Why Real Estate Companies Need Better Data Protection
By Toby Butterfield and Jason Johnson May 10, 2021 2:41 pm
reprints
Given the large number of bricks-and-mortar issues which real estate companies must address daily, it’s unsurprising that issues associated with data privacy and cybersecurity often seem less urgent for many property owners. But recent changes in the law in California, Virginia, New York State and now New York City mean it no longer makes good business sense for real estate companies to delay becoming proactive in addressing privacy and cybersecurity issues.
Here are five issues that real estate professionals should know about to help deal with these threats:
NYC just passed a bill creating major new compliance issues for landlords and their vendors. The bill applies to everyone who owns or controls a residential dwelling in New York City that includes keyless entry systems to gain access to their buildings, or to individual units or other areas within them. The bill’s requirements are expected to come into effect no later than 60 days from June 1, 2021.
The requirements are extensive: limits on the type of data that may be collected from a wide variety of building-wide computer systems; occupants must consent to permitted collections of data; and requirements to provide a privacy policy and specified types of computer security. The law also strictly limits the permissible uses of data that it will still be legal to collect. And it provides occupants with a private right of action, including the right to recover damages and attorneys’ fees, for violations of its prohibition on the sale of data. Nearly all residential buildings must comply, or risk regulatory action or class action liability.
Data breaches go beyond headliners Target, Experian, and other companies in other industries.In fact, hacks and data breaches have affected real estate companies, large and small. Midwest Property Management, a company located in Edmonton, Alberta, suffered a large data breach in June 2020. Douglas Elliman suffered a serious data breach in April 2021. Long & Foster Companies, a real estate brokerage acquired by Berkshire Hathaway, suffered a major data breach a couple of years ago.
With COVID driving the move to a more virtual world, the amount of valuable financial data and other personal information that real estate companies gather has also substantially increased. Data breaches happen to real estate companies, not just to people in other industries, and real estate companies need to address this reality head-on.
Hacks and data breaches can result in more serious disruption to business. The damage usually goes beyond the embarrassment and direct costs from disclosure of personal and financial information. Ransomware attacks result in demands for large payments on short notice and often threaten destruction of all electronic records. While some of these attacks are bogus, others are real. The entire Philadelphia court system was shut down for several months in 2019 because of a ransomware attack that resulted in deletion of large volumes of court data, forcing the system to resort to manual paper-based record keeping for months.
Take control of your data before a hack or data breach, not afterwards. As lawyers, we frequently advise clients, including real estate companies, on how to limit their riskiest activities. We often start by advising stricter security measures from whichever vendors have the weakest security procedures. While more data security is always good, bad actors typically attack via the easiest route. As a result, experienced professionals can usually identify where to begin improving security first: where the least amount of cost and inconvenience should result in the greatest reduction of risk.
The risks to real estate businesses go beyond data breaches. If you provide a privacy policy that misdescribes the security procedures you and your vendors provide, class action lawyers and their clients’ claims against you could soon be a part of your daily experience. It surprises us how many companies, including some major real estate companies, do not have a publicly facing privacy policy at all. The rapidly evolving state laws and regulations in this area mean that the relevant question is no longer “how much will it cost us to get a good privacy policy,” but rather “how much will it cost us not to get a good privacy policy.”
Like preparing and filing your taxes, it never feels like a good day to start to address the risks that probably lurk in your computer systems. However, data breaches and class action lawsuits are not preceded by warning signs, “alerts” reminders or approaching calendar deadlines.The impending changes in New York City laws are a valuable prompt that will require many companies to address compliance generally.
Continuing to put it off is not a wise option for any company, particularly real estate companies, which often handle enormous volumes of personal and financial data.
Toby Butterfield is a partner in Moses & Singer LLP’s intellectual property and litigation practices, and Jason Johnson is a partner in the firm’s privacy & cybersecurity and intellectual property practices.
