What’s the Weakest Link in Your Privacy Program?

In recent blogs, I focused on the serious consequences that arise in the event of a data breach.  Those consequences involve timely breach notifications to all your customers, dealing with the inevitable regulator investigation, litigation, and the possibility of substantial fines.  However, probably of most significance is the reputational risk, as a data breach would decrease lender confidence in your ability to protect the non-public personal information (NPI) that they entrusted to your company.  The resulting havoc from a breach is such that a single data breach event would likely put many small title agencies out of business, which makes efforts to minimize the chance of a breach a high priority.  In this blog, I will focus on one low-cost way to avoid a significant risk of a breach.

Your policies and procedures must address three key areas of risk

Those who have started the process of compliance with Best Practices realize that you must begin with a set of written policies and procedures (P&P) that provide your staff guidance on the detailed steps they need to take, from the moment a file is opened to the point it is placed into storage.  In order to adequately complete this essential first step, your P&P manual must thoroughly address the handling of three specific types of risk:   (1) physical security (e.g., locks, customer escort, clean desk policies, etc.), (2) technical security (e.g., firewalls, encryption, use of long passwords, etc.) and (3) administrative security (i.e., providing direction regarding ongoing risk management procedures to your staff).

Physical and technical security measures often require expenditure of substantial financial resources, ranging from several thousand dollars to tens of thousands of dollars, depending upon the size of your operation.  Conversely, complying with your obligation to implement administrative security—i.e., training your staff to follow your company’s policies and procedures—can be a relatively low-cost investment.  However, just because it costs less doesn’t mean it is less important.

Effective employee training can prevent data breaches that will not be prevented by passive firewalls or physical security systems. Remember, a large percentage of the frauds committed against our industry arises out of “spear-phishing” emails and social engineering techniques designed to divert mortgage disbursement funds from their intended recipient.  Creating a sense of awareness and urgency with your front-line staff is critical. Educating them about these title and settlement targeted fraud techniques and arming them with the tools to identify and overcome them can make all the difference.

For that reason, it is critical you recognize that failure to adequately train your staff may significantly compromise your overall Best Practices program and could result in little-to-no return for the money and time you have invested in structural improvements and computer upgrades.  Accordingly, this blog will focus on the importance of implementing an effective staff training program to maximize and preserve the more costly investments you made in office renovations and computer upgrades.

Don’t let staff training be an afterthought

There is no question that you can substantially reduce the risk of a data breach by tightening controls and implementing policies surrounding those who have physical access to your offices and computer systems.  However, spending money on highly sophisticated controls for building access (e.g., segregated waiting/closing rooms, keypad locks on all processors’ doors, cameras, etc.) becomes a worthless investment if your staff allows your clients to walk freely around the back office and enter unlocked doors.  Similarly, buying new computer equipment, implementing sophisticated firewalls, and requiring eight-digit complex passwords to access the system is a waste of money if your staff tapes their current passwords to their monitors because they found them “too hard to remember.”

Statistics show that 25% of all data breaches arise from human error

CHART REFERENCE: IBM 2016 Cost of Data Breach Study: Global Analysis

In June of 2016, IBM released a Ponemon Institute report that focused on an analysis of companies that had sustained data breaches of confidential records—383 companies located in the United States and 11 other countries.  While that free, comprehensive report, “2016 Cost of Data Breach Study: Global Analysis,” has numerous findings, the portion that focused on the causes of the data breaches was of particular interest.  As the graphic reflects, from a worldwide perspective, most breaches occur as a result of malicious or criminal attacks.  But, equally noteworthy was the fact that this analysis reflected that 25% of all data breaches were directly attributable to “human error.”

Many of the companies reviewed in this analysis were large multinational firms and collectively had likely spent hundreds of millions of dollars in the creation and maintenance of their physical and technical security systems.  But, even with all that investment in staff hours and technology, data breaches still occurred because staffers simply failed to exercise good judgement.  While there are certainly costs associated with employee training, the cost for implementing administrative security controls is a minuscule fraction of the costs associated with securing physical access or technical computer security.  Dollar for dollar, money spent on an effective training program has the highest rate of return in reducing your risk of a data breach.  The following are important points to consider when developing your training program.

  1. A training program is only as effective as the knowledge and abilities of the instructor

It is not enough for the manager of a title operation to simply tell their employees to “read the P&P Manual and sign a page acknowledging you have done so.”  This approach doesn’t provide any real assurance that the staff has an adequate understanding of the procedures they are required to follow.  Even if the title manager requires a sit-down, multi-hour training class, the training still may not be effective unless you have confidence that the manager conducting the training (1) has a firm grasp on the principles required under existing privacy law and (2) is a skilled instructor.  Some title professionals may fit that required bill, but most are more proficient in explaining a Closing Disclosure than explaining the importance of what constitutes NPI as defined under Gramm-Leach-Bliley.

  2. Proof of training should be supported by the ability to demonstrate comprehension of training

We all have been there, attending a training session for the required time, while we check our e-mail or Facebook posts on our cell phone.  Requiring attendance does not ensure comprehension.  To have an effective training program, one must assess the attendee’s comprehension.  Providing a post-training test is a good strategy; but once again, creation of tests usually is outside the scope of most title professionals’ comfort zones. The course recommended at the end of this article offers an end-of-training test that users must pass in order to complete the web-based training module.

  3. Training should be an ongoing process, not just a one-time event

P&P designed to protect customers’ NPI require staff to follow a set of specific protocols that take additional time and effort.  There is a natural tendency to slip back into doing things “the way we have always done it.”  In addition, over time, your staff will change, and each new employee will inevitably bring his or her own work habits, both good and bad.  Added pressures to stray from your P&P arise when new clients ask your office to modify your procedures to make it easier for them to use your firm.  For all these reasons, it is a good idea to train, and then re-train, your staff on a regular schedule.

Your best solution is to implement a process, or utilize a third-party service, designed to ensure your staff learns exactly what they need, are tested on their comprehension, and easily can be re-trained and re-tested.  This can be accomplished internally, but it will take a real commitment of time and effort.  If you would like to explore options that allow management to concentrate on closing loans, yet provide effective staff privacy training, there is a good solution available for you to ensure all three of the foregoing key elements of an effective training program are met.

Choose a training solution provider with a proven track record

ALTA has developed an Elite Provider network of companies providing specialized services needed by those who wish to become compliant with ALTA’s Best Practices.  These companies have undergone a qualifying process with ALTA involving interviews with customers and adherence to high business standards.  My review of this list indicates that only one, Real Estate Data Shield (REDS)[1], offers a specialized course focused on staff training.  That company offers an online privacy training course, called REDS 2.0, which is designed to provide title agency staff with the exact type of training they need.  Because it was designed with input from several of the nation’s foremost privacy experts, you can feel confident that the content is both comprehensive and accurate.  Since it is offered online, it is accessible on demand and will not require all of your staff to attend at once.  Management easily can keep track of each staff member’s training by reviewing their grades on online comprehension tests that are administered after key chapters.  Retesting every six months is as easy as asking the staff to log back in and retake the course to reaffirm the importance of your privacy policies.

Chris Gulotta, REDS CEO, also recommends making the training part of your staff on-boarding process and then repeating it annually to keep staff informed and reminded of emerging threats, the tactics of fraudsters, and the countermeasures staff can take to identify such threats.

I have taken the course and found it to be far more interactive than many I attend to secure CLE credit.  As you can see from this video’s highlights, the course is self-paced, and requires attendee input at numerous points throughout the presentation.  In about 40 minutes per training session, those taking the course come away with a broad overview of the statutes, regulations, and agencies, like the FTC and CFPB, that unequivocally require title agents to protect their customers’ NPI.  Attendees will acquire a new appreciation for the penalties and fines that can be levied for non-compliance with privacy guidelines.  Equally important, they will be better prepared to explain to lenders, realtors, and customers why your company’s privacy procedures have been implemented and must be utilized.  While not free, REDS 2.0 appears to be an affordable option that will help ensure the money and time you have spent on physical and technical security upgrades are not wasted as a result of a careless staffer who prioritized speed over following procedures.

[1] PYA coordinates with Real Estate Data Shield to provide the employee training component of our Certification+ assessment engagements.