man peering over a desk with the words "who you gonna call?"

Data Breach Prep: Texas

When a data breach occurs, it’s an intense, frightening moment. Who you ‘gonna call? Ghostbusters aren’t the ones for this job, so the best way to make the specter of a breach less scary is to have an incident response plan in place; to know what your legal and regulatory requirements are; and to have the contact information that you need close at hand.

While this new series of blogs is not intended to provide legal advice, it is intended to provide you with recommendations for resources that may be useful; to increase awareness regarding notification and reporting requirements; and to provide helpful notification contact information, unique to each state. In each issue, we will present you with contact information regarding a different state in which Alliant National is licensed, and in which you may be its appointed agent. It is up to you to make sure that you know when to use these contacts – either because you are legally required to do so, or because you have optionally decided to provide notification. Lastly, for our legal disclaimers, we’ve made our best efforts to acquire the correct and current contact information, but we can make no guarantees as to its accuracy or that the information will not change over time.

Understanding State Reporting Responsibilities

There are two kinds of laws that impact your reporting responsibilities: (1) state data breach notification laws that generally apply to all entities who “own” data, and (2) insurance data security laws that apply to those who are regulated for doing the business of insurance. A great summary of the state data breach notification laws is published quarterly by the law firm of Foley & Lardner. Another useful resource for tracking both the state data breach notification laws and the insurance data security laws is a tool published by the law firm of Lewis & Brisbois

Now that we’ve discussed both the general and insurance data breach notification laws, please be aware that sometimes notification requirements derive from other sources, including statutes which are not labeled as Insurance Data Security Laws (or which don’t even fall under the category of such laws), and bulletins issued by insurance regulators.

State data breach notification laws vary from state to state and may have some exemptions which apply to you, but often include the following common components:

  • Notification to affected state residents without unreasonable delay.
  • Notification to certain agencies, including state attorneys general and/or consumer reporting agencies under certain circumstances.

The variances are quite considerable and include (but are not limited to) how (e.g. by what method) to give notice, permitted delays when a law enforcement agency investigation is pending, timing of the notice, what particular information is required information to be provided, and record retention.

Consumer Reporting Agency Notification

For your convenience, when these laws do require notification to Consumer Reporting Agencies, the following information may be helpful to you:

Common Notification Requirements

Insurance Data Security Laws also vary from state to state and may have some exemptions that apply to you (typically based upon the size of the licensee, its year-end total assets, and its gross annual revenue), so, again, be sure to check your state’s specific requirements. However, these laws generally include the following common notification components:

  • Notification to the insurance commissioner of the cybersecurity event (usually within three days in most states).
  • Notification to affected state residents without unreasonable delay.
    • But if you’ve had a breach and determined that notice is not required (according to the state law or other authority), then typically that determination is required to be documented in writing and retained for at least five (5) years.
  • Notification (usually within 10 days) to a covered third-party (such as your *title insurance underwriter) when you have determined or believe that a breach occurred.
    *(for Alliant National Title, you can contact Elyce Schweitzer, Regulatory Compliance Officer, at eschweitzer@alliantnational.com)

Texas Notification Requirements And Contact Information  

Contact Information Pursuant to State Data Breach Notification LawsContact Information Pursuant to Insurance Data Security Laws (or Pursuant to Other Authority Requiring Notice to Regulator)
Tex. Bus. & Com. Code §§ 521.002, 521.053, 521.151-152 (these are all sections of the Identity Theft Enforcement and Protection Act but note that Tex. Bus. & Com. Code § 521.053 is the statute pertaining to actual notification / reporting requirements).   When breach affects ≥ 250 residents, notify: * TX Attorney General whose informational webpage for data breach reporting is  https://texasattorneygeneral.gov/consumer-protection/data-breach-reporting; from there, access online data breach reporting form at https://oag.my.site.com/datasecuritybreachreport/s/   When breach affects > 10,000 residents, notify: *Consumer Reporting Agencies (see contact information provided above)No Insurance Data Security Law.  However, Commissioner’s Bulletin #B-0009-23 requires data breach reporting to the Texas Department of Insurance (TDI):   *For all other regulated entities and individuals (besides domestic insurance companies and HMOs), send breach notices to CyberReporting@tdi.texas.gov.
dark photo of a disheveled man in a business suit standing next to washing machines that are laundering money

Beyond GTOs: FinCEN Proposes Expansion Of Industry Reporting Requirements

The U.S. Department of the Treasury’s Financial Crimes Enforcement Network (FinCEN) issued a Notice of Proposed Rulemaking (NPRM) on Feb. 7 to expand its efforts on a permanent basis to combat and deter money laundering through the residential real estate sector.

According to the FinCEN announcement, the proposed rule would require professionals involved in real estate closings and settlements to report information to FinCEN about non-financed transfers of residential real estate to legal entities and trusts.

“Illicit actors are exploiting the U.S. residential real estate market to launder and hide the proceeds of serious crimes with anonymity, while law-abiding Americans bear the cost of inflated housing prices,” said FinCEN Director Andrea Gacki. “Today marks an important step toward not only curbing abuse of the U.S. residential real estate sector but safeguarding our economic and national security.”

Expansion of GTO efforts

Since 2016, FinCEN has issued multiple Geographic Targeting Orders (GTOs) requiring title insurance companies to file reports on all-cash purchases having specific dollar thresholds in designated geographic areas. These GTOs last for six months at a time. The most recent GTO was issued in October 2023 and expanded the list of affected venues.

According to FinCEN’s proposed rule, expanded reporting requirements would apply on a permanent basis across the entire country, without limit to specific geographic locations or a dollar threshold. The agency will accept comments on the new proposed rule for a 60-day period following its publication in the Federal Register, scheduled for Feb. 16. According to the American Land Title Association’s (ALTA) blog of Feb. 8, FinCEN has proposed that the final rule become effective one year after it is issued.

“We are still reviewing the proposed rule and will work to ensure that FinCEN considers the information they are collecting under the new Beneficial Ownership rule, among other things, so as not to be unnecessarily duplicative and also provide clarity regarding the obligations of all real estate parties under the rule,” said Diane Tomb, ALTA’s chief executive officer. “We also appreciate, and intend to continue, the ongoing dialogue with FinCEN to craft a tailored approach limiting the transactions that must be reported to those of the greatest concern and providing avenues to help reduce the compliance burden on title and settlement companies.”

Proposed reporting structure

The proposed rule would require reporting on transfers of single-family houses, townhouses, condominiums, and cooperatives, as well as buildings designed for occupancy by one to four families. Going a step beyond the GTOs, it would also require reporting on transfers of vacant or unimproved land that is zoned, or for which a permit has been issued, for occupancy by one to four families.  Furthermore, both purchasing entities and transferee trusts are reportable unless a specific exception is applicable.

ALTA’s Feb. 8 blog summarizes reportable information under the proposed rule to include (but is not limited to) the following:

  • Name, address and taxpayer identification number (TIN) for the transferee and transferor.
  • Beneficial owner information for the transferee and anyone signing the transfer documents. (names, date of birth, addresses and TINs for those individuals).
  • Name, DOB, address and TIN for all transferors on title or the beneficial owners if the seller is an entity.
  • Address and legal description of the property.
  • information about the payments made by or on behalf of the transferee.
  • Information about any hard money or other lender not subject to anti-money laundering rules. That participated in the deal.
  • Individuals representing the transferee entity or transferee trust.
  • The business filing the report.

For a more detailed summary of requirements and exceptions under the proposed rule, please see the  Fact Sheet published by FinCEN. At Alliant National, we are committed to keeping you updated on legislation and regulations that affect your business. Stay tuned for more, as the comment period progresses.

foreboding cyborg

AI Safety For Small Business

The rapid rise of AI in business sometimes evokes memories of the 1984 sci-fi classic The Terminator, and particularly its description of a technology that “can’t be reasoned with,” “can’t be bargained with,” and which “will not stop, ever” until it completes its mission.

We’re obviously a long way off from cyborgs, but all signs indicate that AI’s march forward will inevitably disrupt the way people work in our industry. This disruption will come − ready or not. Fostering a culture of adaptability will be important as we position our teams to capitalize on tomorrow’s opportunities. The good news is that, with appropriate safeguards in place, people can work in parallel with AI to radically increase productivity. Let’s discuss some steps you can take to keep people, processes and data safe as you consider AI use in your business.  

AI: Amazing promise with potential pitfalls

You have likely already dipped your toe into applications like Chat GPT and Google Bard, and you’ve probably been amazed by the results. Leveraging sophisticated language models, these applications have an uncanny ability to understand user input and to generate responses that mimic human communication. End users have put these tools to work generating content, conducting research, designing graphics and even producing full application and website code.  

The ChatGPTs of the world are undoubtedly marvels of engineering, but using these programs without restraint may imperil sensitive consumer and company data. Moreover, AI models are not an exact science, with research pointing to how outputs are often marred by programmer bias and inaccurate information. Finally, relying on AI-generated code without additional review can cause problems with your website or other digital real estate. Safe to say, it is wise to proceed with caution.             

Cover your bases

So how then can you unleash AI’s power while maintaining your security posture? I wish I could say there was a silver bullet, but in reality, it requires a multi-prong security approach. Here are some areas to consider when developing a plan your business:

  • Information classification and hierarchy: A great place for title agencies to begin is to build a classification hierarchy for the data held within your corporate ecosystem. Apart from our consideration of AI, a classification system like can be deeply important for risk management and creating customized data controls. Once you have this in place, it is much easier to instruct your team regarding the types of data that can be used within an AI system and what must be kept sequestered.
  • End user education: Unless you have extensive experience with language models, it can be difficult to understand how AI applications work and how to use them safely. Seeking out resources and training can be an important step toward making the most of specific AI tools while still adhering to corporate policies and procedures.
  • Incident response: This is a standard part of your typical cybersecurity plan. Designed to encompass all actions your organization will take in the event of data breach or other security problem, it is advisable to expand your incident response plan to also include AI. That way, you will be able to execute efficiently in the event of an issue and mitigate potential negative impacts.

  • Compliance and regulations: Given the rapid rise of AI, it’s not surprising that lawmakers and regulators have lagged in their attempts to address the potential negative consequences of these new technologies. But you can bet regulation is coming.Considering the large volume of personal data title professionals deal with every day, it is enormously important to stay apprised of regulatory developments so you can respond appropriately and remain compliant.

AI will be back, but we can be ready

Easily one of the most memorable quotes from The Terminator comes when Arnold Schwarzenegger remarks in a complete deadpan, “I’ll be back.” This iconic line also describes where we currently are with the AI revolution. When ChatGPT was released on November 30, 2022, it was lauded as a revolution in the modern workforce. While some of that early hoopla has now died down, there is no doubt that the AI will come roaring back as it continues to integrate into our workflows. The only real question is whether we will be ready to deploy future iterations of this technology to maximize efficiency without sacrificing safety. By updating your security plan now, you will be better positioned to embrace AI advancements, ensuring a balance between technological progress and cybersecurity.

mail flying with people giving it a "thumbs-up"

Why “Affirmative Consent” Matters In Email Marketing

Developing and launching an email campaign requires several steps. One of the most important is “affirmative consent”: the process of gaining explicit permission from your audience before you send them messages. By not fulfilling the requirements of affirmative consent, you run the risk of annoying your email recipients at best to violating compliance requirements at worst. Let’s talk about how you can gain this consent from your audience.

Demystifying affirmative consent

What does affirmative consent need to look like in practice? Primarily, it needs to be unambiguous. Affirmative consent consists of your recipient taking a clear, direct action to indicate that they want to receive further contact from you. Examples include checking a box, filling out an online form or putting a name and an email down on a contact sheet.

Self-serve subscriptions

Another part of affirmative consent is making it clear to your audience what they are signing up for. To do this, create a self-serve subscription page that people can navigate to and opt into the different types of messaging that you offer. Specify, in detail, what the mailing is and how often they should expect to receive it. You will also want to add a link to your data privacy page and instructions on how to opt-out.

Opt-out pages

Speaking of opt-outs, it’s important to have a page where your audience can go if they no longer want to receive communications from your agency. Here are some best practices:

  • Clarity and brevity: Get to the point as quickly as possible by listing how people can end their subscription to your email marketing.
  • Tailored options: You can provide the option for your readers to modify the type of content they are subscribed to and how often they receive it.
  • Automate where possible: Use your email software to set up an automated confirmation email that is sent to those who successfully unsubscribe. You should also automate the opt-out logging process. Recording and maintaining a history of opt-outs is an important part of CAN-SPAM Act compliance.

For additional guidance on setting up trigger emails, check out these resources from major marketing providers like MailChimp and Constant Contact.

Why it all matters

The consequences of not gaining affirmative consent are significant. They can range from getting banned from the inboxes of potential leads to receiving CAN-SPAM fines to the tune of over $50,000 per email.

Even if you set aside the consequences, however, you still would not want to start blasting emails to folks who have not given you permission. Why? It just isn’t very effective. Email marketing success hinges on sending the right messages to the right people at the right time. Emailing people who don’t want to hear from you probably won’t pay off. In the end, all it will do is alienate a potential audience.

The tortoise and the hare

In the story of the tortoise and the hare, we get a timeless lesson on the virtue of going slow and steady to win the race. That same idea holds true for email marketing.

While it can be tempting to send mass emails to any contacts you have, you simply shouldn’t do it. Instead, work toward gaining affirmative consent by building out the right infrastructure like subscription centers and opt-out pages. You’ll be glad you did once you start seeing improved results.

To learn more about email marketing compliance, check out our recent blog.

Crime watch banner above a picture of Florida's Cherie Breitenbecker and Gina Preston Brick City and Alliant National's Chris Yates.

Fraud Busting with Brick City Title

Brick City Title, a full-service title insurance agency, is a loyal member of the Ocala, Florida, business community and dedicated to protecting the integrity of its customers’ transactions. This commitment served them well recently when a fraudulent transaction came across the desks of two of the agency’s title professionals. By working together and proactively communicating with other transaction stakeholders, the agency foiled the fraudster and received recognition through Alliant National’s crime watch program, which offers a $1,000 reward to agents who help prevent a fraudulent transaction from closing.

A suspicious package

When the package first arrived from the buyer, Brick City Title’s Gina Preston and Cherie Breitenbecker felt like it was a step in the right direction. For some time, their agency had been attempting to collect a deposit from a cash buyer of a residential property who claimed to be conducting the deal through a trust.

Any positive feelings quickly dissipated, however, once they opened the parcel. While the sales contract for the transaction was included, there was no form of currency. Instead, the buyer had tucked several postal stamps inside the package.

Alarm bells

Naturally, receiving such a bizarre item immediately set off alarm bells for Preston and Breitenbecker, especially since Brick City Title had repeatedly clarified to the buyer about which forms of payment the agency could accept. “If we feel or suspect anything unusual, we dig into available resources to resolve any possible fraudulent dealings,” said Preston, reflecting upon the incident. The next step for both professionals was to get on the horn to the buyer’s agent and reiterate which forms of payment were permissible – including a bank wire or a cashier’s check. A three-way call between the agent, Brick City Title and the buyer followed shortly after.

Any title agent who has been in Preston’s and Breitenbecker’s shoes will likely be able to predict what happened next. The buyer was incensed about being called out for the package and that Brick City Title was asking for more information about the trust involved in executing the transaction. After some back and forth, the buyer clammed up and ended the call. Preston, Breitenbecker and Brick City Title then took stock of what happened. A consensus quickly emerged that the whole transaction was highly suspect. The experience of other parties in the transaction further supported this view, with both the agent and seller having their own misgivings about the buyer’s behavior and demeanor.

The final step taken was to send the transaction materials to Alliant National and to subsequently cancel the transaction – much to the relief of all involved. “The seller wasn’t surprised this buyer was fraudulent,” said Preston when discussing the aftermath, “and was glad that we uncovered what we found and cancelled the transaction so that [they] could move on.”

Lessons learned

As with any fraudulent transaction, the experience of Brick City Title provides important takeaways. It showcases how agents must not only adhere to their companies’ policies and procedures but also follow their gut instincts. In this case, the buyer’s behavior alone was a clear red flag. “I had a couple of conversations with the buyer and the conversations were not pleasant,” Preston explained. “This person had a very demanding and insulting demeanor which put me on guard.” Brick City Title’s experience also highlights how successful anti-fraud efforts are bigger than the actions of a single party. Instead, having a strong working relationship with every transaction stakeholder is the key to safe and secure transactions.

Through interfacing with its partners in the transaction, Brick City Title gained additional information that backed up their original assessment. The transaction was indeed fraudulent, and the way it was prevented is an essential reminder of how stopping fraud requires all hands on-deck.

Learn more about Alliant National’s crime watch program.

Let's Connect

Discover more stories and conversations on our social media networks,
or drop us a line on our contact page.


The Independent Underwriter for
the Independent AgentSM