Fight Back Against the Hack

Federal and state laws require that real estate agents and brokers protect confidential information and be prepared to respond quickly to data breaches.  

By Scott Reid

SPARK NATIONAL MEMBERSHIP DIRECTOR

No business or industry is immune to a cyber attack or a data breach. Ninety-five percent of the Fortune 500 companies in America—as well as numerous government agencies such as the Internal Revenue Service, the Central Intelligence Agency, the Defense Department, and even the White House—have been hacked or had data compromised.

Businesses of all sizes have fallen prey to cybercriminals, and the real estate industry is no exception. Real estate professionals are required to comply with state and federal data security laws, regulations, and standards that describe the ways in which data must be protected and define what constitutes a “data breach.”

For example, in California, a data breach encompasses any way that information is lost, stolen, or inadvertently disclosed, including laptop theft, lost USB memory sticks or portable drives, a lost mobile phone containing confidential client data, and an email containing confidential information that is inadvertently sent to the wrong person—as well as the theft or improper disposal of paper documents.

Take the First Step

Given the many ways in which business data can be compromised, protecting it can be a challenge. The first step is to acknowledge that your real estate business is at risk. Your clients and business partners—and state and federal regulators—all expect you to be able to safeguard confidential and private information.

Also, the Code of Ethics and Standards of Practice of the National Association of REALTORS® explicitly acknowledges the obligation of a REALTOR® to preserve the confidentiality of personal information provided by clients both during and after the termination of a business relationship.

Information security risks should be addressed in the same way that you address other business risks. Your business property is insured against damage, fire, and theft. Your confidential information should be similarly protected.

Have a Risk Assessment and Compliance Audit

Having an independent, third-party risk assessment can help you identify potential threats; see where you are out of compliance with federal, state, and industry requirements for information security; and identify areas where you are most vulnerable. In addition, a third-party report can enable you to demonstrate to clients that you are taking steps to protect their data and defend your business against potential litigation or possible future regulatory fines and penalties.

Establish a Solid Cyber Security Foundation

Although a Risk Assessment and Compliance Audit may bring to light several areas that need improvement, addressing some cyber and data security basics can increase security immediately.

  • Avoid wire transfer fraud. Never move money based on a simple email. Always voice-verify banking and wire instructions in transactions.
  • Encrypt emails. At a minimum, emails containing sensitive or confidential information should be encrypted using your email provider’s encryption service.
  • Never use public wi-fi. Use a virtual private network (VPN) app on both your phone and your laptop when using wi-fi to prevent criminals and hackers from watching what you are doing and stealing your data or passwords.
  • Don’t click on suspicious emails. Email is the number-one way spyware and malware are deployed. Never click on the links in these emails or open their attachments.
  • Back up your data. In case your systems become infected or are held hostage, back up your files to the cloud.
  • Change your passwords. Stolen or weak passwords allow cybercriminals direct access to your computer and online accounts. Having a complex, unique password for each application improves online security.

Evaluate Cyber and Data Breach Liability Insurance

Cyber insurance will not protect you against a cyber attack or data breach, but a good policy will enable you to survive one.

Look for an insurance policy that provides coverage for both cyber breaches and data breaches as well as broad coverage for first-party expenses, such as breach response, credit notifications, forensic analysis, public relations consultants, cyber extortion payments, business-interruption costs for loss of income, and restoration costs. The policy should also cover third-party expenses for violation of privacy laws, multimedia liability, regulatory fines, compensatory payments, and legal defense costs, as well as the costs of potential future lawsuits and settlements.

Also, be sure to find an insurance carrier that provides access to a Breach Response Call Center or other telephone support that is staffed twenty-four hours a day, seven days a week, throughout the entire year and is available even if a breach is only suspected. This call center should provide you with access to breach response team(s) and legal counsel, as well as to other resources to develop a response plan and help you begin response and recovery activities.

Insurance cannot eliminate a data breach or be a replacement for data security, but it can provide a backstop of financial relief and access to support tools like the breach response call center. Having a separate insurance plan in place, specific to this exposure, is a critical component of your overall data breach preparedness.

The response costs associated with minimizing the damage of a data breach or cyber attack can be extensive and can even put a company out of business. Cyber and data breach liability insurance is affordable and helps mitigate the financial hardship of a cyber attack and data breach by offering coverage to help you pay for the costs of an event.

Scott Reid is the SPARK National Membership Director and has been an early leader in the emerging field of cyber and data breach preparedness and prevention. Reid works with many leading trade groups and business coalitions—as well as with federal agencies such as the Department of Homeland Security, the Federal Bureau of Investigation, the Federal Trade Commission, and the Small Business Administration—to address cybersecurity as a national security issue.