Addressing Cyber Security

New tools and laws combat the threat.

The growing threat to companies in the multifamily industry from cyber-attacks is serious enough that the National Apartment Association staged a webinar in 2012 entitled “The New Cyber Reality for the Multifamily Rental Housing Industry: Threats, Responsibilities and Risk Management Strategies.”

In this special tech report, Multi-Housing News interviews two of the leading participants on that panel to discuss the types of threats the industry faces, legislative developments currently underway, and what measures companies can undertake now to ensure they are prepared in the event of such attacks.

Multifamily cyber security issues are no more serious than those of other industries. The question is whether the industry is addressing the concerns, says Brian Finch, Global Security Practice partner at Washington, D.C.’s Dickstein Shapiro LLP—a firm internationally recognized for its work with clients from start-ups to Fortune 500 companies. “It’s not that the industry has unique vulnerabilities,” he says.

“But if it’s not aware of and addressing those vulnerabilities, the industry is more at risk than others.”

Because the apartment industry deals with “personally identifiable information,” also known as PII, it needs to be cognizant of the 46 different state data-breach notification laws, as well as a variety of federal statutes and regulations that deal with PII and the security of that information, reports Scott Godes, counsel in the insurance coverage practice at Dickstein Shapiro.

Personally identifiable information may include social security numbers, credit card numbers, health information and other information, depending on various states’ definitions of PII, Godes explains.

Third-party vulnerability, which can result in social security or credit card numbers being obtained by hackers, can expose companies to potential lawsuits or other liability. “Class-action lawsuits are the favored method of proceeding by plaintiff lawyers focusing on privacy and data risk litigation,” according to Godes.

Another concern is first-party risk, in which a cyber-attack results in a company’s electronics being unavailable for business operations. If a company’s network is attacked and becomes unavailable for business operations, costs will be incurred while the business is unable to function.

Current legislative

Late in 2012, competing legislation moving through Congress was sidetracked by concerns about whether or not the country would plunge over the fiscal cliff. The legislation is likely to be reintroduced in 2013. “It’s something a number of senators and congressmen want to push forward,” Finch says. “That legislation could force industries like the multifamily industry to better secure their IT systems, including laptops, mobile devices, and generally anything through which access could be gained to a critical function or PII.”

In a case sure to interest multifamily and several other industries, the Federal Trade Commission (FTC) recently brought action against a major hotel chain. The case concerned the theft of data and improper use of credit cards. “The hotel chain responded by saying, ‘We have a policy in place,’” Godes says.

“The FTC represented to the chain that if it was taking steps to address security and privacy, the chain wasn’t doing enough, [and stated], ‘We’re bringing action against you for false and misleading claims.’

“This is an indication that the government is being more aggressive in the context of privacy or alleged breaches of data security. Where it may have appeared there was low risk about potential liability or actions that have to be defended, the landscape is continuing to change. Even if it turns out the FTC didn’t have the authority to take the action, or that the action is not meritorious, the major hotel chain is still having to spend a lot of money to defend itself.”

It’s also worth noting, Godes says, that the incoming president of the National Association of Attorneys General (NAAG), Maryland’s second-term attorney general Douglas F. Gansler, says his platform as president will focus on data security and privacy questions, an initiative he terms “Privacy in the Digital Age.”

Risk mitigation tools

Risk mitigation tools are important components of enterprise risk management, Godes says, and an essential part of companies’ day-to-day operations to mitigate significant risk.

When it comes to risk mitigation, he urges companies to review the state of their insurance policies to determine potential coverage for a cyber-risk or data breach.

“There are more carriers writing insurance marketed for cyber security risk, but a good, thorough analysis should include an analysis of their other policies, such as first-party property insurance, crime insurance policies and general liability insurance policies to see if there is overlapping coverage,” Godes says. He urges property managers to implement a two-pronged approach involving talking to their insurance broker and an attorney who focuses on insurance coverage and can advise on the language of the policy being offered.

The best risk management strategy is for companies to adopt organized plans and to combat threats to PII and attacks on critical systems, Finch says.

“If it does not have an organized plan addressing how to detect an attack, how to respond, who to notify under applicable disclosure requirements and a plan to bring in outside resources to conduct a forensic analysis, a company can really find itself in trouble,” he says. “Without a plan, a company finds itself scrambling to try to figure out how to respond, and wasting valuable time.”

Reviewing its insurance policy in advance of a threat or incident, as opposed to after an incident takes place, will leave a company better situated to understand its coverage and the value of its asset, Godes says. “Understanding the value of your asset and how it can come into play is critical,” he adds.

Five years out

How will the environment change in, say, five years? According to Godes, predicting the threat is going to be eliminated in a half decade would be a mistake. “The trend is attacks are increasing, and increasingly sophisticated,” he says. “We continue to see legislation evolving on the state and federal level that suggests privacy and data security remain top concerns of lawmakers.”