In my job, I have the privilege of speaking with title and settlement agents from across the nation. At some point during our conversations, those agents who have just been certified as compliant with ALTA’s Best Practices will usually voice something similar to the following:
“I recently upgraded my server, and each of my office computers, to install new firewalls and anti-malware programs in an effort to achieve a higher level of secure software. All are encrypted with complex passwords which are changed every 60 days. Whenever I send a fax or email, I use encryption. I have installed new locks and familiarized my employees with newly established policies and procedures to prevent unauthorized access to my clients’ personal information. Isn’t that enough to prevent a breach?”
The short answer is, “No, all the steps you have taken are, at best, designed to minimize the potential for a breach, but there is nothing that you can do to prevent a breach.”
The steps you take in complying with the ALTA Best Practices Framework are all professionally responsible steps, but in today’s world, those actions are just the minimally required steps to take when handling the data of other parties. While you might have spent “a great deal of money” and devoted a “substantial amount of time and effort” to implementing adequate security controls, those costs and efforts may pale in comparison to those of other companies that ultimately have found themselves subject to a data breach. For example, the Federal Government’s Office of Personnel Management, which handles millions of federal applicants’ sensitive information, recently announced that it was hacked, and background investigation databases affecting 21.5 million individuals were stolen. Even those who provide direct supervision of title agents are not immune – see the June 10, 2016, breach notification issued by the Virginia State Corporation Commission (which provides oversight of insurance companies and agents), in which it acknowledged that “names and social security or driver’s license information of these former [insurance] licensees” had been improperly accessed by one of its contractors.
When you consider the financial resources and time that federal and state agencies have invested in data security, and realize that such efforts were not sufficient to prevent a breach, you must acknowledge that your efforts are far less stringent and leave your company far more vulnerable to even the most unsophisticated hacking attempts. Because of the data-intensive business in which you work, and the amount of money you handle daily, there is a real probability that over the next 5-10 years your data will be exposed in a security breach.
This blog is designed to assist you in planning for a potential data breach. Identifying your legal post-breach obligations and the reputational and financial losses you will likely sustain may reinforce the necessity of continued daily vigilance to ensure the steps you have put in place are meticulously followed.
Before going further, I make a disclaimer that I am not providing legal advice, nor do I purport to act as a data-breach expert. I simply am trying to provide you, as a title professional, with some resources regarding issues you immediately must address if a breach has occurred. Hopefully by providing you with a link to a recent webinar, and some articles and materials published by those who have significant experience in this area, you can better fashion a game plan to contend with any future security breaches.
An extremely helpful resource is an April 13, 2016, webinar produced by ALTA, “Life Cycle of a Data Breach: Know What You Need to Do.” In the webinar, Matthew Froning, of Security Compliance Associates, and Christopher Gulotta, with Real Estate Data Shield, provide a concise description of the statutes, regulations, and regulatory guidance letters that describe your obligation to protect your customers’ non-public personal information (NPI). More importantly, they document a clear trend in data breach law. They discuss the passage of new state legislation, and recent amendments to existing legislation, which reveal that your obligations in the event of a breach are increasing every year: breach notification time frames are becoming shorter, requirements to use specific forms and processes are increasing, and long-standing safe harbor exemptions are disappearing. Froning and Gulotta provide clear, practical tips for developing your data breach incident response plan and recommendations for the types of companies you should hire to ensure your post-breach obligations are satisfied. After watching this webinar, you should conclude that your best strategy is to have high-level security and NPI-protection procedures in place to direct the hackers’ attention elsewhere, while understanding that you will remain vulnerable to a security breach. Just as in the event of a fire, knowing where the exits are located can save your life. In the event of a data breach, which is probably more likely than a fire, you must have a response plan in place ahead of the breach, along with the phone numbers of those companies with the skills necessary to implement that plan. You simply do not have the luxury of investigating what you need to do after the breach occurs.
The advice given by Gulotta and Froning is reaffirmed in another helpful article entitled “Data Breach Experts Share the Most Important Next Step You Should Take After a Data Breach in 2014 – 2015 & Beyond,” updated as of May 18, 2016. This article provides insight from 30 different data security experts who were asked the same question: “What is the first step you need to take in the event a breach occurs?” Each expert consistently advises you to react immediately by taking the steps required under applicable state and federal regulations. Unfortunately, which law or regulation is “applicable” will depend on where you are located and on the location of the individuals affected by the data breach. Most title companies deal with customers located in states other than those of their offices, compelling them to comply not only with the requirements of their own state, but also with those of the states where their customers live. This could mean you have to comply with the obligations of dozens of different states.
In my next blog, I will provide you with references to each state statute and the applicable federal statutes and regulations that you will need to research to determine, under a particular state law, whether a “breach” has occurred, and point you toward the appropriate resources to determine the specifics of your post-breach action plan.