The broker’s IT guy called it like he saw it: “We don’t need to worry about security on our public web site – we’ve got nothing worth protecting. None of those new laws apply to us.”
“Do you let people sign up to save searches with a username or email address and password?” we asked.
“Sure,” he replied.
And with that, we had to give him the bad news…
Last month, a Clareity staffer was one of many tens of thousands of people who received a notification informing them of a security breach at their long distance company. What had been illicitly accessed? Just the email address, username and password from their online account. While no ‘traditionally’ sensitive information, such as bank account or credit card numbers, could be accessed using that information, the company still had to go through an expensive breach notification process. Why? Because the username or email address, in combination with the user’s password, could have been used to log in to other sites where the same credentials were reused, and where sensitive information could be accessed, purchases made and so forth.
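The reason a stolen saved-search login is worth notifying about is that the password itself leaks. The one engineering control that limits that damage is to never store the password, only a salted, iterated hash of it, so that a stolen user table gives an attacker nothing to try on other sites without cracking each account first. The following is an added example, not code from the article or from Clareity; it uses only the Python standard library, and the `signup`/`login` functions and the in-memory `USER_TABLE` are hypothetical stand-ins for a real signup form and user store.

```python
"""Salted, iterated password hashing for a saved-search signup form.

Added example (not the original article's code). Standard library only.
`USER_TABLE`, `signup` and `login` are hypothetical stand-ins for a real
user store and web form.
"""
import hashlib
import hmac
import secrets
from typing import Dict

# Assumption: iteration count per the OWASP Password Storage Cheat Sheet
# for PBKDF2-HMAC-SHA256. Tune it so one hash costs tens of milliseconds
# on your own servers; higher is safer, but it must stay usable at login.
PBKDF2_ITERATIONS = 600_000
SALT_BYTES = 16


def hash_password(password: str, iterations: int = PBKDF2_ITERATIONS) -> str:
    """Return a self-describing record: algorithm$iterations$salt_hex$hash_hex.

    A fresh random salt per user means two users who chose the same password
    get different records, so a stolen table cannot be cracked with one
    precomputed list; every account has to be attacked separately.
    """
    salt = secrets.token_bytes(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    try:
        algorithm, iterations, salt_hex, digest_hex = record.split("$")
        salt, digest = bytes.fromhex(salt_hex), bytes.fromhex(digest_hex)
        rounds = int(iterations)
    except ValueError:
        return False  # malformed or tampered record never verifies
    if algorithm != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, rounds)
    return hmac.compare_digest(candidate, digest)


# Hypothetical in-memory user table: email -> password record.
USER_TABLE: Dict[str, str] = {}


def signup(email: str, password: str) -> None:
    """Store only the hash; the plaintext password is never written anywhere."""
    USER_TABLE[email.lower()] = hash_password(password)


def login(email: str, password: str) -> bool:
    """Check a login attempt against the stored record."""
    record = USER_TABLE.get(email.lower())
    if record is None:
        # Hash anyway so an unknown email takes as long as a wrong password;
        # otherwise response time tells an attacker which emails are registered.
        hash_password(password)
        return False
    return verify_password(password, record)


if __name__ == "__main__":
    # Constructed sample accounts; two users happen to pick the same password.
    signup("agent@example.com", "correct horse")
    signup("buyer@example.com", "correct horse")
    print("login ok:", login("agent@example.com", "correct horse"))
    print("wrong pw:", login("agent@example.com", "battery staple"))
    print("same password, different records:",
          USER_TABLE["agent@example.com"] != USER_TABLE["buyer@example.com"])
```

Hashing does not make a breach of the table harmless: email addresses and usernames are still exposed, weak passwords can still be guessed offline, and the notification obligations discussed below may still apply. It does mean the attacker cannot simply read each password and try it elsewhere. Where a vetted library such as bcrypt, scrypt or Argon2 is available, prefer it over hand-rolled PBKDF2.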
There’s a tangled web of state and provincial laws that describe how businesses must protect personal, sensitive and confidential data, and how they must notify people if their information is stolen. Every state now has such laws, at least to some extent. Canada has a law at the federal level (PIPEDA), the EU has a new bill being considered, and the US federal government has a number of bills under consideration.
The types of information covered by the laws can be surprising. California defines “personal information” to include “name, signature, social security number, physical characteristics or description, address, telephone number, passport number, driver’s license or state identification card number, insurance policy number, education, employment, employment history, bank account number, credit card number, debit card number, or any other financial information.” The code further requires that “A business that owns or licenses personal information about a California resident shall implement and maintain reasonable security procedures and practices appropriate to the nature of the information, to protect the personal information from unauthorized access, destruction, use, modification, or disclosure.” Take note that even if your own state does not have such a wide-reaching law, if you hold information about consumers in other states, you may be subject to those states’ laws as well.
All existing laws require notification to those affected by a security breach. Twelve states allow people to pursue legal action against businesses that fail to protect their data, and twenty-seven states have civil or criminal penalties for failure to promptly notify people of a breach. Some of these state laws only apply if your business stores credit, financial or health information (such as the employee information that most real estate businesses handle), but some apply even if disclosure of the information might cause a person mere “inconvenience”. For more information on each state law, visit the web site of The National Conference of State Legislatures: http://www.ncsl.org/programs/lis/cip/priv/breach07.htm
What does this mean for a real estate business in real terms? According to one 2006 study [1], the total cost of a breach averaged $182 per lost customer record, and this adds up quickly. Dealing with an information security breach cost one broker-friend of Clareity over $1.5 million last year, and the damage to the reputation of the business could have been far more costly if it hadn’t been properly handled. According to a 2005 study [2], 19% of consumers indicated they would terminate their relationship with a company that lost their data, and an additional 40% “considered terminating” the relationship.
Between its information security assessments, ongoing monitoring services and payment card industry (PCI) compliance services, Clareity has been working hard to help businesses take reasonable steps to avoid an information security breach – but our industry has a long way to go, and it’s up to each of you to take those first steps.
[1] “2006 Annual Study: Cost of a Data Breach”, PGP Corporation and Vontu, Inc.
[2] “National Consumer Survey on Data Security Breach Notification”, Ponemon Institute.
About the author: Matt Cohen is Clareity Consulting’s Chief Technologist and leads its security assessment practice. Matt has spoken at many conferences, workshops, and leadership retreats around the country on security-related topics, and is a well-regarded real estate industry expert on real estate technology and information security. Clareity Consulting (www.callclareity.com) was founded in 1996 to provide management and information technology consulting to the real estate industry.