In 2010, the National Association of Realtors (NAR) conducted a survey to investigate the data security practices of its members. The organization found that more than 80 percent of respondents didn’t know whether their state upheld data security or privacy laws. And “fewer than half” maintained a data security protocol to protect their clients’ “personally identifiable information” (PII) – the kind of information that is affected by data security legislation.
These numbers are scary, especially because Verizon’s recent Data Breach Investigations Report found that nearly 80 percent of data breach victims were “targets of opportunity” with “exploitable weaknesses,” such as unsophisticated or nonexistent security measures.
The term “cyber liability risk” refers to the possibility that your business’s electronic information may find its way into the hands of an unauthorized individual.
Real estate agents are particularly susceptible to data breaches – and not just because, like many small-business owners, they tend to underestimate their cyber liability risk. Below are some of the top cyber liability risks for real estate agents:
Risk 1: Cyber Crime
Real estate agents handle a variety of personally identifiable information on a daily basis, which puts them at risk for cyber crimes like hacking, phishing, and malware. The legal definition of PII varies from state to state, but it usually includes a person’s name and one or more of the following:
- Driver’s license / state identification card number. A real estate agent might record this information when working with new clients as a safety precaution. It’s also not uncommon to write down a client’s driver’s license number when accepting personal checks as payment.
- Social Security number. Real estate agents might need this information from a client in order to complete a short-sale transaction or to conduct credit checks. Additionally, Social Security numbers are often found in closing statements and other mortgage documents.
- Bank account / credit / debit card number. Credit and debit card numbers are often used when clients make payments for appraisals, inspections, and other services. Bank account information might also be included in closing statements and other mortgage documents.
The fact is, real estate agents can’t do their jobs unless they collect personal information from their clients. It cannot be stressed enough that the type of data real estate agents use is exactly the kind of information cyber criminals seek.
Real estate agents need to be particularly careful when storing – and disposing of – these records.
The Fair and Accurate Credit Transactions Act (FACTA) of 2003 details the proper (and legally required!) procedure for disposing of data-containing records, which includes shredding, incineration, and/or the use of software that can wipe information from a hard drive and prevent its restoration.
Risk 2: Data Loss from Stolen Devices
Historically speaking, the real estate industry has not been a target of cyber crime – at least not like the healthcare, retail, and financial services industries. But when it comes to small businesses, data breaches are becoming more commonplace across the board.
For their part, real estate agents in the digital age must rely on mobile devices and web apps to communicate with clients and maintain their schedules, contact database, listing contracts, financial documents, and other records.
Electronic devices like phones, tablets, and laptops can be physically stolen. And if PII isn’t encrypted, anonymized, and otherwise secured, information on those devices can also be stolen.
According to “Cyber and Data Security Risks and the Real Estate Industry,” a report published by the American International Group (AIG), “80 percent of data breaches reported in 2012 happened to organizations that did not rely on the Internet as a core piece of their business.” Meaning: data loss happened offline, because physical devices were stolen.
The AIG report goes on to explain that the 2010 study found that:
- 46 percent of lost laptops contained confidential data.
- Only 30 percent of those laptop systems were encrypted.
- Only 10 percent of those systems included anti-theft technologies.
Translation? It’s time to back up your data. Now.
Risk 3: Data Breaches
Because it’s often so simple and cost-effective, many small businesses in the real estate industry outsource their information storage and maintenance to third parties. When real estate firms do this, it’s easy to assume that the burden of data protection is no longer in their hands.
Unfortunately, that’s rarely the case. In fact, using a third-party IT service can expose your real estate firm to additional cyber liability risks. According to the AIG report, 63 percent of incidents in 2013 were linked to “security deficiencies” in third-party IT…
- System administration.
Read on to learn how real estate agents can reduce their cyber liability risk and protect themselves from the costs of a data breach.
Real Estate Agents: Manage Cyber Risk with Cyber Liability Insurance and Data Protection Protocols
There are two major ways real estate agents can manage cyber risk: Cyber Liability Insurance and a data protection protocol.
Cyber Liability Insurance (sometimes called Cyber Risk Insurance) is a small business insurance policy that helps real estate agents pay for the high cost of recovering from a data breach. Since it’s impossible to retrieve lost data, this policy works by helping your real estate firm pay for damage control measures: notifying clients, launching a PR campaign to restore your image, etc.
But Cyber Liability Insurance can’t prevent data breaches. To reduce your exposure, the NAR recommends that you and your employees implement this “five steps toward achieving data security” approach:
- “Take Stock.” Take inventory of the sensitive information you use, where it comes from, how it’s received and stored, and who has access to it.
- “Scale Down.” Determine whether it’s necessary to collect all the info you currently use. If you have information that you no longer need, the NAR recommends that you securely dispose of it. For info you need to keep, the NAR recommends developing a “document retention policy” that details the type of information you keep, how to secure it, how long to keep it, and how to properly dispose of it once it’s no longer of use.
- “Lock It.” Develop a protocol for securing sensitive data with basic protections such as encryption, passwords, and firewalls (the NAR offers a guide for doing this).
- “Pitch It.” Once a protocol has been developed, it needs to be implemented and used throughout your firm. Before you do this, it might be a good idea to have it reviewed by legal counsel. Employees should be trained on the protocol and made aware of any changes. Your protection plan should be regularly reviewed in order to evaluate its effectiveness.
- “Plan Ahead.” In the event that your data protection protocol fails, have additional documentation in place that outlines post-breach procedures, such as notifying clients. It may also include templates of privacy policies and data-breach notification letters.
Not only is it good business for real estate agents to protect client data, it’s often the law. The NAR reported on the Data Security and Breach Notification Act of 2013 in June, noting that in most states, the new law would “require covered entities to take ‘reasonable measures’ to protect and secure data in electronic form containing ‘personal information.’”
And if, for example, a real estate business did not take these measures, then that business would be responsible for notifying clients of the data breach.