From Target and Home Depot to Sony and the IRS, it seems that we can’t go a few months without headlines detailing the latest troublesome data breach. Cyber attacks aimed at stealing sensitive personal information have reached devastating new heights of sophistication and severity. Real estate companies are at particular risk, especially when you consider the information stored on behalf of renters, vendors, consultants and buyers. Even the government is being hacked; massive data breaches have recently been reported by two federal government agencies: the Internal Revenue Service and the Office of Personnel Management. The breaches have compromised personal information for more than 100,000 taxpayers and four million federal government employees. They are just the latest in a series of cyber attacks to grab the headlines, as any organization that exposes sensitive information to the Internet is at risk of a data breach—including property owners, management firms and others in the multifamily industry.
News of a cyber attack targeting the computer networks of Essex Property Trust, an apartment investor and manager business in Palo Alto, California, brings the damage caused by these modern-day hacker-pirates closer to home. Essex is respected as a sophisticated, publicly traded operator with 33,560 apartments in the Western United States, and was most recently ranked 47th among the nation’s largest landlords, according to the National Multifamily Housing Council. At the time that the breach was disclosed, Essex publicly stated that it did not have any evidence that information belonging to the company had been used improperly, but that the impacted data systems were being fully analyzed by independent forensic computer experts retained by the organization.
“Our team is working around-the-clock to fully assess the situation and determine whether any personal information could be at risk,” commented Michael Schall, Essex’s president and CEO, in a statement released after the data breach was discovered. “Protecting the personal information of our tenants and employees—and maintaining their trust—is of critical importance to Essex. Unfortunately, cyber-criminals are finding new ways to infiltrate data systems every day, leaving companies increasingly vulnerable to these kinds of events.”
Indeed, the attack on Essex clearly shows that businesses throughout the real estate industry are at risk of falling prey to this pernicious crime, especially landlords holding private personal information such as banking, social security and driver’s license numbers, information which is commonly obtained through a rental process. The liability, reputation and business interruption costs following the theft of residents’ personal records can be crippling.
Even if a real estate company survives an attack and settles all civil claims, it can face years of harsh penalties for running afoul of the Federal Trade Commission Act or the FTC’s Safeguard Rule or Disposal Rule. States also have consumer protection and privacy rules, as illustrated by a case involving a property management firm in Massachusetts. That incident involved the theft of a company-issued laptop from an employee’s car. At the time that it was stolen, the computer contained unencrypted personal data for more than 600 consumers. Though the property manager did not find evidence that this compromised information had been used for any unauthorized purposes, the firm was still fined $15,000 in civil penalties by the Massachusetts Attorney General.
“It is incredibly important that businesses ensure that laptops and other technology have the necessary encryption to protect consumers from identity theft,” commented Attorney General Martha Coakley in a statement announcing that the fine had been issued. “We will continue to make sure that companies understand their responsibilities under the data privacy laws and are held accountable when they do not adhere to them,” Attorney General Coakley added.
Unless your customers’ personal information is scratched into ledgers with a quill and ink or maintained on a non-networked computer (an avenue taken by many companies), you should clearly understand the extent of your legal responsibility to safeguard a resident’s personal information.
For example, because of a landlord’s need to screen prospective residents for their employment and creditworthiness, applicants are asked for personal information. The FTC says, “Any business or individual that uses a consumer report for a business purpose is subject to the requirements of the Disposal Rule.” This requires businesses to “take appropriate measures to dispose of sensitive information.”
Additionally, under the FTC’s definitions in its Safeguard Rule, this can place property management companies in the category of “financial institutions,” making them subject to rigorous standards and serious penalties.
The Safeguard Rule came as a result of the Gramm-Leach-Bliley Act. It requires financial institutions to have measures in place to keep customer information secure. Having disclaimers against guaranteed protection of customers’ information is not a defense. And a company will do itself harm if it claims it’s doing its utmost to protect personal information when, in fact, it fails to follow its rhetoric with implementation.
Successful FTC enforcement actions against companies have been increasing, topping 50 in 2014, according to EPIC, an electronic privacy advocate. Most companies challenging the FTC rules end up settling prior to trial.
In addition to the detrimental impact that a cyber attack can have on a company that has been successfully targeted, this type of data breach can also have broad-reaching implications for the multifamily industry as a whole. If customers’ stolen information is used in identity theft rings, their credit may be negatively impacted for months to come. In turn, these low credit scores have the potential to cause complications in multifamily markets across the country, as any potential condo buyer who has fallen victim to identity theft is most likely going to encounter issues when applying for loans. Such issues can hamper the sales process and may even cause the entire transaction to fall through.
At a recent forum on data breach risk management by the National Multifamily Housing Council (NMHC), expert panelists agreed that small- and large-scale breaches will continue on a regular basis. One panelist, who estimated that losses can range from $5 to $400 per each personal record that is lost, said that the organizations that pay the greatest cost are the ones “who deny a breach has happened” or that they are doing their own investigations. These companies get raked over by the media and suffer other lingering problems.
“There are a lot of ways to prevent and control a loss, including eliminating risk, making the right data breach prevention IT investments, employee training, budgeting for loss and insurance policies,” stated NMHC panelist Tyler Goff of Equity Residential, which owns 160,000 apartments. “A law firm and a breach coach can help an organization develop and incidence response plan,” he said.
Preventing a loss, and eliminating oneself as a target starts from the beginning, and includes such considerations as holding sensitive materials in a separate non-networked database, having employee controls for sensitive information, disallowing the transmittal of sensitive information over electronic communications, creating an employee manual that details the use, possession and protection of sensitive information.
Among the recommendations one can take include the following:
- Spam systems that read outgoing emails, preventing key information from leaving an organization;
- Web filtering can be used to scan the webpage itself for malicious content;
- Mobile device management to enforce mobile passwords and remotely wipe them;
- Encryption for laptops every computer in the organization; and
- Network threat detection that continuously scans for issues.
Companies would be wise to fully embrace the FTC’s prescriptions to protect personal information. It’s not just primary personal information that must be safeguarded. Theft of salary, benefits and contract details can turn a company inside out. Firms should scrutinize their outside payroll service, IT and cloud-based services that supposedly secure documents. They should also create a disaster recovery plan, in the case that an incident affecting data does occur. Firms should contemplate all types of information sent over and through electronic communications, including contracts, due diligence documents, and other materials that might create information that would be of benefit to potential third-party criminals.
Experts agree there’s no way of guaranteeing your security measures won’t be breached by a determined hacker. But, if a company implements responsible safeguard measures and features them in marketing and customer documents, they stand much improved chances of avoiding nuisance suits and government action while rightly enjoying increased customer confidence in their products and services.
Morgan Stewart is a partner with Manly, Stewart & Finaldi, an Irvine, Calif.-based law firm that specializes in real estate. He devotes his practice to advising national multifamily and commercial real estate clients on legal issues including construction litigation, insurance bad faith, general corporate formation issues, contract negotiation and development, and personal injury. As an emerging leader in the industry, Stewart’s reputation for detailed and thorough counsel has allowed his clients to focus on their core business, while avoiding costly and unnecessary legal action.