Data Protection Checklist for Real Estate Enterprises

August 09, 2021

Why data protection? As the regulatory landscape for protecting data rapidly evolves and impacts industries like real estate, it’s an opportune time to reexamine how your enterprise will respond.

Data Protection for Real Estate

The critical importance of information is well-known within the real estate industry. There is, however, an often overlooked subset of information gathered and shared on a routine basis that poses a unique set of data security and privacy risks: namely personally identifiable information (“PII”).

PII is any piece of information that alone or together with other identifying information can be used to distinguish or trace someone’s identity. PII in real estate is accumulated while managing tenants, handling property guests, and selling properties, as well as servicing investors, employees, and contingent labor, such as contractors and handypersons. PII is also typically shared amongst employees, and with third-parties like lenders, lawyers, collection firms, and property managers, to name a few.

Real estate enterprises over time have amassed and traded substantial amounts of PII in both hard-copy and digital forms. As many as 25 U.S. states have laws that require data security practices for PII within the private sector, and 35 states, including the District of Columbia and Puerto Rico, have laws that require the proper disposal of personal information. Having either operations or a PII footprint in most states likely necessitates compliance requirements for real estate enterprises. Notable is the passing of the New York Stop Hacks and Improve Electronic Data Security (“SHIELD”) Act in March 2020, which has direct influence on the real estate industry in the Northeast.

Strengthening your security posture and staying aligned with regulatory responsibilities have many benefits, including reducing the likelihood of a loss or compromise event, maintaining an admired industry reputation, and nearly eliminating possible financial penalties.

The purpose of this checklist is to help real estate enterprises better align with the modern legislative landscape surrounding PII and remain good stewards of the personal information they accumulate and use.

Safeguarding PII

Safeguarding PII is a hallmark data protection activity that is built on establishing good data governance practices. Taking a top-down approach to data protection and then building technical competency once governance is established is critical for long-term success.

Enterprise-wide Data Security

High-level governance activities that are applicable across the spectrum of real estate industry participants:

Assign ownership for the protection of your systems and data to an information security officer, IT team or third-party specialist.

Establish enterprise-wide data security policies that factor your unique data footprint and approved sharing habits.

Assign a data privacy officer to oversee your enterprise-wide data protection strategies; good options are in legal and investor relations roles.

Assemble a schedule of privacy laws and regulations that affect how your enterprise must handle data and PII.

Document and continuously update your data footprint, inclusive of electronic and physical data and records.

Create a uniform privacy policy that establishes how you will collect, store, protect and use PII to comply with applicable privacy laws.

Technical Safeguards for PII 

Four essential concepts to strengthen proper governance:

 

Collecting PII

 

Using PII

Identify all types of PII your enterprise needs, stores and uses, and only collect what is needed.

Implement and enforce principles of least privilege when granting access to PII data within your enterprise.

Identify where PII exists and know who this data set is shared with. Consider data in use, data at rest and data in transit.

Provide protection awareness training to employees and contingent labor based on sound principles for securely using and storing PII.

 

 

Storing PII

 

Disposing PII

Classify PII in terms of sensitivity and establish an acceptable use policy.

Purge old PII. Diligently delete or destroy any PII no longer needed.

Ensure that PII is encrypted, both at rest and before it is shared electronically.

Create standard procedures for removing employee access to PII when no longer required.

NY SHIELD Act 

The SHIELD Act expands New York State's prior data breach notification laws and adds several new security safeguarding requirements. Any real estate enterprise doing business with or collecting information from a New York resident is affected, creating liabilities and penalties for not installing proper safeguards to protect the PII. Penalties can range from $5,000 to a cap of $250,000 per security incident.

Although smaller enterprises defined in the SHIELD Act by size and revenue are not required to implement the entirety of safeguarding requirements, they must still implement basic controls. For enterprises with at least 50 employees, $3 million in gross annual revenue over a three-year period, or have more than $5 million in assets, the entirety of the SHIELD Act’s requirements must be translated into meaningful security initiatives by way of a robust cybersecurity program.

PII Requirements 

Safeguards detailed within the SHEILD Act are grouped into administrative, technical and physical categories. Below are meaningful data protection questions real estate enterprises can use to gauge their current level of alignment:

 

Administrative Safeguards

 

Technical Safeguards

Have you appointed a person or team to be responsible for your enterprises’ security program?

Have you installed Security Incident Event Management and Endpoint Detection and Response tools following the risk assessment? 

Do you conduct regular risk assessments to evaluate all internal, external and evolving risks?

Do you perform regular monitoring and testing of key security controls, systems and procedures?

Do you routinely address and remediate the risks identified in the risk assessment?

 

 

 

Is regular security awareness training provided to all employees?

Do you perform security due diligence when engaging new vendors?

 

 

Physical Safeguards

Have you installed controls like biometric door locks and closed-circuit surveillance cameras?

Do you apply physical security controls on data media in collection, transportation and during destruction?

Do you keep physical data files no longer than the required retention period?

Get in touch with our team to address any questions you may have related to data protection.