The Federal Trade Commission (FTC) is updating a key data security rule, and the changes will place new compliance requirements on nonbank financial institutions including title, escrow and settlement agents. Among other things, the Safeguards Rule amendments finalized October 27 will require covered institutions to beef up their information security programs (ISPs). The changes are a response to widespread data breaches and attacks that have caused significant consumer harm in recent years, the FTC said.
Before surveying the changes, it may be helpful to review the state and federal compliance framework of which the Safeguards Rule is an important element.
GLBA, state law and the Safeguards Rule
The 1999 Gramm-Leach-Bliley Act (GLBA), codified as amended at 15 U.S.C. Chapter 94: Privacy, establishes basic privacy standards for “financial institutions,” including title insurers, title agents, and settlement/escrow agents. Unique in their role as third-party vendors to lenders, real estate settlement service providers also have a separate obligation to comply with the GLBA that derives from the obligations their lenders owe.
As long as states afford consumers the same or greater protection as GLBA, they can enact their own privacy laws, and they have all done so to different degrees and standards. Asserting their own authority, many states have privacy laws that substantially mirror GLBA, while others have their own, distinctive laws; and still others simply point to GLBA and mandate compliance with it.
Typically, state privacy laws and the federal GLBA overlap in the following general categories of privacy protections:
- Disclosure Protections consisting of a privacy notice, “Opt Out” or “Disclosure Authorization” notice, and limits on what types of disclosures of Nonpublic Personal Information (NPI) may be made by a nonaffiliated third party who receives the information from a “financial institution”;
- Security Protections consisting of a written security program, including administrative, technical and physical safeguards;
- Security Breach Notification Requirements consisting of laws requiring a business to send out notice of any improper disclosure of NPI in its possession or control.
The FTC’s Safeguards Rule (16 CFR Part 314) is one of the federal regulations that implements the GLBA by requiring a written security program; the FTC offers guidance on its website regarding compliance with the “Safeguards Rule.” The rule provides “elements” in 16 CFR 314.4 to develop, implement, and maintain the Information Security Program (ISP), including risk assessment, management and control, oversight of service providers, and evaluation and adjustment.
On October 27, 2021, the FTC issued a news release announcing that the agency was updating the Safeguards Rule to provide better protection against breaches and cyberattacks; it includes a link to the Final Rule containing the amendments (beginning on page 123) and the proposed text of what you can expect to see upon publication in the Federal Register.
In recent days, numerous newsletters and blog articles have been buzzing about the final rule’s new requirements. Davis Wright Tremaine LLP has a particularly good blog post that summarizes the key requirements of the final rule.
There is a lot to talk about, and while the amended final rule is much more prescriptive in its approach, it is also drafted to provide flexibility and clarity. In particular, there are helpful suggestions and information about alternative security options for small businesses that may qualify for the limited exemptions discussed below. It also makes clear that the ISP is intended to protect information in both its digital and physical forms.
The final rule contains tons of commentary, including discussion regarding stakeholder input and the commission’s rationale behind its final decisions. Some noteworthy highlights, as abbreviated, are:
- designating a single, Qualified Individual as responsible for overseeing, implementing, and enforcing the ISP;
- basing the ISP on a written risk assessment that includes specific criteria described in the amendment;
- designing and implementing safeguards, including:
  - system inventory (i.e., knowing where the data is kept and how everything is connected);
  - secure development practices for in-house developed applications, and security assessments for externally developed applications (referring to applications involving customer information);
  - multi-factor authentication;
  - disposing of customer information that hasn’t been used for two years (unless required for a legitimate business purpose);
  - periodically reviewing record retention policies to minimize unnecessary retention of information;
  - change management procedures;
  - monitoring and logging user activity;
  - biannual vulnerability testing on information systems, and additional assessments when there is an elevated risk of new vulnerabilities (e.g., when there are material changes to operations or business arrangements that will have a material impact on the ISP);
- implementing policies and procedures – which include training, updating, and verification requirements – and ensuring qualified personnel are available to enact the ISP;
- overseeing service providers, requiring them by contract to implement and maintain appropriate safeguards;
- evaluating and adjusting the ISP in response to circumstances that may have a material impact upon it;
- establishing a written incident response plan that addresses specific areas described in the amendment;
- requiring regular reporting, in writing, by the Qualified Individual – at least annually – to the board of directors, or to a senior officer (when there is no board of directors) responsible for the ISP, concerning 1) the overall status of the ISP and its compliance with the final rule; and 2) material matters related to the ISP; and
- exemptions for financial institutions that handle the information of fewer than 5,000 customers from the requirements of (referring to sections of 16 CFR Part 314, as amended by the final rule):
  - 314.4(b)(1) – a written risk assessment
  - 314.4(d)(2) – continuous monitoring or annual penetration testing and biannual vulnerability assessment
  - 314.4(h) – a written incident response plan
  - 314.4(i) – an annual report by the Qualified Individual
The anticipated date of publication in the Federal Register is not yet known, but that date will control the effective date(s) of the amendments. The effective date is one year after the publication for the following amendment provisions (referring to sections of 16 CFR Part 314, as amended by the final rule):
- 314.4(a) – appointment of a qualified individual
- 314.4(b)(1) – conducting a written risk assessment
- 314.4(c)(1)-(8) – new elements of the ISP
- 314.4(d)(2) – continuous monitoring or annual penetration testing and biannual vulnerability assessment
- 314.4(e) – training for personnel
- 314.4(f)(3) – periodic assessment of service providers
- 314.4(h) – a written incident response plan
- 314.4(i) – annual written reports from the qualified individual
The remainder of the final rule’s amendments are effective 30 days after publication in the Federal Register.
This article is for informational purposes and does not contain or convey legal advice. Any opinions, or perceived opinions, are strictly those of the authors and should not be construed as legal advice or a legal opinion. Consultation with an attorney for specific advice based upon the reader’s situation is recommended.
Extend your security bubble further than your business’s front door.
Managing cybersecurity risk is an arduous task for any organization, one that becomes even more challenging when trying to extend your security to vendor relationships. However, it has never been more important. Not only are cyber threats on the rise, but the U.S. Securities and Exchange Commission (SEC) made ensuring operational resiliency and information security one of its 2021 priorities.
Thankfully, last year the agency published a report on the due diligence companies should practice when dealing with vendor relationships. Covering the monitoring of vendors, contracts, customer information policies and other issues, the guidance provides much-needed advice for these complex business partnerships. Let’s explore some of its main tips, takeaways and findings for addressing security concerns with your vendors.
Why Does Information Security and Operational Resiliency Matter?
According to the SEC’s 2021 Examination Priorities report, breaches in information security can in fact “have consequences that extend well beyond [a] firm,” adversely impacting “other market participants.” The report further explains that, due to the radical increase in remote operations in response to the COVID-19 pandemic, cybersecurity concerns have been elevated further, requiring closer scrutiny of endpoint security, data loss, remote access, use of third-party communication systems and, of course, vendor management.
Understand Your Liability
It is a common misconception that if your vendor experiences a data leak, the onus is on them. Not true. State laws typically lay responsibility at the feet of the entity that collected the customer information in the first place. They usually limit vendor requirements to informing you that a data breach or hack has occurred. To safeguard yourself and your business, ensure that your vendor contracts explicitly detail how your customers’ data needs to be handled, what to do in the event of a breach and the expected timeline for dealing with any disruptions.
Vendor Management Programs
You likely already have some experience working with vendors, as well as an understanding of how time consuming such relationships can be. Unsurprisingly, adding cybersecurity to the mix creates an additional layer of risk that needs to be managed. Establishing a program that addresses security concerns and expectations at the beginning of the working relationship can help. This program should cover safeguards, how to evaluate vendors, independent audits and processes for terminating and/or replacing vendors.
Understanding and Monitoring Vendor Relationships
One positive finding from the SEC is that many advisers and their personnel already demonstrate a clear understanding of privacy and cybersecurity contract terms. Furthermore, these advisers display an awareness of the risks inherent to outsourcing work to vendors and best practices for limiting such risks. One way that companies accomplish this is through continuous monitoring of vendor relationships, making sure to stay apprised of any changes in the vendor’s services or personnel.
Despite this good news, firms cannot simply assume that their data protection policies are fully up to snuff, nor rest on their laurels. Instead, they must treat vendor security as an ongoing, habitual process.
As the SEC noted, designing a vendor management program is a great place to start. Then, be sure to implement it. Build security requirements into your initial vendor contracts and make them as specific as possible. Run regular security audits, using questionnaires if necessary to rigorously evaluate your vendor’s security practices. You can also demand system and organization controls (SOC) for any vendor you choose to work with, requiring them to conduct a SOC for cybersecurity audit on an annual basis. Lastly, you and your company should be performing access and security reviews daily, always staying vigilant for unusual activity.
The hard truth is that, in our digital-first world, we all must work a bit harder to stay safe online and protect the integrity of our customers’ data. But by doing so, you will have a more resilient organization and satisfied client base.
The Future is Here; Let’s Embrace It
The adoption and implementation of remote online notarization (RON) received a tremendous boost during the COVID-19 pandemic. Buyers, sellers and title agents are looking to close transactions in the safest way possible. According to the American Land Title Association (ALTA), “Forty-eight states and the District of Columbia have either passed a RON law or issued an executive order pertaining to remotely notarizing documents. Some have done both.”
In December of 2020, ALTA reported that RON use had increased 547 percent during the year compared to 2019. If you are a “Star Trek” fan, the lightning-fast adoption of RON – as well as alternative remote closing methods such as Remote Ink-Signed Notarization (RIN) – has felt like the title industry has gone from cruising to warp speed in a nanosecond. It can even feel tempting to utter one of the show’s classic lines like “Beam me up, Scotty!” when thinking about such transformative change.
But let us back up a bit. As the automobile was invented and became a commonplace form of transportation, society built an accompanying infrastructure – including roads, highways, bridges and tunnels. The same is needed for RON. However, it takes time to develop secure and accessible technology that everyone can use. It requires effort to garner the acceptance of the county recorders who must be ready, willing and able to record native electronic instruments. Creating uniform laws to ensure interstate legal recognition and consumer confidence is also no easy matter.
Properly building out RON infrastructure necessitates the continuous collaboration of numerous parties, including individuals, industries and organizations. For example, MISMO, the Mortgage Industry Standards Maintenance Organization, has been working on standards concerning credential analysis, borrower identification, audio-visual requirements (including the recording of the electronic notarization process) and audit trails. PRIA, the Property Record Industry Association, has been developing national standards and best practices for the land records industry. ALTA and the Mortgage Bankers Association (MBA) have also joined forces to establish model RON legislation. Finally, there are numerous other stakeholders not identified here who have been, and are, working tirelessly to enable the requisite RON infrastructure.
Currently, the federal Senate bill (SB) 3533, the Securing and Enabling Commerce Using Remote and Electronic Notarization Act of 2020 (otherwise known as the SECURE Notarization Act), is pending. If passed in 2021, the SECURE Notarization Act will permit RON across the nation and provide for minimum standards and interstate recognition. To track the progress of the SECURE Notarization Act, follow SB 3533.
Another good resource for tracking the evolution of RON is the DLA Piper financial services alert, which is constantly updated. You can also subscribe to their mailing list to receive alerts via email.
During this time of rapid transition, it is important to keep abreast of the latest RON developments, to “boldly go” forth and not end up like another classic science fiction show: “Lost in Space.”
The future is here; let’s embrace it!
We break down a complicated process by describing the five main components of the Digital Closing Process.
Remote Online Notarization (RON) started making headlines several years ago but was slow to catch on because, frankly, it didn’t really seem necessary. Then, we could all gather in the closing office and sign with paper and pen, and the technology was new and a little scary. It was like a “big black box.” Few understood how the technology worked, and most approached RON as a convenience for the few people who perhaps couldn’t easily get to the closing office. Articles were written, webinars were presented, legislation moved forward piecemeal, but since RON was considered only a “nice to have” option, there was no widespread incentive to embrace it. It would be understood and adopted over time.
Well, “TIMES” HAVE CHANGED!
We are NOW in the midst of a national pandemic. States are issuing “shelter in place” orders; the federal government is urging people to stay at home; and we’re afraid of getting too close to one another lest we expose ourselves or someone else to the COVID-19 virus. The nation is at home and unable to conduct business as usual.
The real estate, title, and financial industries are a cornerstone of our economy. Our businesses are essential to our country’s entire system of trade, exchange, and consumption of resources. So how do we continue with our business without the need for physical contact? In states where we can, one way is to turn to RON, which enables us to conduct closings remotely. Consumers can go online and execute documents electronically while the closer and notary are located elsewhere.
Many states have recognized RON’s potential as a solution and enacted legislation. There are currently extensive, ongoing efforts to legalize RON across the nation through federal legislation. However, legalizing RON is not enough, because RON requires the efforts of many stakeholders to be successful. We all have to work together and be “on the same page.” Do you know what happens before or after you do your part in the Digital Closing Process?
Alliant National’s new Components of a Digital Closing series was created to give people a common understanding of both in-person electronic closings and remote digital closings facilitated by RON. We produced this series of handbooks to demystify the process – eliminate that “black box” – and provide readers with the “big picture” of how it all works. There are a lot of moving pieces and a lot of players who must come together (hence the “eCollaboration” component of the series) to create the infrastructure needed for the successful adoption and implementation of Digital Closings. Our series of handbooks shows how the Digital Closing Process works from beginning to end.
To break down a complicated process, we’ve described five main components of the Digital Closing Process in this series of articles as:
- eSign = electronic signing or electronic
- eNotary = electronic notary or electronic
- eRecording = electronic recording
- eVault/eNote = electronic vault and electronic
- eCollaboration = electronic collaboration
It all begins with eSign and expands from there. The advent of recognizing an electronic signature as legally enforceable led to electronic notarization – after all, an electronic notary (and the principals and witnesses) must be able to electronically sign documents. Then, that electronically executed and notarized digital deed, mortgage or deed of trust must be recorded in the public records, so electronic recording (or the acceptance of “papering out” as discussed in the article on eRecording) must be available, or all is for naught! And what about the electronic note? Well, there is a system set up to facilitate the creation, transfer and sale of eNotes through the use of an electronic vault.
Within each article, we explain what the component is or does; we discuss its history or describe its legal evolution; we provide links to other articles or resources on the subject; and we provide a technological
The current health crisis presents many challenges for our industry, but it also represents a unique opportunity to implement technologies that will ultimately make the real estate transaction safer and more efficient than it has been in the past.
It is our hope that you will find Alliant National’s Components of a Digital Closing series to be a comprehensive, ready reference as the industry transitions toward the digital closing environment.
Interest in digital closings is surging, and Alliant National is committed to making sure you stay ahead of the curve.
Today, we’re releasing to our agents a new series of handbooks exploring the elements and principles of
Extensively researched and content-rich, Alliant National’s Components of a Digital Closing series demystifies the Digital Closing Process and its five major components: eSign, eNotary, eNote/eVault, eRecording and eCollaboration. Each handbook in this series explores one component. The purpose of the component is briefly described and placed within the context of the broader Digital Closing Process. Laws, regulations, technological requirements and specific technologies are discussed where appropriate.
This collection is designed to be a comprehensive, ready reference as the industry transitions toward the digital closing environment.