Social Security number, driver’s license number, state-issued ID number, credit/debit card/other financial account numbers; portable devices like laptops, netbooks, cell phones & similar portable devices; electronic media USB/Thumb drives, CDs, DVDs, memory cards, tapes, diskettes, & similar portable electronic media.
The Sarbanes-Oxley (SOX) Act of 2002 legislates the manner and duration in which certain financial institutions’ data are secured and stored. The act places rigorous requirements on the security, accuracy and reliability of certain records. As a result, data security and storage become vitally important because the records of transactions must be secure. The Corporate and Criminal Fraud Accountability aspects of SOX require that a broad range of corporate documents be retained for five years, and failure to produce certain documents during an audit is subject to severe penalties.
Consumer Financial Protection Bureau (CFPB) Home Mortgage Disclosure Act (HMDA)
CFPB Home Mortgage Disclosure Act (HMDA) regulates how the NPI of a customer is stored. NPI is personally identifiable information such as information provided by a customer on a form or application, information about a customer’s transactions, or any other information about a customer which is otherwise unavailable to the general public.
Any & all NPI in your company’s possession & control needs to be located & identified
Document your company policies, processes & procedures for collection, storage, protection & disposal of NPI
Do this to ensure NPI is not inadvertently disclosed – Employees should close files containing NPI when away from their desks
Lock all documents, portable devices & electronic media containing NPI in a desk, file cabinet or secure room overnight.
Never leave documents, portable devices or electronic media containing NPI in an unlocked vehicle or where they are visible from outside the vehicle.
Never leave any item containing NPI in a hotel room, conference room, reception area or any other location that can be accessed by others.
Regular Mail, Faxing & Sending
Always use sealed envelopes to send NPI via inter-office mail.
Such as FedEx or UPS to send NPI to external parties – Use the signature services of FedEx & UPS to require a recipient signature, either at the place of delivery or at a package pickup location.
Never send faxes containing NPI to public fax machines.
To ensure documents containing NPI safely reached their destination.
Restrict access to NPI to employees who have a legitimate business need to access that information.
Maintain tight controls over user login & password credentials &, if possible, disable access after unsuccessful login attempts.
Immediately change passwords & block access when users are terminated.
Do not send E-Mail that contains NPI in the body text or subject line – Instead, omit or obscure the NPI (Especially when replying or forwarding messages)
Delete older, unnecessary E-Mail to reduce exposure if a computer is lost or stolen.
SSL/TLS must be enabled for any Website that collects NPI – Check for the padlock icon at the bottom right of the browser window or look for “https” instead of “http” in the address bar.
Always check the address bar to ensure that you have not been directed to a look-alike Website.
Such as LeapFILE, FindMyFile, SendSpace, etc., for any files containing NPI.
Respond NO whenever you are asked to update or load software on your computer, unless you have been informed by your IT Department that it is safe to do so.
Physically secure all servers in a locked room with limited & controlled access.
To directories, file shares, databases & critical applications containing NPI to only those persons who require access for legitimate business purposes.
Never store NPI on Publicly Accessible File Shares
Ensure that server backups are encrypted & taken offsite by an approved tape storage vendor.
Always log off & lock your computer screen when you will be away from the computer for more than 5 minutes.
8+ characters including numbers, symbols, upper & lowercase letters & require frequent password updates
Never share your user login & password information – change your password immediately if you think someone has discovered it.
Have IT do this
Never load them or other applications, such as title production software, on personal computers.
Keep virus protection & security patches updated.
Backup important electronic files regularly.
Ensure backups are encrypted.
Wipe all hard drives & other electronic media before disposal, donation, or transfer to any unauthorized third party company
Shred all documents containing NPI instead of throwing them in a trash/recycling bin – use a cross-cut or “confetti” shredder.
Unnecessary documentation received from lenders, realtors, customers, or others as soon as legally allowable.
In the event that NPI is lost or potentially disclosed to an unauthorized 3rd Party, immediately contact your supervisor, information security or legal personnel.
These guidelines describe practices that should be implemented within each title company to ensure security in real estate transactions. They are not intended to be a substitute for legal advice. State laws & regulations vary.