Information Security: 4 Things You Need to Know

As operators of several businesses handling volumes of personal, non-public information – in both the virtual and physical environments – and, particularly since we have a fiscal responsibility to protect consumers’ non-public information, at we have felt it necessary to exercise extreme caution. Handling the paperwork and communications activities connecting with transferring a timeshare resort’s real estate title bears a heavy onus.

For many years we have provided clients with our expertise as a full-service title agency. In 2011, we created online, timeshare-specific software to enable resort operators to automate owner-to-owner transfers, handle estoppel requests (, escrow payments ( and produce sales documentation ( Each is available as a stand-alone module or all can be bundled under In all of these activities, the safeguarding of information is the warp and weft of our business. But, with bad actors working with all their might to find new ways to steal information, we recognize the importance of remaining vigilant.

Like us, your resort’s customer information is your lifeblood. Lose your owners’ confidence and you could very well find yourself out of business. Plus, privacy literally has become a Federal case. Two laws specifically address safeguarding privacy — the Gramm-Leach-Bliley Financial Services Modernization Act of 1999 and the Health Insurance Portability and Accountability Act (HIPAA). In addition, California, Connecticut, Florida, Montana, Nevada and Wyoming have enacted similar laws that safeguard consumer information.

While I’m not a lawyer and our company’s staff cannot provide legal advice, we can recommend a few tips to safeguard information:

  1. Identify and locate all Personal Information (PI), Personally Identifiable Information (PII) and Non-Public Personal Information (NPI) in your possession and/or control. Awareness of what information you have and where it’s stored is vital. Personal information, or PI, refers to information that, when standing alone, is not personal. This can include a name, email address, mailing address, phone number, fax number and any other information. But when a piece of personal information is combined with others, so that together they can be used to personally identify someone, that’s referred to as Personally Identifiable Information, or PII. Non-Public Personal Information – NPI – pertains to personal information coupled with any of the following: social security number, driver’s license number, state-issued ID number, debit or credit card number or any other financial account number.
  2. Now that you know what to look for and can spot where your resort may be vulnerable, you’re on your way. Now you can establish company policies, processes and procedures for collection, storage, protection and disposal of PI, PII and NPI. Once you know what you need to be tracking, the next step is to set up standard operating procedures. You may wish to hold a series of meetings with your staff to discuss how electronic data and paperwork is received; how it gets routed; who ‘touches’ it and how it is disposed of, filed or returned. After determining the various paths involved, you might decide to draw up a document in the form of an agreement for employees to sign, acknowledging their understanding of the rules and willingness to comply.
  3. Adopt a “clean desk“ policy. Secure all documents, portable devices and electronic media in a locked or secured desk, file cabinet. Force cell phones, tablets and other electronic media to auto-lock after being idle for a few seconds. NEVER leave PI, PII or NPI in a hotel room, conference room or any location that can be accessed by others. Remain vigilant. Not every team member on property should have access to this level of information. This includes housekeeping; have shredders conveniently located for the disposal of documents.
  4. It how customer information is shared with those outside your company. Vendors such as a mail house, financial institution or a collection company need to adhere to these practices, too. Don’t let a supplier’s sloppy practice impact your pristine reputation!

The bottom line is probably this: The less information you retain or store, the better. And the smaller the circle having access to that information you do need to collect, the better. Remember, they can’t steal what you don’t have!