Data Security Heats Up: Are You Ready?
Last year a Massachusetts real estate brokerage
and property management company was hit with a
$15,000 civil penalty by the state. The reason? The
laptop of one of its employees, containing unencrypted data on hundreds of the company’s customers, was stolen from the employee’s car. Although
there was no indication that data was used for any
unauthorized purpose, state law requires businesses
to encrypt personal information when it’s on a laptop or mobile device. As a result of the breach, the
state required the company to train its employees on
personal information would again be stored unnecessarily on laptops or mobile devices; and encrypt
any personal data that must be kept on a laptop or
other mobile device.
Data security and privacy protection laws vary
by state, but with concerns over data breaches heating up across the country, the number of penalties
like this one is likely to rise. Whether you’re a
brokerage owner or a salesperson, have
you done enough to keep from landing on the wrong side of a data
breach charge? Based on a 2010
NATIONAL ASSOCIATION OF
REALTORS® survey, the answer
is probably not. The report
showed that 52 percent of brokers didn’t have a data security
and 58 percent of sales associates had no idea whether or not
their broker had a policy.
Almost 85 percent of respondents didn’t know
what their state required
them to do in the event of
a data breach.
Data security and
privacy issues could well
move to the front burner
on Capitol Hill this year.
Several bills were introduced during the last legislative session, including
The Commercial Privacy
Bill of Rights Act, which
would set minimum standards for disclosing what
data you collect and for what purposes. Another, the
Data Security and Breach Notification Act, focuses
on the data protection side on behalf of consumers.

Melanie Wyne is NAR senior
policy representative on
She can be reached at

There’s no need to wait for lawmakers to pass new
measures. Using the NAR Data Security and Privacy Toolkit, you can create your own security and
privacy system. The kit will help you draft a program
that follows best practices while meeting the needs
of your business. Access it on REALTOR.org by
searching for “data security toolkit” (login required).
Know the Laws. The toolkit contains a list of
laws by state that require notification of security
breaches involving personal information. More than
half the states also have laws on how to properly dispose of data in order to protect an individual’s privacy. Those are listed as well.
be posted on your Web site. Among other things, the
use as a template. But you shouldn’t rely exclusively
on that; you’ll want to bring in an attorney or other
expert to help you tailor your policy in accordance
with your state laws and specific business situation.
Take Inventory and Purge. Take time to
conduct an inventory of what you’re collecting and
why you’re collecting it. Then pare down your data
needs to a minimum, and aim to keep what you’ve
collected for the shortest span of time necessary. If
you obtain a client’s bank account number in the
course of a transaction, delete the number from your
records once the transaction is closed and you no
longer have an essential business reason to hang onto
it. The fewer pieces of sensitive data you possess, the
Visit the FTC Web site. Check your policies against a set of best practices from the Federal
Trade Commission (www.ftc.gov/infosecurity). These
include the need to create clear, written security
policies and lock up what you collect (both digitally,
using firewalls and passcodes, and physically, within
filing cabinets). By following the FTC’s recommendations, you’ll have your system covered.