National headlines have borne bad tidings of one massive data breach after another in recent years. Judging from the news, it might seem that cybercriminals have their sights set exclusively on massive retail chains, international hotels, and health care giants. This is far from reality. In 2015, small to midsize businesses made up more than 60 percent of cyberattack victims nationwide. Why would cybercriminals bother with the little guys such as real estate brokerages or even REALTOR® associations?
Big-name breaches make good headlines, but smaller businesses make easy targets for online criminals. This is partly because many small-business owners believe they are “below the radar” for cybercrime and thus fail to implement safety measures to protect themselves from attack. Unfortunately, cybercriminals understand this misperception all too well and are taking active and lucrative advantage of it.
The repercussions of a cyberattack can be devastating. Beyond ruined transactions, long-term reputation damage, and lawsuits filed by angry clients or members, victimized businesses may also face government action, resulting in fines and other sanctions. Today, most states have enacted laws requiring businesses to take certain measures to safeguard sensitive data in their possession. Although it would be impossible to address every state law here, most states require businesses, including REALTOR® associations, to implement one or more of the following practices.
Maintain a data security policy (and follow it)
A data security policy (also known as a Written Information Security Program, or WISP) provides a road map for creating effective technical, administrative, and physical safeguards for the protection of sensitive or confidential information in a business’s possession, including personally identifiable information, or “PII.” The definition of PII varies from state to state, but usually consists of a person’s first name (or first initial) and last name with one or more other elements, such as a full date of birth, signature, Social Security number, or state-issued identification number. For guidance on creating and implementing a WISP, refer to the “NAR Data Privacy and Security Toolkit” on nar.realtor.
Maintain a document retention and destruction policy (and follow it)
A document retention and destruction policy sets appropriate time frames for retaining certain categories of documents and dictates the proper safeguarding and disposal of those documents. The NAR Data Privacy and Security Toolkit offers guidance on creating and implementing a document retention and destruction policy.
Notify affected parties of a security breach
Several states require businesses to notify any potentially affected party when they experience a data breach that exposes, or could reasonably be assumed to have exposed, personally identifiable information. Most laws requiring such notification also require the breached business to take steps to remediate any injuries resulting from the breach.
Use tech to safeguard personally identifiable information
Some states, including California and Massachusetts, mandate that businesses take “reasonable” measures to safeguard such information in their possession. These measures may include implementing certain technology-based protections, such as maintaining appropriate firewalls and password controls.
It is ultimately up to each business, working with its counsel, to ensure that it is in compliance with all applicable laws concerning data protection. However, regardless of whether a business is required to implement the practices highlighted above, REALTOR® associations and brokerages should seriously consider adopting all these measures as an integral part of their core best practices.
Federal oversight on the horizon
Most cybersecurity laws applicable to the real estate industry, such as those above, are currently only state-mandated because Congress has yet to pass comprehensive cybersecurity legislation nationwide. Nonetheless, the Federal Trade Commission is homing in on lax cybersecurity business practices across the board and is taking action against companies under its authority to protect consumers from “unfair and deceptive business practices.” For example, in 2014 the FTC filed suit against Wyndham Worldwide Corp., alleging that the hospitality company did not take reasonable measures to protect hotel guests’ personally identifiable information. Although the case ultimately settled, the takeaway is this: Companies that fail to provide reasonable protections for their clients’ online data are exposing themselves to federal and state legal action.
Data security laws apply to your association
The National Association of REALTORS® continues to publish materials to help educate our industry about cybercrime and data protection (search “cybercrime” on nar.realtor). It is critical to remember that data security laws apply not only to our broker members, but to state and local REALTOR® associations as well. As such, beyond educating their members on cybersecurity best practices, associations themselves should implement appropriate security measures in house.
Note: Always work in collaboration with your local counsel in preparing and updating cybersecurity-related policies and programs. For guidance, visit the NAR Data Security Toolkit and the “Window to the Law - Cyber Scams and the Real Estate Professional,” both at nar.realtor.
Have You Overlooked Security on Your Smartphone?
Most AEs’ tablets and smartphones are for both work and personal use. Apps for accessing files on your office PC sit alongside games and fitness trackers. In fact, more sensitive data about you and your work (passwords, credit card numbers, contacts, messages, e-mail) is accessible from your mobile device than any other piece of technology you have.
Protect it by following these tips.
- Enable your device’s screen lock and change the PIN regularly. Add a more complex lock to your device with apps such as Google Authenticator, Authy, or LastPass Authenticator.
- Experts advise against saving passwords at individual sites, such as Amazon or Chase, because they can become saved deep in your phone’s memory. Instead, use an app designed specifically for saving passwords, such as Dashlane.
- Update all your apps regularly. Updates provide needed security patches.
- Know and regularly review your phone’s security and permission settings. Have you given Facebook permission to access your e-mail contacts?
- Use public Wi-Fi with caution. When you’re on a café’s public Wi-Fi, for example, the café has access to everything you transmit, from text messages to data.
- Only download apps from a known app store to avoid apps filled with dangerous pieces of malware that could steal your sensitive data.
Jessica Edgerton is an associate counsel at the National Association of REALTORS®. Contact her at 312-329-8373 or firstname.lastname@example.org.