Gaining leads is thrilling. It means that something you’ve been doing has worked; and hey, that feels pretty good. But before you market to your leads, it’s best to step back and ensure you are compliant with all relevant regulations and guidelines.
What is a lead?
What exactly is a lead? Basically, a lead is any individual who may have an interest in your products or services. Leads can be broken down into subcategories:
Hot leads – A hot lead has significant awareness of your company and is likely ready to make a purchase.
Cold leads – A cold lead has shown little to no interest in your company.
Qualified leads – A qualified lead has not only expressed interest in your company but has characteristics that align with your buyer personas.
Businesses collect leads through their various marketing channels, and once you gain them, it can be tempting to immediately launch into aggressive marketing campaigns. However, it’s important to consider the rules and best practices governing lead communication.
Tread carefully with email
Marketers must adhere to regulations prior to pushing out commercial messages in a digital context, the most pertinent being the CAN-SPAM Act.
Enacted in 2003 at the dawn of Web 2.0, CAN-SPAM is most associated with email communications and includes several provisions:
Don’t harvest – It is never wise to buy bulk lists or collect email addresses from websites for the purpose of mass emailing. It is true that there is no real “opt-in” feature to CAN-SPAM. Unfortunately, when you mass email a list, you run the risk of mailing someone who has already opted out of your communications,[i] which could result in a violation of over $50,000 for every single email.[ii] Other potential consequences include getting banned from your lead’s email inbox or even from your email marketing software itself.
Affirmative consent – Because of the problems inherent in sending out mass messages to large, unverified lists, many marketers pursue what is known as “affirmative consent.” Getting explicit consent from your contacts means they have articulated a desire to receive marketing messages from you.
Clearly identify yourself – All email communications from a commercial party should be clearly labeled as such. Emails must list your company’s physical address and the headline should mesh with its body content. Lastly, fields like the “From” field need to be accurate and align with the sender’s identity.
Allow them to opt out – You are required to give your email recipients a clear, digital-based way to stop receiving communications from you. Under the CAN-SPAM law, you need to also process opt-outs in 10 days or less.
Compliance must be comprehensive – All of the requirements we’ve just discussed also extend to any vendors or third-party providers.
What about social?
For years now, marketers have also wondered whether the CAN-SPAM law also applies to social media communications. While mostly designed to govern email messages, some federal court cases have interpreted the scope of the law to also include social media platforms.[iii]
Even if direct solicitation on social media won’t necessarily result in CAN-SPAM trouble, it is wise to emulate the statute’s spirit:
Be transparent – Do not try to hide who you are on social or attempt to obfuscate the reasons for contacting someone.
Adhere to platform rules – Each social media network has its own community guidelines and site rules. Before engaging in any direct messaging, familiarize yourself with any relevant codes of conduct to avoid being banned.
Respect consumer privacy – Many social media platforms allow users some control over how their data is used, who can contact them on the site, and which parts of their profiles are publicly available. Be on the lookout for any signs that your messages won’t be received well and act accordingly. For example, if you are thinking about contacting someone who has set their profile to private, think again.
A better approach
Gaining prospects and leads is exciting, but before you send additional electronic messages, ensure you are compliant with regulations and adhering to platform codes of conduct. Failing to do so can land you in a world of hurt, which is why taking things slow and steady is often a better approach.
Instead of utilizing mass emails and social media advertisements, prioritize creating a content marketing strategy that delivers value and nudges leads toward actively consenting to receive further messages and campaigns. That way, you can develop more organic, impactful relationships with leads, close more deals and keep your nose clean all at the same time.
The company meets rigorous SSAE 18 Type II standards for the ninth consecutive year.
Alliant National Title Insurance Company, the title insurer that is uniquely responsive to the needs of independent agents, announces that it has successfully completed the Service Organization Control (SOC 1) SSAE 18 Type II examination of its Agent Quality Management System for the ninth consecutive year.
Upon completing the examination, Alliant National received an American Institute of Certified Public Accountants (AICPA)-endorsed report stating that the company has maintained effective controls over its Agent Quality Management System, the framework it uses to approve and monitor its agents. Alliant National agents are independently reviewed against over 100 rigorous quality standards under this system and are designated as Authorized Service Providers of Alliant National.
“Alliant National was the first title insurance underwriter in the nation to obtain SSAE 16 – which is now SSAE 18 – Type II certified compliant status. It is also the only underwriter to achieve compliance for nine consecutive years,” said David Sinclair, President and CEO of Alliant National.
The SSAE 18 Type II exam also validates the company’s systems for minimizing the risk of insureds’ financial loss with real estate closings. Lenders relying on Alliant National’s oversight procedures gain additional assurances by virtue of the company passing the examination. It firmly establishes that the company’s Quality Management System processes are complete and function at the highest-possible quality.
“This certification provides additional levels of confidence in our agent oversight systems to lenders and stakeholders,” Sinclair said. “Our goal is to provide lenders with strong and unequivocal evidence of our agents’ quality through an independently audited system. By once again achieving this certification, our partners can rest assured that we take these responsibilities seriously.”
A-Lign Certified Public Accountants of Tampa, Fla., conducted the examination and certification. The unqualified satisfactory report, with no findings or exceptions, was issued January 6, 2023, and it covered the full year of 2022.
Alliant National supports its independent agents by combining expert residential and commercial underwriting with a passionate heart for service. The company delivers uncommon help that promotes the wellbeing of agents and the communities they serve.
Alliant National is on a mission to empower independent agents while protecting property owners with secure title insurance. The company partners with its agents and never competes against them with direct or affiliate operations. Alliant National serves thousands of title professionals as a licensed underwriter in 30 states and the District of Columbia.
Longmont, Colo. – (May 24, 2022) – Alliant National Title Insurance Company, the title insurer that is uniquely responsive to the needs of independent agents, announces the completion of the ISO 27001 2022 audit, for which it received a prestigious and coveted certification. Alliant National also recently completed the ISO 27701 audit, becoming the first and only underwriter to obtain this new data privacy certification.
ISO 27001:2013 is an information security standard published by the International Organization for Standardization (ISO), the world’s largest developer of voluntary international standards, and the International Electrotechnical Commission. Successfully completing this audit for a third time (it first completed the audit in 2015 and the again in 2018) reflects Alliant National’s ongoing commitment to excellence in meeting rigorous international standards in ensuring the confidentiality, integrity, availability and protection of non-public information. The recertification is valid through 2025, subject to achieving satisfactory annual surveillance audits.
The new ISO 27701:2019 is a framework for data privacy that builds on ISO 27001. It guides organizations on the policies and procedures required to comply with the General Data Protection Regulation (GDPR), the California Consumer Privacy Act (CCPA) and other data privacy requirements. It is built into the Privacy Information Management System (PIMS) and is valid through 2024 – subject to achieving satisfactory annual surveillance audits.
“We are incredibly pleased and proud to have achieved these ISO (27001 and 27701) certifications, which further distinguish the unique capabilities of Alliant National,” said Tom Weyant, Alliant National Vice President of Risk Management. “These certifications provide confidence to lenders, state insurance departments and our other stakeholders in our ability to protect non-public, personally identifiable and confidential information. It speaks directly to our ongoing efforts to meet and exceed the highest standards when securing and protecting the sensitive information that we are entrusted with every day.”
To achieve these certifications, Alliant National had to complete formal, independent certification audits, which tested and validated more than 170 technical and process controls within the Information Security and Privacy Management System frameworks. The audits were conducted by an ISO-licensed and accredited firm, A-lign CPAs of Tampa, Florida.
Alliant National supports its independent agents by combining expert residential and commercial underwriting with a passionate heart for service. The company delivers uncommon help that promotes the wellbeing of agents and the communities they serve.
Alliant National is on a mission to empower independent agents while protecting property owners with secure title insurance. The company partners with its agents and never competes against them with direct or affiliate operations. Alliant National serves thousands of title professionals as a licensed underwriter in 31 states and the District of Columbia.
The company meets rigorous SSAE 18 Type II standards for the eighth consecutive year.
Longmont, Colo.— (February 02, 2022) – Alliant National Title Insurance Company, a unique title insurance underwriter that partners with independent agents to improve their competitive position, announces that it has successfully completed the Service Organization Control (SOC) 1 SSAE 18 Type II examination of its Agent Quality Management System for the eighth consecutive year.
Upon successful completion of the examination, Alliant National received an AICPA-endorsed report stating that the company has maintained effective controls over its Agent Quality Management System, which is the framework it uses to approve and monitor its agents. Under this framework, Alliant National agents are reviewed against rigorous quality standards and are designated as Authorized Service Providers of Alliant National.
The SSAE 18 Type II exam also validates the company’s systems for minimizing the risk of insureds’ financial loss in connection with real estate closings. Lenders relying on Alliant National’s oversight procedures gain additional assurance through the results of the examination, as they firmly establish that the company’s Quality Management System processes are complete and function properly as designed.
“Alliant National was the first title insurance underwriter in the nation to obtain an SSAE16 – now SSAE 18 – Type II compliant status and is the only underwriter to achieve compliance for eight consecutive years,” said Alliant National President and CEO David Sinclair. “This certification provides further independent assurance and validation of our agent oversight systems to lenders. Our goal is to provide lenders unequivocal evidence of the quality of our agents through an independently audited system.”
A-Lign Certified Public Accountants of Tampa, Fla., performed the engagement and certification. The unqualified satisfactory report, with no exceptions, was issued January 7, 2022, and covered the full year of 2021.
Alliant National distinguishes itself from competitors by combining strong underwriting capability with independent agents’ in-depth knowledge of local markets. The result is a nationwide network with deep roots in local communities, and a wealth of expertise that is flexible, nuanced and continuously growing.
Cathie Beck Capital City Public Relations e: cathie@capitalcitypr.com p: 303-241-0805
ABOUT ALLIANT NATIONAL TITLE INSURANCE COMPANY
The Independent Underwriter for The Independent AgentSM – Alliant National believes in empowering people to thrive.
The company protects the dreams of property owners with secure title insurance and partners with 600+ trusted independent title agents as a licensed underwriter in 30 states and the District of Columbia.
The Federal Trade Commission (FTC) updated a key data security rule, and the changes will place new compliance requirements on nonbank financial institutions including title, escrow and settlement agents. Among other things, the Safeguards Rule amendments finalized in October 2021 require covered institutions to beef up their information security programs (ISPs). The changes are a response to widespread data breaches and attacks that have caused significant consumer harm in recent years, the FTC said.
Before discussing the changes, it may be helpful to review the state and federal compliance framework of which the Safeguards Rule is an important element.
GLBA, state law and the Safeguards Rule
The 1999 Gramm-Leach-Bliley Act (GLBA), codified as amended at 15 U.S.C. Chapter 94: Privacy, establishes basic privacy standards for “financial institutions,” including title insurers, title agents, and settlement/escrow agents. Unique in their role as third-party vendors to lenders, real estate settlement service providers also have a separate obligation to comply with the GLBA on behalf of the obligations owed by their lenders.
As long as states afford consumers the same or greater protection as GLBA, they can enact their own privacy laws, and they have all done so to different degrees and standards. Asserting their own authority, many states have privacy laws that substantially mirror GLBA, while others have their own, distinctive laws; and still others simply point to GLBA and mandate compliance with it.
Typically, state privacy laws and the federal GLBA overlap in the following general categories of privacy protections:
Disclosure Protections consisting of a privacy notice, “Opt Out” or “Disclosure Authorization” notice, and limits on what types of disclosures of Nonpublic Personal Information (NPI) may be made by a nonaffiliated third party who receives the information from a “financial institution”;
Security Protections consisting of a written security program, including administrative, technical, and physical safeguards;
Security Breach Notification Requirements consisting of laws requiring a business to send out notice of any improper disclosure of NPI in its possession or control.
The FTC’s Safeguards Rule (16 CFR Part 314) is one of the federal regulations that implements the GLBA by requiring a written security program. The rule provides “elements” in 16 CFR 314.4 to develop, implement, and maintain the ISP, including risk assessment, management and control, oversight of service providers, evaluation and adjustment.
On Oct. 27, 2021, the FTC issued a news release announcing that the agency was updating the Safeguards Rule to provide better protection against breaches and cyberattacks; it includes a link to the publication of the final rule’s amendments in the Federal Register. The agency later posted a webpage to help businesses understand their compliance obligations under the rule.
There have been numerous newsletters and blog articles buzzing about the final rule’s new requirements. Davis Wright Tremain LLP has a particularly good blog that summarizes the key requirements of the final rule.
There is a lot to talk about, and while the amended final rule is much more prescriptive in its approach, it is also drafted to provide flexibility and clarity. In particular there are helpful suggestions and information about alternative security options for small businesses that may qualify for limited exemptions. It also makes it clear that the ISP is intended to protect information in both its digital and physical forms.
The final rule contains tons of commentary, including discussion regarding stakeholder input and the commission’s rationale behind its final decisions. Some noteworthy highlights, as abbreviated, are:
designating a single, qualified individual as responsible for overseeing, implementing, and enforcing the ISP;
base the ISP on a written risk assessment which includes specific criteria described in the amendment;
designing and implementing safeguards, including:
access controls;
system inventory (i.e. knowing where the data is kept, and how everything is connected);
encryption;
secure development practices for in-house developed applications, and security assessments for externally developed applications (reference applications involving customer information);
multi-factor authentication;
disposing of customer information which hasn’t been used for two years (unless required for a legitimate business purpose);
periodically reviewing record retention policies to minimize unnecessary retention of information;
change management procedures;
monitoring and logging user activity;
biannual vulnerability testing on information systems, and additional assessments when there is an elevated risk of new vulnerabilities (e.g. when there are material changes to operations or business arrangements, and those changes will have a material impact on the ISP);
implementing policies and procedures – which include training, updating, and verification requirements – and ensuring qualified personnel are available to enact the ISP;
overseeing service providers, requiring them by contract to implement and maintain appropriate safeguards;
evaluate and adjust the ISP due to circumstances which may have a material impact upon it;
establish a written incident response plan which addresses specific areas described in the amendment;
required regular reporting, in writing, by the qualified individual – at least annually – to the board of directors, or to a senior officer (when there is no board of directors) responsible for the ISP, concerning 1) the overall status of the ISP and its compliance with the final rule; and 2) material matters related to the ISP; and
exemptions for financial institutions which handle the information of fewer than 5,000 customers, from the requirements of (referring to sections of 16 CFR Part 314, as amended by the final rule):
314.4(b)(1) – a written risk assessment
314.4(d)(2) – continuous monitoring or annual penetration testing and biannual vulnerability assessment
314.4(h) – a written incident response plan
314.4(i) – an annual report by the Qualified Individual
Effective dates
The FTC is phasing implementation of the final rule, with certain parts having already taken effect Jan. 10, 2022. Other rule provisions that had been scheduled to take effect Dec. 9, 2022, were delayed six months to June 9, 2023 as announced in the Federal Register’s Supplementary Information. Provisions taking effect June 9 included (referring to sections of 16 CFR Part 314, as amended by the final rule):
314.4(a) – appointment of a qualified individual
314.4(b)(1) – conducting a written risk assessment
314.4(c)(1)-(8) new elements of the ISP
314.4(d)(2) – continuous monitoring or annual penetration testing and biannual vulnerability assessment
314.4(e) – training for personnel
314.4(f)(3) – periodic assessment of service providers
314.4(h) – a written incident response plan
314.4(i) – annual written reports from the qualified individual
This article is for informational purposes and does not contain or convey legal advice. Any opinions, or perceived opinions, are strictly those of the authors and should not be construed as legal advice or a legal opinion. Consultation with an attorney for specific advice based upon the reader’s situation is recommended.