Top cyber security risks for real estate agents
Realtors deal with plenty of data that hackers would like to get their hands on, such as customer bank accounts, Social Security numbers, and other important private information. Acquiring personally identifiable information (PII) can be a lucrative operation for scammers and prove to be very costly for any business that fails to protect customer data.
Getting hacked could result in a loss of reputation, lawsuits from angry customers, government fines, and even a temporary or permanent shutdown of your business.
A 2022 report by IBM Security put the average cost of a data breach at an all-time high of $4.35 million, with 83% of organizations studied having experienced more than one data breach.
The most common type of data breach was stolen or compromised credentials, which were responsible for 19 percent of data breaches, according to the report. These breaches took an average of 243 days to identify and another 84 days to contain. Phishing was the second most common cause, at 16 percent.
How do cyberattacks happen?
Human error continues to be a leading cause of data breaches. Verizon’s 2022 Data Breach Investigations Report stated 82% of breaches were caused by “the human element,” such as stolen credentials, phishing scams, and employees who failed to follow cybersecurity measures. Hackers exploiting a network’s vulnerabilities is another key factor.
Real estate agents are particularly susceptible to data breaches because of the information they handle as a part of real estate transactions. Many agents are small businesses that may lack the resources to adequately protect themselves.
It is critical for realtors to understand what top cyber risks look like, when they occur, and how to best avoid them.
Why are real estate professionals a target for cybercrimes?
Real estate agents handle a variety of personal information daily, which puts them at risk for cybercrimes like hacking, phishing, and malware. The legal definition of PII varies from state to state, usually in accordance with their respective data breach notification laws, but it typically includes a person’s name or first initial and one or more of the following pieces of information:
- Driver’s license / state identification card number. A real estate agent might record this information when working with new clients as a safety precaution. It’s also common to write down a client’s driver’s license number when accepting personal checks as payment.
- Social Security number. Real estate agents might need this information from a client in order to complete a short-sale transaction or to conduct credit checks. Additionally, Social Security numbers are often found in closing statements and other mortgage documents.
- Bank account / credit / debit card number. Credit and debit card numbers are often used when clients make payments for appraisals, inspections, and other services. Bank account information might also be included in closing statements and other mortgage documents.
The fact is that real estate agents can’t do their jobs unless they collect personal information from their clients. It cannot be stressed enough that the type of data that real estate agents use is exactly the kind of information that cybercriminals want.
Real estate professionals need to be particularly careful when storing or disposing of these records.
The Fair and Accurate Credit Transactions Act (FACTA) of 2003 details the proper (and legally required) procedure for disposing of data-containing records, which includes shredding, incineration, and/or the use of software that can wipe information from a hard drive and prevent its restoration.
What cybercrime risks do small businesses need to watch out for?
Failure to properly secure or dispose of confidential information can put a real estate business at risk of data theft through both physical and digital methods, including:
Data loss from stolen devices
The real estate sector has not historically been a target of cybercrime in the same way that the healthcare, retail, and financial services industries have been. When it comes to small businesses, however, data breaches are becoming more commonplace across the board.
For their part, real estate industry professionals must now rely on mobile devices and web apps to communicate with clients and maintain their contact database, schedules, listing contracts, financial documents, and other records.
Electronic devices like phones, tablets, and laptops can be physically stolen. If PII isn’t encrypted, anonymized, or otherwise secured, information on those devices can also be compromised.
Because it’s often so simple and cost-effective, many real estate companies outsource their information storage and maintenance to third-party service providers. Even a reputable storage provider could be at risk of being hacked, so it’s important to make sure you do business with a company that takes security seriously.
A phishing attack happens when cyber criminals use email links, text messages, and fraudulent social media posts to trick someone into clicking on a link or downloading an attachment that lets them access your computer systems and data.
Hackers might use this information to steal your identity as well as the identities of your clients and employees. Phishing also leaves you vulnerable to a ransomware attack.
Once hackers have compromised your network or computer, either through a cyberattack or phishing email scam, they could install software that lets them take over your entire system. They might use this to lock up your computers and demand a ransom to unlock them. They could also threaten to delete all your data or release it to the Internet unless you pay.
How can real estate businesses manage the risk of cyberattacks?
There are two major ways real estate agents can manage cyber risk: cyber liability insurance for real estate businesses and data protection protocols.
Cyber liability insurance (sometimes called cyber risk insurance) is a small business insurance policy that helps real estate agents pay for the excessive cost of recovering from a data breach. Since it may be impossible to retrieve lost data, cyber insurance helps your real estate firm pay for damage control measures, such as notifying clients, launching a PR campaign to restore your image, etc.
To reduce your exposure and avoid a cyberattack, the National Association of Realtors (NAR) recommends that you and your employees develop an information security program, as outlined in its Data Security & Privacy Toolkit [PDF].
Specifically, they recommend implementing the following measures in your program:
Perform a supply chain inventory of the sensitive information your business uses, where it comes from, how it’s received and stored, and which stakeholders have access to it.
Determine whether it’s necessary to collect all the info you currently use. If you have information that you no longer need, the NAR recommends that you securely dispose of it.
For info that you need to keep, the NAR recommends developing a “document retention policy” that details the type of information to keep, how to secure it, how long to keep it, and how to properly dispose of it once it’s no longer of use. For example, you could delete any banking or credit card information from customers once it’s no longer needed.
Develop a protocol for securing sensitive data with basic protections, such as encryption, passwords, and firewalls (the NAR offers a guide for doing this).
Any paper documents containing PII should be kept in a locked room or filing cabinet, with access limited to those who actually need this information.
To help bolster electronic security, real estate businesses should:
- Identify the computers and servers where PII is stored, and every means of accessing it.
- Assess the vulnerability of these systems to commonly known attacks.
- Encrypt sensitive information that you send to third parties over networks.
- Install cybersecurity programs (antivirus, anti-spyware, and anti-malware) and keep them updated. Consider using a firewall to protect your systems.
- Scan your computers and network on a regular basis for viruses, spyware, and malware.
- Require passwords that are frequently updated and consider using a password manager.
- Use two-step authentication for all access to your network, such as through a cell phone app or text; or use biometric data, such as a thumbprint.
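One way to carry out the "identify where PII is stored" step above is to scan a shared folder for the kinds of numbers this article lists. The Python script below is an added example, not taken from the NAR toolkit or from this article; its patterns, function names and sample text are assumptions constructed for illustration, and it only inspects files readable as text.

```python
import re
from pathlib import Path

# SSN written as 3-2-4 digits; skips areas never issued (000, 666, 9xx),
# group 00 and serial 0000 to cut false positives.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
# Card candidates: 13 to 19 digits, optionally separated by spaces or hyphens.
CARD_RE = re.compile(r"\b\d(?:[ -]?\d){12,18}\b")

def luhn_ok(digits):
    """Luhn checksum: separates real card numbers from order or phone numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                      # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def find_pii(text):
    """Return (kind, masked value) pairs; only the last four digits are kept."""
    hits = [("ssn", "***-**-" + m.group()[-4:]) for m in SSN_RE.finditer(text)]
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"\D", "", m.group())
        if luhn_ok(digits):
            hits.append(("card", "*" * (len(digits) - 4) + digits[-4:]))
    return hits

def inventory(root):
    """Map each file under root to the kinds of PII found in it."""
    report = {}
    for path in Path(root).rglob("*"):
        if not path.is_file():
            continue
        try:
            text = path.read_text(errors="ignore")
        except OSError:                     # unreadable file: skip, do not abort the scan
            continue
        kinds = sorted({kind for kind, _ in find_pii(text)})
        if kinds:
            report[str(path)] = kinds
    return report

# Constructed sample text (not real data): one SSN, one Luhn-valid test card
# number, and one 16-digit reference that fails the Luhn check.
SAMPLE = ("Closing statement: buyer SSN 123-45-6789, appraisal paid with card "
          "4111 1111 1111 1111, order ref 1234 5678 9012 3456.")

if __name__ == "__main__":
    print(find_pii(SAMPLE))
```

The report lists file paths and PII types only, so the inventory itself does not become another copy of the sensitive data.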
Dispose of it
Establish protocols for document retention and the proper disposal of personal information so it cannot be read or reconstructed.
The Federal Trade Commission (FTC) mandates the proper disposal of PII. The FTC’s Disposal Rule requires disposal practices that protect against unauthorized access to personal data. Paper records should be shredded or pulverized, while digital records could be permanently deleted by using wipe utility programs. Simply hitting the “delete” key is not enough.
You may wish to have your attorney examine your disposal policy, to make sure your procedures follow the data breach notification laws in your state. Have your employees fully trained on your security policies and review these protocols periodically to make sure they’re being followed. Consider refreshing employee knowledge with regular awareness training as well.
In the event that your data protection protocols fail, have additional documentation in place that outlines post-breach procedures and an incident response plan, such as notifying clients, and make sure your plan will fully comply with state and federal laws. Your plan may also include templates of privacy policies and data-breach notification letters.