By Phillip Long, CEO, Business Information Solutions
Operating a business is challenging enough even before you begin taking into account thorny issues like data security — and the threat of some sort of compliance audit or regulatory action is a motivator that’s easy to begrudge. Among title insurance companies and IT solution providers that work with them, there’s the additional hurdle that many companies aren’t all that aware they even have sensitive data to secure. Thus, they tend to have an extra layer of reluctance in just recognizing data security needs exist, let alone in addressing them properly. If the first step toward a solution is admitting there’s a problem, the other early step in this case should be conveying how simple and low-impact the fix can be.
The Issue: ALTA Sets A High Bar
Because of the work they do, title insurance companies naturally handle sensitive personal and financial data belonging to the clients they serve. They also deal with sizable amounts of money that changes hands between banks and clients during closings. In practice, this data ends up stored on desktops, laptops, mobile devices, and USB drives used by employees at these companies. Frequently, title insurers don’t understand they have retained this information on their systems, or don’t understand the risks of exposure to that data.
The American Land Title Association (ALTA) — the key trade association for businesses in the industry to which almost all title insurers belong — has recognized the need for delineated data security standards governing practices at these companies. It has also begun making membership contingent on adhering to more specified guidelines.
ALTA has now adopted standards closely resembling those in place for HIPAA compliance in the healthcare field, requiring businesses have enforceable, auditable, and persistent plans for making sure sensitive data is either completely absent from devices that are at risk, or that such data can be made unreadable, inaccessible, or indiscernible. Data encryption is not explicitly required by ALTA or HIPAA standards, but it is recognized and recommended as a solution, and, in practice, is all but mandatory to achieve compliance.
As ALTA membership is more or less a necessity for title insurers (who rely upon the connections, trust, and other benefits that come with being a part of the association), this shift toward defined data security guidelines has created conditions where companies must adapt to meet these new standards. Unfortunately, as I’ve said, title insurers often don’t know how to go about meeting ALTA compliance standards, or falsely believe that they are already in compliance. But as ALTA enlists compliance auditors to conduct detailed assessments of the sensitive data held by member companies, as well as the risks to that data, these companies have a powerful business incentive to get their houses in order ahead of those audits.
The Bad News: Companies Do Have Data To Protect. The Good News: It’s Pretty Easy.
As a solution provider, we often work with businesses that need to get their practices in shape in a hurry and don’t know how to proceed in doing so on their own. In a recent example, we were approached by a title insurance company that knew it faced an upcoming ALTA audit. The company wanted to be diligent in ensuring it had nothing to worry about — and truly believed that to be the case. The title company’s perception was that any sensitive data files were protected inside of its particular title insurance software, and the mobile devices used by employees at the company didn’t carry any sensitive data (and thus would not need data protection).
However, we performed an audit ahead of the official one coming from ALTA, using tools to search for sensitive personal client information that could be exposed (like social security numbers, dates of birth, credit card numbers, email addresses, and other similar data that would amount to a breach if it got out). In fact, within emails and on the hard drives of mobile devices, this kind of information was both present and completely unprotected.
There are two pieces of good news for companies that are in this situation, or that are shy in taking a hard look at their situation and simply hoping everything is fine. First, with the right tools, assessing a company’s data security situation is quick, painless and easy, and it’s certainly something a company wants to do on its own terms. Second, implementing solutions to protect data across all devices at a company is just about as easy. There are low overhead cloud-based solutions (in this case we used SimplySecure from Beachhead Solutions) that can encrypt data on a company’s devices remotely, and operate unobtrusively enough that employees don’t even know it’s there. Such solutions can handle email security as well, and can easily demonstrate to auditors that a company has gone a step beyond even ALTA (or HIPAA) best practices by delivering the capability to block access and wipe data from lost or stolen devices, in addition to steadfast encryption.
In this example, the company flew through its ALTA audit after making some easy changes to its practices informed by the audit we conducted. Now, instead of avoiding the issue of data security as a potential liability, this title company considers it as asset that it can in turn showcase to clients, who take comfort knowing secure precautions are in place. For any company that handles sensitive data but is considering a head in the sand approach to security, please know that there is nothing to fear and a lot to easily gain from instead facing data safety head on.
Phillip Long is CEO at Business Information Solutions, a full-service IT support company specializing in comprehensive IT solutions to businesses on the Gulf Coast. Business Information Solutions is a division of BIS Technology Group.