Data Security is the Law

Make sure your brokerage is following state laws when it comes to keeping clients’ sensitive information safe.

August 11, 2015

Most cybercrime experts say it isn’t “if” your data will be breached, it’s “when.” And real estate brokers must understand that securing data isn’t just good business practice — it’s the law.

Today, 47 states have data security and privacy protection laws on the books to safeguard consumers and businesses when breaches occur (Washington, D.C., Guam, Puerto Rico, and the Virgin Islands also have laws).

Melanie Wyne, senior technology policy representative at the National Association of REALTORS®, says these state laws typically explain what constitutes a breach, how businesses or organizations should notify their clients when a breach happens, and whether there are any exemptions to the law. These laws also describe what kinds of personal information must be secured, such as social security numbers, driver’s license numbers, and financial account information.

Wyne says the laws may vary but that there is one common denominator: “What’s true for all the state laws is that they require having encryption on any personal data.”

According to the Electronic Privacy Information Center, Massachusetts’ data breach notification law is one of the most comprehensive in the country. It establishes minimum standards that any person, agency, or entity that owns or licenses personal information on Massachusetts’ residents must meet and requires the implementation of “a comprehensive information security program.” Some of the other requirements include security training for employees, secure storage, protocols for strong user authentication, prevention of terminated employees from accessing records containing personal information, and annual reviews of the scope of security measures.

Other states such as California and Florida require businesses and other entities that own or license personal information to “take reasonable measures” to protect this information. Wyne says there is a third level of protection offered by other states that “really only covers what you need to do to notify consumers when a breach is discovered.”

To this day, there is no federal “Consumer Privacy Bill of Rights” to protect Americans from data breaches and mishandling of their personal information. NAR has been trying to help to enact one for years. “We thought we were getting close,” Wyne says. “But because of the legal landscape, we haven’t been able to yet.”

Unfortunately, many business owners aren’t aware that there are state laws that apply to data security, Wyne says, and they don’t know they have liability if a breach happens.

Wyne suggests that if you do collect sensitive information, it should be password-protected, with all the security firewalls in place, and that you always shred outdated physical documents.

Being safe rather than sorry is the best route since brokers are susceptible to lawsuits if a breach does occur, says Jessica Edgerton, NAR associate counsel. “You need to do everything you can to protect your client and their information,” she says.

Your state’s attorney general can bring a suit against you or your company for actual damages or civil penalties up to $10,000, Wyne says. It also will cost you to notify all those affected by a breach, not to mention the damage it can do to your reputation — and no one can put a price on that.

Broker-to-Broker is an information network that provides insights and tools with business value through timely articles, videos, Q&As, and sales meeting tips for brokerage owners and managers.


Lee Nelson

Lee Nelson is a freelance journalist from Illinois. She writes for several state REALTOR® association magazines and has written for Yahoo! Homes and TheMortgageReports.