Data security laws coming to a state near you

July 27, 2005

Real estate industry learns how to thwart potential public relations disasters

By Jessica Swesey
Inman News

SAN FRANCISCO – Coming to a state near you: privacy laws. Data breaches at major information houses this year have put consumer data protection high on everyone's radar, and the real estate industry is watching closely.

"Ninety-eight percent of Americans are concerned about data protection," said Darity Wesley today during a real estate IT security workshop as part of Real Estate Connect 2005. Wesley is an attorney who has focused on privacy issues and now works as chief privacy guru at Privacy Solutions, where she helps companies create and enforce policies to protect sensitive customer information.

Wesley noted the national attention that's surrounded major data breaches around the country this year at ChoicePoint and other companies. "It's going to be one of us in the not-too-distant future," she said. "And when it happens you're going to have to notify people."

Real estate companies house all sorts of sensitive consumer data, from intricate financial information to what hours people selling their houses are away from home to allow for showings to prospective buyers.

Sixteen states have already passed some form of information protection law that requires companies to notify customers when their data has been lost or stolen, Wesley said. They are Arkansas, Connecticut, Delaware, Florida, Georgia, Illinois, Indiana, Louisiana, Maine, Minnesota, Montana, Nevada, North Dakota, Tennessee, Texas and Washington.

New York, New Jersey and North Carolina have information protection laws awaiting their governors' signatures. And an additional 14 states have introduced similar bills. They are Alaska, Arizona, Maryland, Massachusetts, Michigan, Missouri, Ohio, Oregon, Pennsylvania, Rhode Island, South Carolina, Virginia, West Virginia and Wisconsin.

Real estate companies should be looking into creating and implementing information protection policies within their organizations if they haven't already, and Wesley said that a good starting point is to look at your state's notification law. "Look at what your state has passed and start basing your policy on that," she said.

According to Wesley, some basic elements of a company's information protection policy should define: who in the company can have access to sensitive information; how sensitive information is to be stored and transmitted (i.e., is it encrypted, archived or unencoded?); which systems store sensitive information; what levels of sensitive information can be printed on physically insecure printers; and how sensitive information is to be removed from systems and storage devices.

Policies also should define what constitutes sensitive information and provide guidelines for gauging the "sensitivity" levels of that information, Wesley said.

"Failure to establish proper IT policies and procedures creates a void," Wesley said. The company is left with no framework for handling sensitive data and potential breaches.

Some audience members asked for advice on good methods to convey to their clients the value of security measures. Wesley replied that education is key and said that she often uses examples of identity theft to get the message across because people can relate to that on a personal level.

Education should not be restricted to clients and business partners, though. Wesley stressed the importance of educating management from the top down.

Matt Cohen, chief technologist for Clareity Consulting, which sponsored the security workshop, also said that it's important for high-level management to be educated on security issues because they are the ones who will have to push for it from their technology vendors. Cohen said he talks with software vendors all the time that provide systems for real estate companies and they say they aren't working on data protection features because no one is asking for it.

The bottom line, Wesley concluded, is that when real estate companies understand and implement IT policies and procedures, it provides a shield from possible public relations disasters and from potential liability, "both of which are critical to a continuation of your business and trust from consumers."

Copyright 2005 Inman News

Contact ALTA at 202-296-3671 or