
National Business Institute, Inc.

Program 2021-88712

REAL ESTATE TRANSACTIONS

January 11, 2021

***

BRAUCHER & AMANN, PLLC

William J. Amann, Esq.

V. Cybersecurity and Wire Fraud

2:00 - 2:45, William J. Amann

A. Data Privacy Regulations and Real Estate Transactions

The frequent, high-value transactions between multiple parties that occur in the real estate industry make it a prime target for hackers. Add to that the fact that many, if not most, real estate transactions take place digitally and the fact that most real estate companies store a wealth of financial and personal data and you have a perfect storm that is particularly attractive to bad actors interested in stealing your clients’ data.

In order to protect your clients and your business, you must take additional steps to protect clients’ most sensitive data in a real estate transaction. But if you aren’t sure where to start, you aren’t alone. In fact, two in five real estate industry professionals believe that their industry is not prepared to deal with a breach. So, let’s start with the basics.

What’s at Risk? Client non-public information (NPI).

The Gramm-Leach-Bliley Act (GLBA) defines nonpublic personal information (NPI) as:

“Personally identifiable financial information – provided by a consumer to a financial institution, resulting from any transaction with the consumer or any service performed for the consumer; or otherwise obtained by the financial institution.”


NPI includes:

  • Basic information provided by a consumer on an application, such as name, address, social security number, or income.

  • Information from a transaction involving a financial product or service, such as account numbers, credit or debit card purchases, payment history and loan balances.

  • Information that financial institutions obtain as part of providing a financial product or services, such as credit reports or court records.

The term does not include publicly available information lawfully made available by federal, state and local governments.

If this sensitive data ends up in the wrong hands, it can be used to scam your clients and harm their credit. Failing to protect client NPI can subject real estate agents to costly CFPB compliance penalties, but more importantly, it can damage your reputation and alienate your clients.

One of the largest safeguards protecting your clients’ data privacy is the Consumer Financial Protection Bureau (CFPB). Real estate professionals who handle real estate transactions must maintain CFPB compliance, or else they face steep financial penalties.

How to Protect NPI in Real Estate Transactions

To help organizations in the real estate industry better equip themselves to protect sensitive client data, the American Land Title Association (ALTA) has issued a number of guidelines surrounding best practices for protecting NPI to meet CFPB compliance:

  • Restrict access to NPI only to those who need to access it, when they need to access it. Also ensure that all employees undergo background checks before being granted access. After an agency no longer has reason to access the data, it should be disposed of thoroughly.

  • The use of removable data devices, like thumb drives, should be either prohibited outright or strictly controlled via an organization-wide policy.

  • NPI should only be delivered via secure methods.

  • Create a disaster management plan in case things go wrong. This could be as straightforward as a security breach, or even just a server or network failure that impacts business continuity.

  • Establish and follow procedures to audit your organization for CFPB compliance and review those procedures to ensure that the audits themselves do not leak NPI.

  • Ensure that your agency is well-informed of your state’s security breach notification laws and is prepared to follow them in case of a data leak.

B. Cybersecurity Protections

Cyber security is the application of technologies, processes and controls to protect systems, networks, programs, devices and data from cyber-attacks.

It aims to reduce the risk of cyber-attacks and protect against the unauthorized exploitation of systems, networks and technologies.

Cyber security is often confused with information security.

  • Cyber security focuses on protecting computer systems from unauthorized access or being otherwise damaged or made inaccessible.

  • Information security is a broader category that looks to protect all information assets, whether in hard copy or digital form.

TRADITIONAL CLOSING- The process of executing paper documents using wet signatures and wet notarization.

HYBRID CLOSING- A closing process during which certain documents, typically the deed and loan documents, are printed to paper and wet-signed while other documents throughout the process are signed electronically.


IN-PERSON ELECTRONIC NOTARIZATION (IPEN)- The process of a document being executed in a digital form with the notary electronically notarizing the document while in the same physical location as the signer.

REMOTE ONLINE NOTARIZATION (RON)- The process of using video and audio technology over the internet to conduct a notarization while the signer and the notary are in separate physical locations.

REMOTE INK NOTARIZATION (RIN)- A COVID-19 emergency measure that allows a notary to observe over video conference a signer in a different physical location execute a document using wet ink signatures. The document is then delivered to the notary for wet notarization using any state-required ink stamp or seal.


As the cybersecurity and data privacy landscapes continue to shift, it will be more important than ever in 2016 for companies in the title and settlement services industries to understand the threats and respond with strategic and coordinated efforts. In its 2016 outlook, the law firm Mayer Brown recently highlighted five priorities companies should consider as they assess, refine and operate their cybersecurity and data privacy programs.

The first is increasing global governance of cybersecurity and data privacy. Mayer Brown says that many of the most significant cybersecurity and data privacy developments for U.S. companies may well be seen outside the United States in 2016. “A company’s data may very well cross borders—whether to be stored at an international data center (e.g., for a private cloud) or to be processed remotely (e.g., by a payroll service)—even for otherwise domestic businesses,” the law firm reported.

Second, expansion of regulatory and enforcement activity is expected. Businesses face a growing patchwork of regulatory requirements—a trend that is set to continue in 2016, Mayer Brown reports. The likely common denominators of these are more expansive and detailed rules and more frequent enforcement of those rules. As an example, the U.S. Court of Appeals for the Third Circuit affirmed last year the FTC’s ability to regulate cybersecurity practices through its “unfairness” authority under Section 5 of the FTC Act. Meanwhile, the trend of financial services regulators acting aggressively in the cyber area will continue. The New York State Department of Financial Services is set to embark on a major rulemaking in 2016. The chartered-bank regulator is expected to propose new requirements regarding cybersecurity policies and procedures, management of third-party service providers, multifactor authentication, appointment of a chief information security officer, application security, audits and notice in the event of a cybersecurity incident. Companies also should expect the patchwork of state data security and breach notification laws to continue. California revised its data breach laws effective Jan. 1, 2016, to expand and clarify the existing notice requirements and to specify forms for notices.

Third, Mayer Brown expects growth in litigation for cybersecurity and data privacy. The law firm pointed to significant court cases such as the U.S. Court of Appeals for the Seventh Circuit’s decision arising from the Neiman Marcus breach and the U.S. Supreme Court hearing arguments in Spokeo v. Robins, which considers whether the violation of a right that triggers statutory damages can substitute for injury-in-fact for purposes of Article III standing. Plaintiffs filed nearly 250 class actions involving some 35 different data breaches last year, according to Mayer Brown.

Fourth, companies should develop productive relationships with relevant authorities before a cyber crisis arises. Mayer Brown reports that the number of cybercrime investigations and prosecutions is expected to increase in 2016 and continue the long-term trend of growing collaboration among domestic and foreign agencies to target threat actors around the world. The U.S. Department of Justice plans to disrupt and dismantle 1,000 cyber threat actors and to resolve 90 percent of national security and criminal cyber cases during the next fiscal year. The law firm also reports that:

  • Since 2002, the FBI’s number of cyber intrusion investigations has grown by more than 80 percent

  • Since 2010, the U.S. Secret Service’s cybercrime investigations have resulted in more than 5,000 arrests associated with more than $12 billion in actual and potential fraud loss

Lastly, Mayer Brown said cybersecurity and data privacy issues attracted national and global attention. Policy developments in 2016 likely will continue this trend. For example, according to Mayer Brown, it is expected that:

1. Industry will take advantage of significant legal authorities approved in 2015, such as the Cybersecurity Information Sharing Act and new “cyber sanctions,” both of which will require effective collaboration between the private sector and government.

2. Long-standing debates about privacy and security will be moved to the global stage (and likely become more political as the U.S. presidential election approaches).

3. Proliferation of toys, devices and machines that are connected to the Internet will present new cybersecurity and data privacy challenges.

“Cybersecurity and data privacy present novel, complex and global issues across the legal, policy and regulatory spectrum,” Mayer Brown reported. “These developments pose challenges that demand a proactive, risk-based response. Businesses must address these risks in a holistic fashion that reflects the strategic interests of their organizations and is effectively coordinated across their enterprises.”

According to the Ponemon Institute’s 2015 global breach survey, on a global basis the average cost of a breach was $3.8 million, with a cost of $154 per individual record lost or compromised. Small and large companies run the risk of a data breach. The implications can be grave.

In its 2016 Data Protection and Breach Readiness Guide, Online Trust Alliance (OTA) outlined advice to help businesses optimize privacy and security practices to help reduce the risk of data loss. Data loss and identity theft occur from an increasing level of deceptive practices. Social engineering, forged email, malvertising, phishing and fraudulent acquisition of Internet domains are rising, according to OTA. Because of this, OTA recommends businesses implement the following to protect data:

  • Encrypt data at rest and in transit

  • Enforce effective password management policies

  • Implement a Least Privilege User Access (LUA) security strategy

  • Conduct regular security design and code reviews including penetration tests and vulnerability scans

  • Secure client devices by deploying a multi-layered firewall

  • Require email authentication on all inbound and outbound mail servers

  • Implement a mobile device management program

  • Monitor security in real-time

  • Deploy web-application firewalls

  • Permit only authorized wireless devices

  • Implement Always On Secure Socket Layer

  • Review server certificates and vulnerabilities

  • Develop, test and continually refine a data breach response plan

  • Establish and manage a vulnerability/threat intelligence reporting program

“Whether you are a Fortune 500 company or local merchant, if you collect data then you are at risk,” Online Trust Alliance said in its report. “Data security and privacy must become part of an organization’s culture. Being prepared will help protect your data, detect a loss and quickly mitigate the impact. The responsibility cannot be assigned to a single group or person. It is everyone’s responsibility.”

The third pillar of ALTA’s Title Insurance and Settlement Company Best Practices addresses policies and procedures to protect data.

Copyright © 2004-2016 American Land Title Association. All rights reserved. All publications of the American Land Title Association are copyrighted and are reprinted herein by specific permission from: American Land Title Association (ALTA) 1800 M Street Suite 300 South Washington, DC 20036 Phone: 202-296-3671 E-Mail: service@alta.org Web: http://www.alta.org