Five Steps Towards Achieving Data Security
In this digital economy, trust has taken on new dimensions that impact how real estate professionals collect, share, and most importantly, protect the information they use in their businesses. It is important, and in many states legally required, for brokers and agent to implement and maintain reasonable safeguards that protect the security, confidentiality, and integrity of personally identifiable information.
The National Association of REALTORS® recommends five steps toward achieving that goal:
- Take Stock
- Scale Down
- Lock It
- Pitch It
- Plan Ahead
Step One: Take Stock
Brokers and agents collect personal information for a variety of reasons such as:
- Social Security numbers for credit checks on renters or to complete a short sale transaction
- Bank account and Social Security numbers contained in mortgage documents and closing statements
- Personal checks given as earnest money
- Credit card information to make various payments for inspections or appraisals
- Drivers’ license numbers as a safety precaution when agents leave the office with new clients
The first step toward protecting personal information is finding out what type of information your business maintains. Write down the answers to the following questions:
- Who sends personal information to your business?
- How does your business receive personal information?
- What kind of information does your business collect?
- Where does your business keep the information you collect?
- Who has (or could have) access to the information?
Step Two: Scale Down
After you’ve taken stock to determine what personal information you collect, it’s time to consider whether or not you need to continue collecting it in the future.
Here's the rule:
- If you do not have a legitimate business need for the personally identifying information – then don’t collect it. If there is a legitimate business need for the information, then keep it only as long as it’s necessary. Once that business need is over, then properly dispose of it.
- If you must keep information for business reasons or to comply with the law, then develop and adhere to a document retention policy to identify what information must be kept, how to secure it, how long to keep it, and how to dispose of it securely when you no longer need it.
Step Three: Lock It
After you've taken stock and scaled down the amount of information you collect, you should take steps to ensure that the information is secured and protected from unauthorized access. Write down the answers to the following questions:
- What kind of physical security do you use to protect personal information?
- How are your paper records and files protected from unauthorized access?
- What kind of electronic security do you use to protect personal information?
- How are your computer and wireless networks protected from unauthorized access?
- Do you use encryption, password protection, or firewalls to protect personal information?
- How will you detect a breach of security?
- How do employees, independent contractors, and service providers know what their responsibilities are with regard to protecting your business’s personal information?
Step Four: Pitch It
After you've taken stock, scaled down, and taken steps to secure the personal information your business collects, it's time to implement a document retention policy. Adopting and following a document retention policy will likely reduce your risk of violating data security laws. NAR's Data Security and Privacy Toolkit provides guidance on how to create a documentation retention policy that is right for your business and describes more fully each of the following steps for creating the policy:
- Identify the sources and types of information your business maintains.
- Determine what policies, if any, are currently governing your document retention practices.
- Evaluate those existing policies.
- Draft a policy that includes time limits for retention of specific types of documents and assigns responsibilities to specific individuals.
- Have the policy reviewed by legal counsel.
- Distribute the policy and make sure it is being followed by employees and independent contractors.
- Plan to review the policy periodically to make sure it is still relevant.
Step 5: Plan Ahead
Most states have enacted laws that require a business to keep personal information secure and to notify individuals in the event that security is breached. It is advisable, and potentially legally required, for you to have a written data security program in place and a policy that addresses what to do in the event of a breach.
NAR's Data Security and Privacy Toolkit contains detailed information and sample policies that will help you implement a data security program that is tailored to your business.
The Toolkit includes:
- Checklist for implementing a data security program
- Model written data security program created by the Massachusetts Association of REALTORS®
- Checklist for responding to a data security breach
- Sample breach notification correspondence
- Sample privacy policies
Members can access the full Data Security and Privacy Toolkit here.