Lots of attorneys are breathing a sigh of relief right now: “I am so glad that I don’t practice residential real estate.” If you are not a real estate attorney, you may not be aware that new federal regulations coming down the pike from the Consumer Financial Protection Bureau (CFPB) will impact how real estate attorneys practice every day. If you are a real estate attorney, you should be (or will soon be) very familiar with these regulations that require extra protections for your office, your data, and your financial systems.
Although the requirements are a burden on many real estate attorneys, and are even putting some of them out of the real estate business, many of them are good practical advice for all attorneys to follow. The CFPB regulations may not apply to your practice area right now, but they are a reasonable way to help keep your data and your clients’ data protected. Take a page from the Boy Scouts: be prepared!
As a little background, the CFPB is forcing the financial industry to comply with regulations that protect consumers’ private information as it flows through their systems. Residential real estate attorneys, as agents in the real estate process, are also subject to these regulations. While there has been lots of speculation about these regulations, suggestions of how to comply, and “Best Practices” recommendations, real estate attorneys are now under a deadline for compliance—October 1st.
So what does this have to do with non-real estate attorneys? Lots.
The steps for compliance are centered on the American Land Title Association’s (ALTA) “Best Practices Pillar #3: Privacy and Information Security.” This recommendation deals with technology and the protection of Non-Public Information (NPI), which is data like social security numbers, bank accounts, financial records, and any personally identifiable information that is not publicly available. Sound familiar? It should. Bankruptcy, family law, and wills and estates attorneys are just a few practice areas that deal with NPI. No, they are not subject to these regulations, but they could be in the future. You may want to consider implementing some of these best practices now, before they are forced upon you.
These practices to protect client data are not unreasonable from an IT point of view, but may be quite burdensome to a real estate practice that is behind on technology. Many are written policies and procedures that are important to maintain the health of your firm, while others are solid technology processes a firm would benefit from implementing. In fact, these regulations might be beneficial for your firm to consider now as part of a firm’s annual technology review process (you do that, don’t you?).
This is not a comprehensive list of all of the requirements of Best Practices #3, but it will give you a good idea of the type of regulations to which real estate attorneys will be subjected:
- Create and implement a written Privacy and Information Security Policy which describes how Non-Public Information (read client data) is protected. This policy should include data stored on mobile devices.
- Obtain an Information Security Risk Assessment to verify where data is stored, processed, transmitted and disposed—including external threats to data exposure.
- Verify that your data security system is regularly tested and any issues resolved.
- Create an Acceptable Use Policy, covering use of the internet, email and company resources, that is annually reviewed, updated and verified by employees.
- Confirm that data is only available to authorized users, including procedures for removing terminated employees. (Lock down your network and don’t give everyone access to all of the firm’s data unless they need it).
- Create, test and implement complex password policies.
- Create and implement a policy regarding removable media and restricted use of USB drives.
- Provide encrypted email and encrypted hard drives.
- Document intrusion detection and security alerts. If this has been outsourced, have the external party provide reporting of detection and security.
- Verify that physical access to the office, server room and other data (offsite storage) is limited to authorized personnel.
- Create and implement a Clean Desk Policy.
- Create, implement and test a Disaster Recovery Plan.
- Create and implement policies for hardware and software updates and modification.
- Create, implement and test backup procedures to prevent data loss, including when this is done through a third-party backup company.
- Require third parties that have access to your data to comply with all of the same security procedures.
- Include a privacy statement on your website and describe how the data that is collected on your website is protected.
- Create and implement a policy for record retention and destruction, including these same policies for third parties that retain and destroy firm data.
This is only one of the seven Best Practices to which real estate attorneys will be subjected. Given this one, would your firm be compliant? Few are right now, and real estate attorneys will need to comply with all of them.
One of the other Best Practices that you should consider involves formal processes for any of your financial transactions, trust transactions, three-way reconciliation and limited access to your financial system. We need to talk about that another time—that is Best Practice #2.
I encourage you to begin implementing many of these policies and procedures. Even though you do not have a federal agency forcing compliance, these best practices are sound advice to protect your clients and your firm from data theft or physical loss. However, unless you have all of these procedures in place, you will not be smarter than a real estate attorney—they will be ahead of the curve.