Posted by Bear900/CA on 2/9/13 3:04am
Msg #454944

What are your Anti-Identity Theft procedures?

http://business.ftc.gov/documents/bus54-financial-institutions-and-customer-information-complying-safeguards-rule

http://www.federalreserve.gov/bankinforeg/interagencyguidelines.htm

http://www.ftc.gov/bcp/edu/microsites/redflagsrule/index.shtml

Think about this:

• Loan officers who transfer loan data to loan processors and banks use (or should) password protected or encrypted email or they upload to secure websites.

• Loan websites that gather 1003 information must be secure.

• Anyone who pulls a credit report is usually required to have a Red Flags Policy (SAFE Act) in place.

• Brokers and banks who have the same information that we do are required to follow the FTC, GLB and FACT Act (Identity theft) rules which require an Anti-Identity Theft Policy, training of personnel and someone in place to manage the process.

• They are also required to ‘verify’ that all third party vendors have their own policies and procedures in place. Theoretically brokers need to verify title company’s policies and procedures.

• If a loan officer or broker wants to use a home office they must have a locked office door, locked cabinets, shredder, and password protected computer and pay $200 for a home office inspection, complete with pictures, annually if they pull credit reports.

• Notaries get to buy ‘privacy guards’ for notary journals and keep them locked up.

• Some disparity here?

After all this expensive and time consuming security to meet rules and regulations, the end notary receives unsecure PDFs with the Full Monty of customer information.

I have seen bits of discussion on GLB here in the past but no real comparison or awareness of what the rest of the chain must do to keep customer information secure.

What steps do you take to keep customer informtion secure? In what ways do you share it and how? How liable should a notary be, considering we probably have more information sent to us then most people in the loan process?

Think about it.

Reply by Beverly Kinlaw on 2/9/13 6:23am
Msg #454947

Good question! So if everyone in the process except the NSA has identity theft procedures in place and bo info got stoken ---seems like the NSA could be held liable--lawsuit etc etc
Suggestions for a good economic anti-identify theft procedure for the NSA??

Reply by Bear900/CA on 2/9/13 11:42am
Msg #454977

Suggestions for a good economic anti-identify theft procedur

I was hoping to hear from more experienced notaries and some techies who could help out here.

I wish NR had separate forum for both Compliance and Anti-Identity Theft procedures. I don’t feel the search button information is sufficient (or accurate) and posts like these disappear quickly.

Compliance to new current laws is difficult to stay on top of. Deterring fraud is an expected duty of notaries.

I will make a LinkedIn forum to discuss both of these for permanent reference and post the name here for any who wish to participate and learn.

Another thread was discussing emailing docs so cybersecuity comes to mind as an issue. Knowledge and a continuously updated plan are essential. Here is a good starting point to devise a cybersecurity plan:

http://csrc.nist.gov/nice/

Reply by 101livescan on 2/9/13 8:10am
Msg #454952

Exactly on the money here Ben. That is why notaries in CA are background checked every two years and every four years live scanned for SOS by DOJ and FBI criminal records. In order to work for the best companies, we must carry $100,000 E&O insurance.

Privacy and document security are highly guarded by settlement agencies, title and escrow, but what about the nickle and dime signing services out there who go in and out of business at the drop of a hat.

You've opened a can of worms my friend. So all these newbie notaries who are being churned out by taking these quick and dirty online NSA courses are clueless about document security, haven't the first idea about ID fraud and consumer protection laws. Receive their documents in a PDF at the HOA business center. Pretty scary stuff. And these are the notaries working for $50 to $90. I think SS's have a lot to be worried about as the monkey in the middle. I don't think they can possibly carry enough E&O to protect themselves in the event of ID fraud if documents fall into the wrong hands.

Reply by Bear900/CA on 2/9/13 11:54am
Msg #454979

Re: Costs assciated with document security

Thanks Cheryl.

There has been much discussion on profits and expenses.

That raises the question, do we budget sufficiently to put in place and maintain identity theft practices and procedures?

There is no doubt you will incur some expense for that. Do you charge enough to cover that additional necessary expense?

Reply by BrendaTx on 2/9/13 8:10pm
Msg #455018

**Receive their documents in a PDF at the HOA business center.**

LMAO.

Reply by Virginia/PA on 2/9/13 8:51am
Msg #454956

One company comes to my mind is Nations Direct who take the time to send docs password protected and call the notary with the password so it is not part of any email that could get hacked, but then asks the notary to "faxback" half the package and the "faxes" are sent to an email address (which I prefer since I need to pay 10 cents per page for faxes) but they don't instruct you to password protect the faxback which contains not only the documents but signed borrower documents. I always password protect all "faxback" when it goes to an email address. I avoid using my faxback service since the file resides on a 3rd party company's server and faxes of that kind cannot be password protected.

Reply by Bear900/CA on 2/9/13 11:46am
Msg #454978

Protecting faxbacks

Thanks for your response Virginia.

Please tell the audience here how you password protect faxbacks.

Thanks!

Reply by FormerEO on 2/9/13 7:48pm
Msg #455013

What are you worried about?

If the title company sends out the docs without securing them (virtually 100% of the time), why are you worried? Just for argument sake, if a borrower's identity was compromised there is no way of anyone knowing at which point in the chain of handling the docs where the data was intercepted.

Reply by Bear900/CA on 2/10/13 7:33am
Msg #455030

I want to make sure I get you input right. Is this what you're saying?

1) The title company doesn’t practice security so I don’t need to worry.

2) Breach of security could happen anywhere in the chain of handling the docs so there is no way I can be held liable.

Reply by FormerEO on 2/10/13 11:26am
Msg #455044

What I am saying is that there are so many hands that the docs pass through it is impossible to discover at what point in the chain of possession did the data get compromised.

If you take prudent precautions and safe business practices you have nothing to worry about, so don't.

This past week the Federal Reserve Bank confirmed that one of their internal computers was hacked into and compromised. If the Federal Reserve, the Washington Post, the Wall Street Journal, the New York Times, the White House, the Pentagon and Congressional servers have been hacked into within the past 30 days, realistically you are not going to stop those intent on doing bad things no matter what steps you take or whatever feeble attempts at security you try. Whatever software you might have access to and can afford will not come close to the security algorithms used by government servers.

You can spend a million dollars on computer security and still get hacked if the hackers want to get you.

Reply by Bear900/CA on 2/10/13 2:09pm
Msg #455063

Best Practices are what I was searching for when I asked “What are YOUR Anti-Identity Theft Procedures?”

Many here would like to know what prudent precautions to take and how they can effectively set them in place.

Since we are hired by title companies who have self-imposed mandates that are driven by lenders who require this of them under the Red Flags Act (FACT ACT) GLBA and CFPB, we may want to develop our own to meet their expectations, or not.

See what you think of this that also happened in the last 30+ days:

http://www.alta.org/bestpractices/docs/13-01-02_Executive_Summary.pdf

"Title Insurance and Settlement Company Best Practices

Executive Summary

Wednesday, January 2, 2013

Best Practice: Adopt and maintain a written privacy and information security plan to
protect Non-public Personal Information as required by local, state and federal law."

Of the seven pillars of the plan, the heart of the plan is based on the following:

• Physical Security of Non-public Personal Information Policy (NPI)
• Network Security of Non-public Personal Information Policy
• Disposal of Non-public Personal Information Policy

Since some here are unfamiliar with what Best Practices may be for Anti-Identity Theft Policies this discussion may be a helpful starting point of whether they should adopt one or not.

Reply by Bear900/CA on 2/10/13 2:30pm
Msg #455065

http://www.alta.org/bestpractices/docs/ALTA_Title_and_Settlement_Company_Best_Practices.pdf

This is the enhanced version I meant to post, my apologies. The bullet points I posted are in item 3.

Reply by Tudi/CA on 2/10/13 11:21pm
Msg #455109

I live near the "Silicon Valley" and have many computer experts as neighbors. Two of them are in charge of the IT security for huge companies. Here's what they told me regarding security:

1. Have one computer that is dedicated strictly to your notary work (use a different computer for your personal use). For maximum security, it should be hardwired into the wall and printer. (Not wireless).
2. If you decide to use your notary computer on a wireless basis, make sure you have a new and good router/modem combination product. These newer products have security aids built into them (old ones do not).
3. Do not tell people a lot about what you do for a living, especially about handling sensitive documents. If a person really wants to hack into your system, they can do it. It would take an expert and a lot of effort, but if they know your email and have a strong desire to break into your system, they can do it. Don't give people the "incentive" to hack into your computer.
4. Make sure you have good and updated security software on your computer.
5. Use a different email address for your business than your personal email account.

Reply by Bear900/CA on 2/11/13 12:02am
Msg #455112

NOW we're getting somewhere - Thanks! :) n/m

Reply by Tudi/CA on 2/12/13 6:22pm
Msg #455553

Re: NOW we're getting somewhere - Thanks! :)

Also, only "surf the web" and only open "personal email" and "unknown email" on your personal use computer (not on the computer you use strictly for Notary Business). My computer expert friends say that most people's computers get corrupted through people being curious and clicking on unknown sites or by messages of unknown people. If you want to do this, do it on your personal computer...if it gets compromised, you can have it cleaned up and your sensitive information hasn't been exposed. Also, beware of clicking/opening up "chain e-mails" that have been forwarded around the internet to many people, because these chain emails often contain viruses/trojans/malware.

Reply by Tudi/CA on 2/12/13 11:08pm
Msg #455603

Re: NOW we're getting somewhere - Thanks! :)

Also, if you're using a modem/router for wireless, it's very important that you change the default password (from the factory) to your own individual password. If you don't, the hackers try the known default passwords and if you haven't changed yours, they can hack into your system.