Last year some big-name companies and organizations got hit by data breaches. LinkedIn comes first to mind. According to news reports, its system was breached and millions of account passwords were potentially compromised. eHarmony, the University of Nebraska, Yahoo! and many others were also in the news because of data breaches.
Congress has been looking at data security and privacy for years, and the Federal Trade Commission has done a lot of work on the issues, studying them and creating best practices for protecting against violations. But as of right now, for the most part, data security and privacy are issues mainly addressed at the state level, and virtually all states have some laws on the books.
Unfortunately, a survey NAR conducted in 2010 found that real estate brokers and sales associates are neither well-informed about these laws nor have in place anything close to a rigorous system for protecting against security breaches, or protecting customers’ privacy. (Security involves protecting sensitive information like bank account numbers from breach; privacy involves letting consumers know what you do with the information you collect and potentially giving them a chance to opt out.)
Of course, data security unpreparedness isn’t an issue unique to real estate. Surveys show most small and medium-sized businesses, regardless of industry, are equally in the dark about what to do.
Looking ahead to 2013, there’s a good chance Congress will look at data security and privacy issues anew and maybe even consider legislation that would create federal requirements that would have to be met by any businesses that collect names, numbers, and financial information.
Regardless of what lawmkers in Washington do, it’s clear that having measures in place is vital to your business. The good news is, you don’t have to start from scratch. NAR leaders in 2010 adopted a set of data security and privacy best practices, and in 2011 the association followed up with a toolkit, called the Data Security and Privacy Toolkit, that gives you a running start for taking action.
First, the toolkit introduces you to the types of information you collect that require protection. This is information like bank account numbers, Social Security Numbers, and credit card information—the kind of information you have when you hold onto clients’ good-faith offer checks and things like that.
Second, it lists what the most applicable law is in each state, so if you’re in, say, Arizona, you can look up the law—Ariz. Rev. Stat. § 44-7501—and bring it up on your computer. That way you’ll know what you need to do at a minimum to meet your state law.
And lastly, it shares the best practices that the Federal Trade Commission has developed for putting in place good safety procedures. Under the guidelines, you’re to 1) take stock of the data you collect, both digitally and in hard copy, 2) scale down so that you only collect and hold on to what you need, 3) lock it up, whether it’s digital data or hard-copy files, 4) pitch it—appropriately— if it’s unneeded information (“appropriately” is key, because disposal is a big way data thieves get information if you’re not careful), and 5) plan ahead so that you’re prepared in the event of a breach. That means know when to notify customers of a problem, what to say, and where to send them for more information.
Data security and privacy protection are matters that take you away from your primary business, but as the high-profile breaches in just the last year show, if you ignore these things for too long, bad consequences could be the result. The toolkit NAR prepared last year at a minimum should help you get started, and that’s not a bad thing if Congress acts to make security and privacy protection federal matters.