Why Real Estate Companies Need Better Data Protection
Given the large number of bricks-and-mortar issues which real estate companies must address daily, it’s unsurprising that issues associated with data privacy and cybersecurity often seem less urgent for many property owners. But recent changes in the law in California, Virginia, New York State and now New York City mean it no longer makes good business sense for real estate companies to delay becoming proactive in addressing privacy and cybersecurity issues.
Here are five issues that real estate professionals should know about to help deal with these threats:
NYC just passed a bill creating major new compliance issues for landlords and their vendors. The bill applies to everyone who owns or controls a residential dwelling in New York City that includes keyless entry systems to gain access to their buildings, or to individual units or other areas within them. The bill’s requirements are expected to come into effect no later than 60 days from June 1, 2021.
Data breaches go beyond headliners Target, Experian, and other companies in other industries.In fact, hacks and data breaches have affected real estate companies, large and small. Midwest Property Management, a company located in Edmonton, Alberta, suffered a large data breach in June 2020. Douglas Elliman suffered a serious data breach in April 2021. Long & Foster Companies, a real estate brokerage acquired by Berkshire Hathaway, suffered a major data breach a couple of years ago.
With COVID driving the move to a more virtual world, the amount of valuable financial data and other personal information that real estate companies gather has also substantially increased. Data breaches happen to real estate companies, not just to people in other industries, and real estate companies need to address this reality head-on.
Hacks and data breaches can result in more serious disruption to business. The damage usually goes beyond the embarrassment and direct costs from disclosure of personal and financial information. Ransomware attacks result in demands for large payments on short notice and often threaten destruction of all electronic records. While some of these attacks are bogus, others are real. The entire Philadelphia court system was shut down for several months in 2019 because of a ransomware attack that resulted in deletion of large volumes of court data, forcing the system to resort to manual paper-based record keeping for months.
Take control of your data before a hack or data breach, not afterwards. As lawyers, we frequently advise clients, including real estate companies, on how to limit their riskiest activities. We often start by advising stricter security measures from whichever vendors have the weakest security procedures. While more data security is always good, bad actors typically attack via the easiest route. As a result, experienced professionals can usually identify where to begin improving security first: where the least amount of cost and inconvenience should result in the greatest reduction of risk.
Like preparing and filing your taxes, it never feels like a good day to start to address the risks that probably lurk in your computer systems. However, data breaches and class action lawsuits are not preceded by warning signs, “alerts” reminders or approaching calendar deadlines.The impending changes in New York City laws are a valuable prompt that will require many companies to address compliance generally.
Continuing to put it off is not a wise option for any company, particularly real estate companies, which often handle enormous volumes of personal and financial data.
Toby Butterfield is a partner in Moses & Singer LLP’s intellectual property and litigation practices, and Jason Johnson is a partner in the firm’s privacy & cybersecurity and intellectual property practices.