Cyber Attacks Are on the Rise

Reduce your risk of becoming the next headline.

The recent spate of high-profile data breaches sharply underscores the fact that no business, regardless of size or specialty, is immune from the threat of a cyber attack. Hackers are becoming more sophisticated and the risk of an attack is no longer a question of if—but when. Victims have included large retailers, banks, hospitals, educational institutions, government agencies, and now, for the first time, an apartment REIT.

Essex Property Trust Inc.’s recent disclosure that its computer networks were compromised by a cybersecurity attack should be a reminder to the industry that apartment owners and managers collect, use and maintain vast amounts of highly sensitive, personal data. Whether in paper or digital formats, the data that is collected from renters and employees, and through operational functions, can be a treasure trove to a cyber criminal. Personal information typically includes residents’ names, addresses, social security numbers and driver’s license numbers, as well as additional information found in rental applications, leases, financial statements and insurance records.

The consequences of unauthorized or illegal access to and use of this data can affect businesses both legally and financially, causing lasting reputational harm to a company’s long-cultivated brand in an instant. All businesses need to make data security awareness a continuing priority by taking steps to have a security and response program in place.

There are numerous private and public resources available to help companies develop a program. The Federal Trade Commission’s Protecting Personal Information, A Guide for Business is a good starting point. Building on their key principles for data security we offer the following suggestions to help you develop a plan:

1. Appoint a data breach planning and response team. Secure C Suite buy-in from the start. This will ensure appropriate attention and necessary resources are allocated to assist in both plan development and, in the event of a breach, a response. Consider including IT professionals, a privacy attorney, a breach notification partner, a forensic partner, a data breach resolution vendor and other appropriate professionals.

2. Assess vulnerabilities. Know what personally identifiable information (PII) you collect and who has access to it. Inventory your equipment such as computers, laptops, mobile devices, copiers and others. Threats can come in the form of sophisticated system hackers, as well as from stolen laptops. Specifically, businesses need to conduct regular cyber risk assessments that include vulnerability and penetration testing and update malware and threat protection software regularly.

3. Scale down stored data. Keep only the information you need for only as long as you need it. If you must keep information for business or compliance reasons, develop a written records retention policy. When you no longer need it, dispose of it according to federal and state laws.

4. Secure physical and electronic data. Companies must remain vigilant to protect records and files maintained the “old fashioned” way by storing them in a safe location and limiting access to them. This is true for off-site storage areas as well. As for electronic storage, make sure to encrypt sensitive information you are sending to third parties over public networks. Web applications such as those used to give visitors access to your company website can be especially vulnerable. Hackers can insert malicious commands that can transfer sensitive information from your site to theirs.

5. Protect against attacks via third-party vendors. Intrusions often occur through third-party vendors that are given “trusted” access to areas of a business. Perform due diligence when hiring third-party vendors, ensuring that they have strict data security measures in place. Consult with legal counsel for ways to ensure maximum protection.

6. Consider purchasing a cyber insurance policy. Despite the comprehensiveness of a data security plan, companies are still vulnerable to a breach. Consider insurance coverage as part of your preparedness plan. These polices can offer coverage for additional risks and costs, such as expenses incurred to determine the extent of the breach, data breach notification costs, forensic costs, court costs and civil penalties, credit monitoring costs and expenses related to public relations efforts.

7. Educate employees on security risks. Employees should be reminded to lock computers, file cabinets and offices when away from their workspaces. Staff should pay close attention to their mobile devices and laptops to avoid theft or loss. Teach them about the dangers of “spear phishing” (i.e., emails that make a communication look legitimate but contain malware) and “phone phishing” (i.e., unknown callers claiming to need account numbers). In addition, create a culture of security through regular training.

However, even with the best prevention program in place, data breaches can happen. In the event of a breach, it is essential to act quickly to minimize the impact on both the company and the consumer. Any response plan should, at the minimum, include the following steps:

■ Initiate an in-depth investigation with a forensic team. Evaluate the scale of the breach, who discovered it, the type of breach, what was stolen and how, and all other relevant details about the event;

■ If possible, fix the issues that caused the breach, assess other gaps and secure operations;

■ If necessary, notify law enforcement. Consult legal counsel regarding state and federal breach notification requirements and other consumer protection considerations;

■ Notify the insurer, if insured, as soon as possible;

■ If it is necessary to make a public statement, craft a message and identify a spokesperson; and

■ Set up a resident hotline for questions and assistance.

Each company is unique, and plans should be targeted to your specific needs. This information is intended to increase your awareness about the need for a plan and to help you chart out your own course of protection. Additional educational resources related to data breach, privacy and identity theft are available on NMHC’s website at: www.nmhc.org/Data-Breach.

Jeanne McGlynn Delgado is vice president of business operations and risk management policy at the National Multifamily Housing
Council (NMHC) in Washington, D.C. She can be reached at
jdelgado@nmhc.org.