Hoosier Banker, August 2014

What Is GLB?

The Gramm-Leach-Bliley Act was first enacted for the financial sector. Financial institutions that collected NPI from consumers were required to comply. GLB goes on to include restrictions on businesses that receive NPI from covered financial institutions. If your organization fell into this category, your activities would be limited to the collection, use, storage and disposal of NPI. The requirements of GLB basically extend to all parties that are providing “financial services.” Section 4(k)(6) of the Bank Holding Company Act extended these privacy rules to all financial activities, specifically including “providing real estate settlement services.”

ALTA Best Practice No. 3: Adopt and maintain a written privacy and information security program to protect Nonpublic Personal Information as required by local, state and federal law.

The stated purpose of ALTA Best Practice No. 3 is as follows:

“Federal and state laws (including the Gramm-Leach-Bliley Act) require title companies to develop a written information security program that describes the procedures they employ to protect Nonpublic Personal Information. The program must be appropriate to the Company’s size and complexity, the nature and scope of the Company’s activities, and the sensitivity of the customer information the Company handles. A Company evaluates and adjusts its program in light of relevant circumstances, including changes in the Company’s business or operations, or the results of security testing and monitoring.”

There are three basic steps required to comply with and fulfill the purpose of ALTA Best Practice No. 3:

1. Have a written information security program;
2. Include in your written information security program all of the necessary elements; and
3. Adhere to your written information security program.

What Should Be in the Written Information Security Program?

a. Risk assessment.
In order to tailor any information security program to a specific office, a candid and critical assessment of the risks facing that particular office should be performed. These risks could include any or all of the following:

• Who has access to NPI?
• How is NPI transmitted?
• How and where is NPI stored?
• How is NPI used in the workplace?
• How vulnerable is NPI to loss due to data corruption or natural disaster?
• How is NPI decommissioned, destroyed or discarded?
• How is NPI vulnerable to internal and external threats?
• How many third parties (e.g. IT professionals) have access to NPI?

The most important step is to take the time to complete a candid risk assessment. Remember, the risk assessment is for internal use. Once it is completed, the findings should be appropriately prioritized.

b. Privacy officer.
For any process or procedure in an office, someone has to take ownership of it if it is going to see a successful completion. In a small office, this duty could be another title for the principal of the company. In a larger office, a committee may be needed to effectively implement and monitor an information security program.

c. Authorized personnel only.
Access to NPI should be granted to authorized employees who have the requisite training to be allowed to handle NPI. Regardless of who you permit to access NPI in your care, you should perform adequate employee training which conveys the importance of NPI, ensures the protection of NPI from internal and external threats, and requires the trainee to acknowledge receipt and comprehension of the information security plan. Additionally, before you allow any employee access to your office and NPI, you should perform a criminal background check. Subsequent checks every three years (going back five years) are also part of this process.