The Dangers of Data Breach
By Jeanne McGlynn Delgado and Amy Jo Beranek, NMHC
Since 2005, data breaches have more than tripled as advances in technology have made the collection and sharing of information easier and more efficient. In 2011 alone, there were 558 reported U.S. data breaches resulting in the disclosure of personal information for more than 126 million people. As instances of data breach have skyrocketed, so have the costs; the Privacy Rights Clearing House estimates that data breach last year cost companies roughly $7.2 million per incident.
Nightmare scenarios look similar to Sony’s massive breach of its online video game network in 2011. That single breach led to the theft of names, addresses and credit card information of more than 100 million users and cost the company more than $171 million in damages. These frightening statistics led to 2011 being dubbed the “Year of the Data Breach.” However, increasingly smaller business operators are finding themselves facing similar issues, albeit on a more limited scale, as hackers and unscrupulous employees exploit weaknesses in their data and privacy systems.
Apartment owners and managers are particularly vulnerable to data breaches and the ensuing liabilities. They collect, use and maintain heaps of personal information through both renter and employee application processes, as well as other operational functions. Personal information typically includes the subject’s name, address, social security number and driver’s license number, as well as additional information found in leases, financial records, insurance records and other documentation.
The apartment industry has not only shifted from storing these records as hard paper copies to web-based, digital documents, but the technology they are utilizing to do so is also changing. For example, more companies are providing leasing and other on-site staff with tablet computers. When combined with the benefits of mobile applications and cloud computing, tablets are not only trendy and appealing but also an efficient business tool that enhances productivity. However, the portability of a tablet, laptop or smartphone, also increases the chances of a device—and its contents—being lost or stolen.
Third-party payment processing systems represent another example of technology changes. They enable residents to pay their rent online, reducing a management company’s administrative costs while adding convenience for residents. However, they are also a potential additional point of exposure for information theft, that is unless protective measures are in place.
Social media also poses some threats for data breach. Property managers use social media as a recruiting tool for prospective residents and employees, as well as a means of building a sense of community for current residents. In doing so, they also create a public platform for hackers to access when trying to steal data through malware. Moreover, the fact that employees are using company computers and devices to access their personal social media accounts places employers at greater risk of a hacker’s malware being downloaded.
The increased reliance on technology and its always-advancing nature has led many to think of data breaches strictly in terms of external cyber attacks. Yet human error and negligence remain the largest cause of breached data. A simple blunder like forgetting to lock a file cabinet or leaving a thumb drive on a desk can be all it takes to put personal information into the wrong hands. That is why having a quality data-security program in place to both prevent data theft and identify steps to address potential data breaches is critical.
To date, at least 46 states and the District of Columbia have state data breach laws mandating certain security and disclosure requirements. The 112th Congress is currently addressing at least 20 pieces of legislation related to these threats. Despite bipartisan agreement that privacy legislation is needed, there is a lack of consensus over the specifics of such a bill—the scope of personally identifiable information, the definition of a breach, the timeframe for notifying the consumer about a breach, among other considerations—causing the proposals to stall.
NMHC/NAA continue to follow the various proposals to ensure any measure that advances includes reasonable protections and disclosure requirements and does not impose overly burdensome compliance obligations on apartment firms.
Breach Bills in the Works
While there are a number of privacy and cybersecurity proposals circulating in Congress, the following appear to be gaining the most traction. Though different in scope, the first two bills create a national standard for data privacy protection and data breach notification. A third bipartisan proposal focuses on protecting the nation’s critical infrastructure and offers a potential platform for future data privacy and breach notification amendments.
The “SAFE Data Act” (H.R. 2577) introduced by Representative Mary Bono Mack (R-Calif.)
The “Personal Data Privacy and Security Act” (S. 1151) introduced by Senator Patrick Leahy (D-Vt.)
The “Cybersecurity Act of 2012” (S. 2105) introduced by Senator Joe Lieberman (I-Ct.)
Jeanne McGlynn Delgado is the National Multi Housing Council’s vice president of business operations and risk management policy. Amy Jo Beranek is a legislative analyst with NMHC.