How to Protect Data at Rest, in Use and in Motion
October 3, 2013
Federal and state laws (including the Gramm-Leach-Bliley Act) require title companies to develop a written information security program that describes their procedures to protect non-public customer information (NPI).
To help protect this information, ALTA's Technology Committee encourages title companies to understand that there are three types of data that need to be protected:
- Data at rest, which includes information stored on servers or on mobile/smart devices;
- Data in use, such as information on computers, mobile phones, tablets and websites; and
- Data in motion, which is information passing through a computer network.
Data at Rest
Data at rest is data, files, and other information stored on computer servers, desktops, copiers, laptops, smart phones, tablet computers, removable storage devices, etc. Here are tips to protect data at rest:
- Only store NPI in encrypted storage locations on the network (not a desktop/workstation) or on encrypted portable devices and electronic media.
- Never load database files or applications, such as title production software, on personal computers.
- Never store NPI on personally owned devices.
- Delete files from portable devices and electronic media when they are no longer needed.
- Physically secure assets with NPI by securing physical access to the server room and/or server hardware.
- Encrypt all laptop computers, portable devices and electronic media containing NPI.
- Vendors/products which may be helpful: McAfee Safeboot, TrueCrypt (free), Microsoft BitLocker, FileVault for Mac, etc.
Data in Use
Data in use is information that is being processed at a point in time. Here are tips to protect data in use:
- Don't allow unauthorized persons to view other clients' NPI, such as NPI displayed on computer monitors or on documents whose photo images could be captured.
- Train staff to be aware of "snooping," whereby persons can view documents, or computer or mobile device screens, containing NPI.
- Websites that allow entry of information should protect against malicious software that captures keystrokes and information as it is entered.
Data in Motion
Data in motion is found when data, including data files, documents or other communications containing NPI, is sent or received over a network or from one device/user to another device/user (e.g., via e-mail, FTP, or online document sharing methods like SendSpace or shared DropBox folders). Here are tips to protect data in motion:
- Identify Requirements: Practices for handling data in motion require special consideration because of the diversity and number of customers or transaction participants the agent must interact with on a transaction. Review with customers what works best for them and their requirements, but be aware that there is likely not one solution that will work equally well for all the individuals and businesses an agency is required to interact with. Consider that different customer types may have different requirements and systems, as well as security, compliance or usability considerations of their own.
- Identify Current Practices: Identify and document all methods and procedures that are used to transmit or receive NPI or that come into your company’s possession and control. Companies should review all of the methods and procedures that are used to receive and to send information containing NPI. Common methods of delivery that require protection include email, internet-based services, websites, and online backup services.
- Email: Inbound and outbound email should be reviewed to determine if data containing NPI is being sent unencrypted from the company or received by the company. If email containing unencrypted NPI is being received (e.g., closing packages from lenders, preliminary HUD-1 statements), the company should proactively contact the sender to request an alternative delivery method.
- Protect email content
  - Companies should establish and own their own true business domain (e.g., @yourtitlecompany.com) for email accounts and addresses, and avoid public email addresses like gmail.com, aol.com, hotmail.com, etc.
  - Vendors/products which may be helpful: www.godaddy.com, etc.
  - For transmission of NPI in the subject or body of the email, companies should use email encryption services.
  - Spam or content filtering should be used on email servers.
  - Vendors/products which may be helpful: www.comodo.com, www.ironport.com, www.google.com/postini, www.baracuda.com, www.symantec.com, etc.
- Protect email file attachments with NPI
  - Password-protect electronic files sent outside the company network as attachments, and communicate the passwords (or password instructions like "first 4 letters of street name + last 4 of borrower SSN") in a separate message from the file.
- Internet Based Services
  - Use HTTPS, SSL, and FTPS. HTTPS is web traffic encrypted using Secure Sockets Layer (SSL), an encryption protocol that protects data in transmission; a server's use of SSL is backed by a digitally signed certificate. An SSL certificate should be used to protect NPI on web pages/servers that request, collect, or send data. SSL should also be used on email servers that send NPI to email recipients, and on FTP servers to secure file and data transmissions (FTPS). Suggested SSL vendors are www.comodo.com, www.godaddy.com, www.thawte.com, www.verisign.com, and www.networksolutions.com.
  - Use online secure document delivery platforms or transaction management systems with secure access mechanisms and controls.
  - Verify that providers or systems have measures in place to protect the identity and authentication information stored on the system, such as usernames and passwords.
  - Verify that the vendor has measures in place to protect data that is at rest on their systems.
  - Verify that, if the system sends customers hyperlinks to access information containing NPI, procedures are in place to require authentication before that information can be accessed.
  - Vendors/products which may be helpful: www.closingtracker.com, www.sureclose.com, www.transactionpoint.com, www.softprocorp.com/SoftProLive, www.beespath.com.
- Websites: Websites and self-hosted portals used for order placement, file tracking and customer communications should use generally accepted encryption protocols for data transmission.
- Online Backup Services: Use generally accepted encryption protocols.
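The Email tip above asks companies to review inbound and outbound mail for NPI that travels unencrypted. As an added example (not part of the ALTA guidance or any vendor product), the Python scanner below flags SSN-like values in a message's subject, text body or text attachments, skips PGP/MIME encrypted payloads because they are not text parts, and reports only the last four digits so that the report is not itself NPI; the two sample messages are constructed for the demonstration.

```python
"""Scan e-mail for NPI sent in the clear (here: U.S. Social Security numbers).
Added example for the Email tip; not part of the ALTA guidance. The sample
messages built in build_samples() are constructed for the demo."""
import email
import re
from email import policy
from email.message import EmailMessage

# SSN-like values: 3-2-4 digits with optional dash or space separators.
SSN_RE = re.compile(r"\b\d{3}[- ]?\d{2}[- ]?\d{4}\b")


def _mask(ssn: str) -> str:
    """Keep only the last four digits so the finding itself is not NPI."""
    return "***-**-" + re.sub(r"\D", "", ssn)[-4:]


def find_cleartext_npi(raw_message: str) -> list[tuple[str, str]]:
    """Return (location, masked_value) for each SSN-like string in the subject,
    a text body, or a text attachment. PGP/MIME and S/MIME payloads are not
    text/* parts, so they are skipped and yield no findings."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    findings = [("subject", _mask(m)) for m in SSN_RE.findall(str(msg.get("Subject", "")))]
    for part in msg.walk():
        if part.get_content_maintype() != "text":
            continue  # multipart containers, binary and encrypted parts
        where = part.get_filename() or part.get_content_type()
        findings += [(where, _mask(m)) for m in SSN_RE.findall(part.get_content())]
    return findings


def build_samples() -> dict[str, str]:
    """Two constructed messages: a cleartext closing package and a PGP/MIME one."""
    plain = EmailMessage()
    plain["Subject"] = "Closing package for file 1234"
    plain["From"] = "lender@example.com"
    plain["To"] = "closer@yourtitlecompany.example"
    plain.set_content("Borrower SSN is 123-45-6789; draft HUD-1 attached.")
    plain.add_attachment("name,ssn\nJane Doe,987654321\n", subtype="csv", filename="hud1.csv")
    encrypted = (
        "Subject: Closing package for file 1234\n"
        'Content-Type: multipart/encrypted; protocol="application/pgp-encrypted"; boundary="b1"\n'
        "\n--b1\nContent-Type: application/pgp-encrypted\n\nVersion: 1\n"
        "--b1\nContent-Type: application/octet-stream\n\n"
        "-----BEGIN PGP MESSAGE-----\n(constructed ciphertext placeholder)\n"
        "-----END PGP MESSAGE-----\n--b1--\n"
    )
    return {"plain": plain.as_string(), "encrypted": encrypted}
```

A finding for an inbound message is the trigger for the tip's follow-up: contact the sender and agree on an encrypted delivery method.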