This article was originally published in Real Estate Agent Magazine Twin Cities, written by Charity Malmberg, Founder and President of Trademark Title
When you hear the word, cybersecurity, you might immediately think of the Target breech, the Sony hack and other huge catastrophes that affected hundreds, if not thousands, of people. However, cybersecurity is an issue that all business owners and professionals need to pay attention to. Both real estate agents and title companies are privy to loads of nonpublic personal information (NPI) and are perfect candidates for cyber criminals.
What is NPI?
According to the Federal Trade Commission’s (FTC) website, “NPI is any ‘personally identifiable financial information’ collected about an individual in connection with providing a financial product or service.” Th e exception is information that is already publicly available.
The FTC website also states that NPI includes:
• Any information an individual gives you in order to receive a financial product or service (name, address, income, Social Security number, or other information on an application).
• Any information you receive about an individual from a transaction involving your financial products or services, including account numbers, payment history, loan and deposit balances, credit card purchases and more.
• Any information you receive from a third party about an individual in connection with providing a financial product or service, such as information from court records or from a consumer report.
How is NPI at risk?
In one real-life scenario, an agent had been dating online and it turned out the person she was dating was actually a cyber criminal. He sent an email from her account to the title company requesting that money be sent to his account. In this case, the title company called the seller to confirm the change, uncovering the hacker’s scheme. In another case, an agency controller received an email that appeared to be sent from a superior. The email instructed her to wire out funds immediately. Luckily, spam services trapped the email, but the controller also knew that fulfilling the wire was not protocol.
These two scenarios ended well, but there are many ways in which cyber criminals can weasel their way into money or NPI. Consider the process of buying a house. Applications for a mortgage are oft en filled out online, a lender is sending nonpublic personal information to a title company and there may be several other email interactions with NPI. The same goes for selling a home. Many of the interactions between the REALTOR and the title company include NPI, such as Social Security numbers and loan numbers, which is why it is of vital importance that systems are in place to protect this information.
Suggestions for Keeping NPI Safe
Here are some simple suggestions to ensure that your clients’ information is safe and your business is up-to-par on cybersecurity.
1. Conduct data-privacy training for all new hires. New staff has a lot to learn, but data-privacy should never be left out. All new hires should undergo training on how to handle any physical and online documents containing NPI. They should also be trained on identifying phishing emails and other common scams.
2. Create strict NPI procedures. If your staff is not sure what to do with that email containing a client’s Social Security number or the fax containing loan information, then NPI could end up in the wrong hands. Construct a document with clear procedures on what to do with NPI, both online and in print. Be sure your procedures meet the FTC’s privacy rule guidelines.
3. Test staff with phony phishing emails. It may seem silly, but sending out phony phishing emails is a great way to provide teachable moments to your employees while preventing them from falling for these common scams. These kind of “pop quizzes” also help employees know what to look for in the future.
4. Make sure to encrypt any NPI and get rid of the rest. This may go without saying, but don’t let any staff sit there with an inbox full of unprotected NPI. Be sure these emails are encrypted and protected by both email and server passwords. When the information is no longer needed, shred paper documents of NPI so it can’t be stolen or misplaced.
5. Limit the number or people handling NPI. The less people that handle NPI, the less chance it has of ending up in the wrong hands or not being handled correctly. Again, be sure that all employees handling NPI are well-versed on regulations and using computers that are up-to-date with antivirus soft ware and encrypting abilities.
6. Consider contracting a specialist. If protecting NPI and meeting the FTC’s standards is becoming a bigger job than you can bear alone, then consider hiring an outside firm. There are individuals and firms who specialize in cybersecurity and can help ensure your soft ware is safe and equipped to adequately protect your clients’ sensitive information.
Cybersecurity will continue to be an important part of any healthy business as more and more interactions happen over email and online. Solid systems, trained staff and consulting with experts in the field could be what ensures a positive relationship between you and your clients … and saves you from being the bearer of some very bad news.