Property managers, real estate brokers, and developers are facing a new and growing threat to their businesses: loss of valuable electronic information provided by tenants, prospective purchasers, and even their own employees. The pace of regulatory and enforcement paradigms is changing rapidly; in April 2019, the New York State Department of Financial Services (“DFS”) announced that its new Consumer Protection and Financial Enforcement division will combine with its Financial Frauds and Consumer Protection division. Amongst other matters, the new division will have a “…particular focus on the review and response to cybersecurity events…” according to the acting DFS Superintendent.
Property managers and real estate brokers receive a tremendous amount of personal and consumer information. This data must be received, stored, transmitted, and monitored by full-time employees as well as by a network of independent contractors with only limited supervision and varying levels of technology awareness. Digital information is easier to lose or misdirect than paper, and criminals are increasingly targeting the real estate industry because of the valuable data that can be gleaned and sold on the Dark Web at a great cost to clients and a firm’s reputation.
Real estate applications and leases are a veritable treasure trove of information criminals can use to create false identities, fraudulent bank and credit card accounts, and even false tax returns to steal consumer tax refunds from the IRS. The attractiveness of this data is one reason why, in 2018, the real estate industry ranked second in frequency of cyber attacks, ahead of pharmaceutical, engineering, and manufacturing. In 2017, the FBI estimated losses to the real estate industry from cyber attacks at approximately one billion dollars.
Yet, the risks of losing personal and financial information go beyond criminal activity. Failure to implement strong workplace policies and training on the threats posed by lack of encryption of financial information, use of public WiFi to transmit driver’s license and Social Security numbers, and lack of testing of the security of office servers can also result in business reputation losses and costly legal proceedings.
Legal exposure can include law suits, Attorney General investigations and penalty proceedings under the New York General Business and Technology Laws, costly notices to clients, and even license revocation or suspension under New York’s Real Estate Law. Business risks abound as well. Millennials, citizens of Europe, and citizens of other areas with strong privacy and cybersecurity laws are increasingly asking co-op and condo boards, property managers, and brokers about how they will secure vital financial information. An unsatisfactory answer may well result in the tenant or prospective purchaser deciding to move or invest elsewhere.
A strong cybersecurity and privacy program, framed by legal advice about the governing regulations, can reduce cyber risks and enhance reputation as a forward-thinking, concerned manager, broker, or developer. Being a market leader in technology and security can turn your legal compliance initiative into a significant marketing advantage.
If you have questions about how to harden your cyber defenses and turn those defenses into a business advantage, please contact Kenneth N. Rashbaum and Steven Ebert.