Implementing a data privacy and security program safeguards you, your clients and your professional reputation.
By Donna Shryer
A recent study performed by security appliance vendor FireEye and its security-consulting wing, Mandiant, analyzed real-world data from more than 1,216 organizations in 63 countries across more than 20 industries. The results sent an alarming message: 97 percent of all businesses surveyed experienced a data breach in 2014.
We used to hear about data breaches once or twice a year; now its monthly, stresses Melanie Wyne, senior technology policy representative at the National Association of REALTORS®. No one is immune, and its only a matter of time before those in our industry experience breaches themselves.
For real estate associations, brokers, agents and multiple listing services, its time to get serious about data security, including how to collect, share, protect and dispose of confidential data.
Tools for Security
Currently, no federal laws regarding data privacy apply to real estate associations or brokerages, unless a brokerage has a mortgage business or other financial affiliate, in which case the business would need to comply with the GrammLeachBliley Act (GLBA), Wyne says. Most states, however, have laws that require a business to keep personal information secure and to notify individuals if security is breached. To review your states regulations, visit the National Conference of State Legislatures (NCSL), www.ncsl.org, and search for security breach legislation. In addition, the National Association of REALTORS® Board of Directors is drafting a Code of Excellence to raise member awareness on key issues such as data protection and technology proficiency.
As legal issues and NARs Code of Excellence develop, you can jump-start a data security program by downloading the National Association of REALTORS® 2011 Data Security and Privacy Toolkit (www.realtor.org, then search data security toolkit). The toolkit takes you through the paces to create a system ideally suited for your business, including best practices and multiple checklists. Wyne suggests beginning on page 6, where youll find an overview of the Federal Trade Commissions Five Key Principles to a Sound Data Security Program.
Heres a quick look at the five points and what they mean.
1. Take stock: Know what personal information you have on file.
The definition of personal information varies from state to state, although generally its contact information, financial information, Social Security numbers and any data that can identify an individual. In our industry, were constantly collecting client information some of it sensitive, some not. And then we store all this data on paper, desktop computers, laptops, mobile devices, flash drives and disks, Wyne explains. The point is that we cant treat all data equally. Once you understand what youre collecting, where youre storing it and who else youre sharing it with, you can begin building a data security program that protects sensitive data.
2. Scale down: Keep only what you need.
REALTORS® often collect information thats technically not necessary to do their job, which means additional precautions must be taken to protect sensitive data. Joy Carter, CRS, broker associate with Keller Williams Realty in Coral Springs/Parkland, Florida, offers an example. On the contract it asks for the buyers Social Security number.
I never let a buyer fill in personal information at that point.
I leave that to the closing agent. And as an extra precaution, we warn our buyers that they will be receiving a call from the closer. We tell them who that closer is and that it is okay to give this person sensitive information. If someone has an identity issue, I dont want any action traced back to our team as an inappropriate behavior or action.
3. Lock it. Protect the information you keep.
Digital data should be encrypted when in transit or in storage. Encryption means that electronic plain text is converted into another form, called ciphertext, which cannot be easily read by anyone except authorized parties. Too many agents save their client data using insecure platforms like Dropbox and Google Drive, on off-the-rack storage devices or within their email. This gives anyone access with a little effort, says Nobu Hata, NARs director of digital engagement. Instead, Hata advises investing time and money in compliant transaction-based platforms, such as DocuSign Transaction Rooms. As for non-technical solutions to protect sensitive digital and paper documents, Carter recommends locked doors, locked files, password-protected digital devices and hours of document shredding.
4. Pitch it. Properly dispose of what you no longer need.
Step 1 (Take stock) is the key to step 4. If you understand what you do have, then its easier to figure out what you dont need. And if you dont need it, dispose of it, Wyne says. Paper records should be shredded, and digital data as well as emails can simply be deleted, provided everything is encrypted. For unencrypted sensitive data, which you should not have to begin with, consider investing in a digital file shredder program that permanently deletes files beyond recovery.
5. Plan ahead. Create a plan to respond to security incidents.
Should you or your business suffer a data breach, you want a plan in place to address the situation. NARs 2011 Data Security and Privacy Toolkit provides model policies and disclosure statements. Creating a plan should include revisiting your states laws concerning data breaches.
Carter suggests a sixth, common-sense step: The baseline here is how I want my personal information to be treated. I wouldnt give anything less to my clients.
Check out the recording of the recent CRS webinar Data Security and Privacy in Real Estate.
