Window to the Law: Creating an Effective Data Security Plan

Window to the Law: Creating an Effective Data Security Plan - Transcript

Welcome! I am Maame Nyamekye, Staff Attorney at the National Association of REALTORS®. 2021 marked an unprecedented increase in cyber-attacks and malicious cyber activity. The FBI’s Internet Crime Report for 2021 reported 847,376 complaints with potential losses exceeding $6.9 billion. Unfortunately, the real estate sector was not excluded from the malicious cyber activities. A data security breach could potentially hurt your business financially, lead to a lawsuit, and tarnish your business’ reputation.

In this episode, I will share how your business can minimize the risk of a potential data security breach by creating a solid data security plan. To begin, every business should be aware of applicable laws. Although there is no comprehensive federal data security law that applies to real estate brokerages, at least 35 states have enacted laws addressing the proper disposal of personal data. All 50 states have laws that require a business to provide notice of security breaches involving personal information. 

Next, the FTC published a list of five key principles for a sound data security plan. Those principles are: 

1. Take Stock.  Take inventory of the information that your brokerage handles.  You want to examine what information is being collected, where it’s being stored, why it’s being collected and who has access to it.  Taking this step will enable you to identify risks and how to address them through your data security plan. 
2. Scale Down. A thorough inventory check will help your business assess what information it should continue to collect and retain. Be sure to have in place a solid document retention policy that covers what information should be retained and for how long according to legal requirements and your business’ needs.
3. Lock It.  Besides knowing what information your business needs, you must implement appropriate technology and physical safety measures to protect sensitive information and prevent unauthorized access to it.
4. Pitch It.  Remember, at least 35 states have laws addressing the proper disposal of personal information. Therefore, personal information must be properly disposed of so it cannot be read or reconstructed. Simply deleting files from the computer with a keyboard or mouse command usually isn’t sufficient. 
5. Plan Ahead.  Have a written data security plan that addresses how to handle a breach. Remember, to be familiar with applicable state laws which includes notifying potentially affected parties when a breach has occurred. Note that your business may be subject to multiple states’ laws if it collects personal information from residents of multiple states.

Always remember that the best data security plan is worthless if the people charged with implementing the plan are asleep at the wheel.   Educate and train your team members about data security to ensure they know how to identify suspicious activity and to follow your data security plan. Your staff may be the most important line of defense against cybercrime.

Check out NAR’s Data Security and Privacy Toolkit to learn more. Thank you for watching this episode of Window to the Law.