ALTA OFFICE SECURITY AND PRIVACY GUIDELINES
PURPOSE

This document provides guidance to offices about protecting sensitive customer and company information. The protection of Non-public Personal Information (NPI) is vital to the success of your organization. Not only is it important that your customers be able to trust that their private data will be protected, but it is required by federal law. With the advent of State Notification of Breach Laws and federal legislation like the Gramm-Leach-Bliley Act and FACTA, all title operations should work to adequately safeguard NPI and protect their employees, clients, and consumers. The information outlined in this document should be considered as your company develops office security and privacy policies.
DEFINITIONS

Non-public Personal Information (NPI)
Personally identifiable information such as information provided by a customer on a form or application, information about a customer's transactions, or any other information about a customer which is otherwise unavailable to the general public. NPI includes first name or first initial and last name coupled with any of the following: Social Security Number, Driver's License Number, State-issued ID Number, Credit Card Number, Debit Card Number, or other Financial Account Numbers.

Portable Devices
Laptops, netbooks, handheld mobile phones and devices (iPhone, BlackBerry, etc.), and similar portable devices.

Electronic Media
USB/thumb drives, CDs, DVDs, memory cards, tapes, diskettes, and similar portable electronic media.
PHYSICAL DOCUMENT SECURITY OF NPI

DOCUMENT POLICIES
- Identify and locate all NPI in your company's possession and control.
- Document your company policies, processes and procedures for collection, storage, protection, and disposal of NPI.

PHYSICAL SECURITY
- Adopt a clean desk policy to ensure NPI is not inadvertently disclosed. Employees should close files containing NPI when they are away from their desks.
- Lock all documents, portable devices, and electronic media containing NPI in a desk, file cabinet, or secure room overnight.
- Never leave documents, portable devices, or electronic media containing NPI in an unlocked vehicle or where they are visible from outside the vehicle.
- Never leave any item containing NPI in a hotel room, conference room, reception area or any other location that can be accessed by others.

REGULAR MAIL AND FAXING
- Always use sealed envelopes to send NPI via inter-office mail.
- Use registered mail services such as FedEx or UPS to send NPI to external parties. Use the signature services of FedEx and UPS to require a recipient signature, either at the place of delivery or at a package pickup location.
- Never send faxes containing NPI to public fax machines.
- Follow up to ensure documents containing NPI safely reached their destination.
ELECTRONIC DOCUMENT SECURITY OF NPI

ELECTRONIC SECURITY
- Restrict access to NPI to employees who have a legitimate business need to access that information.
- Maintain tight controls over user login and password credentials and, if possible, disable access after unsuccessful login attempts.
- Immediately change passwords and block access when users are terminated.

E-MAIL
- Do not send e-mail that contains NPI in the body text or subject line. Instead, omit or obscure the NPI (especially when replying to or forwarding messages).
- NPI may be sent via encrypted e-mail or in password-protected attachments (if the password is sent separately).
- Delete older, unnecessary e-mail to reduce exposure if a computer is lost or stolen.

WEB SITES
- Encryption (SSL/TLS) must be enabled for any Web site that collects NPI. Check for the padlock icon at the bottom right of the browser window or look for https instead of http in the address bar.
- Never enter NPI into third-party Web sites that you do not completely trust. Always check the address bar to ensure that you have not been directed to a look-alike Web site.
- Do not use public file stores or transfer utilities, such as LeapFILE, FindMyFile, SendSpace, etc., for any files containing NPI.
- Respond NO whenever you are asked to update or load software on your computer, unless you have been informed by your IT department that it is safe to do so.
SECURITY OF SERVERS AND PERSONAL PCs

FILE SERVERS
- Physically secure all servers in a locked room with limited and controlled access.
- Limit access to directories, file shares, databases, and critical applications containing NPI to only those persons who require access for legitimate business purposes.
- Never store NPI on publicly accessible file shares.
- Ensure that server backups are encrypted and taken offsite by an approved tape storage vendor.

PERSONAL COMPUTERS
- Always log off and lock your computer screen when you will be away from the computer for more than 5 minutes.
- Use strong passwords (8+ characters including numbers, symbols, upper and lowercase letters) and require frequent password updates.
- Never share your user login and password information. Change your password immediately if you think someone has discovered it.
- Have your IT department encrypt all laptop computers.
- Never load database files or applications, such as title production software, on personal computers.
- Keep virus protection and security patches updated.
- Back up important electronic files regularly. Ensure backups are encrypted.
PORTABLE STORAGE AND DISPOSAL OF NPI

PORTABLE STORAGE
- Only store NPI on encrypted portable devices and electronic media.
- Use strong passwords on company-owned portable devices and electronic media.
- Never store NPI on personally owned devices such as iPods, cameras, or mobile phones.
- Delete files from portable devices and electronic media when they are no longer needed.
- Protect portable devices and electronic media containing NPI in the same manner as laptop computers.

DISPOSAL
- Wipe all hard drives and other electronic media before disposal, donation, or transfer to any unauthorized third-party company. Remember that hard drives may be found in servers, desktop computers, laptops, scanners, copiers, and other office equipment. Portable devices may also have hard drives as well as electronic media components like flash cards.
- Shred all documents containing NPI instead of throwing them in a trash can or recycle bin. Use a cross-cut or confetti shredder.
- Dispose of all unnecessary documentation received from lenders, realtors, customers, or others as soon as legally allowable. Do not store documents that are no longer needed.
DISCLOSURES

In the event that NPI is lost or potentially disclosed to an unauthorized third party, immediately contact your supervisor, information security or legal personnel.

CAVEAT

These guidelines describe practices that should be implemented within each title company to ensure security in real estate transactions. They are not intended to be a substitute for legal advice. State laws and regulations vary. Please seek the advice of counsel.

These guidelines were created for members of the American Land Title Association by the ALTA Technology Committee with special recognition to the leadership of Stewart Title Guaranty Company.

AMERICAN LAND TITLE ASSOCIATION (ALTA)
1828 L Street, NW, Suite 705
Washington, DC 20036-5104
p. 202.296.3671
f. 202.223.5843
w. www.alta.org
e. service@alta.org