Posts Tagged ‘compliance’

FTC Complying with the Safeguards Rule

FTC updates Safeguards Rule: here’s your overview

(Updated June 20, 2023)

The Federal Trade Commission (FTC) updated a key data security rule, and the changes will place new compliance requirements on nonbank financial institutions including title, escrow and settlement agents. Among other things, the Safeguards Rule amendments finalized in October 2021 require covered institutions to beef up their information security programs (ISPs). The changes are a response to widespread data breaches and attacks that have caused significant consumer harm in recent years, the FTC said.

Before discussing the changes, it may be helpful to review the state and federal compliance framework of which the Safeguards Rule is an important element.

GLBA, state law and the Safeguards Rule

The 1999 Gramm-Leach-Bliley Act (GLBA), codified as amended at 15 U.S.C. Chapter 94: Privacy, establishes basic privacy standards for “financial institutions,” including title insurers, title agents, and settlement/escrow agents. Unique in their role as third-party vendors to lenders, real estate settlement service providers also have a separate obligation to comply with the GLBA on behalf of the obligations owed by their lenders.

As long as states afford consumers the same or greater protection as GLBA, they can enact their own privacy laws, and they have all done so to different degrees and standards. Asserting their own authority, many states have privacy laws that substantially mirror GLBA, while others have their own, distinctive laws; and still others simply point to GLBA and mandate compliance with it. 

Typically, state privacy laws and the federal GLBA overlap in the following general categories of privacy protections:

  • Disclosure Protections consisting of a privacy notice, “Opt Out” or “Disclosure Authorization” notice, and limits on what types of disclosures of Nonpublic Personal Information (NPI) may be made by a nonaffiliated third party who receives the information from a “financial institution”;

  • Security Protections consisting of a written security program, including administrative, technical, and physical safeguards;

  • Security Breach Notification Requirements consisting of laws requiring a business to send out notice of any improper disclosure of NPI in its possession or control. 

The FTC’s Safeguards Rule (16 CFR Part 314) is one of the federal regulations that implements the GLBA by requiring a written security program. The rule provides “elements” in 16 CFR 314.4 to develop, implement, and maintain the ISP, including risk assessment, management and control, oversight of service providers, evaluation and adjustment. 

Rule changes

On Oct. 27, 2021, the FTC issued a news release announcing that the agency was updating the Safeguards Rule to provide better protection against breaches and cyberattacks; it includes a link to the publication of the final rule’s amendments in the Federal Register. The agency later posted a webpage to help businesses understand their compliance obligations under the rule.

There have been numerous newsletters and blog articles buzzing about the final rule’s new requirements. Davis Wright Tremain LLP has a particularly good blog that summarizes the key requirements of the final rule.

There is a lot to talk about, and while the amended final rule is much more prescriptive in its approach, it is also drafted to provide flexibility and clarity. In particular there are helpful suggestions and information about alternative security options for small businesses that may qualify for limited exemptions. It also makes it clear that the ISP is intended to protect information in both its digital and physical forms. 

The final rule contains tons of commentary, including discussion regarding stakeholder input and the commission’s rationale behind its final decisions. Some noteworthy highlights, as abbreviated, are:

  • designating a single, qualified individual as responsible for overseeing, implementing, and enforcing the ISP;
  • base the ISP on a written risk assessment which includes specific criteria described in the amendment;
  • designing and implementing safeguards, including:
    • access controls;
    • system inventory (i.e. knowing where the data is kept, and how everything is connected);
    • encryption;
    • secure development practices for in-house developed applications, and security assessments for externally developed applications (reference applications involving customer information);
    • multi-factor authentication; 
    • disposing of customer information which hasn’t been used for two years (unless required for a legitimate business purpose);
    • periodically reviewing record retention policies to minimize unnecessary retention of information;
    • change management procedures;
    • monitoring and logging user activity;
  • biannual vulnerability testing on information systems, and additional assessments when there is an elevated risk of new vulnerabilities (e.g. when there are material changes to operations or business arrangements, and those changes will have a material impact on the ISP);
  • implementing policies and procedures – which include training, updating, and verification requirements – and ensuring qualified personnel are available to enact the ISP;
  • overseeing service providers, requiring them by contract to implement and maintain appropriate safeguards;
  • evaluate and adjust the ISP due to circumstances which may have a material impact upon it;
  • establish a written incident response plan which addresses specific areas described in the amendment;
  • required regular reporting, in writing, by the qualified individual – at least annually – to the board of directors, or to a senior officer (when there is no board of directors) responsible for the ISP, concerning 1) the overall status of the ISP and its compliance with the final rule; and 2) material matters related to the ISP; and
  • exemptions for financial institutions which handle the information of fewer than 5,000 customers, from the requirements of (referring to sections of 16 CFR Part 314, as amended by the final rule):
    • 314.4(b)(1) – a written risk assessment
    • 314.4(d)(2) – continuous monitoring or annual penetration testing and biannual vulnerability assessment
    • 314.4(h) – a written incident response plan
    • 314.4(i) – an annual report by the Qualified Individual

Effective dates

The FTC is phasing implementation of the final rule, with certain parts having already taken effect Jan. 10, 2022. Other rule provisions that had been scheduled to take effect Dec. 9, 2022, were delayed six months to June 9, 2023 as announced in the Federal Register’s Supplementary Information. Provisions taking effect June 9 included (referring to sections of 16 CFR Part 314, as amended by the final rule):

  • 314.4(a) – appointment of a qualified individual
  • 314.4(b)(1) – conducting a written risk assessment
  • 314.4(c)(1)-(8) new elements of the ISP
  • 314.4(d)(2) – continuous monitoring or annual penetration testing and biannual vulnerability assessment
  • 314.4(e) – training for personnel
  • 314.4(f)(3) – periodic assessment of service providers
  • 314.4(h) – a written incident response plan
  • 314.4(i) – annual written reports from the qualified individual

This article is for informational purposes and does not contain or convey legal advice. Any opinions, or perceived opinions, are strictly those of the authors and should not be construed as legal advice or a legal opinion. Consultation with an attorney for specific advice based upon the reader’s situation is recommended.

SOC for service organizations

Alliant National Title meets rigorous SSAE 18 Type II standards for the 7th consecutive year

Alliant National Title Insurance Company’s Agent Quality Management System Passes Service Organization Control Exam.

Longmont, Colo. – (March 23, 2021) – Alliant National Title Insurance Company, a unique title insurance underwriter that partners with independent agents to improve their competitive position in the marketplace, announces the successful completion of the Service Organization Control (SOC) 1 SSAE 18 Type II examination for the seventh consecutive year.

By completing the examination, Alliant National will receive mention in an AICPA-endorsed report, stating that the company has maintained effective controls over its Agent Quality Management System. It also verifies that Alliant National’s processes for approving, monitoring and reviewing its agents, which results in their designation as Authorized Service Providers, include rigorous quality standards. 

Additionally, SSAE 18 certified compliant status validates Alliant National’s systems for minimizing customers’ risk of financial loss in connection with real estate closings. As a result, lenders relying upon Alliant National’s oversight of its agents and Authorized Service Provider program receive additional assurance that processes are complete and accurate. 

“Alliant National was the first title insurance underwriter in the nation to obtain compliant status and is the only title insurance underwriter to achieve compliant status for seven consecutive years,” said David Sinclair, President and CEO of Alliant National. “This certification provides further independent assurance of our agent oversight systems to lenders. Providing lenders with unequivocal evidence of the quality of our agents through an independently audited system is a top priority of Alliant National.”

A-Lign Certified Public Accountants of Tampa, Fla., performed the engagement and certification. The unqualified satisfactory report, with no exceptions, was issued January 11, 2021, and the audit scope covered the full year 2020. 

Alliant National distinguishes itself from competitors by combining strong underwriting capability with independent agents’ in-depth knowledge of local markets. The result is a nationwide network with deep roots in local communities, and a wealth of expertise that is flexible, nuanced, and continuously growing.

Visit alliantnational.com for additional information.

MEDIA INQUIRIES

Cathie Beck
Capital City Public Relations
e: cathie@capitalcitypr.com
p: 303-241-0805

ABOUT ALLIANT NATIONAL TITLE INSURANCE COMPANY

The Independent Underwriter for The Independent AgentSM – Alliant National believes in empowering people to thrive.
The company protects the dreams of property owners with secure title insurance and partners with 500+ trusted independent title agents as a licensed underwriter in 27 states and the District of Columbia

for immediate release blue

Alliant National Successfully Completes SSAE 18 Type II Exam for Fifth Consecutive Year

Successful SSAE 18 Type II examination validates Alliant National’s processes for approving, monitoring and reviewing its agents

LONGMONT, Colo. – Alliant National Title Insurance Company, a unique title insurance underwriter that partners with Independent Agents to improve their competitive position in the marketplace, announces the successful completion of the Service Organization Control (SOC 1) SSAE 18 Type II examination for the fifth consecutive year.

The examination results in an AICPA endorsed report stating that Alliant National Title Insurance Company has maintained effective controls over its Agent Quality Management System. A-Lign Certified Public Accountants of Tampa, Fla., performed the engagement and certification.

The successful SSAE 18 Type II examination validates Alliant National’s processes for approving, monitoring, and reviewing its agents, which results in its agents being designated as Authorized Service Providers or Certified Service Providers of Alliant National. Under this framework, Alliant National’s Independent Agents are reviewed annually against rigorous quality standards.

Lenders relying upon Alliant National’s oversight of its agents and Authorized and Certified Service Provider programs receive additional assurance that processes and controls are designed and function properly and accurately.

Alliant National was certified to the SSAE 16 Type I standard on Dec. 1, 2013 and received compliant status to the more rigorous SSAE 16 Type II standard effective Aug. 31, 2014 and each year through December 31, 2018. That makes 2018 the fifth consecutive year of continued compliance to SSAE Type II standards. The unqualified report was issued without exceptions.

“Alliant National was the first title insurance underwriter in the nation to obtain an SSAE16 Type II compliant status and is the only title insurance underwriter to achieve compliant status for five consecutive years. This certification provides strong independent assurance of our agent oversight systems to lenders and all stakeholders,” Alliant National President and CEO, Bob Grubb said. “Our goal is to provide unequivocal evidence of the quality of our agents through an independently audited system.”

Let's Connect

Discover more stories and conversations on our social media networks,
or drop us a line on our contact page.


The Independent Underwriter for
the Independent AgentSM