Protect Their Privacy

With federal legislation in the works, now's the time to revisit your company's policy for dealing with sensitive customer data.

October 1, 2010

Having a policy in place for dealing with the sensitive personal information you collect from customers is more than just smart business. In most states, it’s the law, and soon, there may be a federal baseline requirement in place.

So if you don’t have a corporate policy regarding customer data—or haven’t revisited your policy in a while—now’s the time to take action.

In a survey conducted earlier this year by the NATIONAL ASSOCIATION OF REALTORS®, a quarter of REALTORS® said they collect Social Security numbers and 12 percent said they collect financial account numbers from customers.

Yet more than half of all brokers said they had no privacy policy in place, and almost 60 percent of sales associates said they didn’t know whether their brokerage had a policy.

More than 80 percent of practitioners weren’t sure whether their state had consumer privacy laws—even though nearly every state does.

State laws typically cover specific types of data, such as personal health or financial information, and spell out what businesses must do in the event of a security breach. (To see what’s in effect in your state, visit the National Conference of State Legislatures Web site.)

Hot Topic on the National Level

On top of those state laws, Congress and several regulatory bodies—including the Federal Trade Commission, Federal Communications Commission, and the U.S. Commerce Department—are working on new rules that will give consumers more control.

In the House, Rep. Bobby Rush (D-Ill.) has introduced the Best Practices Act, H.R. 5777, which establishes consumer privacy rights and sets forth obligations for companies that collect sensitive data. If the bill passes, businesses that collect names, postal and e-mail addresses, phone numbers, Social Security numbers, and information that’s classified as a “unique persistent identifier” (for example, your computer’s unique address) must include a notice that explains what information is collected, what it’s used for, and who sees it. Also, businesses must allow consumers to opt out.

Information that’s deemed sensitive—such as personal financial and health information—will be off-limits to you unless you get permission from your customer. Financial account information falls into this sensitive category.

How Can I Prepare?

The federal legislation is expected to move forward in 2011. But whether or not a new law results, privacy measures are likely to come out of the regulatory agencies. In the meantime, there are some common-sense steps you can take to get your policies in better shape.

The Federal Trade Commission says a sound data security plan is based on these five principles:

1. Take stock.

What types of customer information are in your paper files and on your computer? You probably have bank statements and forms with clients’ Social Security and driver’s license numbers. Understand how this information moves into, through, and out of your business.

2. Scale down.

If you don’t have a legitimate business reason to have sensitive information in your files or on your computer, don’t keep it.

3. Lock it.

Be aware of physical security, electronic security, and the practices of your vendors. Decide which information should be password-protected and who can access it.

4. Pitch it.

Dispose of what you no longer need, but do so in a secure way. Documents containing personal information should be destroyed.

5. Plan ahead.

Create a plan for responding to security incidents. How will you notify people? What agency will you notify? What other actions will you take?

The best time to start crafting a data security plan is the present. For more FTC resources on strengthening your policy, visit

senior policy representative

Melanie Wyne is a senior policy representative for the National Association of Realtors®. She can be reached at