< Back to Resources

Non-Public Personal Information (NPPI) and the Real Estate Closing Attorney

post thumb

Non-public Personal Information (NPPI) is personal identifiable data provided by a customer or client generally on a form or application.  It includes the first name or first initial and last name coupled with any of the following: Social Security number, driver’s license number, state-issued identification card, credit or debit card number, or other financial account numbers.  A North Carolina lawyer’s duty to protect this information is governed primarily by the NC Rules of Professional Conduct (Rules) and state law, but federal law may also be implicated, depending on who you are representing.

NC Rules of Professional Conduct

The requirements to protect confidential client information, which includes a client’s identity, are set forth in Rule 1.6 and its comments.  Absent certain exceptions, a lawyer “shall not reveal information acquired during the professional relationship with a client unless the client gives informed consent.”  Comment 3 explains that this Rule applies “not only to matters communicated in confidence by the client, but also to all information acquired during the representation, whatever its source.”  The lawyer must “act competently to safeguard information acquired during the representation of a client” against “unauthorized access by third parties” and “inadvertent or unauthorized disclosure by the lawyer or other persons … participating in the representation of the client.”  This duty extends to the transmission of client information.  Comments 19 and 20.  Further, a client can require a lawyer to employ security measures not required by the Rules.  Comments 19 and 20 are clear that whether a lawyer must take additional steps to safeguard information pursuant to state or federal laws is beyond its scope.

State and Federal Law

In addition to complying with the Rules, NC lawyers must also comply with security breach notification laws.  See N.C. Gen. Stat. §§ 75-61 and 71-65.  Lawyers representing lenders will also likely need to comply with the Gramm-Leach-Bliley Act (GLBA).  This Act requires that financial institutions explain their information-sharing practices to their customers and safeguard sensitive data.  Though it was held in American Bar Association v. Federal Trade Commission, 430 F.3d 457 (D.C. Cir. 2005) that GLBA does not directly apply to lawyers, if you represent an entity that is governed by GLBA, you must comply with GLBA as well as the Federal Trade Commission Privacy, Safeguard, and Disposal Rules.  GLBA requirements can be found here.

Bulletins & Newsletters

The Consumer Financial Protection Bureau’s April 2012 Bulletin made it very clear to lenders that they are not only responsible for complying with state and federal law governing the protection of NPPI, but they are also responsible for all of their service providers, third-party vendors, and supply chain vendors.  Several other agencies have released bulletins regarding this matter including: the Office of the Comptroller of the Currency, the FDIC, and the Federal Reserve. In response to the requirements regarding NPPI compliance, Wells Fargo published the Wells Fargo Title and Settlement Newsletter dated March 6, 2014 which stated that they were expanding and enhancing third-party oversight.  They stated that Wells Fargo supports American Land Title Association (ALTA) Best Practices and made it clear that those they work with need a plan in place to ensure compliance.

Best Practices for Closing Attorneys Representing Lenders

In the webinar entitled “Best Practices Boot Camp” presented by the North Carolina Closing Attorney Best Practices Task Force, Attorney Christopher J. Gulotta, Founder and CEO of Real Estate Data Shield, Inc., set forth the best practices to ensure NPPI compliance which includes the following:

  • Develop all required privacy and data security policies, procedures and plans including
    1. Information Security Plan
    2. Incident Response Plan
    3. Disaster Recovery Plan
    4. Secure Password Policy
    5. Electronic Communications and Internet Use Policy (i.e. employees should only access the internet for work-related matters and not personal use)
  • Assess your company’s risk profile
  • Educate and train your workforce (Nearly 40% of all breaches occur from an employee)
  • Secure your work flows
  • Ensure compliance of all service providers (i.e. off-site storage facilities, the cloud, etc.)
  • Implement a sound document destruction policy


Mr. Gulotta also presented his recommendations for Administrative Security Critical Controls, Physical Security Critical Controls, and National Security Critical Controls.  He advised that not only should you implement these policies, but you should inform lenders that you understand the pressure they are under from legislators and demonstrate that you have taken it seriously.  He suggests putting together a manual of policies and procedures and providing it to lenders before they request it, as lenders have identified security as their number one concern.  Mr. Gulotta’s detailed recommendations for closing attorneys representing lenders include the following:

A.  Administrative Security Critical Controls

  1. Staff Training – Have your staff sign an acknowledgement of your policies andprocedures before beginning work.  Conduct background checks of your employees.
  2. Create a Manual of Policies and Procedures
  3. Privacy Notice – Ensure any privacy notice posted on your website is accurate.Make sure the website designer has not posted something you are not living up to.
  4. Have a Shred-All Policy
  5. Implement Vendor Non-Disclosure Agreements
  6. Have a Clean Desk, Clean Office, and Clean Screen Policy – The desks at your office should be empty at the beginning and end of the day.  Any file not currently being worked on should be in a locked filing cabinet.  Only the files that someone is currently working on should be out.  If someone leaves their desk, they need to ensure any file they are working on is closed.  Privacy screens should be used on all monitors and should time out after one minute of activity.  Copy areas should be kept clean.  Employees should be trained on the use of any mobile devices.


B.  Physical Security Critical Controls

  1. Entryway Security & Sign-In Log – Have strong locks where the keys cannot be copied. Only personnel who need keys should have them.  Visitors should sign a log and you should check their identification.
  2. Clean Desk Policy
  3. Locked Filing Cabinets
  4. Security Cameras
  5. Privacy Screens
  6. Locked Offices – Offices of management or those dealing with critical documents should be locked.
  7. Shredding of Paper and Digital Media
  8. Locks on Computers – especially those near an entryway.


C.   Network Security Critical Controls

  1. Password Protection – Passwords should be a minimum of nine characters long and should use a combination of upper and lowercase letters, numbers, and special characters. A rule should be established that passwords must be changed every two to three months.
  2. Computer Screen Timed Lockout
  3. Use Various Brands of Firewalls
  4. Port Lockdowns – All USB Ports should be disabled except for those of one or two gatekeeper employees. These employees should scan any USB stick before anything is downloaded.
  5. Network Printers/Scanners – These devices are usually leased. Ensure your IT person sets these devices up to have their data deleted on a daily basis.  At the end of the lease term have a technician remove the disk and have a document destruction company destroy it and give you a receipt.
  6. Restrictive Access to Programs, Files, Etc. – Server Room should be a separate room with limited access. Employees should not be able to disable security software.
  7. Updates and Patches – Many breaches occur in between the date you receive an update or patch and the date you put it in place. Immediately incorporate updates and patches.
  8. Email Encryption – Sending an unencrypted email with NPPI is like sending a postcard with someone’s personal information on it. Call the party you are sending the secure email to and offer to walk them through it if needed.

If you are a closing attorney who represents lenders and you have not implemented or at least considered these policies, now is the time to get started.

The information in this blog was largely derived from the webinar entitled “Best Practices Boot Camp” first presented by the North Carolina Closing Attorney Best Practices Task Force on January 28, 2015.  See http://www.ncclosingattorneybestpractices.org/resources.html.