Every day we handle large amounts of information in the course of our jobs. Most of it comes from public sources, some of it comes from lenders involved in our transactions, and some of it is sensitive information concerning buyers and sellers.
What is considered to be consumer sensitive data has changed throughout the years. 40 years ago, your Social Security Number (SSN) was used to identify you everywhere. It was not uncommon for people to have their SSN and Driver’s license numbers printed on their checks.
Today if you ask someone for their SSN most people will ask, “why do you want it”. They want to know what you are going to use it for. They want to know how you are going to protect it. Over the past several years more types of information have become considered as sensitive, and the list differs by state.
Along with defining the information that is deemed to be sensitive (SSN, Driver’s License Number, etc…) new terms were created to identify those groupings such as; Non-Public Information (NPI), Non-Public Personally-Identifying Information (NPPI).
With the recent passage of the laws such as New York Cybersecurity Requirements for Financial Services Companies (23 NYCRR 500), the California Consumer Privacy Act (CCPA) of 2018, and the South Carolina Insurance Data Security Act, the definition of sensitive information is expanding yet again, as well as adding additional requirements for the protection of sensitive information.
These requirements cover the sending, receiving, and storage of sensitive information, and they all revolve around encryption.
You should have policies and procedures in place to classify the information you collect and store, and how to protect consumer information. All sensitive information entered into your production system should be encrypted when saved. And emails you send that contain sensitive inf0rmation should be encrypted before they are sent.