You gave away the NPI?
You should be more worried about your data
The press always makes a big hullabaloo over “data breaches” that occur all too frequently these days (i.e. Target, Capital One, First American, etc.). In our industry, we have become sensitized to the importance of protecting personal data and we appreciate more than most how difficult protecting these data can be. Yet, many of us unwittingly expose daily all of the data we use in our title and escrow activities by placing it in some cloud-based system (title/escrow or data storage) without really knowing what happens to it or where it goes afterwards. Why? Because we didn’t carefully read the “terms and conditions” to make sure that the operator of that cloud service acknowledged that the data deposited there would not be used or shared by that operator in any way or for any purpose (allowed by law or otherwise)!
Your cloud service operator has a SOC 2 report? That just means that there are systems in place to protect the data from the outside but doesn’t do a thing to prevent the operator or its employees from accessing and exploiting the data for themselves, of course all in accordance with the terms and conditions to which you agreed by clicking I Agree.
What does your cloud service provider do with the data? What if they don’t sell personally identifiable information? What difference would that make; it’s not your data. What if they only sell aggregated data, not individual details? Again, it’s not your data!
OK, so what do you do? Simple: find, print and carefully review any agreement with any service provider with whom you do business and who stores any of your data in any cloud, public or private. Be sure that the agreement stipulates that no rights to the data transfer to the service provider or anyone else and the service provider will not create any data product from the data which might be sold or shared with others without your specific written agreement. Of course, you should fully understand any data product to be produced and shared prior to giving written authorization. Who knows, maybe you should be paid for your contribution?
Edwin G. Generes, CPA (Inactive)