- May 23, 2003
- All Issuing Offices and Affiliated Companies
- Privacy of Personal Information of Consumers and Customers; Update
The Gramm-Leach-Bliley Financial Services Modernization Act (G-L-B) protects the privacy of nonpublic personal financial information relating to consumers and customers (Customer Information). Bulletin NL000103 discusses G-L-B and existing requirements.
Safeguarding Nonpublic Personal Financial Information
G-L-B requires the adoption of regulations that oblige financial institutions to maintain administrative, technical and physical safeguards for Customer Information. Financial institutions include title insurance companies, title insurance agents, and settlement agents.
The National Association of Insurance Commissioners has prepared the "Safeguarding Customer Information Regulation," which applies to "licensees," and several states have adopted this Regulation. Licensees typically include title insurance companies and title insurance agents.
The Federal Trade Commission has adopted a similar Safeguards Rule, which applies to certain financial institutions, such as entities that provide real estate settlement services. This Safeguards Rule applies to settlement agents.
Safeguard requirements for title companies and settlement agents include the following:
- You must develop, implement, and maintain a comprehensive written information security program. (See the SISCO Information Security Program, applicable to SISCO and its subsidiaries, in Exhibit 1 for a sample written information security program.)
- Your information security program must contain administrative, technical, and physical safeguards appropriate for your size and complexity, the nature and scope of your activities, and the sensitivity of the Customer Information.
- Your information security program must be designed to (1) insure the security and confidentiality of Customer Information, (2) protect against anticipated threats or hazards to the security and integrity of the Customer Information, and (3) protect against unauthorized access to or use of the Customer Information.
- You must designate one or more employees to coordinate your information security program, pursuant to the Safeguards Rule.
- You must identify reasonably foreseeable internal and external risks that could result in unauthorized disclosure, misuse, alteration, destruction or other compromise of Customer Information.
- You should assess the likelihood and potential danger of these threats, taking into consideration the sensitivity of Customer
- You should assess the sufficiency of safeguards in place to control risks to Customer Information.
- Your risk assessment should include:
  - Employee training and management
  - Consideration of risks in your information systems, including network and software design, information storage, transmission, and disposal
  - Detection, prevention and response to attacks, intrusions and other failures
- You must design and implement safeguards to control the risks you identify through the risk assessment.
- You must regularly test or monitor the effectiveness of
- You must exercise due diligence in selecting service providers that can maintain appropriate safeguards. A service provider is a person or entity that receives Customer Information from you when performing services for you.
- You must require your service providers by contract to implement and maintain safeguards for Customer Information. Because existing law in some cases requires a specific confidentiality provision in service contracts with service providers who receive Customer Information, those contracts should require the service provider to use and disclose the Customer Information only for the purposes for which the Customer Information was disclosed, except as otherwise permitted by law.
- You must require your service providers by contract to implement and maintain safeguards for Customer Information. Because existing law in some cases requires a specific confidentiality provision in service contracts with service providers who receive Customer Information, those contracts should require the service provider to use and disclose the Customer Information only for the purposes for which the Customer Information was disclosed, except as otherwise permitted by law.
Real Estate Brokers
Real Estate Brokers often request copies of signed HUD-1 and other unrecorded forms at closing that disclose Customer Information. In order to provide such forms, cautious settlement agents include language such as the following in documentation signed by the buyers and sellers:
"The undersigned hereby authorize Title Company to provide copies of any closing statements, loan documents, financial information, commitments, approval letters, appraisals, inspection reports, insurance policies, contracts, payoffs, transaction documents, and other nonpublic personal information in connection with our transaction to the real estate broker and real estate agent."
HUD-1 to Lender
RESPA contemplates that separate HUD-1 forms may be provided for sellers and buyers, or one (combined) HUD may be given to both. If a separate HUD-1 is provided to the seller and to the borrower, lines and columns in Section J that relate to the borrower's transaction may be left blank on the copy of the HUD-1 furnished to the seller, and lines and columns in Section K that relate to the seller's transaction may be left blank on the copy of the HUD-1 furnished to the borrower. RESPA also states that the borrower's information and the seller's information may be provided on separate pages.
Even if a separate HUD-1 is provided to the seller and to the borrower, RESPA requires that both copies shall be provided to the lender.
Insurance Department Examination Standards
NAIC Examination Standards for review of title insurance agent and title insurer compliance with privacy requirements include review of privacy policies and procedures, privacy notices, sample service agreements, and written information security programs.
Bank Required Confidentiality Agreements
Many banks require title companies to sign Confidentiality Agreements. Reasonable provisions could include:
- Agreement to maintain the confidentiality of Customer Information, except as permitted by law
- Use the Customer Information only for the purposes for which it was disclosed
- Safeguard the Customer Information by the Title Company and any of its Service Providers
- Cooperate with the Bank and allow audits of Customer
- Exception for information that is publicly available
- Exception for disclosure as required by law
Recording Customer Information
Many states now prohibit the recordation in the public records of social security numbers. Title companies should not file for record affidavits or other documents that disclose nonpublic personal financial information, such as social security numbers or driver license numbers.
Amended Privacy Notice
The American Land Title Association revised its Sample Privacy Notice in 2001. We recommend that you incorporate the terms of this revised form as your Privacy Notice.
THIS BULLETIN IS FURNISHED TO INFORM YOU OF CURRENT DEVELOPMENTS. AS A REMINDER, YOU ARE CHARGED WITH KNOWLEDGE OF THE CONTENT ON VIRTUAL UNDERWRITER AS IT EXISTS FROM TIME TO TIME AS IT APPLIES TO YOU, AS WELL AS ANY OTHER INSTRUCTIONS. OUR UNDERWRITING AGREEMENTS DO NOT AUTHORIZE OUR ISSUING AGENTS TO ENGAGE IN SETTLEMENTS OR CLOSINGS ON BEHALF OF STEWART TITLE GUARANTY COMPANY. THIS BULLETIN IS NOT INTENDED TO DIRECT YOUR ESCROW OR SETTLEMENT PRACTICES OR TO CHANGE PROVISIONS OF APPLICABLE UNDERWRITING AGREEMENTS. CONFIDENTIAL, PROPRIETARY, OR NONPUBLIC PERSONAL INFORMATION SHOULD NEVER BE SHARED OR DISSEMINATED EXCEPT AS ALLOWED BY LAW. IF APPLICABLE STATE LAW OR REGULATION IMPOSES ADDITIONAL REQUIREMENTS, YOU SHOULD CONTINUE TO COMPLY WITH THOSE REQUIREMENTS.
SAMPLE PROGRAM - CONSULT WITH YOUR COUNSEL IN PREPARING A WRITTEN PROGRAM
SISCO Information Security Program
PURPOSE OF THE PROGRAM
The purpose of the Stewart Information Services Corporation (SISCO) Information Security Program is to outline the administrative, technical, and physical safeguards designed to:
· Ensure the security and confidentiality of SISCO customer information
· Protect against anticipated threats or hazards to the security or integrity of such information; and
· Protect against unauthorized access to or use of such information that could result in substantial harm or inconvenience to any customer.
SCOPE OF AUTHORITY
All employees, affiliates, contractors, temporary workers, vendors, and other third-party personnel who have been commissioned by SISCO to handle customer information are governed by this program. In turn, this Information Security Program is governed by applicable state and federal regulations in compliance with Title V of the federal Gramm-Leach-Bliley Financial Services Modernization Act (G-L-B).
ASSIGNMENT OF RESPONSIBILITY
The Board of Directors has appointed the Chief Information Security Officer (CISO) to be responsible for implementing and administering the Information Security Program. The CISO reports to the SISCO Board's Audit Subcommittee and provides quarterly updates on the overall status of the Information Security Program including:
· Current risk assessment, management, and control activities
· Service Provider arrangement concerns
· Overview and status of known security breaches, violations, or other concerns
· Summary results of security testing procedures
· Recommendations for program modifications or enhancements
On-going internal and external vulnerability assessments will be conducted for the current high-risk areas of the corporation. These assessments will be designed to identify technical and procedural vulnerabilities as well as the effectiveness of existing security policies and procedures. Additionally, the CISO will maintain a Corporate Risk Assessment Grid comprised of various anticipated risk factors, weighted by their forecasted probability, resulting in a calculated risk value for a variety of technology systems, procedures, and data sources. The Risk Assessment Grid will be reviewed and updated on a quarterly basis.
RISK MANAGEMENT AND CONTROL PROCEDURES
The following security measures will be routinely employed to ensure the security, confidentiality, and integrity of all non-public customer and corporate information:
· All corporate applications will require individual user access controls and only specific access required to perform assigned duties will be granted.
· Security awareness issues will be communicated to all employees to reduce the probability of unauthorized individuals fraudulently gaining application access information.
· Physical security measures will be implemented at all locations where customer information is stored and at all corporate data center locations.
· Encryption technology will be employed for confidential corporate or customer information that is transmitted electronically over the Internet.
· A change management process will be implemented to ensure that all production system modifications are consistent with the Information Security Program.
· Information systems will be actively monitored to detect actual or attempted attacks on, or intrusions into, customer information systems.
· An incident response procedure will be implemented to outline specific actions to be taken when a suspected or actual security breach or unauthorized access of customer or confidential corporate information has occurred.
· Corporate business continuity and disaster recovery programs will be established and maintained.
Individual policies, technical standards and management bulletins have been created to address the above concerns. These have been published on an internal web site for easy accessibility and global dissemination. Currently these documents can be found at https://itportal.stewart.com.
SECURITY TRAINING AND AWARENESS
The CISO will endeavor to promote on-going information security awareness through the following channels:
· Distribution of Employee Manuals to all employees requiring annual sign-off of agreement and compliance.
· Implementation of a security and privacy awareness Intranet web site including safeguarding customer data guidelines, incident reporting form, e-mail virus and hoax information, and other related topics.
· Regular articles published in corporate newsletters.
· Information security bulletins distributed to all employees to address security policy modifications, security alerts, and other urgent security issues.
OVERSIGHT OF SERVICE PROVIDERS
The CISO will ensure that due diligence is exercised in selecting Service Providers. All agreements with third-party service providers must be reviewed by Legal Counsel and include provisions for safeguarding SISCO customer information. All Service Provider contracts will require that a corporate Confidentiality Agreement be signed. When appropriate, proof that the Service Provider has met the requirements of the Gramm-Leach-Bliley privacy act will be required. Acceptable forms of proof are Service Provider audit reports, SAS 70 reports, or testing by the CISO.
SECURITY PROGRAM EVALUATION AND ADJUSTMENT
The CISO will continually monitor, evaluate, and adjust the Information Security Program to account for technology changes, emerging vulnerabilities and threats, and other relevant factors that may have an impact on the security or integrity of confidential corporate or customer information.
SISCO has voluntarily adopted this Information Security Program for its sole and exclusive use and may amend, modify, or withdraw it at any time without
- Bulletins Replaced:
- Related Bulletins:
- NL000103 Privacy of Personal Information of Consumers and Customers
- Underwriting Manual:
- Exceptions Manual: