The NAR Data Privacy and Security Toolkit (http://tinyurl.com/br4wo7o) has a very useful list of applicable state information security laws, but according to the National Association of Realtors’ “2012 Profile of International Home Buying Activity”, international clients are becoming more commonplace, and five countries – Canada, China, Mexico, India, and the United Kingdom – accounted for 55% of international transactions. International clients may have expectations of data security and privacy based on the laws of their own country, and some of those laws may apply to you. Following is a summary of the client expectations and laws from those five countries that you should be aware of.
CANADA has federal privacy legislation, the “Personal Information Protection and Electronic Documents Act” or PIPEDA. Clients from British Columbia, Alberta and Quebec are covered under similar provincial statutes. Even if your business is located outside of Canada, these acts may apply to you (as per the recent case Lawson v. Accusearch). Expectations are as follows: You must have documents that explain your personal information practices to clients, and an individual clearly defined as responsible for protecting client information and handling privacy questions and complaints. Any form – online or paper – where you collect personal information must disclose exactly how you are going to use that information, and you (or any third parties to whom you send the information) must only use the information in those ways. Clients will expect that you have a process for keeping the information accurate and up to date, and that they can easily get access to the data to audit what information you are maintaining. Client information can only be kept as long as needed to fulfill the disclosed purpose (though state regulations may trump this requirement). You must have security safeguards in place around the information. If you delegate the information to a third party (e.g. a software vendor), you must contract with them to protect the data in a like manner. This may seem like a lot of requirements, but there’s a LOT more to it. If you have Canadian clients, you might wish to review a PIPEDA self-assessment tool: http://www.priv.gc.ca/information/pub/ar-vr/pipeda_sa_tool_200807_e.pdf
CHINA does not have substantial national data security or privacy laws. Jiangsu Province passed a law in 2011 requiring that businesses only collect personal information with client consent and explain how the information will be used. Realtors should follow that guideline as a bare minimum, even though neither China nor any of its provinces has prosecuted businesses outside of their borders for privacy breaches.
MEXICO passed the Federal Law on the Protection of Personal Data Held by Private Parties (Ley federal de protección de datos personales en posesión de los particulares) in 2010. Like the Canadian act, it involves disclosure of the purposes for which client information will be used, the rights of access, correction, and objection, the requirement to take appropriate information security steps to protect the information, and the requirement to provide notification of any security breach. If you send client information to a third party, they must formally accept all of these privacy obligations, and you must have the explicit consent of your client to conduct the transfer. This law may apply to companies outside of Mexico. More information: http://www.diputados.gob.mx/LeyesBiblio/pdf/LFPDPPP.pdf (in Spanish)
INDIA has extensive new information security and privacy legislation requiring written consent to all uses of client information. If you collect and store private information (e.g. the bank account information on that copy of a check in your file), the requirements to protect the security of that information are extensive, and involve management and operational components, physical security, and technical measures. While no cross-border prosecution has yet taken place, you should be aware of possible client expectations and strive to meet them. More information: http://www.mit.gov.in/content/cyber-laws
UNITED KINGDOM has an extensive data protection act. Your responsibilities are to inform your clients of the specific uses to which their information will be put, to keep that information up to date, accurate, and secure and not keep the information for longer than is necessary. This act is not very specific about the steps you need to take against unauthorized or unlawful use or loss of the information, other than to say “Appropriate technical and organisational measures shall be taken”. You should be aware that the U.K. has unlimited financial penalties for breaches, plus possible jail time. More information: http://www.legislation.gov.uk/ukpga/1998/29/contents
If your company has international clients from these countries – or others – you should take care to meet their expectations of data security and privacy, consult an attorney to fully understand your obligations, and ensure that your business processes meet or exceed the requirements. Your reputation – and that of the real estate industry – is at stake.
For more information security resources, please visit
“The Real Estate Information Security Center” – http://www.callclareity.com/security/
About the author: Matt Cohen is Clareity Consulting’s Chief Technologist and leads its security assessment practice. Matt has spoken at many conferences, workshops, and leadership retreats around the country on security-related topics, and is a well-regarded real estate industry expert on real estate technology and information security. Clareity Consulting (www.callclareity.com) was founded in 1996 to provide management and information technology consulting to the real estate industry.