ALTA OFFICE SECURITY AND PRIVACY GUIDELINES
PURPOSE

This document provides guidance to offices about protecting sensitive customer and company information. The protection of Non-public Personal Information (NPI) is vital to the success of your organization. Not only is it important that your customers be able to trust that their private data will be protected, but it is required by federal law. With the advent of State Notification of Breach Laws and federal legislation like the Gramm-Leach-Bliley Act and FACTA, all title operations should work to adequately safeguard NPI and protect their employees, clients, and consumers. The information outlined in this document should be considered as your company develops office security and privacy policies.

DEFINITIONS

Non-public Personal Information (NPI): Personally identifiable information such as information provided by a customer on a form or application, information about a customer's transactions, or any other information about a customer which is otherwise unavailable to the general public. NPI includes first name or first initial and last name coupled with any of the following: Social Security Number, Driver's License Number, State-issued ID Number, Credit Card Number, Debit Card Number, or other Financial Account Numbers.

Portable Devices: Laptops, netbooks, handheld mobile phones and devices (iPhone, BlackBerry, etc.), and similar portable devices.

Electronic Media: USB/thumb drives, CDs, DVDs, memory cards, tapes, diskettes, and similar portable electronic media.

PHYSICAL DOCUMENT SECURITY OF NPI

DOCUMENT POLICIES
- Identify and locate all NPI in your company's possession and control.
- Document your company policies, processes and procedures for collection, storage, protection, and disposal of NPI.

PHYSICAL SECURITY
- Adopt a clean desk policy to ensure NPI is not inadvertently disclosed. Employees should close files containing NPI when they are away from their desks.
- Lock all documents, portable devices, and electronic media containing NPI in a desk, file cabinet, or secure room overnight.
- Never leave documents, portable devices, or electronic media containing NPI in an unlocked vehicle or where they are visible from outside the vehicle.
- Never leave any item containing NPI in a hotel room, conference room, reception area or any other location that can be accessed by others.

REGULAR MAIL AND FAXING
- Always use sealed envelopes to send NPI via inter-office mail.
- Use registered mail services such as FedEx or UPS to send NPI to external parties. Use the signature services of FedEx and UPS to require a recipient signature, either at the place of delivery or at a package pickup location.
- Never send faxes containing NPI to public fax machines.
- Follow up to ensure documents containing NPI safely reached their destination.

ELECTRONIC DOCUMENT SECURITY OF NPI

ELECTRONIC SECURITY
- Restrict access to NPI to employees who have a legitimate business need to access that information.
- Maintain tight controls over user login and password credentials and, if possible, disable access after unsuccessful login attempts.
- Immediately change passwords and block access when users are terminated.

E-MAIL
- Do not send e-mail that contains NPI in the body text or subject line. Instead, omit or obscure the NPI (especially when replying to or forwarding messages).
- NPI may be sent via encrypted e-mail or in password-protected attachments (if the password is sent separately).
- Delete older, unnecessary e-mail to reduce exposure if a computer is lost or stolen.

WEB SITES
- Encryption (SSL/TLS) must be enabled for any Web site that collects NPI. Check for the padlock icon at the bottom right of the browser window or look for https instead of http in the address bar.
- Never enter NPI into third-party Web sites that you do not completely trust.
- Always check the address bar to ensure that you have not been directed to a look-alike Web site.
- Do not use public file stores or transfer utilities, such as LeapFILE, FindMyFile, SendSpace, etc., for any files containing NPI.
- Respond NO whenever you are asked to update or load software on your computer, unless you have been informed by your IT department that it is safe to do so.
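The e-mail rule above (no NPI in the subject line or body) is the kind of control an outbound mail gateway can enforce automatically. The following scanner is an added example, not part of the ALTA guidelines: it applies the document's own definition of NPI (a name coupled with an identifier such as a Social Security Number or a card number) to a message, flags the identifiers it finds, and reports them masked so the scanner's own log never becomes another copy of the NPI. The SSN and card patterns, the Luhn check, the name heuristic and the BLOCK/REVIEW/ALLOW verdicts are assumptions made for this example; the sample message is constructed.

```python
import re

# Social Security Number in the form NNN-NN-NNNN, excluding area, group and
# serial values that are never issued (000, 666, 9xx areas; 00 group; 0000 serial).
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")

# Card-number style runs: 13 to 19 digits, optionally separated by single spaces or hyphens.
CARD_RE = re.compile(r"\b(?:\d[ -]?){13,19}\b")

# Heuristic for "first name or first initial and last name": two capitalised tokens,
# the first of which may be an initial. Deliberately accepts false positives
# (e.g. "Dear Customer"), since a gateway would rather ask for review than leak NPI.
NAME_RE = re.compile(r"\b[A-Z](?:[a-z]+|\.)\s+[A-Z][a-z]+\b")


def luhn_ok(digits: str) -> bool:
    """Return True if the digit string passes the Luhn checksum used by payment cards."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:           # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask(digits: str) -> str:
    """Keep only the last four digits so findings can be logged without exposing NPI."""
    return "*" * (len(digits) - 4) + digits[-4:]


def find_identifiers(field: str, text: str) -> list:
    """Find SSNs and Luhn-valid card numbers in one message field, masked."""
    findings = []
    for m in SSN_RE.finditer(text):
        findings.append({"field": field, "kind": "ssn", "masked": mask(m.group().replace("-", ""))})
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            findings.append({"field": field, "kind": "card", "masked": mask(digits)})
    return findings


def scan_message(subject: str, body: str):
    """Return (verdict, findings) for an outbound message.

    BLOCK  - an identifier and a name are both present: NPI as the guidelines define it.
    REVIEW - an identifier is present without an obvious name; a human should look.
    ALLOW  - nothing resembling an NPI identifier was found.
    """
    findings = find_identifiers("subject", subject) + find_identifiers("body", body)
    has_name = bool(NAME_RE.search(subject) or NAME_RE.search(body))
    if findings and has_name:
        verdict = "BLOCK"
    elif findings:
        verdict = "REVIEW"
    else:
        verdict = "ALLOW"
    return verdict, findings


if __name__ == "__main__":
    # Constructed sample message; the SSN and card number are test values, not real ones.
    sample_subject = "Closing docs for John Smith"
    sample_body = ("Buyer SSN is 123-45-6789; card on file 4111 1111 1111 1111; "
                   "ref 1234567890123.")
    verdict, findings = scan_message(sample_subject, sample_body)
    print(verdict)
    for f in findings:
        print(f"  {f['field']}: {f['kind']} {f['masked']}")
```

The 13-digit reference number in the sample is left alone because it fails the Luhn check, which is what keeps order numbers and file references from drowning real findings. Driver's license and state ID formats vary by state, so a production scanner would need per-state patterns that this example does not attempt.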

SECURITY OF SERVERS AND PERSONAL PCs

FILE SERVERS
- Physically secure all servers in a locked room with limited and controlled access.
- Limit access to directories, file shares, databases, and critical applications containing NPI to only those persons who require access for legitimate business purposes.
- Never store NPI on publicly accessible file shares.
- Ensure that server backups are encrypted and taken offsite by an approved tape storage vendor.

PERSONAL COMPUTERS
- Always log off and lock your computer screen when you will be away from the computer for more than 5 minutes.
- Use strong passwords (8+ characters including numbers, symbols, upper and lowercase letters) and require frequent password updates.
- Never share your user login and password information. Change your password immediately if you think someone has discovered it.
- Have your IT department encrypt all laptop computers.
- Never load database files or applications, such as title production software, on personal computers.
- Keep virus protection and security patches updated.
- Back up important electronic files regularly. Ensure backups are encrypted.
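Two of the credential controls above (lock out an account after unsuccessful login attempts and block access immediately when a user is terminated, from the Electronic Security list, and the 8+ character mixed-composition password rule from the Personal Computers list) are easy to state and easy to get subtly wrong. The following is an added example, not code from the ALTA guidelines: a small login guard that counts failures per account, locks the account for a window once the threshold is reached (rejecting even the correct password while locked), resets cleanly when the window expires, and refuses terminated users outright. The threshold of 5 attempts, the 15-minute window, the PBKDF2 password store and the account names are assumptions made for this example.

```python
import hashlib
import hmac
import os
import re
import time
from dataclasses import dataclass

MAX_FAILED_ATTEMPTS = 5      # hypothetical threshold; the guidelines set no number
LOCKOUT_SECONDS = 15 * 60    # hypothetical lockout window
PBKDF2_ITERATIONS = 100_000  # hypothetical work factor for the demo password store


def password_meets_policy(password: str) -> bool:
    """8+ characters with upper, lower, digit and symbol, as the guidelines describe."""
    return (len(password) >= 8
            and re.search(r"[A-Z]", password) is not None
            and re.search(r"[a-z]", password) is not None
            and re.search(r"\d", password) is not None
            and re.search(r"[^A-Za-z0-9]", password) is not None)


class PasswordStore:
    """Salted PBKDF2 records; enforces the composition policy when a password is set."""

    def __init__(self):
        self._records = {}

    def set_password(self, username: str, password: str) -> None:
        if not password_meets_policy(password):
            raise ValueError("password does not meet policy")
        salt = os.urandom(16)
        digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
        self._records[username] = (salt, digest)

    def verify(self, username: str, password: str) -> bool:
        record = self._records.get(username)
        if record is None:
            return False
        salt, digest = record
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
        return hmac.compare_digest(candidate, digest)   # constant-time comparison


@dataclass
class AccountState:
    failed_attempts: int = 0
    locked_until: float = 0.0
    disabled: bool = False     # set when the user is terminated


class LoginGuard:
    """Wraps a password verifier with lockout and termination handling.

    The clock is injectable so the lockout window can be tested without sleeping.
    """

    def __init__(self, verify_password, clock=time.monotonic):
        self._verify = verify_password
        self._clock = clock
        self._states = {}

    def terminate(self, username: str) -> None:
        """Block access immediately; no further attempts are evaluated."""
        self._states.setdefault(username, AccountState()).disabled = True

    def attempt(self, username: str, password: str) -> str:
        """Return one of 'ok', 'denied', 'locked' or 'disabled'."""
        now = self._clock()
        state = self._states.setdefault(username, AccountState())
        if state.disabled:
            return "disabled"
        if now < state.locked_until:
            return "locked"      # inside the window: rejected even if the password is right
        if state.locked_until:
            state.failed_attempts = 0   # window expired: counter starts fresh
            state.locked_until = 0.0
        if self._verify(username, password):
            state.failed_attempts = 0
            return "ok"
        state.failed_attempts += 1
        if state.failed_attempts >= MAX_FAILED_ATTEMPTS:
            state.locked_until = now + LOCKOUT_SECONDS
            return "locked"
        return "denied"


if __name__ == "__main__":
    # Constructed demo: one account, one bad password repeated until lockout.
    store = PasswordStore()
    store.set_password("alice", "Corr3ct-Horse")
    guard = LoginGuard(store.verify)
    for _ in range(MAX_FAILED_ATTEMPTS):
        print(guard.attempt("alice", "wrong-guess"))
    print(guard.attempt("alice", "Corr3ct-Horse"))   # still locked
```

Note that a correct password submitted during the lockout window is rejected without being checked; evaluating it would let an attacker learn whether a guess was right despite the lockout. The verifier is also called for unknown usernames so that a failed attempt against a non-existent account costs the same as one against a real account.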

PORTABLE STORAGE AND DISPOSAL OF NPI

PORTABLE STORAGE
- Only store NPI on encrypted portable devices and electronic media.
- Use strong passwords on company-owned portable devices and electronic media.
- Never store NPI on personally owned devices such as iPods, cameras, or mobile phones.
- Delete files from portable devices and electronic media when they are no longer needed.
- Protect portable devices and electronic media containing NPI in the same manner as laptop computers.

DISPOSAL
- Wipe all hard drives and other electronic media before disposal, donation, or transfer to any unauthorized third-party company. Remember that hard drives may be found in servers, desktop computers, laptops, scanners, copiers, and other office equipment. Portable devices may also have hard drives as well as electronic media components like flash cards.
- Shred all documents containing NPI instead of throwing them in a trash can or recycle bin. Use a cross-cut or confetti shredder.
- Dispose of all unnecessary documentation received from lenders, realtors, customers, or others as soon as legally allowable. Do not store documents that are no longer needed.

DISCLOSURES

In the event that NPI is lost or potentially disclosed to an unauthorized third party, immediately contact your supervisor, information security or legal personnel.

CAVEAT

These guidelines describe practices that should be implemented within each title company to ensure security in real estate transactions. They are not intended to be a substitute for legal advice. State laws and regulations vary. Please seek the advice of counsel.

These guidelines were created for members of the American Land Title Association by the ALTA Technology Committee with special recognition to the leadership of Stewart Title Guaranty Company.

AMERICAN LAND TITLE ASSOCIATION (ALTA)
1828 L Street, NW, Suite 705
Washington, DC 20036-5104
p. 202.296.3671
f. 202.223.5843
w. www.alta.org
e. service@alta.org