What do 85 of the top multiple listing services have in common with the Pentagon, Twitter, Facebook, LinkedIn, G-Mail, Microsoft, NASA and most financial institutions, colleges and newspapers?
They have all implemented data access security utilizing two-factor authentication. Why, you ask? Because this form of data security supports their initiatives to implement “best practices” or “take reasonable steps” to protect access to their users’ personal information from cyber-villains.
Everything these villains might want to know about someone is generally hosted somewhere in their user profile(s). Name, address, phone numbers, date of birth, email addresses, characteristics and interests, employment history, etc. are all personal profile staples. This data is considered ‘Personal Information’ and comprises everything a villain needs to know about someone to commit nefarious deeds and gain additional access to even more personal information.
Most people assume, or would like to believe, the companies they engage with can be entrusted with their personal information or ‘secret identity’. They expect their personal data to be treated as a valuable asset and want their value to extend beyond a customer list, marketing program or data mining effort.
All companies now have a legal responsibility to protect the personal information their subscribers have provided them. The US government mandates companies implement “reasonable and accepted best practices” to protect the personal information they collect.
To date, 46 states have enacted a Data Breach Notification Law. Under these laws, a breach is defined as a single unauthorized access to a database containing personal information. This means a single compromised user ID and password, whether willingly shared/borrowed or intentionally hacked, constitutes a breach. Reasonable steps must be taken to avoid such an occurrence. If a breach does occur, every individual with personal information stored within the breached database must be notified of the breach in writing. This is not only costly to implement, it can challenge the integrity of a company and have significant financial ramifications. Each state defines ‘Personal Information’ differently. (Please refer to this chart and consult an attorney in your area for more specific details.)
Within our industry, we may feel these rules don’t apply, or that we’re immune to such obligations because listing data is plastered all over the Internet. But the fact remains: the responsibility of the MLS goes well beyond protecting subscribers’ personal information and the sanctioned public display of listing information. The MLS community must also consider:
- Subscription revenue loss associated with shared access
- Consumer (buyer/seller) data stored in the MLS system’s CRM and Client Gateway modules
- Listing data not intended for public consumption (e.g. sensitive showing instructions such as alarm/gate/CBS codes, kids home alone, or when the house is vacant)
- Compensation details
In many cases this is simply scratching the surface of what may be exposed. Introduce transaction management, online bill pay and document storage into the MLS services and exposure swells further.
The fact is, laws or not, secured access is an obvious and necessary requirement to conduct business in today’s world. For businesses that ‘fly under the radar’ thinking they won’t get caught, it’s more a question of when than if. The important thing to remember is you don’t have to be a superhero to mitigate your risk. Companies large and small are adopting best practices to protect access to their digital assets and those of their consumers and subscribers. So we ask again: Are you taking the proper measures to protect your digital assets and the people associated with them?