Updated: 2/13/2020
The European Union's General Data Protection Regulation (GDPR), which took effect in May 2018 as the Facebook and Cambridge Analytica consumer data scandal was unfolding, gives consumers more transparency and control over their personal information. More recently, California passed the California Consumer Privacy Act (CCPA), dubbed "GDPR lite," to address the same issue. How do these types of laws affect the real estate and settlement services industry?
I spoke to Elizabeth Reilly, Senior Privacy Counsel at Fidelity National Financial, to learn more about data privacy, the current federal requirements of title agents, and resources to get started or improve your current information security program.
Listen to the interview now and learn more about data privacy best practices.
Why is data privacy important?
Beyond potential government investigation or regulatory consequences, there are major social ramifications for businesses that don't properly protect consumers' private data.
Some of the potential pitfalls of a data breach include:
- Loss of trust from your clients
- Customers switching to your competitors
- Potential lawsuits
- Negative publicity
Data breaches are becoming more frequent. They are not always the result of tech-savvy hackers spending hours to find a weakness in a company's network; often they result from poorly enforced cybersecurity policies, social engineering schemes, and neglect. When sensitive data is exposed for any reason, whether through a stolen laptop or an unsecured unique URL that lets anyone holding the link read a document without logging in, the public can lose faith in a company.
The Gramm Leach Bliley Act
The Gramm Leach Bliley Act (also known as the Financial Modernization Act of 1999) requires financial institutions, including providers of settlement services and title insurance companies, to follow three key provisions to protect consumers' private data.
The three key components of the Gramm Leach Bliley Act (GLBA) include:
- Privacy Rule
- Safeguards Rule
- Pretexting Protection
All title companies must comply with the GLBA and have a written policy in place to protect the sensitive customer information they handle.
Privacy Rule
The Privacy Rule of the Act governs the collection and disclosure of customer personal information. It establishes the obligation on the part of the settlement service provider to provide a privacy notice to consumers. Each customer must receive a notice about the financial institution’s privacy policies and practices. The notice must also describe the conditions under which the financial institution may disclose customer information to non-affiliated third parties and provide a method for consumers to opt-out of that disclosure.
Consumers must be notified of any changes to the financial institution’s privacy notice during the customer relationship and must receive a privacy notice at least annually during the customer relationship. Federal regulators issued this final model privacy notice form that can be used by financial institutions (for those of you who get a lot of mail from credit card companies, it’ll look familiar) to comply with the Privacy Rule requirement.
Safeguards Rule
The Safeguards Rule of the GLBA requires financial institutions to create a written information security program that outlines how your company plans to prevent, mitigate, and respond to data breaches.
The written information security program must include:
- Designating at least one employee to coordinate and manage the safeguards
- Conducting a risk assessment of each department or operation that handles private data
- An ongoing process to monitor and test the effectiveness of your security measures
- Updating the safeguards whenever changes occur in how data is collected, stored, or used
Pretexting Protection
Pretexting is an attempt by an unauthorized person to obtain non-public personal information under false pretenses, for example by posing as a customer, a colleague, or a vendor; it is a form of what is commonly called social engineering. The last key component of the Gramm Leach Bliley Act addresses how companies handling sensitive consumer data train employees to recognize and stop pretexting attempts. While attempts can be made by phone, email, mail, or other means, in today's environment phishing is the top focus of pretexting training.
A comprehensive information security program created under the guidelines of the Safeguards Rule should therefore include a section on training employees to recognize and thwart social engineering schemes, such as spoofed emails that try to redirect closing funds in a wire fraud attempt.
Why isn’t GLBA enough?
Why are states adding regulations on top of GLBA? While the main target of current and proposed state legislation is social media platforms like Facebook, the settlement services industry is still affected by state laws like the California Consumer Privacy Act. The CCPA does contain a carve-out for information collected pursuant to GLBA, acknowledging that GLBA already provides some protection to consumers. The goals of the CCPA and proposed laws like it are to require transparency from businesses and to give consumers control over their data. The CCPA seeks to strengthen consumers' rights and control over their data, including data like web browsing history and geolocation, categories of information that GLBA's drafters likely did not anticipate businesses collecting when the law was adopted 20 years ago.
Title agents, attorneys, and Realtors, even those outside of California, may be subject to the CCPA and California rules if they collect data on California residents. Those not directly impacted should pay close attention to how the CCPA may influence their own state lawmakers. These consumer data privacy laws will be of special interest to the marketing departments at real estate companies, title companies, and law firms, since marketing activity often collects exactly the kinds of data these laws cover.
The CCPA is only the beginning
Right now, many states are taking a wait-and-see approach, watching California to determine how best to proceed with similar privacy laws. In the area of information security, states like New York have taken a more prescriptive approach, requiring implementation of specific information security controls in addition to the risk-based program required by the Safeguards Rule of GLBA.
The National Association of Insurance Commissioners has also adopted a model law for insurance data security that has been enacted by several states. Texas, Washington, Oregon, New York, and Illinois are among the states updating their data security laws in response to growing concerns about data breaches.
Resources to help Title Agents with Data Privacy Compliance
As mentioned in the interview, here are some links specific to real estate professionals:
American Land Title Association
Webinar: Best Practices: Protecting Non-Public Personal Information
On February 6th, ALTA released its data privacy principles to address inconsistent protections and confusion over consumers’ rights. ALTA recommends a national approach to bring the patchwork of state privacy laws together. Read more about ALTA’s Data Privacy Principles.
Federal Trade Commission
Stick with Security: A Business Blog Series
Guidance on Privacy and Security
Resources to help Realtors and Real Estate Agents
The National Association of Realtors has lots of information, guides, and checklists to help real estate agents and Realtors better understand the legal requirements and meet best practices.
National Association of Realtors' Window into the Law: Data Security Program Basics