, and respond to data breach attacks/intrusions.
10. Develop and maintain a business continuity and disaster recovery plan to protect your critical business processes from the potential effects of failures or disasters.
Many title companies outsource their IT functions to a third party, but need to keep in mind that the overall responsibility still lies with the title company’s management. Management ultimately needs to be responsible and provide the appropriate oversight and guidance to their third parties so that the best practices are met.
ALTA’s Best Practices Task Force has released, for its members, the seventh and final “Assessment Readiness Guide” for Pillar #3. All seven guides are now available for members at http://www.alta.org/bestpractices/documents.cfm.
The guide for Pillar #3, which is divided into three parts like all of the preceding guides, addresses the privacy and information security program to protect NPI. Part 1 of the Pillar #3 guide requires you to document business and demographic information, including the use of any third parties’ services. Part 2 is the Self-Assessment, which is a questionnaire that asks you specific questions about adopting and maintaining written procedures and controls to protect NPI. Also included is expected testing that helps to ensure your company is in compliance with ALTA’s Best Practices. Part 3 includes an appendix with a template for documenting your policies and procedures.
ALTA’s challenge for its members to complete the implementation and self-assessment by the end of September 2014 has passed. You may ask, what is the benefit of implementing ALTA’s Best Practices and obtaining certification? Maybe it is to protect your customers’ NPI. Or perhaps it is to give your company a competitive advantage if it chooses to obtain an independent third-party certification before your competition does. Do not be caught off guard when your lenders start calling and asking for your certification.
Adopt and implement Pillar #3, so your company’s new slogan can be “Protect This NPI.”
If you have questions about ALTA Best Practices services or would like to request a speaker on this topic, contact Debra Gentry at (800) 270-9629.