Superior Service with Exceptional Expertise

What's New At Generes & Associates

Ed Generes
/ Categories: Blog Posts

You gave away the NPI?

You should be more worried about your data

The press always makes a big hullabaloo over “data breaches” that occur all too frequently these days (i.e. Target, Capital One, First American, etc.). In our industry, we have become sensitized to the importance of protecting personal data and we appreciate more than most how difficult protecting these data can be. Yet, many of us unwittingly expose daily all of the data we use in our title and escrow activities by placing it in some cloud-based system (title/escrow or data storage) without really knowing what happens to it or where it goes afterwards. Why? Because we didn’t carefully read the “terms and conditions” to make sure that the operator of that cloud service acknowledged that the data deposited there would not be used or shared by that operator in any way or for any purpose (allowed by law or otherwise)!

Your cloud service operator has a SOC 2 report? That just means that there are systems in place to protect the data from the outside but doesn’t do a thing to prevent the operator or its employees from accessing and exploiting the data for themselves, of course all in accordance with the terms and conditions to which you agreed by clicking I Agree.

So, what types of data are we talking about and to whom does it belong? If you’re in the title, settlement and escrow business, or any facet for that matter, you already know the types of data we are talking about; everything from your own title work to the borrowers’ Form 1003 to the sellers’ social security numbers. A veritable treasure trove of personal and other information and none of it, save the title work, belongs to you! It all belongs to someone else and, in your privacy policy, you promised to keep it secret. Yet, you send it out into the ether for whatever purpose your cloud service provider desires because you agreed to it. Remember?

What does your cloud service provider do with the data? What if they don’t sell personally identifiable information? What difference would that make; it’s not your data. What if they only sell aggregated data, not individual details? Again, it’s not your data!

OK, so what do you do? Simple: find, print and carefully review any agreement with any service provider with whom you do business and who stores any of your data in any cloud, public or private. Be sure that the agreement stipulates that no rights to the data transfer to the service provider or anyone else and the service provider will not create any data product from the data which might be sold or shared with others without your specific written agreement. Of course, you should fully understand any data product to be produced and shared prior to giving written authorization. Who knows, maybe you should be paid for your contribution?

Edwin G. Generes, CPA (Inactive)

Previous Article TIME TO RE-CERTIFY?
Next Article Hey! I’m exempt!

Theme picker