SOLO, SMALL FIRM AND GENERAL PRACTICE DIVISION
A PUBLICATION OF THE AMERICAN BAR ASSOCIATION
REAL PROPERTY LAW
"How Real Estate Lawyers Can Use Technology to
Guard Against Security and Compliance Threats"
By: Ralph J. Schumann
President, Illinois Real Estate Lawyers Association
(www.irela.org)
Reprinted by permission.
GPSOLO | March/April 2016 | ambar.org/gpsolomag
"May you live in interesting times."
- Traditional (likely apocryphal) Chinese curse
In today's interesting times, real estate practitioners are witnessing some troubling trends:
• increasing prevalence of digital scams to separate money from individuals and lenders, such as wire instruction scams utilizing keystroke analysis software and other malware;
• increasingly widespread and sophisticated techniques used by thieves to steal money from law firm trust and operating accounts;
• increasingly complex regulatory requirements in the area of residential real estate transactions involving mortgage financing; and
• increasing emphasis on the part of mortgage lenders to have practitioners meet "best practices" and similar standards in their real estate practices.
Given these trends, it is more important than ever for real property law practitioners to familiarize themselves with and implement the latest technology to protect themselves. In particular, practitioners must ensure they are meeting their obligations as expressed in the TRID (Truth in Lending Act/Real Estate Settlement Procedures Act Integrated Disclosure) Rule, American Land Title Association (ALTA) Best Practice Number 3, and ABA Model Rule of Professional Conduct 1.1: Competence, Comment [8].
TRID RULE
The Consumer Financial Protection Bureau (CFPB), created by the Dodd-Frank Act in the aftermath of the 2008 mortgage meltdown and the resulting recession, is charged with implementation and enforcement of TRID. The CFPB also refers to the program as "Know Before You Owe." (New regulations implemented by the CFPB went into effect October 3, 2015.)

Most real estate practitioners are aware that the new system involves new forms and new procedures. The Truth in Lending Act's (TILA) "Good Faith Estimate" (GFE) and "HUD-1 Settlement Statement" (named for the U.S. Department of Housing and Urban Development) are being replaced in most closed-end financing transactions by the new "Loan Estimate" and "Closing Disclosure" forms. Under TRID, the lender is responsible for preparing and delivering the Closing Disclosure to the borrower-consumer and has 100 percent liability for any violations of the new regulations.

TRID represents a dramatic sea change in residential real estate practice of the sort that has not been seen for more than 40 years. Moreover, the CFPB is a "new sheriff in town" with formidable resources and enforcement power. Under TRID, a single violation of the regulations can result in a penalty of $5,000 per day. If the violation is reckless, the penalty increases to $25,000 per day, and a knowing violation triggers a penalty of $1 million per day. Make no mistake: This new sheriff has plenty of weapons, and they are all loaded and at the ready. The CFPB has already imposed billions of dollars in fines and penalties in connection with efforts to protect consumers.

In the context of its enforcement of TRID, the CFPB has stated that its view of the Gramm-Leach-Bliley Act of 1999 (GLB), and later pronouncements by the Federal Trade Commission (FTC) regarding privacy safeguards, is that real estate practitioners acting as title agents are required to take appropriate steps and utilize appropriate technology to create an information security program outlining procedures to protect consumer information. The CFPB's third-party service provider bulletin issued in 2012 reiterated prior regulations and reinforced the message that lenders are 100 percent liable for the actions of their service providers. Real estate practitioners involved as title agents in mortgage financing transactions are covered service providers and are held to the same standard.

In addition, don't forget that attorneys are required under the ABA Model Rules of Professional Conduct to protect clients' confidential information, and that this may require implementing reasonable measures to prevent the inadvertent or unauthorized disclosure of what has been referred to by the FTC as NPI (non-public personal information; see Rule 1.6: Confidentiality of Information, Comment [18]). A lawyer is required to take reasonable precautions when transmitting a communication containing confidential information to prevent the information from coming into the hands of unintended recipients.

NPI includes Social Security Numbers, birth dates, bank account numbers, and other information that can be used to personally identify a consumer. The requirements apply to lenders and other parties, and because real estate practitioners often act as title agents and third-party service providers to lenders in the closing process, they, too, must protect NPI.
ALTA BEST PRACTICE NUMBER 3
The CFPB has not explicitly laid out formal requirements for protecting NPI, but in this regard the American Land Title Association (ALTA) has promulgated its Title Insurance and Settlement Company Best Practices (alta.org/bestpractices). Title companies and lenders are increasingly requiring that attorneys acting as title agents in transactions be third-party certified (or, in some cases, self-certify) that they are in compliance with ALTA Best Practices.

Given the robust enforcement powers of the CFPB, the prudent real estate practitioner would be well served to become familiar with ALTA Best Practices in this regard.

ALTA defines NPI as "[p]ersonally identifiable data such as information provided by a customer on a form or application, information about a customer's transactions, or any other information about a customer which is otherwise unavailable to the general public." According to ALTA Best Practices, NPI includes first name or first initial and last name coupled with any of the following: Social Security Number, driver's license number, state-issued ID number, credit card number, debit card number, or other financial account numbers. This definition is consistent with the definition used by the FTC for GLB compliance. All seven pillars of ALTA Best Practices should be reviewed in their entirety by real estate practitioners, but perhaps the most significant in the context of NPI is Best Practice Number 3. (The full text can be found in the sidebar on page 46.)

A complete analysis of digital security requirements is beyond the scope of this brief article, but certain basics should be observed in order to comply with ALTA Best Practices:
1. Only allow authorized persons to access your hardware and equipment, including servers, computers, laptops, tablets, mobile devices, fax machines, copiers, scanners, and printers.
2. Use strong passwords to access network computers. Include upper- and lowercase letters, numbers, symbols, and perhaps even spaces in passwords.
3. Password-protect all computers in your office. Require employees to lock their computers when leaving.
4. Establish a private domain for your business. You should have a website and a business-specific e-mail.
5. Do not allow staff to use any removable media with any machines on the network. Do not send NPI by e-mail unless required to do so by the e-mail recipient. Old-school sending of NPI by facsimile transmission may be more secure, as long as the transmission goes to a digital "e-fax" or similar digital inbox - pages sent by fax that sit unguarded on a recipient's regular fax machine may lead to inadvertent disclosure of NPI. (As an aside, using a fax machine to send wire instructions to a mortgage lender or a buyer can be an improvement over using e-mail; notably, the scam artists who have been frequently intercepting wire instructions and then modifying them to send out apparently bona fide "corrected" instructions directing the wire to be sent to the scam artist's controlled bank account have so far not devoted much attention to "hacking" fax transmissions.)
6. If you send NPI by e-mail, use secure means. Subscribe to an e-mail encryption service through the e-mail provider for your domain. Send any NPI only in a password-protected document. It is relatively easy to password protect Microsoft Word, Adobe PDF, and WordPerfect documents. When sending the protected document, be sure the text of the e-mail "cover message" does not itself contain the password or any NPI. Some practitioners require that the recipient call on the phone to get the necessary access information.
Note that sending NPI by encrypted e-mail may not be a foolproof method of protecting NPI - an encrypted e-mail, once deciphered and read by a recipient, may sit on the recipient's computer indefinitely in a download or other folder and be subject to access by keystroke analysis software or other malware residing on the recipient's computer unbeknownst to the recipient.
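
One way to enforce item 6 before a message leaves the office is to scan the cover text for the document password and for the identifiers in ALTA's NPI definition. The Python below is an added example, not taken from the article or from ALTA; the function names, the regular expressions (heuristics for U.S.-style numbers) and the sample messages are constructed assumptions.

```python
import re
from dataclasses import dataclass

# Heuristic patterns, constructed for this example, for identifiers that the
# ALTA definition quoted above lists as NPI when coupled with a name.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}([- ])(?!00)\d{2}\1(?!0000)\d{4}\b")
CARD_RE = re.compile(
    r"\b(?:\d{4}[ -]?\d{4}[ -]?\d{4}[ -]?\d{4}|\d{4}[ -]?\d{6}[ -]?\d{5})\b"
)
ACCOUNT_RE = re.compile(
    r"\b(?:account|acct|routing)\b\D{0,20}(\d{6,17})\b", re.IGNORECASE
)


@dataclass(frozen=True)
class Finding:
    kind: str        # "password", "card", "ssn" or "account"
    redacted: str    # last four digits only, so reports do not leak the value
    with_name: bool  # a party's last name is also present (ALTA's coupling)


def luhn_ok(digits: str) -> bool:
    """Luhn checksum, used to discard digit runs that are not card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def redact(digits: str) -> str:
    return "*" * (len(digits) - 4) + digits[-4:]


def scan_cover_message(body, party_last_names, document_password=None):
    """Return the Findings in a plain-text e-mail cover message."""
    with_name = any(
        re.search(rf"\b{re.escape(name)}\b", body, re.IGNORECASE)
        for name in party_last_names
    )
    findings = []
    if document_password and document_password in body:
        findings.append(Finding("password", "<document password>", with_name))

    text = body
    for kind, pattern in (("card", CARD_RE), ("ssn", SSN_RE), ("account", ACCOUNT_RE)):
        spans = []
        for m in pattern.finditer(text):
            value = m.group(1) if kind == "account" else m.group(0)
            digits = re.sub(r"\D", "", value)
            if kind == "card" and not luhn_ok(digits):
                continue
            findings.append(Finding(kind, redact(digits), with_name))
            spans.append(m.span())
        # Blank out confirmed matches so a later pattern cannot count them twice.
        for start, end in spans:
            text = text[:start] + "#" * (end - start) + text[end:]
    return findings


def may_send(body, party_last_names, document_password=None) -> bool:
    """True only when the cover message carries no password and no identifier."""
    return not scan_cover_message(body, party_last_names, document_password)


# Constructed sample messages; the names and numbers are not real.
RISKY = (
    "Dear Ms. Rivera,\n"
    "Attached is the protected closing package. The password is Maple-Closing-77.\n"
    "For the payoff we have your SSN as 219-09-9999 and account no. 0045127789.\n"
)
CLEAN = (
    "Dear Ms. Rivera,\n"
    "The closing package is attached as a password-protected PDF.\n"
    "Please call our office at the number on file to get the password.\n"
)

if __name__ == "__main__":
    for label, msg in (("RISKY", RISKY), ("CLEAN", CLEAN)):
        verdict = "send" if may_send(msg, ["Rivera"], "Maple-Closing-77") else "hold"
        print(label, verdict, scan_cover_message(msg, ["Rivera"], "Maple-Closing-77"))
```

A check like this only covers the cover text; the attachment itself still needs the password protection described in item 6.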
Additional information can be found on ALTA's "Title Insurance and Settlement Company Best Practices Resources & Documents" website page (alta.org/bestpractices/documents.cfm).

ABA MODEL RULE OF PROFESSIONAL CONDUCT 1.1, COMMENT [8]

ABA Model Rule 1.1: Competence, Comment [8], provides that attorneys must not only keep abreast of changes in the law and its practice but must also keep abreast of "the benefits and risks associated with relevant technology." The revised Model Rule and Comment have been adopted by at least 17 states.

Some commentators worry that the "perfect storm" of compliance requirements currently faced by real estate practitioners - TRID regulations, ALTA Best Practices requirements, and requirements of ABA Model Rules such as Rule 1.1 - may cause some practitioners who are less technologically proficient to give up the practice of residential real estate in favor of other practice areas. Such a result would be unfortunate.

I am honored to serve as president of a statewide bar association of real estate lawyers in Illinois (Illinois Real Estate Lawyers Association; irela.org). We have thousands of members. When we send out e-mail notices of upcoming meetings, bulletins, and case law updates to our members, however, they go electronically to fewer than 1,200 of our members. This is not because we have neglected to request e-mail addresses of all our members; it is because fewer than 1,200 have provided e-mail addresses. Our suspicion is that some of our folks are having trouble giving up using their IBM Selectric typewriters to prepare real estate documents or are slow to embrace technology and do not have computers or use e-mail. In this current environment, however, it may be necessary to get a bit more "techy" or risk death, in the professional sense. It may be time to join the current century and amass computing power and capabilities beyond those of the venerable Commodore 64 machine of yore. Some practitioners may already have passed a "tipping point" in this regard.

There is no substitute today for developing the requisite technological expertise to meet the current demands facing real estate practitioners. TRID, ALTA Best Practices, and, in many states, Rules of Professional Conduct now require the real estate practitioner to develop and implement policies and procedures to prevent inadvertent disclosure of client confidential information, prevent inadvertent interception of e-mailed wire instructions resulting in significant losses, and "stay current" with relevant technology.
Does this mean the practitioner has to be an "early adopter" and install the latest operating system for a PC as soon as it comes out? Does each Mac user need to study to become an Apple "Genius"? No. Moreover, prudence often dictates a more methodical approach, but practitioners should at least be aware of what current operating systems are available for office computer equipment and make appropriate decisions. (I am thinking here of those "Luddite lawyers" out there - those, for example, who still cling tenaciously to their beloved Windows XP Professional operating system even though it is no longer supported by Microsoft.) With new operating systems may come "growing pains," but there are also security improvements.

Staying abreast of "the benefits and risks associated with relevant technology" requires no less.
WE'RE FROM THE GOVERNMENT AND
WE'RE HERE TO HELP
The Federal Bureau of Investigation (FBI) has provided some helpful guidance recently. Going beyond standard warnings not to use Hotmail, Comcast.net, AOL, Yahoo, and similar non-secure public domains (not only are they not secure, most user agreements with these sorts of public domains allow the operators to access and retrieve data from your e-mails), the FBI offers some simple, but effective, suggestions. Declaring October 2015 to be National Cyber Security Awareness Month, the FBI provided several pithy observations regarding how to stay safe (tinyurl.com/qgemgwb). While no single suggested defense will provide complete protection these days, use of multiple methods will cumulatively provide a fairly helpful defense. The FBI's tips include some obvious suggestions (keep your firewall turned on, install or update your antivirus and anti-malware software, and keep your operating system up-to-date and install all security improvements) along with several less obvious suggestions, such as implementing two-factor authentication.
Best Practice: Adopt and maintain a written privacy and information security program to protect Non-public Personal Information as required by local, state and federal law.
Purpose: Federal and state laws (including the Gramm-Leach-Bliley Act) require title companies to develop a written information security program that describes the procedures they employ to protect Non-public Personal Information. The program must be appropriate to the Company's size and complexity, the nature and scope of the Company's activities, and the sensitivity of the customer information the Company handles. A Company evaluates and adjusts its program in light of relevant circumstances, including changes in the Company's business or operations, or the results of security testing and monitoring.
Procedures to meet this best practice:
• Physical security of Non-public Personal Information.
  - Restrict access to Non-public Personal Information to authorized employees who have undergone Background Checks at hiring.
  - Prohibit or control the use of removable media.
  - Use only secure delivery methods when transmitting Non-public Personal Information.
• Network security of Non-public Personal Information.
  - Maintain and secure access to Company information technology.
  - Develop guidelines for the appropriate use of Company information technology.
  - Ensure secure collection and transmission of Non-public Personal Information.
• Disposal of Non-public Personal Information.
  - Federal law requires companies that possess Non-public Personal Information for a business purpose to dispose of such information properly in a manner that protects against unauthorized access to or use of the information.
• Establish a disaster management plan.
• Appropriate management and training of employees to help ensure compliance with Company's information security program.
• Oversight of service providers to help ensure compliance with a Company's information security program.
  - Companies should take reasonable steps to select and retain service providers that are capable of appropriately safeguarding Non-public Personal Information.
• Audit and oversight procedures to help ensure compliance with Company's information security program.
  - Companies should review their privacy and information security procedures to detect the potential for improper disclosure of confidential information.
• Notification of security breaches to customers and law enforcement.
  - Companies should post the privacy and information security program on their websites or provide program information directly to customers in another useable form. When a breach is detected, the Company should have a program to inform customers and law enforcement as required by law.
From Title Insurance and Settlement Company Best Practices. All publications of the American Land Title Association, including ALTA Best Practices Resources and Documents, are copyrighted and are reprinted herein by specific permission from: American Land Title Association (ALTA), 1800 M Street, Suite 300 South, Washington, DC 20036; phone: 202/296-3671; e-mail: service@alta.org; web: http://www.alta.org.
TWO-FACTOR AUTHENTICATION
Two-factor authentication (TFA) creates an extra layer of security protection. Google calls its version of TFA "2-Step Verification," and in that context uses it to help protect against unauthorized access to Gmail and other Google accounts from hackers by requiring the entry of a special code when attempting to access - upon an attempt to sign in from a new computer, a code is sent via text to a mobile phone, via voice call, or via a mobile app. You can set the system to require the code only the first time you access the Google account on one of your trusted computers, but the system will be in place and will require entry of the code when anyone else tries to access the account from another computer.
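
The sign-in flow described above, with the "mobile app" code generated by the standard time-based one-time password algorithm (RFC 6238) that authenticator apps commonly implement. This is an added Python example, not Google's code and not part of the original article; the `Account` class, its method names and the device labels are hypothetical, and the secret is the RFC's published test key.

```python
import hashlib
import hmac
import struct
import time

STEP = 30  # seconds each code is valid for, the usual authenticator-app setting


def totp(secret: bytes, at: float, digits: int = 6) -> str:
    """RFC 6238 one-time code (HMAC-SHA-1 variant) for the time `at`."""
    counter = struct.pack(">Q", int(at) // STEP)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation, RFC 4226 section 5.3
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


class Account:
    """Hypothetical account that asks for a code on computers it does not trust."""

    def __init__(self, password: str, totp_secret: bytes):
        self._password = password      # a real service stores a salted hash
        self._secret = totp_secret     # shared once with the user's phone app
        self._trusted = set()          # computers the user chose to remember
        self._last_counter = -1        # highest time step already accepted

    def sign_in(self, password, device_id, code=None, now=None, trust_device=False):
        now = time.time() if now is None else now
        if not hmac.compare_digest(password.encode(), self._password.encode()):
            return "denied"
        if device_id in self._trusted:
            return "ok"                # second factor already proven here
        if code is None:
            return "code required"     # a stolen password alone stops at this point
        current = int(now) // STEP
        for counter in (current, current - 1):   # tolerate one step of clock drift
            expected = totp(self._secret, counter * STEP)
            if hmac.compare_digest(code.encode(), expected.encode()):
                if counter <= self._last_counter:
                    return "denied"    # same code presented again: replay
                self._last_counter = counter
                if trust_device:
                    self._trusted.add(device_id)
                return "ok"
        return "denied"


RFC_TEST_SECRET = b"12345678901234567890"  # published test key from RFC 6238

if __name__ == "__main__":
    acct = Account("correct horse", RFC_TEST_SECRET)
    print(acct.sign_in("correct horse", "office-pc", now=59))
    print(acct.sign_in("correct horse", "office-pc", totp(RFC_TEST_SECRET, 59),
                       now=59, trust_device=True))
    print(acct.sign_in("correct horse", "unknown-laptop", now=5000))
```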
DEFENSE IN DEPTH
The FBI encourages you to protect your mobile devices (such as laptops, flash drives, and smartphones) and be careful accessing WiFi networks in public places (the local coffee shop, airport, or hotel offering a free WiFi hot spot may not be the best place to access your online banking system to check your account balance - there are sniffers out there). If you will be accessing a sensitive account, better to use a virtual private network (VPN) connection from a well-established personal VPN provider. The encryption of your data over a VPN connection provides an additional layer of security for your communications, making the data harder for cyber-snoops to steal.
REDUNDANT BACKUP
Use multiple methods of backing up your valuable data. Consider a cloud environment (Carbonite, Google Drive, Cubby, or Dropbox, with additional security for professionals), and storing hard copies of data at a different physical location than your office. Consider using an additional external hard drive to back up data on an established schedule (once per week?) that is not left attached to your office computer but is kept at a different physical location. External hard drives are not very expensive. A data breach can be very expensive.

Beware of malware, including keystroke analysis software that can infect your computer unbeknownst to you when you visit Facebook, online shopping sites, or use Yahoo, AOL, Hotmail, and other unprotected domains. Also becoming more problematic is ransomware, which allows a bad person to access and "freeze" your computer until you pay a substantial "ransom" to get back access to your precious files and family photos. Backing up data on an external hard drive attached to your computer is not necessarily a foolproof solution because ransomware can infect and "freeze" peripheral devices such as external hard drives attached to your computer. Turn off your computer when it is not being used.

You may not be practicing with a huge law firm with its own IT department, so consider retaining an IT service for additional assistance. Many with the necessary expertise can be found that charge affordable fees. Consider it a necessary expense of doing business in the current environment.

If you work as a title agent with a title insurance company, it may be able to provide additional assistance.
A PARTING THOUGHT: THE
E-CLOSINGS ARE COMING!
The requirements of technological familiarity and competence are with us for the foreseeable future. In the context of TRID, moreover, the benefits of technology are seen by the CFPB as the best solution to eliminating consumer "pain points" typically experienced in a real estate mortgage transaction. The introduction of the new Loan Estimate and Closing Disclosure forms represents just the first step.

The CFPB recently conducted an extensive analysis of the operation and benefits of various "e-closing" platforms and systems, and they have declared themselves to be "ardent believers in the promise of technology." With e-closing platforms, consumers are able to view all documents associated with their mortgage transaction on their laptop or tablet while sitting in the privacy of their home at any time of day or night. More importantly from the perspective of a practitioner trying to provide valuable legal representation to a borrower/consumer, it is possible to press a single electronic "button" on the screen and digitally "sign" all of these documents, from promissory note and mortgage to W-9 forms, in one fell swoop.

Companies such as DocuSign are marketing their services vigorously to mortgage lenders, touting the speed of processing to allow lenders to close business faster to earn revenue sooner, as well as the enhancement of client satisfaction by allowing review of digital versions of documents and fast and convenient "anytime, anywhere" signing on any device. Many marketing pitches by DocuSign and similar providers emphasize the benefit to lenders of using digital signing to streamline a process described by many consumers as frustrating and time-consuming: the finalizing of mortgage paperwork. Signing mortgage documents electronically, however, has more serious consequences than just clicking "ok" to accept a new version of an iTunes user agreement. While lenders clearly benefit from promoting digital signing, is it better for the borrowing consumer?

Attorneys may wish to remind clients of the importance of obtaining legal advice from an experienced practitioner before committing to a financial obligation that may well be the largest in these clients' lives. The whole purpose of TRID's "Three-Day Rule" is to allow a consumer three business days to review the important numbers in the closing disclosure form and decide whether or not to proceed. During that period, a consumer can consult with his or her attorney, but the attorney may not be able to do anything about the client's ill-advised prior digital signing of all mortgage documents without benefit of any consultation.

Faster may not be better in all cases. The growing pressure to agree to all the terms and provisions of mortgage documents by signing electronically on a tablet or smartphone with the push of a single button is not conducive to careful evaluation of risks.
Ralph J. Schumann (rjs@schumannlaw.com) is a sole practitioner in Schaumburg, Illinois, with concentrations in real estate law, including residential and commercial transactions, and estate planning and litigation. He is president of the Illinois Real Estate Lawyers Association.
47
-

Aba gp solo magazine schumann technology article-20160319_as published

  • 1.
    IB SOLO, SMALLFIRMAND GENERAL PRACTICE DIVISION A PUBLICATION OFTHE AMERICAN BAR ASSOCIATION REAL PROPERTY LAW NOU.Il~OSS'1 1M3 N'o'~lijl~V Orotd "ViSOd's'n H011'IZIN'o'9ijO lliOijdNON B69n990911 '08f8IH8 '133~lS >lWII "How Real Estate Lawyers Can Use Technology to Guard Against Security and Compliance Threats" By: Ralph J. Schumann President, Illinois Real Estate Lawyers Association (www.irela.org) Reprinted by permission.
  • 2.
    How Real EstateLawyers Can Use Security and Compliance Threats 42 - GPSOLO I March/April 2016
  • 3.
    GPSOLO I ambar.orgjgpsolomag43 Technology to Guard Against By Ralph J. Schumann "May you live in interesting times." - Traditional (likely apocryphal) Chinese curse Intoday's interesting times, real estate practitioners are witnessing some troubling trends: • increasing prevalence of digital scams to sepa- rate money from individuals and lenders, such as wire instruction scams utilizing keystroke analysis software and other malware; • increasingly widespread and sophisticated techniques used by thieves to steal money from law firm trust and operating accounts; • increasingly complex regulatory requirements in the area of residential real estate transac- tions involving mortgage financing; and • increasing emphasis on the part of mortgage lenders to have practitioners meet "best prac- tices" and similar standards in their real estate practices. Given these trends, it is more important than ever for real property law practitioners to familiarize them- selves with and implement the latest technology to protect themselves. In particular, practitioners must ensure they are meeting their obligations as expressed in the TRID (Truth in Lending Act/Real Estate Settle- ment Procedures Act Integrated Disclosure) Rule, American Land Title Association (ALTA) Best Prac- "'"tice Number 3, and ABA Model Rule of Professional o ~ Conduct 1.1: Competence, Comment [8]. -
  • 4.
    TRID RULE The ConsumerFinancial Protection Bu- reau (CFPB), created by the Dodd-Frank Act in the aftermath of the 2008 mort- gage meltdown and the resulting reces- sion, is charged with implementation and enforcement of TRID. The CFPB also refers to the program as "Know Before You Owe." (New regulations imple- mented by the CFPB went into effect October 3, 2015.) Most real estate practitioners are aware that the new system involves new forms and new procedures. The Truth in Lending Act's (TILA) "Good Faith Estimate" (GFE) and "HUD-1 Settle- ment Statement" (named for the U.S. Department of Housing and Urban De- velopment) are being replaced in most closed-end financing transactions by the new "Loan Estimate" and "Closing Dis- closure" forms. UnderTRID, the lender is responsible for preparing and delivering the Closing Disclosure to the borrower- consumer and has 100 percent liability for any violations of the new regulations. imposed billions of dollars in fines and penalties in connection with efforts to protect consumers. In the context of its enforcement of TRID, the CFPB has stated that its view of the Gramm-Leach-Bliley Act of 1999 (GLB), and later pronouncements by the Federal Trade Commission (FTC) regarding privacy safeguards, is that real estate practitioners acting as title agents are required to take appropriate steps and utilize appropriate technol- ogy to create an information security program outlining procedures to pro- tect consumer information. The CFPB's third-party service provider bulletin is- sued in 2012 reiterated prior regulations and reinforced the message that lenders are 100 percent liable for the actions of their service providers. Real estate practitioners involved as title agents in mortgage financing transactions are cov- ered service providers and are held to the same standard. 
In addition, don't forget that attor- neys are required under the ABA Model TRID represents a dramatic sea change in residential real estate prac- tice of the sort that has not been seen for more than 40 years. Moreover, the CFPB is a "new sheriff in town" with formidable resources and enforcement power. Under TRID, a single violation of the regulations can result in a penalty of $5,000 per day. If the violation is reck- less, the penalty increases to $25,000 per day, and a knowing violation triggers a penalty of $1 million per day. Make no mistake: This new sheriff has plenty of weapons, and they are all loaded and at the ready. The CFPB has already 44 - Rules of Professional Conduct to pro- tect clients' confidential information, and that this may require implementing reasonable measures to prevent the in- advertent or unauthorized disclosure of what has been referred to by the FTC as NPI (non-public personal information; see Rule 1.6: Confidentiality of Infor- mation, Comment [18].) A lawyer is required to take reasonable precautions when transmitting a communication containing confidential information to prevent the information from coming into the hands of unintended recipients. PI includes Social Security Numbers, birth dates, bank account numbers, and other information that can be used to personally identify a consumer. The requirements apply to lenders and other parties, and because real estate practitioners often act as title agents and third-party service providers to lenders in the closing process, they, too, must protect NPL ALTA BEST PRACTICE NUMBER 3 The CFPB has not explicitly laid out for- mal requirements for protecting NPI, but in this regard the American Land Title Association (ALTA) has promul- gated its Title Insurance and Settle- ment Company Best Practices (alta.orgl bestpractices). 
Title companies and lend- ers are increasingly requiring that attor- neys acting as title agents in transactions be third -party certified (or, in some cases, self-certify) that they are in compliance with ALIA Best Practices. Given the robust enforcement pow- ers of the CFPB, the prudent real estate practitioner would be well served to be- come familiar with ALTA Best Practices in this r;gard. ALTA defines NPI as "[p]ersonally identifiable data such as information pro- vided by a customer on a form or appli- cation, information about a customer's transactions, or any other information about a customer which is otherwise unavailable to the general public." Ac- cording to ALTA Best Practices, NPI includes first name or first initial and last name coupled with any of the fol- lowing: Social Security Number, driver's license number, state-issued ID number, credit card number, debit card number, or other financial account numbers. This definition is consistent with the definition used by the FTC for GLB compliance. All seven pillars of ALTA Best Practices should be reviewed in their entirety by real estate practitio- ners, but perhaps the most significant in the context of NPI is Best Practice Number 3. (The full text can be found in the sidebar on page 46.) A complete analysis of digital security requirements is beyond the scope of this brief article, but certain basics should be observed in order to comply with ALTA Best Practices: GPSOLO I March/April 2016
  • 5.
    1. Only allowauthorized persons to access your hardware and equip- ment, including servers, com- puters, laptops, tablets, mobile devices, fax machines, copiers, scanners, and printers. 2. Use strong passwords to access network computers. Include upper- and lowercase letters, num- bers, symbols, and perhaps even spaces in passwords. 3. Password-protect all computers in your office. Require employees to lock their computers when leaving. 4. Establish aprivate domain for your business. You should have a web- site and a business-specific e-rnail, 5. Do not allow staff to use any re- movable media with any machines on the network. Do not send NPI bye-mail unless required to do so by the e-rnail recipient. Old-school sending ofNPI by facsimile trans- mission may be more secure, as long as the transmission goes to a digital" e-fax" or similar digital inbox-pages sent by fax that sit unguarded on a recipient's regular fax machine may lead to inadver- tent disclosure of NPL (As an aside, using a fax machine to send wire instructions to a mortgage lender or a buyer can be an improvement over using e-mail; notably, the scam artists who have been frequently intercepting wire instructions and then modifying them to send out apparently bona fide "corrected" instructions directing the wire to be sent to the scam artist's controlled bank account have so far not de- voted much attention to "hacking" fax transmissions.) 6. If you send NPI bye-mail, use secure means. Subscribe to an e- mail encryption service through the e-rnail provider for your do- main. Send any NPI only in a password-protected document. It is relatively easy to password protect Microsoft Word, Adobe PDF, and WordPerfect documents. When sending the protected docu- ment, be sure the text of the e-rnai] "cover message" does not itself contain the password or any NPI. Some practitioners require that the recipient call on the phone to get the necessary access information. 
Note that sending NPI by encrypted e-mail may not be a foolproof method of protecting NPI - an encrypted e-mail, once deciphered and read by a recipient, may sit on the recipient's computer indefinitely in a download or other folder and be subject to access by keystroke analysis software or other malware residing on the recipient's computer unbeknownst to the recipient.
Additional information can be found on ALTA's "Title Insurance and Settlement Company Best Practices Resources & Documents" website page (alta.org/bestpractices/documents.cfm).
ABA MODEL RULE OF PROFESSIONAL CONDUCT 1.1, COMMENT [8]
ABA Model Rule 1.1: Competence, Comment [8], provides that attorneys must not only keep abreast of changes in the law and its practice but must also keep abreast of "the benefits and risks associated with relevant technology." The revised Model Rule and Comment have been adopted by at least 17 states.
Some commentators worry that the "perfect storm" of compliance requirements currently faced by real estate practitioners (TRID regulations, ALTA Best Practices requirements, and requirements of ABA Model Rules such as Rule 1.1) may cause some practitioners who are less technologically proficient to give up the practice of residential real estate in favor of other practice areas. Such a result would be unfortunate.
I am honored to serve as president of a statewide bar association of real estate lawyers in Illinois (Illinois Real Estate Lawyers Association; irela.org). We have thousands of members. When we send out e-mail notices of upcoming meetings, bulletins, and case law updates to our members, however, they go electronically to fewer than 1,200 of our members. This is not because we have neglected to request e-mail addresses of all our members; it is because fewer than 1,200 have provided e-mail addresses. Our suspicion is that some of our folks are having trouble giving up using their IBM Selectric typewriters to prepare real estate documents or are slow to embrace technology and do not have computers or use e-mail. In this current environment, however, it may be necessary to get a bit more "techy" or risk death, in the professional sense. It may be time to join the current century and amass computing power and capabilities beyond those of the venerable Commodore 64 machine of yore. Some practitioners may already have passed a "tipping point" in this regard.
There is no substitute today for developing the requisite technological expertise to meet the current demands facing real estate practitioners. TRID, ALTA Best Practices, and, in many states, Rules of Professional Conduct now require the real estate practitioner to develop and implement policies and procedures to prevent inadvertent disclosure of client confidential information, prevent inadvertent interception of e-mailed wire instructions resulting in significant losses, and "stay current" with relevant technology.
Does this mean the practitioner has to be an "early adopter" and install the latest operating system for a PC as soon as it comes out? Does each Mac user need to study to become an Apple "Genius"? No. Moreover, prudence often dictates a more methodical approach, but practitioners should at least be aware of what current operating systems are available for office computer equipment and make appropriate decisions. (I am thinking here of those "Luddite lawyers" out there - those, for example, who still cling tenaciously to their beloved Windows XP Professional operating system even though it is no longer supported by Microsoft.) With new operating systems may come "growing pains," but there are also security improvements. Staying abreast of "the benefits and risks associated with relevant technology" requires no less.
WE'RE FROM THE GOVERNMENT AND WE'RE HERE TO HELP
The Federal Bureau of Investigation (FBI) has provided some helpful guidance recently. Going beyond standard warnings not to use Hotmail, Comcast.net, AOL, Yahoo, and similar non-secure public domains (not only are they not secure, most user agreements with these sorts of public domains allow the operators to access and retrieve data from your e-mails), the FBI offers some simple, but effective, suggestions. Declaring October 2015 to be National Cyber Security Awareness Month, the FBI provided several pithy observations regarding how to stay safe (tinyurl.com/qgemgwb). While no single suggested defense will provide complete protection these days, use of multiple methods will cumulatively provide a fairly helpful defense.
The FBI's tips include some obvious suggestions (keep your firewall turned on, install or update your antivirus and anti-malware software, and keep your operating system up-to-date and install all security improvements) along with several less obvious suggestions, such as implementing two-factor authentication.
Best Practice: Adopt and maintain a written privacy and information security program to protect Non-public Personal Information as required by local, state and federal law.
Purpose: Federal and state laws (including the Gramm-Leach-Bliley Act) require title companies to develop a written information security program that describes the procedures they employ to protect Non-public Personal Information. The program must be appropriate to the Company's size and complexity, the nature and scope of the Company's activities, and the sensitivity of the customer information the Company handles. A Company evaluates and adjusts its program in light of relevant circumstances, including changes in the Company's business or operations, or the results of security testing and monitoring.
Procedures to meet this best practice:
• Physical security of Non-public Personal Information.
  - Restrict access to Non-public Personal Information to authorized employees who have undergone Background Checks at hiring.
  - Prohibit or control the use of removable media.
  - Use only secure delivery methods when transmitting Non-public Personal Information.
• Network security of Non-public Personal Information.
  - Maintain and secure access to Company information technology.
  - Develop guidelines for the appropriate use of Company information technology.
  - Ensure secure collection and transmission of Non-public Personal Information.
• Disposal of Non-public Personal Information.
  - Federal law requires companies that possess Non-public Personal Information for a business purpose to dispose of such information properly in a manner that protects against unauthorized access to or use of the information.
• Establish a disaster management plan.
• Appropriate management and training of employees to help ensure compliance with Company's information security program.
• Oversight of service providers to help ensure compliance with a Company's information security program.
  - Companies should take reasonable steps to select and retain service providers that are capable of appropriately safeguarding Non-public Personal Information.
• Audit and oversight procedures to help ensure compliance with Company's information security program.
  - Companies should review their privacy and information security procedures to detect the potential for improper disclosure of confidential information.
• Notification of security breaches to customers and law enforcement.
  - Companies should post the privacy and information security program on their websites or provide program information directly to customers in another useable form. When a breach is detected, the Company should have a program to inform customers and law enforcement as required by law.
From Title Insurance and Settlement Company Best Practices. All publications of the American Land Title Association, including ALTA Best Practices Resources and Documents, are copyrighted and are reprinted herein by specific permission from: American Land Title Association (ALTA), 1800 M Street, Suite 300 South, Washington, DC 20036; phone: 202/296-3671; e-mail: service@alta.org; web: http://www.alta.org.
TWO-FACTOR AUTHENTICATION
Two-factor authentication (TFA) creates an extra layer of security protection. Google calls its version of TFA "2-Step Verification," and in that context uses it to help protect against unauthorized access to Gmail and other Google accounts from hackers by requiring the entry of a special code when attempting to access - upon an attempt to sign in from a new computer, a code is sent via text to a mobile phone, via voice call, or via a mobile app. You can set the system to require the code only the first time you access the Google account on one of your trusted computers, but the system will be in place and will require entry of the code when anyone else tries to access the account from another computer.
DEFENSE IN DEPTH
The FBI encourages you to protect your mobile devices (such as laptops, flash drives, and smartphones) and be careful accessing WiFi networks in public places (the local coffee shop, airport, or hotel offering a free WiFi hot spot may not be the best place to access your online banking system to check your account balance - there are sniffers out there). If you will be accessing a sensitive account, better to use a virtual private network (VPN) connection from a well-established personal VPN provider. The encryption of your data over a VPN connection provides an additional layer of security for your communications, making the data harder for cyber-snoops to steal.
REDUNDANT BACKUP
Use multiple methods of backing up your valuable data. Consider a cloud environment (Carbonite, Google Drive, Cubby, or Dropbox, with additional security for professionals), and storing hard copies of data at a different physical location than your office. Consider using an additional external hard drive to back up data on an established schedule (once per week?) that is not left attached to your office computer but is kept at a different physical location. External hard drives are not very expensive. A data breach can be very expensive.
Beware of malware, including keystroke analysis software that can infect your computer unbeknownst to you when you visit Facebook, online shopping sites, or use Yahoo, AOL, Hotmail, and other unprotected domains. Also becoming more problematic is ransomware, which allows a bad person to access and "freeze" your computer until you pay a substantial "ransom" to get back access to your precious files and family photos. Backing up data on an external hard drive attached to your computer is not necessarily a foolproof solution because ransomware can infect and "freeze" peripheral devices such as external hard drives attached to your computer. Turn off your computer when it is not being used.
You may not be practicing with a huge law firm with its own IT department, so consider retaining an IT service for additional assistance. Many with the necessary expertise can be found that charge affordable fees. Consider it a necessary expense of doing business in the current environment. If you work as a title agent with a title insurance company, it may be able to provide additional assistance.
A PARTING THOUGHT: THE E-CLOSINGS ARE COMING!
The requirements of technological familiarity and competence are with us for the foreseeable future. In the context of TRID, moreover, the benefits of technology are seen by the CFPB as the best solution to eliminating consumer "pain points" typically experienced in a real estate mortgage transaction. The introduction of the new Loan Estimate and Closing Disclosure forms represents just the first step. The CFPB recently conducted an extensive analysis of the operation and benefits of various "e-closing" platforms and systems, and they have declared themselves to be "ardent believers in the promise of technology."
With e-closing platforms, consumers are able to view all documents associated with their mortgage transaction on their laptop or tablet while sitting in the privacy of their home at any time of day or night. More importantly from the perspective of a practitioner trying to provide valuable legal representation to a borrower/consumer, it is possible to press a single electronic "button" on the screen and digitally "sign" all of these documents, from promissory note and mortgage to W-9 forms, in one fell swoop.
Companies such as DocuSign are marketing their services vigorously to mortgage lenders, touting the speed of processing to allow lenders to close business faster to earn revenue sooner, as well as the enhancement of client satisfaction by allowing review of digital versions of documents and fast and convenient "anytime, anywhere" signing on any device. Many marketing pitches by DocuSign and similar providers emphasize the benefit to lenders of using digital signing to streamline a process described by many consumers as frustrating and time-consuming: the finalizing of mortgage paperwork. Signing mortgage documents electronically, however, has more serious consequences than just clicking "ok" to accept a new version of an iTunes user agreement. While lenders clearly benefit from promoting digital signing, is it better for the borrowing consumer?
Attorneys may wish to remind clients of the importance of obtaining legal advice from an experienced practitioner before committing to a financial obligation that may well be the largest in these clients' lives. The whole purpose of TRID's "Three-Day Rule" is to allow a consumer three business days to review the important numbers in the closing disclosure form and decide whether or not to proceed.
During that period, a consumer can consult with his or her attorney, but the attorney may not be able to do anything about the client's ill-advised prior digital signing of all mortgage documents without benefit of any consultation. Faster may not be better in all cases. The growing pressure to agree to all the terms and provisions of mortgage documents by signing electronically on a tablet or smartphone with the push of a single button is not conducive to careful evaluation of risks.
Ralph J. Schumann (rjs@schumannlaw.com) is a sole practitioner in Schaumburg, Illinois, with concentrations in real estate law, including residential and commercial transactions, and estate planning and litigation. He is president of the Illinois Real Estate Lawyers Association.