The American Land Title Association (ALTA) published Title Insurance and Settlement Company Best Practices Version 4.1 on Sept. 17. The new version revises ALTA’s best practices on password management and recommended due diligence, among other things.
In its proposal for the revisions, ALTA noted it was revising its best practices on password management to align with the National Institute of Standards and Technology (NIST). NIST revised its recommendations on changing user passwords to include “incidents when there is a known or suspected compromise of the security of the password.”
Under Pillar 3, Adopt and maintain a written information security plan and a written privacy plan to protect nonpublic personal information (NPI), its best practice for passwords now states:
“Password management plan that requires unique login names and system passwords to access systems containing NPI. System passwords must meet the minimum standards which include:
- “Re-entry of the password after system idling;
- “Passwords that expire after a certain period of time or upon a triggering event as reflected “in the NIST guidelines (https://www.nist.gov); and
- “Difficult-to-guess passwords that include a combination of uppercase letters, lowercase letters, special characters, with a minimum length of eight total characters.”
ALTA also added the following language to Pillar 4 to address concerns about performing closing transactions that do not involve state-regulated title insurance policies: “Perform due diligence and analyze risk profile when providing functions that fall outside of the title agency’s relationship with the title insurer and when not issuing a title insurance policy for the transaction. These functions may include (1) collection and/or disbursement of premiums, escrows, security deposits or other funds, (2) handling escrow or settlement, and/or (3) recording documents. If engaging in these functions, a company should:
- “Review its state licensing requirements to determine if it is legally allowed to engage in the function. Some states have additional licensing requirements to hold funds in escrow. Other states only authorize a company to conduct a settlement when the company is issuing a title insurance policy;
- “Review closing instructions with company management to confirm that management approves any risk assumption, liability and other matters identified in the closing instructions;
- “Review state laws, including case law, to understand the duties and responsibilities that may be imposed by law when engaging in these functions; and
- “Evaluate whether, in the event of a loss or claim, the company will continue to be solvent. Such evaluation may include determining whether a loss or claim may be covered by the company’s professional liability insurance including E&O and cybersecurity insurance.”