
SOLO, SMALL FIRM AND GENERAL PRACTICE DIVISION
A PUBLICATION OF THE AMERICAN BAR ASSOCIATION

REAL PROPERTY LAW

"How Real Estate Lawyers Can Use Technology to Guard Against Security and Compliance Threats"

By: Ralph J. Schumann President, Illinois Real Estate Lawyers Association (www.irela.org)

Reprinted by permission.

How Real Estate Lawyers Can Use Technology to Guard Against Security and Compliance Threats

By Ralph J. Schumann

GPSOLO | March/April 2016 | ambar.org/gpsolomag

"May you live in interesting times."

- Traditional (likely apocryphal) Chinese curse

In today's interesting times, real estate practitioners are witnessing some troubling trends:

• increasing prevalence of digital scams to separate money from individuals and lenders, such as wire instruction scams utilizing keystroke analysis software and other malware;

• increasingly widespread and sophisticated techniques used by thieves to steal money from law firm trust and operating accounts;

• increasingly complex regulatory requirements in the area of residential real estate transactions involving mortgage financing; and

• increasing emphasis on the part of mortgage lenders to have practitioners meet "best practices" and similar standards in their real estate practices.

Given these trends, it is more important than ever for real property law practitioners to familiarize themselves with and implement the latest technology to protect themselves. In particular, practitioners must ensure they are meeting their obligations as expressed in the TRID (Truth in Lending Act/Real Estate Settlement Procedures Act Integrated Disclosure) Rule, American Land Title Association (ALTA) Best Practice Number 3, and ABA Model Rule of Professional Conduct 1.1: Competence, Comment [8].

TRID RULE

The Consumer Financial Protection Bureau (CFPB), created by the Dodd-Frank Act in the aftermath of the 2008 mortgage meltdown and the resulting recession, is charged with implementation and enforcement of TRID. The CFPB also refers to the program as "Know Before You Owe." (New regulations implemented by the CFPB went into effect October 3, 2015.)

Most real estate practitioners are aware that the new system involves new forms and new procedures. The Truth in Lending Act's (TILA) "Good Faith Estimate" (GFE) and "HUD-1 Settlement Statement" (named for the U.S. Department of Housing and Urban Development) are being replaced in most closed-end financing transactions by the new "Loan Estimate" and "Closing Disclosure" forms. Under TRID, the lender is responsible for preparing and delivering the Closing Disclosure to the borrower-consumer and has 100 percent liability for any violations of the new regulations.

TRID represents a dramatic sea change in residential real estate practice of the sort that has not been seen for more than 40 years. Moreover, the CFPB is a "new sheriff in town" with formidable resources and enforcement power. Under TRID, a single violation of the regulations can result in a penalty of $5,000 per day. If the violation is reckless, the penalty increases to $25,000 per day, and a knowing violation triggers a penalty of $1 million per day. Make no mistake: This new sheriff has plenty of weapons, and they are all loaded and at the ready. The CFPB has already imposed billions of dollars in fines and penalties in connection with efforts to protect consumers.

In the context of its enforcement of TRID, the CFPB has stated that its view of the Gramm-Leach-Bliley Act of 1999 (GLB), and later pronouncements by the Federal Trade Commission (FTC) regarding privacy safeguards, is that real estate practitioners acting as title agents are required to take appropriate steps and utilize appropriate technology to create an information security program outlining procedures to protect consumer information. The CFPB's third-party service provider bulletin issued in 2012 reiterated prior regulations and reinforced the message that lenders are 100 percent liable for the actions of their service providers. Real estate practitioners involved as title agents in mortgage financing transactions are covered service providers and are held to the same standard.

In addition, don't forget that attorneys are required under the ABA Model Rules of Professional Conduct to protect clients' confidential information, and that this may require implementing reasonable measures to prevent the inadvertent or unauthorized disclosure of what has been referred to by the FTC as NPI (non-public personal information; see Rule 1.6: Confidentiality of Information, Comment [18].) A lawyer is required to take reasonable precautions when transmitting a communication containing confidential information to prevent the information from coming into the hands of unintended recipients.

NPI includes Social Security Numbers, birth dates, bank account numbers, and other information that can be used to personally identify a consumer. The requirements apply to lenders and other parties, and because real estate practitioners often act as title agents and third-party service providers to lenders in the closing process, they, too, must protect NPI.

ALTA BEST PRACTICE NUMBER 3

The CFPB has not explicitly laid out formal requirements for protecting NPI, but in this regard the American Land Title Association (ALTA) has promulgated its Title Insurance and Settlement Company Best Practices (alta.org/bestpractices). Title companies and lenders are increasingly requiring that attorneys acting as title agents in transactions be third-party certified (or, in some cases, self-certify) that they are in compliance with ALTA Best Practices.

Given the robust enforcement powers of the CFPB, the prudent real estate practitioner would be well served to become familiar with ALTA Best Practices in this regard.

ALTA defines NPI as "[p]ersonally identifiable data such as information provided by a customer on a form or application, information about a customer's transactions, or any other information about a customer which is otherwise unavailable to the general public." According to ALTA Best Practices, NPI includes first name or first initial and last name coupled with any of the following: Social Security Number, driver's license number, state-issued ID number, credit card number, debit card number, or other financial account numbers. This definition is consistent with the definition used by the FTC for GLB compliance. All seven pillars of ALTA Best Practices should be reviewed in their entirety by real estate practitioners, but perhaps the most significant in the context of NPI is Best Practice Number 3. (The full text can be found in the sidebar on page 46.)

A complete analysis of digital security requirements is beyond the scope of this brief article, but certain basics should be observed in order to comply with ALTA Best Practices:

1. Only allow authorized persons to access your hardware and equipment, including servers, computers, laptops, tablets, mobile devices, fax machines, copiers, scanners, and printers.

2. Use strong passwords to access network computers. Include upper- and lowercase letters, numbers, symbols, and perhaps even spaces in passwords.

3. Password-protect all computers in your office. Require employees to lock their computers when leaving.

4. Establish a private domain for your business. You should have a website and a business-specific e-mail.

5. Do not allow staff to use any removable media with any machines on the network. Do not send NPI by e-mail unless required to do so by the e-mail recipient. Old-school sending of NPI by facsimile transmission may be more secure, as long as the transmission goes to a digital "e-fax" or similar digital inbox - pages sent by fax that sit unguarded on a recipient's regular fax machine may lead to inadvertent disclosure of NPI. (As an aside, using a fax machine to send wire instructions to a mortgage lender or a buyer can be an improvement over using e-mail; notably, the scam artists who have been frequently intercepting wire instructions and then modifying them to send out apparently bona fide "corrected" instructions directing the wire to be sent to the scam artist's controlled bank account have so far not devoted much attention to "hacking" fax transmissions.)

6. If you send NPI by e-mail, use secure means. Subscribe to an e-mail encryption service through the e-mail provider for your domain. Send any NPI only in a password-protected document. It is relatively easy to password protect Microsoft Word, Adobe PDF, and WordPerfect documents. When sending the protected document, be sure the text of the e-mail "cover message" does not itself contain the password or any NPI. Some practitioners require that the recipient call on the phone to get the necessary access information.

Note that sending NPI by encrypted e-mail may not be a foolproof method of protecting NPI - an encrypted e-mail, once deciphered and read by a recipient, may sit on the recipient's computer indefinitely in a download or other folder and be subject to access by keystroke analysis software or other malware residing on the recipient's computer unbeknownst to the recipient.
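As an added illustration of item 6 (not part of the original article), the Python check below reviews a draft cover message before it is sent and flags the document password or NPI-type identifiers in the body. The sample messages, password, and function names are constructed for the example, and it covers only Social Security and card numbers, not every identifier in the ALTA definition.

```python
import re

# SSN written as 123-45-6789 or 123 45 6789. Ranges that are never issued
# (area 000/666/9xx, group 00, serial 0000) are excluded to reduce false hits.
SSN_RE = re.compile(
    r"\b(?!000|666|9\d\d)(\d{3})[- ](?!00)(\d{2})[- ](?!0000)(\d{4})\b"
)
# Candidate credit/debit card numbers: 13-19 digits, optionally split by
# single spaces or hyphens. Candidates must also pass the Luhn checksum.
CARD_RE = re.compile(r"\b\d(?:[ -]?\d){12,18}\b")


def luhn_ok(digits):
    """Return True if the digit string passes the Luhn checksum."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask(value):
    """Keep only the last four digits so the report itself holds no NPI."""
    digits = re.sub(r"\D", "", value)
    return "*" * (len(digits) - 4) + digits[-4:]


def cover_message_issues(body, document_password):
    """List reasons a cover message should not be sent as written."""
    issues = []
    if document_password and document_password.lower() in body.lower():
        issues.append("password for the protected document appears in the message")
    for m in SSN_RE.finditer(body):
        issues.append("possible Social Security Number " + mask(m.group()))
    for m in CARD_RE.finditer(body):
        digits = re.sub(r"\D", "", m.group())
        if luhn_ok(digits):
            issues.append("possible card number " + mask(digits))
    return issues


# Constructed sample data (not real identifiers or a real password).
SAMPLE_PASSWORD = "Closing#4471"
BAD_MESSAGE = (
    "Per your request, the buyer's SSN is 123-45-6789 and the earnest money "
    "was charged to card 4111 1111 1111 1111. The password for the attached "
    "PDF is Closing#4471."
)
GOOD_MESSAGE = (
    "Attached is the password-protected closing package for file 2016-0412. "
    "Please call our office at 847-555-0100 for the access information."
)

if __name__ == "__main__":
    for label, text in (("bad", BAD_MESSAGE), ("good", GOOD_MESSAGE)):
        print(label, cover_message_issues(text, SAMPLE_PASSWORD))
```

A pattern check like this catches only identifiers in recognizable formats; it does not replace sending NPI solely inside the protected document.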

Additional information can be found on ALTA's "Title Insurance and Settlement Company Best Practices Resources & Documents" website page (alta.org/bestpractices/documents.cfm).

ABA MODEL RULE OF PROFESSIONAL CONDUCT 1.1, COMMENT [8]

ABA Model Rule 1.1: Competence, Comment [8], provides that attorneys must not only keep abreast of changes in the law and its practice but must also keep abreast of "the benefits and risks associated with relevant technology." The revised Model Rule and Comment have been adopted by at least 17 states.

Some commentators worry that the "perfect storm" of compliance requirements currently faced by real estate practitioners - TRID regulations, ALTA Best Practices requirements, and requirements of ABA Model Rules such as Rule 1.1 - may cause some practitioners who are less technologically proficient to give up the practice of residential real estate in favor of other practice areas. Such a result would be unfortunate.

I am honored to serve as president of a statewide bar association of real estate lawyers in Illinois (Illinois Real Estate Lawyers Association; irela.org). We have thousands of members. When we send out e-mail notices of upcoming meetings, bulletins, and case law updates to our members, however, they go electronically to fewer than 1,200 of our members. This is not because we have neglected to request e-mail addresses of all our members; it is because fewer than 1,200 have provided e-mail addresses. Our suspicion is that some of our folks are having trouble giving up using their IBM Selectric typewriters to prepare real estate documents or are slow to embrace technology and do not have computers or use e-mail. In this current environment, however, it may be necessary to get a bit more "techy" or risk death, in the professional sense. It may be time to join the current century and amass computing power and capabilities beyond those of the venerable Commodore 64 machine of yore. Some practitioners may already have passed a "tipping point" in this regard.

There is no substitute today for developing the requisite technological expertise to meet the current demands facing real estate practitioners. TRID, ALTA Best Practices, and, in many states, Rules of Professional Conduct now require the real estate practitioner to develop and implement policies and procedures to prevent inadvertent disclosure of client confidential information, prevent inadvertent interception of e-mailed wire instructions resulting in significant losses, and "stay current" with relevant technology.

Does this mean the practitioner has to be an "early adopter" and install the latest operating system for a PC as soon as it comes out? Does each Mac user need to study to become an Apple "Genius"? No. Moreover, prudence often dictates a more methodical approach, but practitioners should at least be aware of what current operating systems are available for office computer equipment and make appropriate decisions. (I am thinking here of those "Luddite lawyers" out there - those, for example, who still cling tenaciously to their beloved Windows XP Professional operating system even though it is no longer supported by Microsoft.) With new operating systems may come "growing pains," but there are also security improvements.

Staying abreast of "the benefits and risks associated with relevant technology" requires no less.

WE'RE FROM THE GOVERNMENT AND WE'RE HERE TO HELP

The Federal Bureau of Investigation (FBI) has provided some helpful guidance recently. Going beyond standard warnings not to use Hotmail, Comcast.net, AOL, Yahoo, and similar non-secure public domains (not only are they not secure, most user agreements with these sorts of public domains allow the operators to access and retrieve data from your e-mails), the FBI offers some simple, but effective, suggestions. Declaring October 2015 to be National Cyber Security Awareness Month, the FBI provided several pithy observations regarding how to stay safe (tinyurl.com/qgemgwb). While no single suggested defense will provide complete protection these days, use of multiple methods will cumulatively provide a fairly helpful defense. The FBI's tips include some obvious suggestions (keep your firewall turned on, install or update your antivirus and anti-malware software, and keep your operating system up-to-date and install all security improvements) along with several less obvious suggestions, such as implementing two-factor authentication.

Best Practice: Adopt and maintain a written privacy and information security program to protect Non-public Personal Information as required by local, state and federal law.

Purpose: Federal and state laws (including the Gramm-Leach-Bliley Act) require title companies to develop a written information security program that describes the procedures they employ to protect Non-public Personal Information. The program must be appropriate to the Company's size and complexity, the nature and scope of the Company's activities, and the sensitivity of the customer information the Company handles. A Company evaluates and adjusts its program in light of relevant circumstances, including changes in the Company's business or operations, or the results of security testing and monitoring.

Procedures to meet this best practice:

• Physical security of Non-public Personal Information.
  - Restrict access to Non-public Personal Information to authorized employees who have undergone Background Checks at hiring.
  - Prohibit or control the use of removable media.
  - Use only secure delivery methods when transmitting Non-public Personal Information.

• Network security of Non-public Personal Information.
  - Maintain and secure access to Company information technology.
  - Develop guidelines for the appropriate use of Company information technology.
  - Ensure secure collection and transmission of Non-public Personal Information.

• Disposal of Non-public Personal Information.
  - Federal law requires companies that possess Non-public Personal Information for a business purpose to dispose of such information properly in a manner that protects against unauthorized access to or use of the information.

• Establish a disaster management plan.

• Appropriate management and training of employees to help ensure compliance with Company's information security program.

• Oversight of service providers to help ensure compliance with a Company's information security program.
  - Companies should take reasonable steps to select and retain service providers that are capable of appropriately safeguarding Non-public Personal Information.

• Audit and oversight procedures to help ensure compliance with Company's information security program.
  - Companies should review their privacy and information security procedures to detect the potential for improper disclosure of confidential information.

• Notification of security breaches to customers and law enforcement.
  - Companies should post the privacy and information security program on their websites or provide program information directly to customers in another useable form. When a breach is detected, the Company should have a program to inform customers and law enforcement as required by law.

From Title Insurance and Settlement Company Best Practices. All publications of the American Land Title Association, including ALTA Best Practices Resources and Documents, are copyrighted and are reprinted herein by specific permission from: American Land Title Association (ALTA), 1800 M Street, Suite 300 South, Washington, DC 20036; phone: 202/296-3671; e-mail: [email protected]; web: http://www.alta.org.

TWO-FACTOR AUTHENTICATION

Two-factor authentication (TFA) creates an extra layer of security protection. Google calls its version of TFA "2-Step Verification," and in that context uses it to help protect against unauthorized access to Gmail and other Google accounts from hackers by requiring the entry of a special code when attempting to access - upon an attempt to sign in from a new computer, a code is sent via text to a mobile phone, via voice call, or via a mobile app. You can set the system to require the code only the first time you access the Google account on one of your trusted computers, but the system will be in place and will require entry of the code when anyone else tries to access the account from another computer.

DEFENSE IN DEPTH

The FBI encourages you to protect your mobile devices (such as laptops, flash drives, and smartphones) and be careful accessing WiFi networks in public places (the local coffee shop, airport, or hotel offering a free WiFi hot spot may not be the best place to access your online banking system to check your account balance - there are sniffers out there). If you will be accessing a sensitive account, better to use a virtual private network (VPN) connection from a well-established personal VPN provider. The encryption of your data over a VPN connection provides an additional layer of security for your communications, making the data harder for cyber-snoops to steal.

REDUNDANT BACKUP

Use multiple methods of backing up your valuable data. Consider a cloud environment (Carbonite, Google Drive, Cubby, or Dropbox, with additional security for professionals), and storing hard copies of data at a different physical location than your office. Consider using an additional external hard drive to back up data on an established schedule (once per week?) that is not left attached to your office computer but is kept at a different physical location. External hard drives are not very expensive. A data breach can be very expensive.

Beware of malware, including keystroke analysis software that can infect your computer unbeknownst to you when you visit Facebook, online shopping sites, or use Yahoo, AOL, Hotmail, and other unprotected domains. Also becoming more problematic is ransomware, which allows a bad person to access and "freeze" your computer until you pay a substantial "ransom" to get back access to your precious files and family photos. Backing up data on an external hard drive attached to your computer is not necessarily a foolproof solution because ransomware can infect and "freeze" peripheral devices such as external hard drives attached to your computer. Turn off your computer when it is not being used.

You may not be practicing with a huge law firm with its own IT department, so consider retaining an IT service for additional assistance. Many with the necessary expertise can be found that charge affordable fees. Consider it a necessary expense of doing business in the current environment.

If you work as a title agent with a title insurance company, it may be able to provide additional assistance.

A PARTING THOUGHT: THE E-CLOSINGS ARE COMING!

The requirements of technological familiarity and competence are with us for the foreseeable future. In the context of TRID, moreover, the benefits of technology are seen by the CFPB as the best solution to eliminating consumer "pain points" typically experienced in a real estate mortgage transaction. The introduction of the new Loan Estimate and Closing Disclosure forms represents just the first step.

The CFPB recently conducted an extensive analysis of the operation and benefits of various "e-closing" platforms and systems, and they have declared themselves to be "ardent believers in the promise of technology." With e-closing platforms, consumers are able to view all documents associated with their mortgage transaction on their laptop or tablet while sitting in the privacy of their home at any time of day or night. More importantly from the perspective of a practitioner trying to provide valuable legal representation to a borrower/consumer, it is possible to press a single electronic "button" on the screen and digitally "sign" all of these documents, from promissory note and mortgage to W-9 forms, in one fell swoop.

Companies such as DocuSign are marketing their services vigorously to mortgage lenders, touting the speed of processing to allow lenders to close business faster to earn revenue sooner, as well as the enhancement of client satisfaction by allowing review of digital versions of documents and fast and convenient "anytime, anywhere" signing on any device. Many marketing pitches by DocuSign and similar providers emphasize the benefit to lenders of using digital signing to streamline a process described by many consumers as frustrating and time-consuming: the finalizing of mortgage paperwork. Signing mortgage documents electronically, however, has more serious consequences than just clicking "ok" to accept a new version of an iTunes user agreement. While lenders clearly benefit from promoting digital signing, is it better for the borrowing consumer?

Attorneys may wish to remind clients of the importance of obtaining legal advice from an experienced practitioner before committing to a financial obligation that may well be the largest in these clients' lives. The whole purpose of TRID's "Three-Day Rule" is to allow a consumer three business days to review the important numbers in the closing disclosure form and decide whether or not to proceed. During that period, a consumer can consult with his or her attorney, but the attorney may not be able to do anything about the client's ill-advised prior digital signing of all mortgage documents without benefit of any consultation.

Faster may not be better in all cases. The growing pressure to agree to all the terms and provisions of mortgage documents by signing electronically on a tablet or smartphone with the push of a single button is not conducive to careful evaluation of risks.

Ralph J. Schumann ([email protected]) is a sole practitioner in Schaumburg, Illinois, with concentrations in real estate law, including residential and commercial transactions, and estate planning and litigation. He is president of the Illinois Real Estate Lawyers Association.