1. Policy Statement
Chicago Title Insurance Company (referred to as “CTIC”) is committed to protecting Personal Information. CTIC has established its Privacy Program as set forth in the Privacy Program Plan to govern the collection, use, storage, and disposal of Personal Information, as defined herein. This Privacy Policy is at the core of the Privacy Program Plan.
While CTIC protects personal information as a matter of principle, we must also be cognizant of the significant financial impact a breach of privacy can have on CTIC. In addition to the risk of loss in reputation and clients’ loyalty, violations of privacy laws also incur potentially high fines.
This Policy is designed to:
• define Privacy Incident, Personal Information, Public Personal Information, and Sensitive Personal Information; and
• establish standards to provide written notice of CTIC’s privacy practices to customers at the time the customer relationship is established.
2. Scope
This Policy applies to all CTIC employees, contractors, volunteers, and any third parties who have access to Personal Information under the control of CTIC, whether direct control or through a third-party service provider. This Policy applies to all Personal Information collected, maintained, transmitted, stored, or otherwise used by CTIC in the conduct of its business.
This Policy does not apply to information about companies or organizations, unless they are solely owned by an individual where information about the company is effectively personal information about the owner. Additionally, you should be aware of CTIC’s publicly-disclosed policies and representations regarding Personal Information in CTIC’s Privacy Statement, which is available, among other places, on the CTIC website.
3. Definitions
Personal Information is any data or information about, or that can reasonably be related to, an identifiable person, both customers and employees. Depending on the context, some personal information may be made public such as business contact information and business-related personal information. As a result, it is important to define both (1) what is Personal Information, and (2) into which category Personal Information falls. For the purpose of handling, storage, disposal and use, Personal Information is classified into a general category and a specific sub-category of “Sensitive” Personal Information.
Key terms used in this Policy are defined as follows:
“Personal Information” is any information relating to an identified or identifiable person protected by consumer protection, privacy, or data security laws and regulations, confidentiality agreements, or industry standards. Personal Information includes name; alias; unique personal identifier; address; SSN or SIN; government ID number, passport number, driver’s license number, employee ID number, or other similar identification number; date of birth; characteristics of a protected class; education information; income; financial account information; health information; geolocation; online account user name and password; IP address; email address; internet or network activity, including, but not limited to browsing history, search history, and information related to interacting with websites, applications, or advertisements; or any information provided by an individual in connection with providing a product or service to that individual or in the course of the individual’s employment or application for employment, unless that information is otherwise publicly available. Personal Information may also be known or referred to as “non-public personal information,” “NPI,” “personally identifiable information,” or “PII.” Personal information does not include publicly available information which is lawfully made available to the general public from federal, state, or local government records.
“Sensitive Personal Information” is Personal Information about which individuals have a higher expectation of privacy because of the harm its unauthorized use or disclosure may cause. Sensitive Personal Information includes: (i) social security number, (ii) financial account number, credit or debit card number, or financial account password, personal identification number, or other access code (iii) driver’s license number or non-driver government ID number, (iv) student, military, or tribal ID number (v) individual taxpayer ID number, (vi) passport or visa number, (vii) date of birth, (viii) the maiden name of the individual’s mother, (ix) a birth or marriage certificate, (x) an individual’s digitized or electronic signature, or private key that is unique to an individual and used to authenticate or sign an electronic record, (xi) shared secrets or security tokens that are known to be used for data authentication, (xii) biometric data, or (xiii) health or medical information, including health insurance information or information relating to payment for the provision of health care to an individual. A username, unique identifier, or email address, in combination with (i) any security code, access code, or password, (ii) security question and answer, or (iii) other numbers or information that would permit access to an individual’s online account or financial resources, is also Sensitive Personal Information, whether with a person’s name or other identifier, or in isolation.
“Privacy Incident” is any loss or unauthorized access or disclosure of Personal Information (as defined above) maintained by CTIC in either electronic or physical formats, whether intentional or inadvertent. A Privacy Incident can also be known or referred to as an information security incident or a data breach or breach of security safeguards.
Examples:
Electronic Privacy Incident – A Privacy Incident involving electronic Personal Information can include, but is not limited to:
• computer virus infection,
• hacker break-in,
• business email compromise,
• improper disclosure of electronic confidential information to others,
• misdirected email, or
• a lost, misplaced or stolen external media device, laptop, or mobile phone.
Physical Privacy Incident – A Privacy Incident involving physical Personal Information can include:
• a lost or misplaced briefcase or file folder,
• a lost package by a mail carrier or delivery service,
• improperly destroyed documents by a disposal vendor, or
• an office or storage facility break-in.
These examples are not all-inclusive, representing a limited number of potential Privacy Incidents. If any loss or unauthorized access or disclosure of Personal Information is suspected, it should be considered a Privacy Incident.
4. Authority and Precedence
If there is any conflict between this Policy and any other policy that applies to CTIC, the terms of this Policy control. Other policies may be applicable in addition to this Policy, so long as the protections provided by the other policies are at least as, or more restrictive than, the protections set forth in this Policy.
5. Responsibilities
The CTIC Corporate Compliance Department is responsible for the implementation and monitoring the effectiveness of this Policy.
6. Permitted Access/Correction to Personal Information
CTIC’s Privacy Statement allows individuals to request, in writing, access and update or correct their own Personal Information in CTIC’s possession. Upon receiving such a request from an individual, you must contact the Privacy Officer at 1-877-526-3232 and you must contact the Canada Corporate Compliance Department at privacy@fnf.ca and assist with the request if asked to do so by the Corporate Compliance Department. If the Corporate Compliance Department does not permit an individual to access or correct their Personal Information, the Corporate Compliance Department will inform the individual directly of the reasons for the refusal and document those reasons.
Quebec Law 25 (formerly known as Bill 64) provides that:
• upon request, CTIC must communicate to Quebec residents, in a structured and commonly used technological format, computerized personal information CTIC has collected from them;
• this communication may also be made to a person or organization authorized to collect the information, at the request of the applicant;
• if the applicant is handicapped, reasonable accommodation must be provided on request to
enable the person to exercise the right of access provided;
• CTIC may request a reasonable fee for the transcription, reproduction or transmission of the data; and
• CTIC must transfer the data within 30 days of a request.
The California Consumer Privacy Act (CCPA) is a comprehensive privacy law that provides California residents with rights related to the collection and use of their personal information even if located outside of either California or the United States. Please refer to the California Privacy Policy found here: https://fnf.com/pages/californiaprivacy.aspx.
For a description of the individual rights response process, see the CTIC Privacy Statement. If you have any questions regarding access requests, contact:
Privacy Officer
Chicago Title Insurance Company
100- 55 Superior Boulevard
Mississauga, ON
L5T 2X9
1.877.526.3232
7. Contact
For more information on this Policy or any related policy and/or practice, contact the Chicago Title Insurance Company Corporate Compliance Department at privacy@fnf.ca.
8. Statement of Confidentiality
The information contained in or supplied with this document, in its entirety, is the confidential and proprietary information of Fidelity National Financial, Inc., its affiliates and/or subsidiaries (collectively, “FNF”), and it may not be copied by or disclosed to any person or entity (other than to the intended recipients), without the prior written consent of FNF.
