Cybersecurity’s Role in Big Data

Big data on market trends doesn’t necessarily have a negative impact on the real estate industry unless the information compiled is invalid and used to wrongly advise clients/investors, Morgan Stewart, an attorney with Manly, Stewart & Finaldi, tells Real Estate Forum. But data collected on clients or consumers, however, is a whole other story. “Real estate brokers, property managers, mortgage brokers or any other industry entity that collects information on individuals or businesses are legally responsible for protection of information collected.”

Stewart says security breaches of sensitive information can not only damage a company’s reputation and the confidence of its clients and employees, but it can also be costly. “Both state and federal agencies hold businesses that collect consumer information accountable for protecting that information, and noncompliance subjects a business to heavy fines. Therefore, you should clearly understand the extent of your legal responsibility to safeguard a tenant’s personal information. The Federal Trade Commission Act, for example, requires businesses to protect and properly dispose of information they collect.”

The result of the Gramm-Leach-Bliley Act, the FTC’s Safeguard Rule requires financial institutions, as well as business that provides financial services or products—even tax preparers, real estate appraisers and property managers—to have measures in place to keep customer information secure, Stewart elaborates. “Failure to comply with this rule carries civil penalties of up to $10,000 per violation for officers and directors personally liable, and up to $100,000 per violation for a business. Having disclaimers against guaranteed protection of customer information is not a defense.”

Additionally, the FTC’s Disposal Rule applies to any business or individual that uses a consumer report for a business purpose. “This rule requires businesses to take appropriate measures to dispose of sensitive information,” says Stewart. “Noncompliance results in a $50,000 fine. For example, if a landlord throws a consumer’s credit report in an unsecured dumpster or a business computer containing a consumer’s credit report, social-security number or other identification, credit card or banking information is stolen, the landlord can be fined.”

Under both FTC rules and state consumer protection and privacy laws, fines can be levied regardless of whether the compromised information results in an unauthorized use, Stewart points out. “So, unless your customers’ personal information is scratched into ledgers with quill and ink or maintained on a non-networked computer—an avenue taken by many companies—it is critical to shred paper documents and ensure business laptops and other technology have encryption software that protects consumers from identity or financial theft.”

There are various areas of vulnerability with big data in the real estate industry, according to Jorge Rey, director of information security and compliance for CPA firm Kaufman Rossin. “In some areas (e.g., multifamily investments), property managers may obtain sensitive information—such as financial accounts, credit reports and governmentissued documents—from their tenants or potential tenants. Property managers may store and/or maintain information that could be targeted by cybercriminals (e.g., driver license, bank accounts, address or credit reports). Currently, cybersecurity is a concern in the commercial real estate industry, but is generally not being prioritized as a high risk in the way that some other industries, such as financial services and healthcare, have been managing that risk. As such, commercial real estate companies that have not considered cybersecurity risk as a top priority may find themselves ill prepared to detect or prevent data security incidents. As the sophistication of cyber criminals continues to increase, the companies within the industry should respond accordingly and consider ways to bolster their defense against cyber threats.”

Cybersecurity is critical for any and all transactions involving the transfer of financial and confidential, proprietary information (as well as other types of information, which may not play a role in a CRE transaction), Michelle Schaap, a member of Chiesa Shahinian and Giantomasi’s media and technology, construction and corporate and security practices, tells Forum. “In some cases, a firm’s acquisition, sale or lease of property may be part of a larger transaction—which could have positive or negative connotations for parties beyond the real estate component. While the ultimate deal closing may be of public record (by the recording of a deed or lease), keeping this information confidential until the time of the closing may be critical to either or both parties to the transaction—and is likely a requirement in the deal documents.”

For example, if a firm is planning to close its operations in a specific location, advanced notice of the pending sale of the offices may create issues for that company, Schaap says. “If a company is expanding into a new market, it may want to keep this information confidential until it is prepared to announce the move publicly. And if the real estate deal is part of larger transaction, e.g. the sale of a company, confidentiality prior to the closing may be paramount.”

Were either side of the transaction or its advisors to experience a cybersecurity “event,” the use of this confidential information by a third party could materially adversely impact either or both parties to the transaction in a variety of ways—including its stock (if it is publicly traded), its customer relationships and its employee relationships, where an office closing had not yet been announced, Schaap points out. “A breach may also reflect a broader security issue which could impact a larger overriding transaction, such as a merger.”

Further, where payment instructions are transmitted electronically, cybersecurity is paramount, Schaap adds. “There have been several cases involving the loss of closing proceeds due to false wiring instructions after the original electronic transmission of correct wiring instructions. Using insecure means to transmit or confirm wiring instructions opens the door to a bad actor accessing credentials or information and then sending new instructions that seem to be authentic. Too often, people accept such changed information without verifying the source by telephone, thus allowing millions of dollars to be stolen through reliance upon misinformation.”

Schaap adds, if the real estate transaction is, in fact, part of a larger transaction, and one of the parties has a security breach, it would likely need to be disclosed to the other party, which could significantly impact the deal terms and purchase price.

Jorge Rey, CISA, CISM, is a Cybersecurity & Compliance Principal at Kaufman Rossin, one of the Top 100 CPA and advisory firms in the U.S.