Does your state have data security laws that your association must follow? Does your state regulate what businesses must do in the event of a security breach? Does your state have laws requiring you to properly dispose of personal information or implement a written data security program? It very well could.
Currently, 46 states, the District of Columbia, Puerto Rico, and the Virgin Islands have laws setting requirements that a business must follow if it experiences a security breach. Twenty-nine states have laws regarding how a business or government entity must maintain and properly dispose of personal information. And several of these state laws also require businesses that collect personal information to create and implement written data security programs.
Who knew? Apparently, not many members of NAR. In spring 2010, NAR’s government affairs department surveyed brokers and agents about their data security practices and discovered that 83 percent of members didn’t know whether data security or privacy laws existed in their state. Fewer than half of those surveyed said their business maintained a data security policy that addressed the protection or destruction of such information, commonly referred to as “personally identifiable information.”
The definition of personally identifiable information varies by state, but in general refers to an individual’s name in combination with any one or more of the following: (a) Social Security number; (b) driver’s license number or state identification card number; or (c) financial account number (or credit or debit card number). Some states also include medical information and health insurance information in the list; others exclude encrypted data from the definition.
Does your association collect members’ credit card numbers or bank account information for payment of educational courses or RPAC contributions? Does it maintain employees’ Social Security numbers or driver’s license numbers? If so, you may be subject to a state law regarding your use and protection of that information.
Also, note that many of the state laws apply to any entity maintaining personal information about a resident of its state—regardless of whether the entity is physically located there. For example, if your association is located in Vermont but you maintain personal information about Massachusetts residents, you are required to adhere to Massachusetts’ law regarding that personal information. Therefore, it is important to know not only your own state laws regarding data security and privacy, but also the laws of the states where your employees and members reside.
Acknowledging a need to increase awareness on this issue, NAR created the Data Security and Privacy Toolkit. This kit aims to educate real estate associations, brokers, agents, and multiple listing services about the need for data security and privacy, and assist them in complying with legal responsibilities. The kit is available for free on nar.realtor (REALTOR.org/technology/crt_secure/realtor_secure_resources), among other places.
Although there is no one-size-fits-all approach to security and compliance, NAR aims to provide associations with the tools necessary for developing a tailored program. NAR’s Data Security and Privacy Toolkit begins by explaining the importance of data security and privacy and providing references for researching state laws that may apply to your association regarding the collection, protection, and/or destruction of personally identifiable information.
Following five key principles set forth by the Federal Trade Commission for businesses to follow when creating a data security program, NAR’s toolkit advises that associations:
- Take stock. Know what personal information you collect as well as what you maintain in your hard-copy files and on your computer systems.
- Scale down. Keep only personal information that is necessary for a legitimate business purpose.
- Lock it. Protect the personal information you need to keep by taking proper physical and elec-tronic security measures.
- Pitch it. Create and follow a document retention policy so that you properly dispose of the personal information when it is no longer needed.
- Plan ahead. Create a plan to respond to security incidents and educate your staff on how to implement the plan.
The toolkit is full of detailed checklists and -model policies that will help your association implement these best practices for securing personally identifiable information. It also contains information regarding privacy policies, explains why they are effective, and discusses how to draft a policy that suits your association.
Although the security and privacy of personal information is currently regulated at the state level (or not at all, in a few states), it is likely that federal privacy legislation will be passed in the near future. Therefore, the old adage “there’s no time like the present” is probably a good way to think when it comes to making your association compliant in this area.
---Katherine Raynolds is an association counsel with the National Association of Realtors® in Chicago. She can be reached at 312-329-8372 or firstname.lastname@example.org.