Trade Vendor Information Security Requirements and Recommendations (TVISRR)

I got a request to sign this contract in order to continue doing business with some of my signing companies. It sounds like they want to be able to access my personal information on customers and my procedures. It’s very invasive and I am not comfortable signing it. Did anyone else get this?

I was able to find a copy of the document with a Google search. I notice there are minimum requirements in section 1 and recommendations in section 2. I have problems with some of the minimum requirements.
1.1 b says data, including emails, stored on your device, must be encrypted. From what I can tell, recent desktop computers with Windows 10 or 11 HOME edition do not come with drive encryption. Laptops might, I’m not sure.
1.1c says data in transit must be protected “via the most current Pretty Good Privacy (PGP) protocol available.” I know what that means. A volunteer organization I belong to has about 200 members and I estimate about 4 of them know what it means. I would be astounded if any of the signing service or title company employees we deal with would understand.
1.6 gives Fidelity a right to audit. That’s worrisome, because it isn’t clear just how much data they would be entitled to see.

1.2a is the usual old-fashioned requirements. When practical I endorse the guidance from the National Institute of Standards and Technology (NIST). A summary is available from Joe Dibley. An example of a pass phrase that would be strong and meet the NIST requirements, but not 1.2a, would be “Pink daffodils are tasty but grass smells bad”.
1.2b says to never store your passwords in any format. But I have nearly 400 passwords and would be helpless without my password manager. NIST endorses password managers.
1.2c says to change your passwords every 180 days. No _______ way. NIST agrees. It also says to use a unique password for each device or account, which NIST and I strongly endorse.

4 Likes
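The contrast drawn above between composition-rule policies and the NIST approach, as an added example that is not part of the original post: the legacy rule (8 to 16 characters, four character classes) is a hypothetical stand-in for 1.2a, since the thread does not quote its exact wording, and the blocklist is a constructed sample standing in for a real breached-password list.

```python
import re

# Hypothetical legacy composition rule (assumed, not the TVISRR text).
LEGACY_MIN, LEGACY_MAX = 8, 16
LEGACY_CLASSES = {
    "upper": re.compile(r"[A-Z]"),
    "lower": re.compile(r"[a-z]"),
    "digit": re.compile(r"\d"),
    "symbol": re.compile(r"[^A-Za-z0-9\s]"),
}

# Constructed sample blocklist; a real check would use a breached-password corpus.
BLOCKLIST = {"password", "password1", "p@ssw0rd", "qwerty123", "letmein"}


def legacy_check(pw):
    """Return the list of reasons the legacy composition rule rejects pw (empty = accepted)."""
    reasons = []
    if not LEGACY_MIN <= len(pw) <= LEGACY_MAX:
        reasons.append(f"length must be {LEGACY_MIN}-{LEGACY_MAX}")
    for name, pattern in LEGACY_CLASSES.items():
        if not pattern.search(pw):
            reasons.append(f"missing {name}")
    return reasons


def nist_check(pw):
    """NIST SP 800-63B style: minimum 8, allow up to 64, spaces permitted,
    no composition rules, reject values on a blocklist of known-weak secrets."""
    reasons = []
    if len(pw) < 8:
        reasons.append("shorter than 8 characters")
    if len(pw) > 64:
        reasons.append("longer than 64 characters")
    if pw.lower() in BLOCKLIST:
        reasons.append("appears on the blocklist")
    return reasons


if __name__ == "__main__":
    for candidate in ("Pink daffodils are tasty but grass smells bad", "P@ssw0rd"):
        print(repr(candidate))
        print("  legacy:", legacy_check(candidate) or "accepted")
        print("  NIST:  ", nist_check(candidate) or "accepted")
```

The passphrase from the post fails the composition rule on length and missing character classes yet passes the NIST check, while a well-known weak value satisfies every composition rule and is only caught by the blocklist.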

Thanks, I understood that they have a right to audit which is worrisome to me also. I guess telling them I have a secure system isn’t good enough so they want to see for themselves. As a notary, we are supposed to maintain high security and allowing others to see our stuff doesn’t fit that bill. I appreciate your feedback. It was helpful.

Gerard,

Thanks for your research on this topic. The IRS/US Treasury has similar security requirements for Tax Professionals. We have to have a written security plan as to the how’s but not any of the nitty gritty details. Since all of my files are encrypted, and I refuse to turn over any passwords or PINs without a court order, good luck getting a look at my client or vendor data. I keep no protected data on my desk top or laptop.

I’m concerned that an audit might expose confidential trade information such as data from my other vendors or clients.

Thanks for taking the time to keep us informed.

Mark

2 Likes

Yes, I put on 2-factor authentication and have a separate business email - that’s all you need to do.

1 Like
