April 01, 2016 Feature

How Real Estate Lawyers Can Use Technology to Guard Against Security and Compliance Threats

Ralph J. Schumann
“May you live in interesting times.”

—Traditional (likely apocryphal) Chinese curse

In today’s interesting times, real estate practitioners are witnessing some troubling trends:

  • increasing prevalence of digital scams to separate money from individuals and lenders, such as wire instruction scams utilizing keystroke analysis software and other malware;
  • increasingly widespread and sophisticated techniques used by thieves to steal money from law firm trust and operating accounts;
  • increasingly complex regulatory requirements in the area of residential real estate transactions involving mortgage financing; and
  • increasing emphasis on the part of mortgage lenders to have practitioners meet “best practices” and similar standards in their real estate practices.

Given these trends, it is more important than ever for real property law practitioners to familiarize themselves with and implement the latest technology to protect themselves. In particular, practitioners must ensure they are meeting their obligations as expressed in the TRID (Truth in Lending Act/Real Estate Settlement Procedures Act Integrated Disclosure) Rule, American Land Title Association (ALTA) Best Practice Number 3, and ABA Model Rule of Professional Conduct 1.1: Competence, Comment [8].

TRID Rule

The Consumer Financial Protection Bureau (CFPB), created by the Dodd-Frank Act in the aftermath of the 2008 mortgage meltdown and the resulting recession, is charged with implementation and enforcement of TRID. The CFPB also refers to the program as “Know Before You Owe.” (New regulations implemented by the CFPB went into effect October 3, 2015.)

Most real estate practitioners are aware that the new system involves new forms and new procedures. The Truth in Lending Act’s (TILA) “Good Faith Estimate” (GFE) and “HUD-1 Settlement Statement” (named for the U.S. Department of Housing and Urban Development) are being replaced in most closed-end financing transactions by the new “Loan Estimate” and “Closing Disclosure” forms. Under TRID, the lender is responsible for preparing and delivering the Closing Disclosure to the borrower-consumer and has 100 percent liability for any violations of the new regulations.

TRID represents a dramatic sea change in residential real estate practice of the sort that has not been seen for more than 40 years. Moreover, the CFPB is a “new sheriff in town” with formidable resources and enforcement power. Under TRID, a single violation of the regulations can result in a penalty of $5,000 per day. If the violation is reckless, the penalty increases to $25,000 per day, and a knowing violation triggers a penalty of $1 million per day. Make no mistake: This new sheriff has plenty of weapons, and they are all loaded and at the ready. The CFPB has already imposed billions of dollars in fines and penalties in connection with efforts to protect consumers.

In the context of its enforcement of TRID, the CFPB has stated that its view of the Gramm-Leach-Bliley Act of 1999 (GLB), and later pronouncements by the Federal Trade Commission (FTC) regarding privacy safeguards, is that real estate practitioners acting as title agents are required to take appropriate steps and utilize appropriate technology to create an information security program outlining procedures to protect consumer information. The CFPB’s third-party service provider bulletin issued in 2012 reiterated prior regulations and reinforced the message that lenders are 100 percent liable for the actions of their service providers. Real estate practitioners involved as title agents in mortgage financing transactions are covered service providers and are held to the same standard.

In addition, don’t forget that attorneys are required under the ABA Model Rules of Professional Conduct to protect clients’ confidential information, and that this may require implementing reasonable measures to prevent the inadvertent or unauthorized disclosure of what has been referred to by the FTC as NPI (non-public personal information; see Rule 1.6: Confidentiality of Information, Comment [18].) A lawyer is required to take reasonable precautions when transmitting a communication containing confidential information to prevent the information from coming into the hands of unintended recipients.

NPI includes Social Security Numbers, birth dates, bank account numbers, and other information that can be used to personally identify a consumer. The requirements apply to lenders and other parties, and because real estate practitioners often act as title agents and third-party service providers to lenders in the closing process, they, too, must protect NPI.

ALTA Best Practice Number 3

The CFPB has not explicitly laid out formal requirements for protecting NPI, but in this regard the American Land Title Association (ALTA) has promulgated its Title Insurance and Settlement Company Best Practices (alta.org/bestpractices). Title companies and lenders are increasingly requiring that attorneys acting as title agents in transactions be third-party certified (or, in some cases, self-certify) that they are in compliance with ALTA Best Practices.

Given the robust enforcement powers of the CFPB, the prudent real estate practitioner would be well served to become familiar with ALTA Best Practices in this regard.

ALTA defines NPI as “[p]ersonally identifiable data such as information provided by a customer on a form or application, information about a customer’s transactions, or any other information about a customer which is otherwise unavailable to the general public.” According to ALTA Best Practices, NPI includes first name or first initial and last name coupled with any of the following: Social Security Number, driver’s license number, state-issued ID number, credit card number, debit card number, or other financial account numbers. This definition is consistent with the definition used by the FTC for GLB compliance. All seven pillars of ALTA Best Practices should be reviewed in their entirety by real estate practitioners, but perhaps the most significant in the context of NPI is Best Practice Number 3. (The full text can be found at the end of this article.)

A complete analysis of digital security requirements is beyond the scope of this brief article, but certain basics should be observed in order to comply with ALTA Best Practices:

  1. Only allow authorized persons to access your hardware and equipment, including servers, computers, laptops, tablets, mobile devices, fax machines, copiers, scanners, and printers.
  2. Use strong passwords to access network computers. Include upper- and lowercase letters, numbers, symbols, and perhaps even spaces in passwords.
  3. Password-protect all computers in your office. Require employees to lock their computers when leaving.
  4. Establish a private domain for your business. You should have a website and a business-specific e-mail.
  5. Do not allow staff to use any removable media with any machines on the network. Do not send NPI by e-mail unless required to do so by the e-mail recipient. Old-school sending of NPI by facsimile transmission may be more secure, as long as the transmission goes to a digital “e-fax” or similar digital inbox—pages sent by fax that sit unguarded on a recipient’s regular fax machine may lead to inadvertent disclosure of NPI. (As an aside, using a fax machine to send wire instructions to a mortgage lender or a buyer can be an improvement over using e-mail; notably, the scam artists who have been frequently intercepting wire instructions and then modifying them to send out apparently bona fide “corrected” instructions directing the wire to be sent to the scam artist’s controlled bank account have so far not devoted much attention to “hacking” fax transmissions.)
  6. If you send NPI by e-mail, use secure means. Subscribe to an e-mail encryption service through the e-mail provider for your domain. Send any NPI only in a password-protected document. It is relatively easy to password protect Microsoft Word, Adobe PDF, and WordPerfect documents. When sending the protected document, be sure the text of the e-mail “cover message” does not itself contain the password or any NPI. Some practitioners require that the recipient call on the phone to get the necessary access information.

Note that sending NPI by encrypted e-mail may not be a foolproof method of protecting NPI—an encrypted e-mail, once deciphered and read by a recipient, may sit on the recipient’s computer indefinitely in a download or other folder and be subject to access by keystroke analysis software or other malware residing on the recipient’s computer unbeknownst to the recipient.

Additional information can be found on ALTA’s “Title Insurance and Settlement Company Best Practices Resources & Documents” website page (http://www.alta.org).

ABA Model Rule of Professional Conduct 1.1, Comment [8]

ABA Model Rule 1.1: Competence, Comment [8], provides that attorneys must not only keep abreast of changes in the law and its practice but must also keep abreast of “the benefits and risks associated with relevant technology.” The revised Model Rule and Comment have been adopted by at least 17 states.

Some commentators worry that the “perfect storm” of compliance requirements currently faced by real estate practitioners—TRID regulations, ALTA Best Practices requirements, and requirements of ABA Model Rules such as Rule 1.1—may cause some practitioners who are less technologically proficient to give up the practice of residential real estate in favor of other practice areas. Such a result would be unfortunate.

I am honored to serve as president of a statewide bar association of real estate lawyers in Illinois (Illinois Real Estate Lawyers Association; irela.org). We have thousands of members. When we send out e-mail notices of upcoming meetings, bulletins, and case law updates to our members, however, they go electronically to fewer than 1,200 of our members. This is not because we have neglected to request e-mail addresses of all our members; it is because fewer than 1,200 have provided e-mail addresses. Our suspicion is that some of our folks are having trouble giving up using their IBM Selectric typewriters to prepare real estate documents or are slow to embrace technology and do not have computers or use e-mail. In this current environment, however, it may be necessary to get a bit more “techy” or risk death, in the professional sense. It may be time to join the current century and amass computing power and capabilities beyond those of the venerable Commodore 64 machine of yore. Some practitioners may already have passed a “tipping point” in this regard.

There is no substitute today for developing the requisite technological expertise to meet the current demands facing real estate practitioners. TRID, ALTA Best Practices, and, in many states, Rules of Professional Conduct now require the real estate practitioner to develop and implement policies and procedures to prevent inadvertent disclosure of client confidential information, prevent inadvertent interception of e-mailed wire instructions resulting in significant losses, and “stay current” with relevant technology.

Does this mean the practitioner has to be an “early adopter” and install the latest operating system for a PC as soon as it comes out? Does each Mac user need to study to become an Apple “Genius”? No. Moreover, prudence often dictates a more methodical approach, but practitioners should at least be aware of what current operating systems are available for office computer equipment and make appropriate decisions. (I am thinking here of those “Luddite lawyers” out there—those, for example, who still cling tenaciously to their beloved Windows XP Professional operating system even though it is no longer supported by Microsoft.) With new operating systems may come “growing pains,” but there are also security improvements.

Staying abreast of “the benefits and risks associated with relevant technology” requires no less.

We’re from the Government and We’re Here to Help

The Federal Bureau of Investigation (FBI) has provided some helpful guidance recently. Going beyond standard warnings not to use Hotmail, Comcast.net, AOL, Yahoo, and similar non-secure public domains (not only are they not secure, most user agreements with these sorts of public domains allow the operators to access and retrieve data from your e-mails), the FBI offers some simple, but effective, suggestions. Declaring October 2015 to be National Cyber Security Awareness Month, the FBI provided several pithy observations regarding how to stay safe (tinyurl.com/qgemgwb). While no single suggested defense will provide complete protection these days, use of multiple methods will cumulatively provide a fairly helpful defense. The FBI’s tips include some obvious suggestions (keep your firewall turned on, install or update your antivirus and anti-malware software, and keep your operating system up-to-date and install all security improvements) along with several less obvious suggestions, such as implementing two-factor authentication.

Two-Factor Authentication

Two-factor authentication (TFA) creates an extra layer of security protection. Google calls its version of TFA “2-Step Verification,” and in that context uses it to help protect against unauthorized access to Gmail and other Google accounts from hackers by requiring the entry of a special code when attempting to access—upon an attempt to sign in from a new computer, a code is sent via text to a mobile phone, via voice call, or via a mobile app. You can set the system to require the code only the first time you access the Google account on one of your trusted computers, but the system will be in place and will require entry of the code when anyone else tries to access the account from another computer.

Defense in Depth

The FBI encourages you to protect your mobile devices (such as laptops, flash drives, and smartphones) and be careful accessing WiFi networks in public places (the local coffee shop, airport, or hotel offering a free WiFi hot spot may not be the best place to access your online banking system to check your account balance—there are sniffers out there). If you will be accessing a sensitive account, better to use a virtual private network (VPN) connection from a well-established personal VPN provider. The encryption of your data over a VPN connection provides an additional layer of security for your communications, making the data harder for cyber-snoops to steal.

Redundant Backup

Use multiple methods of backing up your valuable data. Consider a cloud environment (Carbonite, Google Drive, Cubby, or Dropbox, with additional security for professionals), and storing hard copies of data at a different physical location than your office. Consider using an additional external hard drive to back up data on an established schedule (once per week?) that is not left attached to your office computer but is kept at a different physical location. External hard drives are not very expensive. A data breach can be very expensive.

Beware of malware, including keystroke analysis software that can infect your computer unbeknownst to you when you visit Facebook, online shopping sites, or use Yahoo, AOL, Hotmail, and other unprotected domains. Also becoming more problematic is ransomware, which allows a bad person to access and “freeze” your computer until you pay a substantial “ransom” to get back access to your precious files and family photos. Backing up data on an external hard drive attached to your computer is not necessarily a foolproof solution because ransomware can infect and “freeze” peripheral devices such as external hard drives attached to your computer. Turn off your computer when it is not being used.

You may not be practicing with a huge law firm with its own IT department, so consider retaining an IT service for additional assistance. Many with the necessary expertise can be found that charge affordable fees. Consider it a necessary expense of doing business in the current environment.

If you work as a title agent with a title insurance company, it may be able to provide additional assistance.

A Parting Thought: The E-Closings Are Coming!

The requirements of technological familiarity and competence are with us for the foreseeable future. In the context of TRID, moreover, the benefits of technology are seen by the CFPB as the best solution to eliminating consumer “pain points” typically experienced in a real estate mortgage transaction. The introduction of the new Loan Estimate and Closing Disclosure forms represents just the first step.

The CFPB recently conducted an extensive analysis of the operation and benefits of various “e-closing” platforms and systems, and they have declared themselves to be “ardent believers in the promise of technology.” With e-closing platforms, consumers are able to view all documents associated with their mortgage transaction on their laptop or tablet while sitting in the privacy of their home at any time of day or night. More importantly from the perspective of a practitioner trying to provide valuable legal representation to a borrower/consumer, it is possible to press a single electronic “button” on the screen and digitally “sign” all of these documents, from promissory note and mortgage to W-9 forms, in one fell swoop.

Companies such as DocuSign are marketing their services vigorously to mortgage lenders, touting the speed of processing to allow lenders to close business faster to earn revenue sooner, as well as the enhancement of client satisfaction by allowing review of digital versions of documents and fast and convenient “anytime, anywhere” signing on any device. Many marketing pitches by DocuSign and similar providers emphasize the benefit to lenders of using digital signing to streamline a process described by many consumers as frustrating and time-consuming: the finalizing of mortgage paperwork. Signing mortgage documents electronically, however, has more serious consequences than just clicking “ok” to accept a new version of an iTunes user agreement. While lenders clearly benefit from promoting digital signing, is it better for the borrowing consumer?

Attorneys may wish to remind clients of the importance of obtaining legal advice from an experienced practitioner before committing to a financial obligation that may well be the largest in these clients’ lives. The whole purpose of TRID’s “Three-Day Rule” is to allow a consumer three business days to review the important numbers in the closing disclosure form and decide whether or not to proceed. During that period, a consumer can consult with his or her attorney, but the attorney may not be able to do anything about the client’s ill-advised prior digital signing of all mortgage documents without benefit of any consultation.

Faster may not be better in all cases. The growing pressure to agree to all the terms and provisions of mortgage documents by signing electronically on a tablet or smartphone with the push of a single button is not conducive to careful evaluation of risks.

 


ALTA Best Practice Number 3

Best Practice: Adopt and maintain a written privacy and information security program to protect Non-public Personal Information as required by local, state and federal law.

Purpose: Federal and state laws (including the Gramm-Leach-Bliley Act) require title companies to develop a written information security program that describes the procedures they employ to protect Non-public Personal Information. The program must be appropriate to the Company’s size and complexity, the nature and scope of the Company’s activities, and the sensitivity of the customer information the Company handles. A Company evaluates and adjusts its program in light of relevant circumstances, including changes in the Company’s business or operations, or the results of security testing and monitoring.

Procedures to meet this best practice:

  • Physical security of Non-public Personal Information.
    • Restrict access to Non-public Personal Information to authorized employees who have undergone Background Checks at hiring.
    • Prohibit or control the use of removable media.
    • Use only secure delivery methods when transmitting Non-public Personal Information.
  • Network security of Non-public Personal Information.
    • Maintain and secure access to Company information technology.
    • Develop guidelines for the appropriate use of Company information technology.
    • Ensure secure collection and transmission of Non-public Personal Information.
  • Disposal of Non-public Personal Information.
    • Federal law requires companies that possess Non-public Personal Information for a business purpose to dispose of such information properly in a manner that protects against unauthorized access to or use of the information.
  • Establish a disaster management plan.
  • Appropriate management and training of employees to help ensure compliance with Company’s information security program.
  • Oversight of service providers to help ensure compliance with a Company’s information security program.
    • Companies should take reasonable steps to select and retain service providers that are capable of appropriately safeguarding Non-public Personal Information.
  • Audit and oversight procedures to help ensure compliance with Company’s information security program.
    • Companies should review their privacy and information security procedures to detect the potential for improper disclosure of confidential information.
  • Notification of security breaches to customers and law enforcement.
    • Companies should post the privacy and information security program on their websites or provide program information directly to customers in another useable form. When a breach is detected, the Company should have a program to inform customers and law enforcement as required by law.

 

From Title Insurance and Settlement Company Best Practices. All publications of the American Land Title Association, including ALTA Best Practices Resources and Documents, are copyrighted and are reprinted herein by specific permission from: American Land Title Association (ALTA), 1800 M Street, Suite 300 South, Washington, DC 20036; phone: 202/296-3671; e-mail: service@alta.org; web: http://www.alta.org.

Ralph J. Schumann

Ralph J. Schumann is a sole practitioner in Schaumburg, Illinois, with concentrations in real estate law, including residential and commercial transactions, and estate planning and litigation. He is president of the Illinois Real Estate Lawyers Association.