ALTA Best Practice 3: Nonpublic Personal Information


Best Practice: Adopt and maintain a written privacy and information security program to protect Nonpublic Personal Information as required by local, state and federal law.
 
Purpose: Federal and state laws (including the Gramm-Leach-Bliley Act) require title companies to develop a written information security program that describes the procedures they employ to protect Nonpublic Personal Information. The program must be appropriate to the company’s size and complexity, the nature and scope of the company’s activities, and the sensitivity of the customer information the company handles. A company evaluates and adjusts its program in light of relevant circumstances, including changes in the company’s business or operations, or the results of security testing and monitoring.
 
Procedures to meet this best practice:
 
1. Physical security of Nonpublic Personal Information
  • Restrict access to Nonpublic Personal Information to authorized employees who have undergone background checks at hiring.
  • Prohibit or control the use of removable media.
  • Use only secure delivery methods when transmitting Nonpublic Personal Information.
 
2. Network security of Nonpublic Personal Information
  • Maintain and secure access to company information technology.
  • Develop guidelines for the appropriate use of company information technology.
  • Ensure secure collection and transmission of Nonpublic Personal Information.
 
3. Disposal of Nonpublic Personal Information
Federal law requires companies that possess Nonpublic Personal Information for a business purpose to dispose of such information properly in a manner that protects against unauthorized access to or use of the information.
 
4. Establish a disaster management plan
 
5. Appropriate management and training of employees to help ensure compliance with a company’s information security program
 
6. Oversight of service providers to help ensure compliance with a company’s information security program
Companies should take reasonable steps to select and retain service providers that are capable of appropriately safeguarding Nonpublic Personal Information.
 
7. Audit and oversight procedures to help ensure compliance with a company’s information security program
Companies should review their privacy and information security procedures to detect the potential for improper disclosure of confidential information.
 
8. Notification of security breaches to customers and law enforcement
Companies should post the privacy and information security program on their websites or provide program information directly to customers in another useable form. When a breach is detected, the company should have a program to inform customers and law enforcement as required by law.
 
(Source: American Land Title Association)
 
For additional resources to help you adhere to the Best Practices, please visit the Best Practices section of the AgentLink site.