Overview of GLBA in the Title Industry

The Gramm-Leach-Bliley Act (GLBA), also known as the Financial Services Modernization Act, is a federal law that regulates how financial institutions handle the private information of individuals. Within the context of the complete Title Insurance exam guide, it is crucial to understand that title insurance companies and their agents are classified as "financial institutions." This classification subjects them to strict oversight regarding the collection, storage, and sharing of consumer data.

The primary goal of GLBA is to ensure that consumers are informed about a company's information-sharing practices and to give them the opportunity to opt out of certain types of sharing. For title professionals, this means implementing rigorous data security protocols and providing specific disclosures during the escrow and closing process. Failure to comply can result in significant federal penalties and loss of licensure.

Defining Non-Public Personal Information (NPI)

At the heart of GLBA is the protection of Non-Public Personal Information (NPI). This is defined as any personally identifiable financial information that a consumer provides to a financial institution that is not otherwise publicly available. In a title transaction, NPI is collected through loan applications, title orders, and closing documents.

Examples of NPI include:

  • Social Security Numbers (SSNs)
  • Bank account numbers and routing information
  • Credit scores and history
  • Income and debt information
  • Information obtained from a consumer report

It is important to distinguish NPI from public record information. Data found in recorded deeds, mortgages, or tax assessments at the county recorder's office is considered public and is generally not protected under GLBA privacy rules. However, the combination of public data with private financial data often elevates the entire file to NPI status.

Public Information vs. Non-Public Personal Information (NPI)

FeaturePublic InformationNon-Public Personal Information (NPI)
SourceCounty records, tax rollsLoan apps, private files
AccessibilityGeneral public accessRestricted to parties in transaction
ExamplesLegal description, Sales priceSSN, Driver's License, Credit Score
GLBA ProtectionNot protectedStrictly protected

The Privacy Rule: Notices and Opt-Outs

The Privacy Rule requires title agencies to provide clear and conspicuous notices to consumers about their privacy policies. These notices must explain what information is collected, how it is used, and with whom it is shared. There are two categories of individuals defined under this rule:

  • Consumers: Individuals who obtain a financial product or service (like a one-time title search) but do not establish a continuing relationship.
  • Customers: Individuals who have a continuing relationship with the institution (such as a long-term escrow arrangement or an active insurance policy).

Title companies must provide an Initial Privacy Notice at the time the relationship is established. If the company intends to share NPI with non-affiliated third parties (other than for essential transaction processing), they must also provide an Opt-Out Notice, giving the consumer a reasonable opportunity to say "no" to that sharing.

โ„น๏ธ

Exam Tip: Affiliate Sharing

On the practice Title Insurance questions, remember that GLBA generally allows companies to share information with their own affiliates without providing an opt-out, provided the privacy notice discloses this practice.

The Safeguards Rule: Protecting the Data

While the Privacy Rule focuses on disclosure, the Safeguards Rule focuses on security. Title companies must develop, implement, and maintain a comprehensive written information security program. This program must be scaled to the size and complexity of the agency and must include:

  • Administrative Safeguards: Designating an employee to coordinate the security program and training staff on NPI handling.
  • Technical Safeguards: Using encryption for emails containing NPI and maintaining secure firewalls and password protocols.
  • Physical Safeguards: Locking file cabinets, shredding documents, and securing the office perimeter to prevent unauthorized access to paper files.

Title agents must also perform due diligence on their service providers (such as software vendors or mobile notaries) to ensure they are also capable of maintaining appropriate safeguards for the NPI they handle.

Core Pillars of GLBA Compliance

๐Ÿ“„
Notice & Disclosure
Privacy Rule
๐Ÿ”’
Data Security
Safeguards Rule
๐Ÿ›ก๏ธ
Anti-Fraud
Pretexting Rule

The Pretexting Rule

The third pillar of GLBA is the Pretexting Rule, which prohibits obtaining customer information under false pretenses. In the title industry, this often manifests as "social engineering" or phishing. Title agents are trained to verify the identity of any person requesting information about a file. This prevents unauthorized individuals from calling the title office and pretending to be the buyer, seller, or lender to gain access to NPI or to divert closing funds.

Frequently Asked Questions

A consumer is someone who uses a service once (like a title search only), while a customer has an ongoing relationship with the company. Customers must receive an initial notice and usually an annual notice, whereas consumers only need a notice if the company shares their NPI with non-affiliated third parties.
Yes. Under the Safeguards Rule, every financial institution, including title agencies, must have a written information security program (WISP) that details how they protect NPI.
No. Legal descriptions, tax IDs, and recorded deed information are matters of public record and are not protected under the GLBA privacy requirements.
Violations can result in civil penalties against the institution and individual officers. In cases of intentional fraud or identity theft, criminal penalties including fines and imprisonment may also apply.