Security and privacy are popular topics these days. In recent months, the American Land Title Association (ALTA) and the new TILA/RESPA Integrated Disclosure (TRID) Rule have emphasized the need for real estate professionals to provide a higher level of security for electronic communications related to real estate transactions. Specifically, in Pillar #3 of ALTA's "Pillars of Best Practices", ALTA states the importance of protecting sensitive data of clients and recommends using encryption to ensure security of non-public information (NPI).
The Consumer Financial Protection Bureau (CFPB) has also weighed in, making it clear that lenders must provide adequate safeguards when it comes to the electronic exchange of information with clients. Most important is protecting NPI that is valuable to hackers and thieves alike, such as names, income information, Social Security numbers, addresses, and other private information. Here at SendSafely, we've pulled together some quick tips on how you can maintain compliance with these new standards.
1. Use email encryption to protect sensitive communications
The new TILA-RESPA regulations call for professionals in the industry to leverage secure methods of communication when exchanging NPI with clients. The best method to meet these standards is the use of email encryption. There is a common misconception that email is a private and secure method of communication. The reality is that when you send unencrypted email, it passes through various paths that are vulnerable to interception or hacking. Using encrypted email protects your communication and information, so that only you and your client have access to the NPI sent.
So what forms of NPI need to be protected? Things like SSN/EIN and credit card numbers are private information that obviously calls for caution. But less obvious things like date of birth, tax information, and retirement forms are often overlooked by many professionals, and are often sought after by those looking to steal NPI. It is important to take precautions and handle anything that seems close to being NPI securely, to protect your image and your clients' safety.
Fortunately, there are many secure email solutions that can work with existing email addresses and require little or no “IT guy” involvement to set up. Usually these take the form of an Outlook plugin that adds encryption on top of your existing email platform. When evaluating encrypted email solutions, you'll want to make sure you opt for a platform that provides "end-to-end" encryption, meaning that nobody other than the sender and recipient can view the information. The most secure email providers use a model where even they can't view your information.
2. Provide a secure repository for clients to submit documents
Almost every real estate transaction requires the buyer to submit forms containing sensitive information. In fact, the new TILA/RESPA Integrated Disclosure rule encourages using electronic versions of the new loan estimate and the new closing disclosure forms to gather private financial information from clients. It is up to you, however, to provide your clients with an easy way to submit the completed forms to you.
A robust secure email system should also include a way to easily collect documents from your client in much the same way that "Dropbox" works but with added security. This is another area where you'll want to look for end-to-end encryption for maximum security.
3. Develop a security policy that covers physical and electronic threats
Protecting client information is no laughing matter. In order to create a firm and reliable stance with employees, it is important to create clear rules and guidelines. These guidelines should cover both physical (in-person) threats and electronic (on-line) threats.
Physical Security Considerations:
- Are you shredding sensitive documents?
- Are all files locked and secured?
- Do you enforce a "clean desk" policy where papers can't be left out after hours?
- How are paper files secured that leave the office or are with couriers?
- Do your office and work areas have secured entry points with keyed access?
Logical Security Considerations:
- Are mobile devices and laptop drives encrypted?
- Can mobile devices be remotely wiped clean if lost or stolen?
- Are all computers password protected with locked screensavers?
- Do you control the use of removable media devices like flash drives?
- Do you have a Disaster Recovery and Business Continuity plan?
Being secure takes effort and persistence. Always be on your toes.
4. Educate your employees
Policies are only effective when people follow them. In order to protect NPI, your staff needs to be educated and aware. Be sure to remind your staff constantly of what security measures should be followed. Don't be afraid to also educate yourself further; more knowledge never hurts. By being proactive with education, you protect your business and your reputation.
5. Revisit your policy on a regular basis
Technology and regulations are always changing. Keep up to date with news in the industry and the new technology that can help protect your practice. Hackers will find new ways to steal, and loopholes will be found. Make sure your business adapts and is up to date with what is going on in the world. If you adapt your policy to the ever-changing security landscape, you'll have a much better chance of success. Remember, compliance is a continuous journey, not a destination.
SendSafely: Simple to Use End-to-end Encryption for Email and File Transfer
If you are a real estate professional looking for a simple-to-use email encryption and secure file transfer platform, consider taking a look at SendSafely. Our enterprise platform integrates seamlessly with Microsoft Exchange and Google Apps for Business.