There was a time, not long ago, when issues such as cybersecurity and data security were not uttered in the same sentence as multifamily housing. However, topics that once seemed the sole concern of financial institutions, perhaps just five years past, are now climbing toward the top of the list of apartment owners’ concerns. That’s due in no small part to the rapid increase in attacks and data breaches.
What’s more, after years of trying to craft cohesive legislation on a federal data standard, the U.S. Congress has revealed the makings of a data privacy bill that would override most state laws. The legislation, crafted for industry in general, would contain many provisions that would have a notable impact on the multifamily sector.
For apartment building owners and managers, cybersecurity risks are akin to those of a banking institution, as they are not only handling the personal information of employees but that of the residents as well. An individual’s most important and valuable details—social security number, employer information, emergency contact information, phone number, salary—are in one place for the taking by a semi-crafty hacker. Of course, the multifamily industry is not alone.
“When collecting and transferring sensitive information that would be used in the resident screening process, these are all considerations—with that volume of electronic data—where housing providers just need to be aware of their responsibilities, and not just their responsibilities but how the responsibilities break down, say, between them and any service providers that they’re working with that are also touching that data,” said Nicole Upano, assistant vice president for housing, policy & regulatory affairs with the National Apartment Association.
According to Audit Analytics’ Trends in Cyber Security Breach Disclosures report, cybersecurity breaches increased by 118 percent year-over-year in 2021, with ransomware attacks up 44 percent. However, the figure accounts only for data compiled through filings with the Securities and Exchange Commission, so it represents a fraction of the actual total.
The problem, as expected, is a global one. Risk management software firm KonBriefing’s website features a list of cyberattacks around the globe, and recent months have brought an attack on a non-profit housing association in Austria, one on several housing associations in the Netherlands, and more recently, an attack on the U.K.’s largest housing association, which still has a note on its website informing visitors of IT issues due to a “cybersecurity incident.”
The National Multifamily Housing Council and other industry entities have long been aware of the ramifications of these challenges and welcomed progress on federal data security legislation; although, progress, in this case, is relative.
READ ALSO: The Future of Senior Housing Proptech
On June 3, 2022, ranking members of the Senate Committee on Commerce, Science and Transportation and the House Committee on Energy and Commerce released a discussion draft of a comprehensive data privacy bill, the American Data Privacy and Protection Act. The lawmakers openly conceded that the national data privacy and data security framework was years in the making, but the effort, though merely draft legislation, is quite a feat as it marks the first comprehensive privacy proposal to obtain bipartisan, bicameral backing.
The draft covers a great deal of ground, including granting broad protections for Americans against the discriminatory use of their data, and requiring covered entities to minimize on the front end, individuals’ data they need to collect, process and transfer so that the use is limited to what is reasonably necessary, proportionate and limited for specific products and services. The National Multifamily Housing Council and the National Apartment Association assert that while the effort has many good points, there remain issues that need to be addressed to safeguard the industry, and organizations expressed their views in a letter to the ranking committee members applauding the House’s progress on the legislation. One issue of concern is the notification process in the event of a security breach.
As it stands, the ADPPA discussion draft contains consumer notification process provisions that require covered entities to convey changes to privacy policies to individuals. NMHC and NAA are asking that any service provider be required to notify their customer and the apartment firm first of any privacy change, violation or security breach.
“We want to make sure that we have a clear delineation between who’s responsible when there is a breach and if it is a third party that is ultimately responsible that they have to notify their client first, which would be the housing provider, before they make any notifications because it’s ultimately the housing provider’s reputational risk when there’s a breach,” Upano noted. “The housing provider should make that call of how to go about communicating that to residents or applicants, and for this bill, it appears to also cover employees.”
LISTEN TO: How Proptech Can Help Put the S and G in ESG
Another issue in the draft that is highly relevant to the multifamily industry is the consumer’s right to access, correct, delete and export covered data. While NMHC and NAA did not request any safeguards concerning this provision in their letter aside from a reasonable timeframe to respond to consumer requests, they are pointing out to their members that consumers’ control over their data will have a direct impact on the multifamily housing industry.
“This would give consumers the right to consent with respect to the collection, the processing and the transfer of the sensitive covered information. So, as we’re processing, collecting, utilizing all this data from applicants, residents, and employees of different types, these are all certainly important for the industry to understand,” Upano added. “There are just a lot more rules or standards that they have to incorporate into their current processes. So having a federal standard, we’re certainly very supportive of and we think it would be a great thing for the industry to help navigate the operational consequences of this patchwork of state laws that’s currently in place.”
Run for coverage
With the rapidly increasing spread of cybersecurity infringements and data security breaches, comes the growing need for liability protection. Cyber insurance is a relatively new product, with the first cyber laws that required notification having emerged in the early 2000s. However, the monetary damages that accompany such infringements as ransomware can be debilitating for a business and a multifamily property owner or apartment company is no exception.
“Perpetrators have discovered that they can do very well in ransomware. It used to be a $10,000 ransomware issue, now it’s more likely a seven-figure one. And carriers have had to try and adjust and deal with that, which they’ve done by sometimes increasing retentions, your deductible, sometimes putting sub-limits on the coverage, and sometimes putting other requirements in the policy or excluding the coverage altogether depending on the industry,” Thomas Bentz Jr., a partner practicing insurance law with Holland & Knight, explained.
Premiums for cyber insurance have increased substantially over the last three years, as ransomware activity grows more rampant and more expensive for the insurance industry, which is still trying to determine how to price this coverage appropriately. And then there is the matter of silent cyber issues, a crossover problem that contradicts the traditional insurance concept of one-policy response to one issue.
The premise is not so cut-and-dried when it comes to cyber-related incidents. Bentz points to a client whose system hacking caused the accidental triggering of a fire suppression system, resulting in several hundred thousand dollars’ worth of damage. The hacking was a breach under the cyber policy, which covered the data loss, but not the property damage. The general liability policy acknowledged that there was property damage, but because it was caused by a data breach, refused to cover the damage.
“With cyber it gets really complicated really fast because there’s so much crossover or potential crossover for these other policies, you end up with these policies kind of pointing fingers back and forth and really trying to figure out where does this loss really belong,” said Bentz.
Even if an apartment owner is sufficiently covered for cybercrimes, the policy is of little use if the people in charge don’t know how to use it. Unlike property crimes, cybercrimes must be resolved in a short timeframe, usually within hours. Handling the fallout requires special knowledge and, as Upano remarked, “the potential for litigation is pretty high when there’s this patchwork of state laws.”
Bentz noted that, now more than ever, it is of vital importance to select the best underwriter, which may not necessarily be the most cost-effective option. When the problem arises, the option for a lawyer will be very important and whether your coverage pays a maximum of $200/hour for a lawyer, if you’ll pay co-insurance for that lawyer, or if you’ll have sufficient options for representation is all critical—or if anyone in the office knows who the carrier is or where the policy is located.
“You really need to have this set up and ready to go so that when you have the issue, you’re not trying to figure it all out. And you have to make sure that everybody’s on the same page. There’s a lot of disconnect in my experience between the C-suite executives, IT and then risk management group as to who you want to hire, what works, what’s okay, what’s not okay,” Bentz said. “Probably the biggest problem that we’ve seen in the last couple of years—risk managers are losing their jobs or CFOs are losing their jobs because he or she didn’t coordinate this.”
For now, any real change is in the hands of the government. There was a subcommittee markup of the ADPPA discussion draft on June 23. “Someday, the federal government will pass something, when that will be, what that will be is always really difficult to tell,” Bentz said on the heels of a chuckle at the notion. “Maybe we’ll get there.”