The epidemic of cybercrime has made nonpublic personal information (NPPI) a hot topic — and that is especially true for Notary Signing Agents and everyone else working in the mortgage lending industry.
While protecting a borrower’s personal information has always been a priority, lenders, title companies and settlement services firms have ratcheted up their efforts to keep NPPI out of the wrong hands. Virtually every piece of information you receive — from the closing confirmation to the loan package — should be considered sensitive information.
How Signing Agents treat that information has never been more crucial. Items such as the borrower’s phone number, loan amount, interest rate and email addresses now fall under the umbrella of NPPI. Just knowing that a person is refinancing and who their lender is could be considered NPPI. There are a number of practices we should follow to help keep our customer’s information safe and protect ourselves from suffering a data breach. They fall under two broad categories.
Technology practices
Computers, mobile devices and the internet have been a boon to business transactions the world over. But the convenience and efficiency of technology has also made it easier for criminals to target high-value transactions, such as mortgage originations. So the companies that contract with NSAs expect us to be diligent. The following practices will go a long way toward meeting those expectations:
- Never take a picture of a borrower’s ID. I cannot stress this enough. You should never store any personal information about a consumer on your phone. It could accidentally be saved to a SIM card or your Dropbox account, or you may just forget to delete it. If your phone is hacked or stolen, a thief will get a photo of someone’s driver’s license. Many Notaries email the photo of the license from their phone. If you use a public Wi-Fi network or unencrypted email, that email could easily fall into the wrong hands.
- All emails with NPPI should be either encrypted or password protected.
- Never send documents back to title companies or the lender by email unless they are password protected. If you don’t have the ability to do so, then faxing is the better option.
- Pay close attention to the emails you receive from the title company, lender or anyone else involved in the loan. Does the sender’s address look correct? Does the signature line look correct? Are they asking you for something that seems a bit off? When in doubt, call the sending party and verify.
- Use strong passwords that involve lower case and upper case letters, numbers and special characters. Don’t use the same password over and over, but try to use a new one each time. Also change your passwords frequently, at least every 180 days.
- Never write your passwords down where someone can find them.
- All technology items should be password protected, including computers, smartphones and tablets.
- Your computer should be set to lock out automatically after a short interval of time, such as 15 minutes.
- Install, use and regularly update anti-virus and anti-spyware software on every computing device you use. This protects your information from viruses, spyware and other malicious code.
- Install patches to your operating systems and applications. Software providers regularly identify vulnerabilities in their products and release patches and updates to correct these problems. Make sure to apply all updates as they are released.
- Back up your data. Computers die, hard disks fail, people make mistakes and malicious programs can destroy data. Important information should be backed up regularly so you can recover any lost data quickly. It’s best to set up automated back-ups, and many security software products offer this function.
- Make sure to encrypt the data on your smartphone. Many phones have encryption options, and there are numerous apps that can be downloaded.
- Do not use public Wi-Fi access because it typically is not secure. You should also hide your home Wi-Fi network and change the default password to a more secure one.
- Protect your Internet connection. If you have access to a broadband Internet connection, make sure the router incorporates a firewall. However, you connect to the Internet, install firewall software on every computer you use.
- Many NSAs are tempted to print or copy loan packages at Staples, OfficeMax or other retail stores. But most printers and copiers have hard drives that store information long after you have departed. That allows multiple parties to access your borrower’s information.
- Limit access to any technology you use for work. That includes keeping your home computer and other devices secure from your own family. They might inadvertently do something that exposes NPPI. It’s also a good idea to avoid surfing the web on the same computer you use for work because that can increase exposure to viruses, malware and other cyberattacks, which could lead to a potential breach.
- Never post a signer’s personal information on social media. I have seen Notaries asking for assistance in how a document should be executed on social media and inadvertently not redacting all the signer’s information. Imagine if that were your personal information on the Internet for the whole world to see.
Low-tech practices
Not every risk comes from a cybercriminal. And not every data breach involves the internet. A borrower’s NPPI can be compromised by a variety of old-fashioned lapses.
- Any documents you print, such as the closing confirmation or loan package, should be stored securely in a locked cabinet — but only as long as you need them. Once those documents are no longer necessary, dispose of them using a shredder or reputable shredding service. A loan package in your trash can is a data breach waiting to happen.
- Use caution with utilizing outside services such as computer repairmen, shredding services and copier repair companies. Make certain you have fully vetted them, and limit their access to what could be considered NPPI.
- Never share details of a closing with someone outside of the transaction. Saying something as simple as, “Hey I closed a loan for Mrs. X. Remember her? She was our old lunch lady,” could be considered a breach of information.
- Make sure you handle all of your packages yourself, and keep them secure until you drop them off. Never leave them with a receptionist who keeps a stack of packages on their desk or with a friend who is going to drive by FedEx anyway. Documents should be locked in the trunk of your car or in a locked file cabinet at all times. Try to use a FedEx or UPS location instead of a drop box whenever possible.
Try to find potential weaknesses and tighten up your security. A data breach could have disastrous results — from destroying your reputation, to a financial loss for your customers to a potential lawsuit. Most breaches of technology are not covered under your E&O insurance and the expense of defending a lawsuit could be exorbitant, and potentially close the doors on your business. Don’t let that happen to you. One of the best ways to approach protecting your customer’s information is to treat it as though it were your own.
Quick Checklist for NPPI Protection
Technology Practices:
- Encrypt all emails and files containing NPPI.
- Avoid storing borrower information on personal devices.
- Use strong, unique passwords and change them every 180 days.
- Keep all devices password-protected and set to auto-lock after 15 minutes.
- Install and update antivirus, anti-spyware, and firewall software.
- Avoid public Wi-Fi; use a secure VPN if necessary.
- Back up data regularly with automated tools.
- Apply software updates and patches as soon as they’re available.
Low-Tech Practices:
- Store printed documents securely and shred them when no longer needed.
- Keep loan packages in a locked trunk or cabinet until delivery.
- Avoid sharing borrower details with anyone outside the transaction.
- Vet third-party services (e.g., shredding or repair) before use.
- Personally deliver packages to secure FedEx or UPS locations, avoiding drop boxes.
Professional Habits:
- Verify email requests with the sender before sharing sensitive information.
- Never photograph borrower IDs or documents.
- Stay informed on cybersecurity best practices and industry updates.
Emergency Preparedness:
- Develop a response plan for potential data breaches.
Contact your hiring entity or state Notary agency for guidance on privacy concerns.
If you have questions about a potential privacy situation during a notarization, the best action is to reach out to your hiring entity to see what needs to be done. You can also contact your state Notary regulating agency or the NNA.
Marcy Tiberio is a NNA 2015 Notary of the Year Honoree and owner of Professional Notary Services, Inc., in Rochester, New York. She can be reached at marcy@professionalnotaryservices.biz.
Related Articles:
Notary Trends: Thumbprints and privacy issues
Additional Resources:
NSA Privacy and Security Self-Assessment Test
Common data security terms