#AllNat Advantage

Sharing knowledge for better business

Author Archive

man peering over a desk with the words "who you gonna call?"

Data Breach Prep: Texas

When a data breach occurs, it’s an intense, frightening moment. Who you ‘gonna call? Ghostbusters aren’t the ones for this job, so the best way to make the specter of a breach less scary is to have an incident response plan in place; to know what your legal and regulatory requirements are; and to have the contact information that you need close at hand.

While this new series of blogs is not intended to provide legal advice, it is intended to provide you with recommendations for resources that may be useful; to increase awareness regarding notification and reporting requirements; and to provide helpful notification contact information, unique to each state. In each issue, we will present you with contact information regarding a different state in which Alliant National is licensed, and in which you may be its appointed agent. It is up to you to make sure that you know when to use these contacts – either because you are legally required to do so, or because you have optionally decided to provide notification. Lastly, for our legal disclaimers, we’ve made our best efforts to acquire the correct and current contact information, but we can make no guarantees as to its accuracy or that the information will not change over time.

Understanding State Reporting Responsibilities

There are two kinds of laws that impact your reporting responsibilities: (1) state data breach notification laws that generally apply to all entities who “own” data, and (2) insurance data security laws that apply to those who are regulated for doing the business of insurance. A great summary of the state data breach notification laws is published quarterly by the law firm of Foley & Lardner. Another useful resource for tracking both the state data breach notification laws and the insurance data security laws is a tool published by the law firm of Lewis & Brisbois

Now that we’ve discussed both the general and insurance data breach notification laws, please be aware that sometimes notification requirements derive from other sources, including statutes which are not labeled as Insurance Data Security Laws (or which don’t even fall under the category of such laws), and bulletins issued by insurance regulators.

State data breach notification laws vary from state to state and may have some exemptions which apply to you, but often include the following common components:

  • Notification to affected state residents without unreasonable delay.
  • Notification to certain agencies, including state attorneys general and/or consumer reporting agencies under certain circumstances.

The variances are quite considerable and include (but are not limited to) how (e.g. by what method) to give notice, permitted delays when a law enforcement agency investigation is pending, timing of the notice, what particular information is required information to be provided, and record retention.

Consumer Reporting Agency Notification

For your convenience, when these laws do require notification to Consumer Reporting Agencies, the following information may be helpful to you:

Common Notification Requirements

Insurance Data Security Laws also vary from state to state and may have some exemptions that apply to you (typically based upon the size of the licensee, its year-end total assets, and its gross annual revenue), so, again, be sure to check your state’s specific requirements. However, these laws generally include the following common notification components:

  • Notification to the insurance commissioner of the cybersecurity event (usually within three days in most states).
  • Notification to affected state residents without unreasonable delay.
    • But if you’ve had a breach and determined that notice is not required (according to the state law or other authority), then typically that determination is required to be documented in writing and retained for at least five (5) years.
  • Notification (usually within 10 days) to a covered third-party (such as your *title insurance underwriter) when you have determined or believe that a breach occurred.
    *(for Alliant National Title, you can contact Elyce Schweitzer, Regulatory Compliance Officer, at eschweitzer@alliantnational.com)

Texas Notification Requirements And Contact Information  

Contact Information Pursuant to State Data Breach Notification LawsContact Information Pursuant to Insurance Data Security Laws (or Pursuant to Other Authority Requiring Notice to Regulator)
Tex. Bus. & Com. Code §§ 521.002, 521.053, 521.151-152 (these are all sections of the Identity Theft Enforcement and Protection Act but note that Tex. Bus. & Com. Code § 521.053 is the statute pertaining to actual notification / reporting requirements).   When breach affects ≥ 250 residents, notify: * TX Attorney General whose informational webpage for data breach reporting is  https://texasattorneygeneral.gov/consumer-protection/data-breach-reporting; from there, access online data breach reporting form at https://oag.my.site.com/datasecuritybreachreport/s/   When breach affects > 10,000 residents, notify: *Consumer Reporting Agencies (see contact information provided above)No Insurance Data Security Law.  However, Commissioner’s Bulletin #B-0009-23 requires data breach reporting to the Texas Department of Insurance (TDI):   *For all other regulated entities and individuals (besides domestic insurance companies and HMOs), send breach notices to CyberReporting@tdi.texas.gov.
FedNow logo banner with people looking at a computer

FedNow: The Psychology of Instant Gratification

According to PositivePsychology.com, as humans we are innately wired to pursue instant gratification.  It’s natural for us to want good things, and to want them NOW. In fact, the urge for immediacy surely benefited pre-modern humans as their very survival often hinged upon making instantaneous decisions followed by taking immediate actions (e.g. “there’s a Tyrannosaurus rex headed my way … I’d better run and take cover!”). Humans today are not so different from their ancient ancestors – we, too, want immediacy, especially when it comes to the acquisition of wealth – whether that translates into the speed with which we receive funds or the swiftness with which we get title to real property under contract.

A Catalyst Corporate Credit Union blog reported that recent studies have shown “[a] staggering 70% of consumers express that having faster payment options from their financial institution is an important driver of satisfaction.” Thanks to advances in fintech, we now have a payment rail with two trains riding upon it to deliver that instant gratification. These two “trains” are Real Time Payments (RTP) and FedNow. They both move so FAST (almost instantaneously) that you and your customers can enjoy the ability to transfer funds 24/7, 365 days of the year in real time. With no waiting periods to transfer funds, just imagine how much faster your closings can take place – they can occur on holidays, weekends, and anytime convenient for you and the parties to the transaction!

Moving Money White Paper download thumbnail

Since 2017, RTP has been operated by The Clearing House (TCH), a consortium of member financial institutions; TCH’s RTP Network lists approximately 373 participating Financial Institutions (FIs).

On July 20, 2023, FedNow – the Federal Reserve’s interbank, instant payment infrastructure – went live; it launched with 35 participating FIs, the U.S. Department of the Treasury’s Bureau of the Fiscal Service and 16 service providers, but it has the potential to service all depository institutions eligible to hold accounts at the Reserve Banks – currently estimated at more than 10,000 banks and credit unions! FedNow promises to be a real game-changer for the national economy, and especially for our industry.  

Let’s talk about what FedNow can do for you. At this time, the FedNow Service supports account-to-account and consumer-to-business bill pay use cases. The maximum credit transfer amount is $500,000, but participating FIs have the option to provide a lesser amount (so you may want to check with the transferor’s FI in advance to make sure that you know its dollar limits). With FedNow, businesses and individuals can also request a payment (referred to as a RFP or “Request for Payment”) from a recipient.  For example, with FedNow you can electronically send “Betty Buyer” a request for the balance of cash needed to close her transaction; there is even a “zero-dollar request for payment” pre-validation tool available to make sure that the end-customer has the ability to receive and act on the RFP prior to the biller actually sending one. We can anticipate that FedNow will be able to do even more in the future as its functionality is expected to increase in phases. To learn more about FedNow, and when and how it may be available for your use, please visit FedNowExplorer.org.

Lastly, if you want to know more about the BIG picture – RTP, FedNow, the Good Funds Laws, and Payment Service Providers (e.g. Venmo and PayPal) – and how these mechanisms and laws affect each other and work together, read our in-depth white paper, “Moving Money in a Real Estate Transaction.”

Cover of Alliant National's white paper, “Moving Money in a Real Estate Transaction.”

Your Guide To The Real Estate Payments Revolution

Progress is never easy or fast, but the rewards are well-worth the effort (and patience)! With the advent of new inventions, innovations and technology, we are continuously improving the quality of our lives and the freedoms we enjoy – both in our personal and business lives, which are inextricably intertwined.

Did you know that the audio-visual technology that makes it possible for families and friends to stay in touch across the globe, as well as the video-conferencing platforms that enable employees to work at home while remotely collaborating, took root from an idea to transmit images and audio over wire that was conceived by Bell Labs in the 1870s? Step by step, that idea became a reality over time, eventually giving rise to the smartphones and smartphone apps with video conferencing in the 2000’s, and then given a catalytic push in 2020 by the Coronavirus pandemic and the need for videoconferencing to allow workers to safely isolate while still conducting business remotely.

Similar to the evolution of videoconferencing, the development of the U.S. money rails has had a profound effect on the way we live and do business. I remember my mother saying how she thought the invention of the credit card was life-changing during her youth! In the U.S., the financial system has been relatively slow to evolve, but within the last 10 years it has picked up speed and there have been some amazing technological advances, such as Real Time Payments (RTP) and FedNow, the Federal Reserve’s version of RTP, which is on the cusp of being publicly rolled out. These newer payment rails, along with the convenience of modern payment methods – like PayPal, Venmo, Apple Pay and others – hold great promise for transforming the real estate and title insurance industries, and we want to share some special insights with you.

If you’d like to see where we’ve come from, and get a good idea of where we may be headed, then be sure to read the white paper, “Moving Money in a Real Estate Transaction.”

Composition of a young businessman sitting on top of a modern conference building. The businessman is larger than the building.

Title Underwriters: Why Bigger Isn’t Always Better

Ever have a client who was sure their transaction had to be written on a large underwriter? Hey, I get it. Clients are sometimes drawn to the big title insurers, assuming that there are benefits to partnering with a large organization. They may feel a smaller underwriter won’t be able to meet their needs, and the deal is just too large or important to leave anything to chance.

As an independent title agent, you know the importance of selecting a trustworthy, reliable, and responsive partner to provide title insurance for your clients. In this blog, we’ll dive into the features that matter most when selecting an underwriter, debunk some common myths, and show why bigger isn’t necessarily better when selecting a title insurer. First, let’s consider some of the reasons a client might ask you to ensure a transaction with one of the big guys to see if that request aligns with their interests or if they are simply following a common myth.

If I go with a big underwriter, won’t I get better coverage?

There’s a common misconception that the product of the title insurer – the title policy and endorsements – often varies meaningfully in the terms and coverage between underwriters. It’s just not so.

The truth is that generally the product is the same regardless of who underwrites the policy. In states where the forms are promulgated by law, the insurance regulator determines for the entire industry what language is acceptable, and what terms and conditions will be incorporated into their contracts. In states where the forms are not promulgated, most insurers use either the American Land Title Association forms, or the California Land Title Association forms, with little variation.

Basically, the policy will be the same or similar regardless of the underwriter.

If I go with a big underwriter, won’t I get a better rate?

At first glance, this seems like a very reasonable question. In some industries, larger companies have a natural pricing advantage. But in title insurance, it’s hard for an underwriter, no matter how large, to distinguish itself on rates. In states where the rates are promulgated, the insurance regulator decides what to charge and all insurers must follow the regulator’s set rates. Even in those states where regulators do not mandate rates, there may be a ratings bureau that files rates on behalf of its member insurers – which means that most, if not all insurers, will be offering the same rates. And, in those states where insurers file their own rates, they are typically competitive and therefore very similar.

So, the rates will be the same or similar, regardless of the underwriter.

If I have a claim, won’t a big underwriter be in a better position to pay?

Again, this question seems reasonable. Title claims can run into the millions of dollars on commercial properties, so a client might think a big underwriter naturally has more resources to pay claims compared to a smaller underwriter. However, two broad factors level the playing field when it comes to paying claims: state regulation and reinsurance.  

State regulators take great pains to protect the public by ensuring that title underwriters of all sizes have the resources to pay claims. Statutorily required reserves must be set aside to pay claims. Regulators carefully monitor the financial soundness of the insurers authorized to do business in their states, and title insurers submit both annual and quarterly financial statements. Title insurers have annual independent CPA audits and are subject to financial examination by the regulator, typically at least once every five years. This means that no matter the size of the insurer, there is a financial threshold that each insurer must meet to ensure its financial stability and continued operation. Moreover, many states have single risk limit formulas that cap the amount a title insurer may insure for a particular transaction risk without having to provide reinsurance.

When reinsurance is provided, there are essentially two insurers – the primary title insurer, and the reinsurer who stands behind the reinsured policy amount. So, while it’s true that a large title insurer may retain a larger dollar amount by itself as a single risk, a smaller title insurer utilizing reinsurance for that single risk is giving the insured two layers of financial security at no additional expense to the insured. A title insurer should be happy to provide you with information regarding its reinsurance, and as a customer or agent, you are entitled to ask for it.

At Alliant National, we reinsure high liability transactions up to $20 million with the Lloyd’s of London markets, and that’s one of the reasons we can confidently say: No title insurance underwriter can offer you better protection for your title risk than Alliant National.

So, if the policy and the price are similar, and the capability to pay claims is sound, what are the real differences between those big underwriters and a smaller underwriter like Alliant National? Moreover, what are the reasons a client might want to select Alliant National over a larger underwriter?

We Don’t Compete Against You For Customers

Alliant National does not compete against you for the customers in your market. Our sole focus is to support the independent title agent. Alliant National will never take a transaction or a customer from you. We strive to help you build better relationships with your customers, and to help you succeed.

Fast And Innovative Answers To Underwriting Questions

Underwriting delays put deals at risk. That’s bad for you and your clients. Sometimes big underwriters back-burner underwriting requests to service their company-owned title offices, and they sometimes provide “canned” or “by-the-book” responses when an underwriting challenge arises. Alliant National does not compete with its independent agents, so it’s able to put all of its underwriting resources to work for independent title agents and their clients. As a smaller underwriter, Alliant National also has the flexibility to find innovative solutions for you and your clients when underwriting challenges arise.

Less Friction

At larger underwriters, the agency and underwriting units can often be at odds with each other. There can also be communications breakdowns between corporate, regional, and state-based teams. At Alliant National, however, the absence of a multi-tier management structure gives our agency, underwriting and other teams the ability to work together closely and seamlessly. Everyone pulls in the same direction to deliver the best outcomes for our agents and their clients.

Real Service When Claims Emerge

We already discussed why the big underwriters generally are not “better” when it comes to the ability to pay claims. However, some big underwriters fall short when it comes to the claims process by making it seem like their goal is to pay no claims at all. At Alliant National, we have flipped the script when it comes to claims. We recognize that the claims department is where our title insurance product goes to work. We strive for timely and clear communication with insureds and agents, seeking first to understand the situation from all points of view. It’s a unique and collaborative approach to claims that agents and insureds value.

The Courage To Care When it comes to choosing an underwriter, it’s important to consider what really matters: finding a partner who prioritizes your needs and the needs of your clients. Unfortunately, larger underwriters may lack the flexibility and personal touch that independent agents and their clients require. Don’t get me wrong, there are a lot of great people working at large underwriters, but size can lead to conflicts, friction, and a lack of flexibility. At Alliant National, we pride ourselves on being able to deliver customized solutions that meet the goals of the real people behind each transaction. Whether it’s a multi-million-dollar commercial deal or a starter home for a young family, partnering with Alliant National means choosing a team that truly cares about you and your clients.

FTC Complying with the Safeguards Rule

FTC updates Safeguards Rule: here’s your overview

(Updated June 20, 2023)

The Federal Trade Commission (FTC) updated a key data security rule, and the changes will place new compliance requirements on nonbank financial institutions including title, escrow and settlement agents. Among other things, the Safeguards Rule amendments finalized in October 2021 require covered institutions to beef up their information security programs (ISPs). The changes are a response to widespread data breaches and attacks that have caused significant consumer harm in recent years, the FTC said.

Before discussing the changes, it may be helpful to review the state and federal compliance framework of which the Safeguards Rule is an important element.

GLBA, state law and the Safeguards Rule

The 1999 Gramm-Leach-Bliley Act (GLBA), codified as amended at 15 U.S.C. Chapter 94: Privacy, establishes basic privacy standards for “financial institutions,” including title insurers, title agents, and settlement/escrow agents. Unique in their role as third-party vendors to lenders, real estate settlement service providers also have a separate obligation to comply with the GLBA on behalf of the obligations owed by their lenders.

As long as states afford consumers the same or greater protection as GLBA, they can enact their own privacy laws, and they have all done so to different degrees and standards. Asserting their own authority, many states have privacy laws that substantially mirror GLBA, while others have their own, distinctive laws; and still others simply point to GLBA and mandate compliance with it. 

Typically, state privacy laws and the federal GLBA overlap in the following general categories of privacy protections:

  • Disclosure Protections consisting of a privacy notice, “Opt Out” or “Disclosure Authorization” notice, and limits on what types of disclosures of Nonpublic Personal Information (NPI) may be made by a nonaffiliated third party who receives the information from a “financial institution”;

  • Security Protections consisting of a written security program, including administrative, technical, and physical safeguards;

  • Security Breach Notification Requirements consisting of laws requiring a business to send out notice of any improper disclosure of NPI in its possession or control. 

The FTC’s Safeguards Rule (16 CFR Part 314) is one of the federal regulations that implements the GLBA by requiring a written security program. The rule provides “elements” in 16 CFR 314.4 to develop, implement, and maintain the ISP, including risk assessment, management and control, oversight of service providers, evaluation and adjustment. 

Rule changes

On Oct. 27, 2021, the FTC issued a news release announcing that the agency was updating the Safeguards Rule to provide better protection against breaches and cyberattacks; it includes a link to the publication of the final rule’s amendments in the Federal Register. The agency later posted a webpage to help businesses understand their compliance obligations under the rule.

There have been numerous newsletters and blog articles buzzing about the final rule’s new requirements. Davis Wright Tremain LLP has a particularly good blog that summarizes the key requirements of the final rule.

There is a lot to talk about, and while the amended final rule is much more prescriptive in its approach, it is also drafted to provide flexibility and clarity. In particular there are helpful suggestions and information about alternative security options for small businesses that may qualify for limited exemptions. It also makes it clear that the ISP is intended to protect information in both its digital and physical forms. 

The final rule contains tons of commentary, including discussion regarding stakeholder input and the commission’s rationale behind its final decisions. Some noteworthy highlights, as abbreviated, are:

  • designating a single, qualified individual as responsible for overseeing, implementing, and enforcing the ISP;
  • base the ISP on a written risk assessment which includes specific criteria described in the amendment;
  • designing and implementing safeguards, including:
    • access controls;
    • system inventory (i.e. knowing where the data is kept, and how everything is connected);
    • encryption;
    • secure development practices for in-house developed applications, and security assessments for externally developed applications (reference applications involving customer information);
    • multi-factor authentication; 
    • disposing of customer information which hasn’t been used for two years (unless required for a legitimate business purpose);
    • periodically reviewing record retention policies to minimize unnecessary retention of information;
    • change management procedures;
    • monitoring and logging user activity;
  • biannual vulnerability testing on information systems, and additional assessments when there is an elevated risk of new vulnerabilities (e.g. when there are material changes to operations or business arrangements, and those changes will have a material impact on the ISP);
  • implementing policies and procedures – which include training, updating, and verification requirements – and ensuring qualified personnel are available to enact the ISP;
  • overseeing service providers, requiring them by contract to implement and maintain appropriate safeguards;
  • evaluate and adjust the ISP due to circumstances which may have a material impact upon it;
  • establish a written incident response plan which addresses specific areas described in the amendment;
  • required regular reporting, in writing, by the qualified individual – at least annually – to the board of directors, or to a senior officer (when there is no board of directors) responsible for the ISP, concerning 1) the overall status of the ISP and its compliance with the final rule; and 2) material matters related to the ISP; and
  • exemptions for financial institutions which handle the information of fewer than 5,000 customers, from the requirements of (referring to sections of 16 CFR Part 314, as amended by the final rule):
    • 314.4(b)(1) – a written risk assessment
    • 314.4(d)(2) – continuous monitoring or annual penetration testing and biannual vulnerability assessment
    • 314.4(h) – a written incident response plan
    • 314.4(i) – an annual report by the Qualified Individual

Effective dates

The FTC is phasing implementation of the final rule, with certain parts having already taken effect Jan. 10, 2022. Other rule provisions that had been scheduled to take effect Dec. 9, 2022, were delayed six months to June 9, 2023 as announced in the Federal Register’s Supplementary Information. Provisions taking effect June 9 included (referring to sections of 16 CFR Part 314, as amended by the final rule):

  • 314.4(a) – appointment of a qualified individual
  • 314.4(b)(1) – conducting a written risk assessment
  • 314.4(c)(1)-(8) new elements of the ISP
  • 314.4(d)(2) – continuous monitoring or annual penetration testing and biannual vulnerability assessment
  • 314.4(e) – training for personnel
  • 314.4(f)(3) – periodic assessment of service providers
  • 314.4(h) – a written incident response plan
  • 314.4(i) – annual written reports from the qualified individual

This article is for informational purposes and does not contain or convey legal advice. Any opinions, or perceived opinions, are strictly those of the authors and should not be construed as legal advice or a legal opinion. Consultation with an attorney for specific advice based upon the reader’s situation is recommended.

This blog contains general information only, not intended to be relied upon as, nor a substitute for, specific professional advice. We accept no responsibility for loss occasioned to any purpose acting on or refraining from action as a result of any material on this blog.

Let's Connect

Discover more stories and conversations on our social media networks,
or drop us a line on our contact page.


The Independent Underwriter for
the Independent AgentSM