In 2012 a Massachusetts real estate brokerage and property management company was hit with a $15,000 civil penalty by the state. The reason? The laptop of one of its employees, containing unencrypted data on hundreds of the company's customers, was stolen from the employee's car.
Although there was no indication that the data was used for any unauthorized purpose, state law requires businesses to encrypt personal information when it’s on a laptop or mobile device. As a result of the breach, the state required the company to train its employees on its data security and privacy policy; ensure that no personal information would again be stored unnecessarily on laptops or mobile devices; and encrypt any personal data that must be kept on a laptop or other mobile device.
Data security and privacy protection laws vary by state, but with concerns over data breaches heating up across the country, the number of penalties like this one is likely to rise. Whether you’re a brokerage owner or a salesperson, have you done enough to keep from landing on the wrong side of a data breach charge? Based on a 2010 National Association of Realtors' survey, the answer is probably not. The report showed that 52 percent of brokers didn't have a data security and privacy policy in place, and 58 percent of sales associates had no idea whether or not their broker had a policy. Almost 85 percent of respondents didn’t know what their state required them to do in the event of a data breach.
Data security and privacy issues could well move to the front burner on Capitol Hill this year. Several bills were introduced during the last legislative session, including the Commercial Privacy Bill of Rights Act, which would set minimum standards for disclosing what data you collect and for what purposes. Another, the Data Security and Breach Notification Act, focuses on data protection on behalf of consumers.
There’s no need to wait for lawmakers to pass new measures. Using the NAR Data Security and Privacy Toolkit, you can create your own security and privacy system. The kit will help you draft a program that follows best practices while meeting the needs of your business.
Know the Laws
The toolkit contains a list of laws by state that require notification of security breaches involving personal information. More than half the states also have laws on how to properly dispose of data in order to protect an individual’s privacy. Those are listed as well.
Post Your Policies
Your privacy policy should be posted on your Web site. Among other things, the toolkit includes a model privacy policy that you can use as a template. But you shouldn’t rely exclusively on that; you'll want to bring in an attorney or other expert to help you tailor your policy in accordance with your state laws and specific business situation.
Take Inventory and Purge
Take time to conduct an inventory of what you're collecting and why you’re collecting it. Then pare down your data needs to a minimum, and aim to keep what you've collected for the shortest span of time necessary. If you obtain a client's bank account number in the course of a transaction, delete the number from your records once the transaction is closed and you no longer have an essential business reason to hang onto it. The fewer pieces of sensitive data you possess, the better.
Visit the FTC Web site
Check your policies against a set of best practices from the Federal Trade Commission. These include the need to create clear, written security policies and lock up what you collect (both digitally, using firewalls and passcodes, and physically, within filing cabinets). By following the FTC's recommendations, you’ll have your system covered.