Technology has dramatically increased the amount of consumer data collected and used by businesses. Several recent high profile data breaches, coupled with a high rate of identity theft crime has made data security and consumer privacy a hot issue for policymakers in Washington.
REALTORS® strongly support efforts to protect consumers' sensitive personal information. The REALTOR® code of Ethics and Standards of Practice explicitly acknowledge a REALTOR's® obligation to preserve the confidentiality of personal information provided by clients in the course of any agency or non-agency relationship—both during and after the termination of these business relationships. REALTORS® support for data protection measures is also bolstered by their day-to-day business activities where they see first hand the damage that identity theft can do to a family's ability to rent an apartment or buy a home. This resource will provide REALTORS® with current information on policy efforts underway in Washington to regulate data security and consumer privacy.
NAR aims to educate real estate associations, brokers, agents, and multiple listing services about the need for data security and privacy; and to assist them in complying with legal responsibilities. NAR offers a toolkit that provides information about state laws and pending federal regulations regarding data security and privacy protection that may aﬀect your business. In regards to compliance, the toolkit includes various checklists of issues to consider when drafting a security program tailored to your business’s needs. There is no one-size-ﬁts-all approach to security and compliance, but NAR aims to provide your real estate business with the tools necessary for developing a program that best suits your business.
What is the fundamental issue?
Public concern about the confidentiality of personal medical, financial and consumer data has put pressure on policy makers to increase regulation on the uses of this information. The recent popularity of marketers to use online advertising targeted to individual consumers has also concerned members of Congress. With the recent data breaches of large retailers, a number of privacy and data security bills have been introduced in Congress. Many of these measures will likely: apply privacy regulations to both online and offline data collection, storage and flow; require privacy notices and impose other information safeguards.
I am a real estate professional. What does this mean for my business?
Real estate professionals collect, store and share a great deal of consumer information. Often, the collected data is of a sensitive financial nature. The current proposals for comprehensive privacy legislation would require nearly all real estate professionals and REALTOR® Associations to comply with the new rules. NAR is working to ensure that any future privacy law takes into account the burden on small businesses and is narrowly tailored to reduce its impact on members.
Of note is the recent trend in email fraud targeting homebuyers who are approaching closing. Fraudulent emails appearing to come from a trusted source (agent, title company) instruct the buyer to wire funds to a fraudulent account. This scam further heightens the need for REALTORS® and their clients to pay attention to data security.
NAR recognizes the importance of protecting client data entrusted to them and supports common sense data privacy and security safeguards that are effective but do not unduly burden our members’ ability to efficiently run their businesses. Proposed regulations must be narrowly tailored to avoid burdening businesses, especially small businesses that lack the resources available to larger entities.
NAR Data Privacy & Security Principles
REALTORS® recognize that as data collection continues to become a valuable asset for building relationships with their clients, so does their responsibility to be trusted custodians of that data. Consumers are demanding increased transparency and control of how their data is used. For this reason, REALTORS® endorse the following Data Privacy and Security principles:
Collection of Personal Information Should be Transparent
REALTORS® should recognize and respect the privacy expectations of their clients. They are encouraged to develop and implement privacy and data security policies and to communicate those policies clearly to their clients.
Use, Collection and Retention of Personally Identifiable Information
REALTORS® should collect and use information about individuals only where the REALTOR® reasonably believes it would be useful (and allowed by law) to administering their business and to provide products, services and other opportunities to consumers. REALTORS® should maintain appropriate policies for the, reasonable retention and proper destruction of collected personally identifiable information.
REALTORS® should maintain reasonable security standards and procedures regarding access to client information.
Disclosure of Personally Identifiable Information to Third Parties
REALTORS® should not reveal personally identifiable data to unaffiliated third parties unless: 1) the information is provided to help complete a consumer initiated transaction 2) the consumer requests it; 3) the disclosure is required by/or allowed by law (i.e. investigation of fraudulent activity); or 4) the consumer has been informed about the possibility of such disclosure through a prior communication and is given the opportunity to decline (i.e. opt-out.)
Maintaining Consumer Privacy in Business Relationships with Third Parties
If a REALTOR® provides personally identifiable information to a third party on behalf of a consumer, the third party should adhere to privacy principles similar to the REALTOR® that provide for keeping such information confidential.
Single Federal Standard
NAR supports a single federal standard for data privacy and security laws in order to streamline and minimize the compliance burden.
NAR supports the approach taken by Senator Warner (D-VA) in his 2016 discussion draft. That draft bill:
- Covers all entities handling sensitive information – there are no exemptions for banks, telcos, third parties, etc.
- The scope of the bill is appropriate:
- A breach of security is the acquisition of data (not access or acquisition);
- Sensitive account/personal information are narrowly defined terms (not expansive);
- The trigger for notice is risk-based (requiring what is defined as financial harm).
- Has reasonable data security standards for non-banks;
- Has enforcement by banking regulators for banks, and by FTC for non-banks;
- Has equivalent enforcement by all banking regulators and the FTC, with requirement that the agencies coordinate on equivalent enforcement and penalties; and
- Gives all covered entities the benefit of solid preemption of state and common law.
Finally, NAR has developed an educational toolkit for members and has developed an online training course available through REALTOR® University. To view the toolkit visit: www.nar.realtor/law-and-ethics/nars-data-security-and-privacy-toolkit
Federal Technology Policy Committee
We've already done the research for you. References (formerly Field Guides) offer links to articles, eBooks, websites, statistics, and more to provide a comprehensive overview of perspectives. EBSCO articles (E) are available only to NAR members and require a password.
What does data privacy and security mean in today's world?
Data Security and Privacy Toolkit - This Toolkit provides information about state laws and pending federal regulations regarding data security and privacy protection that may affect your business.
Enhance Your Brand & Protect Your Clients with Data Privacy & Security - This Data Security and Privacy Course aims to educate real estate associations, brokers, agents, and multiple listing services about the need for data security and privacy; and to assist them in complying with legal responsibilities.
Video: Window to the Law: Creating a Cybersecurity Program – Learn about the steps to follow when implementing a cybersecurity plan from NAR Senior Counsel Finley Maxson.
Topic: Social Media - NAR topic page providing background information on concerns with various popular social media sites, and including tips and suggestions to protect privacy and identity.
3-Hour Safety Course for REALTOR® Associations - This course is an essential primer on how real estate professionals can limit risk to preserve safety and facilitate positive business outcomes.
Are You & Your Data an Easy Target?
Safety expert Andrew Wooten provides tips on how to keep you and your data safe while at the office. Topics covered in this free NAR webinar include workplace personal safety, how to keep your office from becoming exposed to risk, and how to create an office plan with safeguards.
Identity Theft: Protecting You & Your Clients
The second in the series of NAR's REALTOR® Safety Webinars led by industry expert Andrew Wooten, "Identity Theft: Protecting You and Your Clients," offered several suggestions and precautions you should take to keep your personal information and property secure, and what you should do if you are a victim of identity theft. The session also provides great information to can share with your clients, including brief instructions on how to keep your clients' information protected.
Social Media & Cyber Safety
In this session, safety expert Andrew Wooten, provides social media and cybersafety safety tips. Learn how today's criminals are using your social media information for illegal activities, and discover how you could be tracked through geotags.
Tools for REALTORS®
What are your legal obligations? Where can you find the latest information about the laws?
NAR Principles: REALTOR®-endorsed data privacy and security principles regarding personal information
Internet Security Best Practices: NAR’s Member Support three-part report recommending a number of security practices to help keep REALTORS® and their business safe online.
FTC Data Security Best Practices: Rules and guides for businesses of any size.
FTC: Privacy Initiatives: A comprehensive listing of compliance resources, including Data Security, from the FTC, categorized by line of work.
FTC: Avoid ID Theft: Detailed information to help consumers deter, detect, and defend against identity theft.
FTC Data Security Best Practices: Free resources to help businesses securely collect, keep, and dispose of sensitive personal information of customers or employees in their files.
Safety Program Reimbursement Grant: The goal of the NAR Safety Program Reimbursement Grant is to provide funding assistance to state and local REALTOR® Associations to help implement a Safety Program or feature for their members, and to encourage ongoing awareness of REALTOR® Safety.
Man to Man: You’re Just as at Risk (REALTOR® Magazine, July 2015)
Have an idea for a real estate topic? Send us your suggestions.
The inclusion of links on this page does not imply endorsement by the National Association of REALTORS®. NAR makes no representations about whether the content of any external sites which may be linked in this page complies with state or federal laws or regulations or with applicable NAR policies. These links are provided for your convenience only and you rely on them at your own risk.