Best Practice Pillar #3

Download Report

Transcript Best Practice Pillar #3

Best Practice
Pillar #3:
Securing NPI
Mary Schuster
Mike Murphy
 Gramm-Leach-Bliley Act
•
Enacted to control the ways that financial institutions deal with the
private information of individuals consisting of three sections:
o
The Financial Privacy Rule, which regulates the collection and disclosure of
private information
o
The Safeguards Rule, which stipulates that financial institutions must
implement security program to protect private information
o
The Pretexting Rule, which prohibits accessing private information using
false pretenses
 The CFPB
•
Responsible for consumer protection in the financial sector
•
Authorized by the Dodd-Frank Act in 2010 in response to the financial
crisis of 2007-08
•
Service Provider Memo of 4/13/12 extends some GLB service providers
of the lender
•
Has developed new rules and forms related to the closing of a real
estate transaction
 ALTA
•
Advocacy on behalf of title agents related to proposed CFPB regulations
o
Educated the CFPB on the value of the title industry and title agent
o
Formed a task force that worked with the CFPB related to changes
o
Created Best Practices as industry-wide proactive offering of Standards – as
opposed to waiting for each lender to set individual standards
o
Worked with title agents to review and comment on the proposed CFPB
changes
 But what does the coming together of these parts really mean?
•
Lenders have a greater responsibility than ever before
o
Responsible for title agents and their processes, practices and procedures
used in transactions
o
Ultimately responsible for title agency 3rd party vendors
•
•
•
Notaries
Cleaning staff
IT service providers
That’s 4th party level responsibility and that got the Lender’s
attention!
 ALTA’s answer…Best Practices
•
7 Pillars
•
ALTA/Underwriter/Software Vendor Tools
o
o
•
Webinars
Readiness Assessments
Certification
o
o
Pillars 1, 2, 4, 5, 6, 7
Pillar 3
 Develop a security program to protect NPI – Electronic & Paper
•
Identify where NPI exists in your organization
o
Data in use
•
•
•
•
o
Data in motion
•
•
o
Active order data within Title Production Software
Active order data in paper files
Active order data in documents (Word, Excel, etc)
Documents at the closing table
Any order data moving along your network
Any order data being shared with other parties
Data at rest
•
•
•
Inactive order data within Title Production Software
Inactive order data in data warehouse
Offsite backups, tapes, etc.
 Develop a security program to protect NPI
•
Examples of NPI
o
The obvious
•
•
o
The little less obvious
•
•
•
o
SSN/EIN
Credit card numbers
Bank or credit card payoff statements
Insurance, retirement, divorce or tax information
Dates of birth
How about this one?
•
•
Buyer/Seller names with property address on a HUD on an active order?
Yep, that’s NPI until the data is recorded
 Develop a security program to protect NPI
•
Ask questions about your operation
o
Do you have a clean desk policy?
o
Are you shredding sensitive documents?
o
If you use a shredding service are documents to be shredded secured?
o
Does you scanning solution have levels of security to limit access?
o
Are all files locked and secured? Common area stand-ups?
o
Do you conduct background checks of employees? How often?
 Develop a security program to protect NPI
•
Ask questions about your operation
o
Are devices password protected and are they locked down at night?
o
Are your servers secure with limited access?
o
Do you destroy old hard drives of computers and copiers?
o
Are mobile devices secure and can they be remotely wiped clean?
o
How are paper files secured that leave the office or are with couriers?
o
Do you have oversight of service providers to be sure they secure NPI?
 Develop a security program to protect NPI
•
Ask questions about your operation
o
Does your office and work areas have secured entry points with individual
access codes or keyed access?
o
Do you control the use of removable media devices like flash drives?
o
Do you have Disaster Recovery and Business Continuity plans?
o
Do you have audit procedures to insure that staff comply with security
measures and procedures?
o
Are email and attachments containing NPI encrypted?
 Develop a security program to protect NPI
•
Ask questions about your operation
o
Are you restricting personal email accounts?
o
Does a training program for employees related to protecting NPI exist?
o
Do you have guidelines and controls for use of company technology that has
access to NPI?
 Develop a security program to protect NPI
•
Build company policies, educate staff and review regularly
o
o
o
o
o
o
o
o
o
Clean Desk Policy
Acceptable Use Policy
Password Policy
Information Technology Electronic Asset Disposition Policy
Security of Information and Records Policy
Privacy of Personal Information of Consumers and Customers Policies
Exception Standard
Firewall Policy
Vulnerability Scanning Policy
 Do continue to educate yourselves
 Do take action – get started as this is a process. Compliance is a
continuous journey, not a destination.
 Do ask questions and get help
 Do train your staff members about NPI
 Do review your Security Program
 Do become compliant – get certified
 Don’t be this title agent
 Don’t be this title agent
 Business Continuity
•
How we work when we can’t get to work or when equipment isn’t available
•
Can Business Continuity be built into our systems?
 Disaster Recovery
•
What we do when resources are gone for good or gone for an extended period of
time
•
Recovery Point Objective
•
Recovery Time Objective
•
Developing the process to determine if/when to enable Disaster Recovery
•
Testing
Application
Database
Storage
Web
Email
Nice 10 years ago – Today’s grade F
Application
Database
Storage
Web
Email
Nice 10 years ago – Today’s grade F
Application
Database
Storage
Web
Email
Application
Application
Database
Database
Storage
Storage
Web
Web
Email
Email
Application
Application
Database
Database
Storage
Storage
Web
Web
Email
Email
Getting better– Today’s grade C-
Applicatio
Application
n
Database
Database
Application
Storage
Storage
Storage
Web
Web
Web
Email
Email
Email
Database
Getting better– Today’s grade B
Application
Application
Database
Database
Storage
Storage
Web
Web
Email
Email
Application
Application
Application
Database
Database
Database
Storage
Storage
Storage
Web
Web
Web
Email
Email
Email
This is it! – Today’s grade A+
Best Practices
Lender Questionnaires
Pressure on Lenders for not 3rd Parties but 4th Parties
Build It or Lease It
Cloud Basics
 State Land Title Associations
 American Land Title Association Best Practices
•
www.alta.org/bestpractices
 Underwriters
•
Webinars, White Papers, Checklists
 Op2
•
[email protected]
•
Mary Schuster – RamQuest/op2
o
o
•
[email protected]
[email protected]
Mike Murphy – op2
o
[email protected]