www.NCClosingAttorneyBestPractices.org
Part 2
Slide 3
Made Possible By a Grant From: relanc.com
Slide 4
Nancy Ferguson
Sr. State Counsel, VP, Chicago Title; State Counsel, Fidelity National Title Group
Relevant Memberships: NCBA (Real Property Section Council), NCLTA, RELANC, NC Closing Attorney Best Practices Task Force, ABA, ALTA, ACREL, ACMA
NC State Bar Certified Specialist, Real Property Transactions
Co-Author, NC Real Estate with Forms, 3d Ed.
Slide 5
Christopher J. Gulotta, Esq.
Founder & CEO, Real Estate Data Shield, Inc.
271 Madison Avenue, Suite 700, New York, NY 10016
212-951-7302 [email protected]
Real Estate Data Shield, Inc. 2014
Slide 6
Non-public Personal Information (NPPI): Personally identifiable data such as information provided by a customer on a form or application, information about a customer's transactions, or any other information about a customer which is otherwise unavailable to the general public.
NPPI includes first name or first initial and last name coupled with any of the following:
- Social Security Number
- Driver's license number
- State-issued ID number
- Credit or debit card number
- Other financial account numbers
Slide 7
1. Gramm-Leach-Bliley Act (GLBA)
2. Federal Trade Commission (FTC)
   - Privacy Rule (1999)
   - Safeguard Rule (2003)
   - Disposal Rule (2005)
3. Consumer Financial Protection Bureau (CFPB)
   - April 2012 Bulletin
   - Supervisory Highlights (2012)
4. Office of the Comptroller of the Currency (OCC)
   - Interagency Guidelines Establishing Standards for Safeguarding Customer Information (2001)
   - Third Party Relationship Bulletin (Oct. 2013)
5. American Land Title Association (ALTA)
   - Best Practices for Title Insurance and Settlement Companies (Jan 2013)
6. State Agencies & Regulators
7. Attorney Code of Professional Conduct
Slide 8
- It is now commonly accepted in the legal profession that the confidentiality duty applies to attorney-client information in computer and information systems.
- Comment 18 to the ABA Model Code notes that lawyers are required to act competently to safeguard information relating to the representation of a client against unauthorized access by third parties and against inadvertent or unauthorized disclosure by the lawyer or other persons who are participating in the representation of the client or who are subject to the lawyer's supervision.
Slide 9
Nearly every state has adopted the American Bar Association's Model Rules of Professional Conduct.
Rule 1.6 Confidentiality of Information: (a) A lawyer shall not reveal information relating to the representation of a client...
Slide 10
- Every state has its own legislative or judicial rules pertaining to the practice of law that prohibit lawyers from disclosing information about their clients to third parties, and the GLBA would not add anything to the local regulations.
- The court pointed out that the legal guidelines within the legal profession are very similar to the disclosure requirements of the GLBA, also stating that this area is typically left to states to enforce.
- Under pre-existing state ethical rules that govern attorneys, attorneys would be prohibited from affiliating with financial institutions and, as a result of the affiliation, disclosing clients' information without their clients' consent.
- The ABA stated during trial that professional conduct rules in every state and the District of Columbia impose stringent confidentiality requirements on attorneys that protect the privacy of clients far more effectively than provisions in the GLBA.
Slide 12
§ 60: A Lawyer's Duty to Safeguard Confidential Information
(1) During and after representation of a client:
(a) the lawyer may not use or disclose confidential client information as defined in § 59 if there is a reasonable prospect that doing so will adversely affect a material interest of the client or if the client has instructed the lawyer not to use or disclose such information;
(b) the lawyer must take steps reasonable in the circumstances to protect confidential client information against impermissible use or disclosure by the lawyer's associates or agents that may adversely affect a material interest of the client or otherwise than as instructed by the client.
Slide 13
Comment D: A lawyer's duty to safeguard confidential client information
A lawyer who acquires confidential client information has a duty to take reasonable steps to secure the information against misuse or inappropriate disclosure, both by the lawyer and by the lawyer's associates or agents to whom the lawyer may permissibly divulge it. This requires that client confidential information be acquired, stored, retrieved, and transmitted under systems and controls that are reasonably designed and managed to maintain confidentiality. A lawyer must take reasonable steps so that law-office personnel and other agents such as independent investigators properly handle confidential client information. That includes devising and enforcing appropriate policies and practices concerning confidentiality and supervising such personnel in performing those duties.
Slide 14
North Carolina adopted the ABA Model Rules of Professional Conduct on October 7, 1985 (with subsequent amendments).
Rule 1.6: Confidentiality of Information
(a) A lawyer shall not reveal information relating to the representation of a client unless: (1) the client gives informed consent; (2) the disclosure is impliedly authorized in order to carry out the representation
Comment 3: The confidentiality rule, for example, applies not only to matters communicated in confidence by the client but also to all information relating to the representation, whatever its source. A lawyer may not disclose such information except as authorized or required by the Rules of Professional Conduct or other law.
Comment 19, paragraph (c): Requires a lawyer to act competently to safeguard information relating to the representation of a client against inadvertent or unauthorized disclosure by the lawyer or other persons who are participating in the representation of the client or who are subject to the lawyer's supervision. A client may require the lawyer to implement special security measures not required by this Rule, or may give informed consent to forgo security measures that would otherwise be required by this Rule. Whether a lawyer may be required to take additional steps to safeguard a client's information to comply with other law, such as state and federal laws that govern data privacy, or that impose notification requirements upon the loss of, or unauthorized access to, electronic information, is beyond the scope of these Rules.
Slide 15
Comment 20
When transmitting a communication that includes information relating to the representation of a client, the lawyer must take reasonable precautions to prevent the information from coming into the hands of unintended recipients. This duty, however, does not require that the lawyer use special security measures if the method of communication affords a reasonable expectation of privacy. Special circumstances, however, may warrant special precautions. Factors to be considered in determining the reasonableness of the lawyer's expectation of confidentiality include the sensitivity of the information and the extent to which the privacy of the communication is protected by law or by a confidentiality agreement. A client may require the lawyer to implement special security measures not required by this Rule or may give informed consent to the use of a means of communication that would otherwise be prohibited by this Rule. Whether a lawyer may be required to take additional steps to comply with other law, such as state and federal laws that govern data privacy, is beyond the scope of these Rules.
Slide 16
- Wells supports customer choice provided such third party providers consistently meet all applicable requirements
- Wells is expanding and enhancing third party oversight in order to monitor and measure performance
- Prepare for Top Performer status
- Wells supports ALTA Best Practices, which should already be in place for businesses providing title and closing services
- Wells recognizes some may need transition time
- If not currently following ALTA Best Practices, do you have a plan in place for adoption?
- Can you document and demonstrate inspection processes to validate your adoption of ALTA's Best Practices?
Slide 17
1. Establish and maintain current license(s) as required to conduct the business of title insurance and settlement services.
2. Adopt and maintain appropriate written procedures and controls for Escrow Trust Accounts allowing for electronic verification of reconciliation.
3. Adopt and maintain a written privacy and information security program to protect Non-public Personal Information as required by local, state and federal law.
4. Adopt standard real estate settlement procedures and policies that ensure compliance with Federal and State Consumer Financial Laws as applicable.
5. Adopt and maintain written procedures related to title policy production, delivery, reporting and premium remittance.
6. Maintain appropriate professional liability insurance and fidelity coverage.
7. Adopt and maintain procedures for resolving consumer complaints.
Slide 18
- Establish a Disaster Management/Recovery Plan
- Notification of Security Breaches to Customers and Law Enforcement
- 47 states have a data breach notification law; know the requirements particular to your state so that you are prepared in the event of a breach
- Post your company's privacy and information security program on your website or provide program information directly to customers in another useable form
- When a breach is detected, your company should have a program to inform customers and law enforcement as required by law
Slide 19
The FTC looks for:
- Written data security policies
- Sound document destruction policy and practice
- Password protection procedures
- Proof of ongoing staff training in data security and GLB Act compliance
The CFPB looks for:
- Appropriate training and oversight of employees and agents that have consumer contact
- Comprehensive data security policies, procedures and internal controls
- Compliance with federal consumer financial laws
Lenders look for:
- Compliance by their Service Providers with federal and state laws, rules and regulations (e.g. OCC & CFPB)
OCC looks for:
- Oversight and management of Third Party Relationships, including: independent assessments, due diligence and appropriate agreements, on-site, independent audits, safeguarding of NPPI, etc.
Slide 20
Practical Steps to Take:
- Develop all required privacy and data security policies, procedures, and plans:
  - Information Security Plan
  - Incident Response Plan
  - Disaster Recovery Plan
  - Secure Password Policy
  - Electronic Communications and Internet Use Policy
- Assess your company's risk profile
- Educate and train your work force
- Secure your work flows
- Ensure compliance of all service providers
- Implement a sound document destruction policy
Slide 21
A. Administrative
B. Physical
C. Network
Slide 22
Common Settlement Documents Containing NPPI:
- Uniform Residential Loan Application (Form 1003)
- Borrower Tax Returns
- Lender Engagement Letter
- Identification (Driver's License, passport, etc.)
- Settlement Statement (HUD-1)
- IRS Form 4506-T, Request for Transcript of Tax Returns
- IRS Form W-9, Request for Taxpayer Identification Number and Certification
- Payoff Letter
Common Title Documents Containing NPPI:
- Identification (Driver's License, passport, etc.)
- Title Order Form
- Payoff Letter
- Escrow Agreements with Tax Searches
- Real Estate Transfer Tax Forms
- Affidavits
- Recordable Docs
- Title Bill
Slide 23
1. Staff Training
2. Manual of Policies and Procedures
3. Privacy Notice
4. Shred-All Policy
5. Vendor Non-Disclosure Agreements (NDAs)
6. Background checks on employees handling NPPI
7. Clean Desk, Office and Screen Policy
8. Authorized Devices
Slide 24
1. Entryway Security & Sign-in Log
2. Clean Desk Policy
3. Locked Filing Cabinets
4. Security Cameras
5. Privacy Screens
6. Locked Offices
7. Shredding of Paper and Digital Media
8. Locks on Computers
Slide 25
1. Password Protection
2. Computer Screen Timed Lockout
3. Using Various Brands of Firewalls (Defense in Depth)
4. Port Lockdown
5. Network Printers/Scanners
6. Restricted Access to Programs, Files, etc.
7. Updates and Patches
8. Email Encryption
Slide 28
- Compliance must now be a core competency
- Compliance is the NEW marketing
- Lenders have identified Data Security as their Number 1 concern with regard to their Service Providers
- Data Security compliance is the law and lenders are more actively enforcing our compliance requirements
- Prepare for Lender & Regulator audits now!
Slide 29
Christopher J. Gulotta, Esq.
Founder & CEO, Real Estate Data Shield, Inc.
212-951-7302 [email protected]
www.realestatedatashield.com
Slide 30
Data Security/Best Practices Preparation and Implementation
Jim Brahm, Chief Executive Officer, Security Compliance Associates
2727 Ulmerton Rd., Suite 310, Clearwater, FL 33762
727-571-1141 [email protected]
Step 1 - Initial call
- The company will need the information security policy, acceptable-use policy and business continuity/disaster recovery plan.
- Explain the personnel interview process and who will be interviewed.
- The company being assessed will want to ask any questions they may have about the on-site visit.
Slide 33
Step 2 - Pre-assessment due diligence
- Review/update policies and procedures for content and relevance
- Review network topology, which means ensuring security devices are configured correctly
- Check web-content filtering
- Ensure firewalls and intrusion detection systems (IDS) or intrusion prevention systems (IPS) are configured properly
- Remove old user accounts and rename default administrative account names
Slide 34
Step 3 - External Assessment
- Provides proof of how a company could be exploited
- IP address(es) tested to deduce vulnerabilities
- Test vendor response for intrusion detection systems (IDS) or intrusion prevention systems (IPS)
- Social engineering test / employee awareness & training. Examples of tests include:
  - spear-phishing emails
  - phishing emails containing a forged link
  - pretext calling, which is similar to phishing, where the caller attempts to obtain sensitive information via telephone
Slide 35
Step 4 - On-site assessment
- Conducting an external physical assessment of the site
- Internal physical assessment
- Conducting an internal network vulnerability scan
- Conduct interviews with management & IT staff
- Review in-place policies & procedures
- Workstation reviews
- Server configuration reviews
Slide 36
Step 5 - Post-assessment report
- Detailed findings of all parts of the assessment
- List of vulnerabilities discovered and the associated hosts
- Recommendations for vulnerability remediation, policy recommendations, acceptable-use recommendations and implementation of business continuity/disaster recovery plan
Slide 37
Component of Assessment                                               Risk Level
Information Security Program
  Information Security Policy                                         Medium
  Information Security Plans & Procedures                             Medium
  Roles & Responsibilities                                            Low
  Personnel Security                                                  Low
Risk Identification and Assessment
  InfoSec Risk Assessment                                             Low
  Critical Application Risk Assessment                                Medium
Employee Training Management and Responsibilities
  Security Guidance and Training                                      Low
  Social Engineering                                                  Medium
Slide 38
Internal Information Security
  Security Administration (Authentication and Authorization)          Medium
  Network Security (Communications, Network and Internet Security)    Medium
  Host Security (Operating Systems, Hardening, Patch Management)      Medium
  Change Management                                                   Medium
  User Equipment Security (Operating System, Workstation Imaging)     Low
  Security Monitoring (Audit and Log Review)                          Medium
  Security Monitoring (Vulnerability Scanning & Penetration Testing)  Low
  Virus and Malware Mitigation                                        Low
  FTP Configuration - Internal                                        Low
  FTP Configuration - External                                        Low
  Physical Security                                                   Medium
  Encryption                                                          Medium
  Publicly Accessible Services                                        Low
Slide 39
Perimeter Defense Systems
  Response Handling                                                   High
  ICMP Testing                                                        Low
  DNS Registration Information                                        Low
  Banner Enumeration                                                  Low
  Autocomplete                                                        Low
  Frameable Response (Clickjacking)                                   Low
Retention and Destruction of Personal Information
  Data Security (Data Classification)                                 Low
Overseeing Service Providers
  Third Party Management                                              Low
Data Breach Incident Reporting
  Incident Response Plan                                              Low
Business Continuity and Disaster Recovery
  BCP / DRP                                                           Medium
Slide 40
Phase 5 Post Assessment Report
Slide 42
Step 6 - Remediation stage
- Company must determine its ability to address shortfalls and vulnerabilities
- Work with IT support on remediation steps for technical vulnerabilities
- Address non-technical shortfalls/vulnerabilities
- Document remediation steps that are performed
Slide 43
Use ISO on-demand availability to answer questions you may have and provide guidance. It's a resource for you. Take advantage of it!
Slide 44
- Policies & Procedures incomplete or outdated
- No back-up plan or Disaster Recovery Policy
- Antivirus shortfalls:
  - Disabling antivirus active scan due to speed issues
  - No antivirus on the server because it is not accessed
- No firewalls
- Not monitoring firewalls, IPS/IDS, and event logs
Slide 45
- Allowing anyone to access files on file servers (not using permissions)
- Allowing anyone on the internal network through the wireless access point
- Employees providing username/password
- Missing Security Patches/Updates
- Third Party Vendor Due Diligence
Slide 47
Document Security: Secure email delivery of Non-Public Personal
Information (NPPI)
Slide 48
- Travels the open internet on its way to the recipient inbox
- Many server-to-server hops along the route
- Content is viewable and can be stolen, without your knowledge
- Like sending private information on a postcard
Slide 49
- Compliance Grade Encryption
- Cloud-Based Service
- Premise-Based Gateway
- Secure from Desktop to Desktop to Mobile
- High Availability / Disaster Recovery
"Encryption works. Properly implemented strong crypto systems are one of the few things that you can rely on." Edward Snowden, "Email Encryption Works Against the NSA"
Slide 50
Non-public personal information:
- Social security number
- Driver's license number
- Credit card number
- Other financial account number
Secure electronic delivery solutions:
- Selective email encryption (desktop)
- Automatic email encryption (policy gateway)
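Slide 6 defines NPPI and Slide 50 lists an automatic, policy-gateway style of email encryption as the alternative to relying on each user to choose "encrypt". The Python below is an added example written for this page, not code from the presenters or from any vendor product: it shows the gateway decision in its simplest form, parsing an outbound message, scanning its text parts for the NPPI identifiers from Slide 6 (SSN, payment card number with a Luhn check, labelled account or licence numbers), and requiring encryption whenever any are found. The function names, regular expressions, the labelled-identifier heuristic and the sample messages are all assumptions of the example.

```python
"""
Outbound e-mail NPPI policy check (added example; not code from this deck).

Models the "automatic email encryption (policy gateway)" idea: before an
outbound message leaves the firm, scan its text for the NPPI identifiers
listed on Slide 6 and require encryption when any are present.  Function
names, regexes, the labelled-identifier heuristic and the sample messages
are all assumptions of this example.
"""
import re
from email import message_from_string
from email.message import Message

# Conservative patterns: a false "encrypt" costs a little friction, while a
# false "send in the clear" is a disclosure of NPPI.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
CARD_RE = re.compile(r"\b(?:\d[ -]?){13,19}\b")
# Account, routing and licence numbers have no universal format, so this
# heuristic keys off the label that precedes them in settlement paperwork
# (lazy gap of up to 20 chars) and requires at least one digit in the value.
LABELED_ID_RE = re.compile(
    r"\b(?:account|acct|routing|driver'?s? licen[cs]e|DL|state id)\b"
    r"[^\n:#]{0,20}?[:#]?\s*\b(?=[A-Z-]*\d)([A-Z0-9-]{6,20})\b",
    re.IGNORECASE,
)


def luhn_ok(digits: str) -> bool:
    """Luhn check used by payment card numbers; filters out order numbers
    and other digit runs that merely look like a card."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def message_text(msg: Message) -> str:
    """Collect the subject and every text/plain part.  Attachments are not
    scanned here; a production gateway would extract text from PDFs too."""
    parts = [msg.get("Subject", "")]
    for part in (msg.walk() if msg.is_multipart() else [msg]):
        if part.get_content_type() == "text/plain":
            payload = part.get_payload(decode=True)
            if payload:
                charset = part.get_content_charset() or "utf-8"
                parts.append(payload.decode(charset, "replace"))
    return "\n".join(parts)


def find_nppi(text: str) -> list[tuple[str, str]]:
    """Return (kind, matched_value) pairs for each NPPI indicator found."""
    findings = [("ssn", m.group()) for m in SSN_RE.finditer(text)]
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"\D", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            findings.append(("card", m.group()))
    findings += [("labeled_id", m.group(1)) for m in LABELED_ID_RE.finditer(text)]
    return findings


def gateway_decision(raw_message: str) -> dict:
    """Policy decision for one outbound RFC 822 message: encrypt or not,
    and which kinds of NPPI triggered the decision."""
    msg = message_from_string(raw_message)
    findings = find_nppi(message_text(msg))
    return {
        "to": msg.get("To", ""),
        "encrypt": bool(findings),
        "reasons": sorted({kind for kind, _ in findings}),
    }


# Constructed sample traffic (addresses use the reserved .invalid TLD; the
# card number is the well-known 4111... test value, the SSN a retired
# sample value, the order reference a digit run that fails Luhn).
CLEAN_MSG = """\
From: closing@example-firm.invalid
To: buyer@example.invalid
Subject: Closing scheduled

We are set for Friday at 10am. Please bring photo identification.
Title order reference 1234 5678 9012 3456 (not a card; fails Luhn).
"""

NPPI_MSG = """\
From: closing@example-firm.invalid
To: lender@example.invalid
Subject: Payoff figures for 123 Main St

Borrower SSN: 078-05-1120
Card on file: 4111 1111 1111 1111
Wire to account number: 00123456789
"""

if __name__ == "__main__":
    for raw in (CLEAN_MSG, NPPI_MSG):
        print(gateway_decision(raw))
```

Two design points are worth noting. The gateway does not try to satisfy the "name coupled with" half of the Slide 6 definition: a bare SSN or card number in outbound mail is reason enough to encrypt, so the policy errs toward encryption rather than toward clever matching. And only text/plain parts are scanned; the settlement documents listed on Slide 22 usually travel as attachments, so a real deployment needs text extraction for those (or a rule that any message with a HUD-1 or Form 1003 attached is encrypted regardless).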