Ensure Your Service Providers Follow Policies to Protect NPI
October 3, 2013
Title and settlement companies are encouraged to maintain policies to protect non-public personal information (NPI), but they should also ensure that the third-party service providers they use comply with an information security program. A company's own controls do little good if a vendor with access to the same data has none.
Title and settlement companies should take reasonable steps to select and retain service providers that are capable of appropriately safeguarding NPI.
Vendors that may have electronic access to NPI through a company's information systems and associated resources include:
- Network hardware installation/maintenance/service/support
- Workstation installation/maintenance/service/support
- Software application installation/maintenance/service/support (e.g., title production software, customer relationship management database, email applications, etc.)
- Browser-based software applications
- Online backup services
Additionally, companies should consider vendors that may have access to NPI in paper-based files or in systems hosted outside the company's direct control, including:
- Mobile notaries, mobile closers
- Online backup services or off-site backup tape storage vendors
- Email service providers
- Server hosting vendors
- Website hosting vendors
To help limit a title or settlement company's exposure if NPI is compromised at a service provider, each vendor (and the vendor personnel who will handle the data) should be given a copy of the company's information security policy annually. The vendor should sign an acknowledgment that it understands the policy and agrees to follow it, so that the obligation is documented rather than assumed.
Banks frequently require, at a minimum, that their vendors maintain a current service auditor's report under the Statement on Standards for Attestation Engagements No. 16 (SSAE 16), which replaced the SAS 70 auditing standard. Title and settlement companies may want to include this in their due diligence with service providers. One caveat: an SSAE 16 (SOC 1) report covers controls relevant to a customer's financial reporting, not security as such; a SOC 2 report, which covers security controls directly, is the more relevant document when the concern is safeguarding NPI. In either case, confirm that the report's scope and period actually cover the services the company uses.