2015 Data Storage: Know the Law

The definition of sensitive client information varies depending upon location, but in general, the threshold is low. Are your data storage and destruction plans legal?

May 1, 2015

Across the country — and increasingly, around the world — there’s a patchwork of local laws dealing with data security. You may not think you have an unprotected database of sensitive client data, but something as simple as the login information for your public-facing website could get you into trouble.

“Some members [of the National Association of REALTORS®] may not realize that they actually do collect personally identifiable information in many circumstances — for example, personal checks and credit card information,” NAR General Counsel Katie Johnson says. “In California, personally identifiable information can be as simple as an e-mail address.”

Definitions of personally-identifiable information, often known as PII in the data security industry, vary from state to state. Johnson says the first step for real estate pros who want to get a handle on data storage is to understand what’s considered sensitive information and to be sure whether you’re collecting it.

In Massachusetts, for example, collecting PII entails simply obtaining a person’s first and last name combined with their Social Security number, state ID number, or financial account number (even if you don’t have the access code to the account). Theoretically, a copy of a driver’s license — which many brokers require agents to collect for safety reasons before showings — could be defined as sensitive data under such circumstances. 

Matt Cohen, chief technologist at real estate consulting company Clareity Consulting, notes that in California, even a simple database of customer login information counts as PII — and it could be dangerous in the wrong hands.

“The hacking of a simple real estate website can cause trouble, because a breach of one leads to a breach of another,” he says. “If you have a public IDX website where clients sign up to save listings with their e-mail and password … what percentage [of those clients] use the same password for their bank account?”

Of course, all businesses need to operate in compliance with data security laws in their jurisdictions, but they also must make sure they follow the rules in each client’s state of residence. The National Conference of State Legislatures keeps a log of all the state laws regarding data disposal, identity theft, and security breach notification requirements. Your local real estate association should be able to help point you in the right direction as well.

NAR has long advocated for a national data security law so that real estate practitioners would only have to worry about compliance with one law, rather than the patchwork that exists today.

“The Association believes that one national standard will help to reduce compliance burden for small businesses,” NAR President Chris Polychron wrote in a letter to Congress this January. “Any new federal data security law must be narrowly tailored to minimize the regulatory burden such a law could place on vulnerable independent contractors and small businesses.”

NAR is closely watching a pair of bills that would create a national standard for data security as they move through both houses. In the interim, the association offers a Data Security Toolkit to help members formulate their data storage plan, document retention and destruction policies, and more.

“That’s where NAR is and can be a good resource,” says Johnson. She notes that most members can handle the task on their own, though they should ask their lawyer to look it over before implementation. “Drafting a document retention policy is not fun. You just have to do it.”

How to Store Sensitive Data

Once you know what kinds of sensitive information you’re collecting, you need to make a plan for how to keep it secure. Most states require businesses to take “reasonable” steps to ensure such data be kept private. If you’re still printing off hard copies, that means restricting access to areas where such data is kept through locks and a detailed understanding of who has each copy of a key.

If you’re keeping data electronically (whether on a hard drive, server, or in the cloud), a virtual “key” is required to restrict access to the computer, server, or data storage platform it’s stored on. You should also make reasonable efforts to store documents in an unalterable format for legal reasons. If documents are requested by a legal entity and are presented in, say, a regular Word document, there’s no proving they haven’t been changed since their original use.

However, these precautions may not always be enough. The safest way to ensure that documents stored electronically are not visible to others is by encrypting it. Encryption can take many forms, but basically it is the practice of transforming data in a way that its meaning cannot be understood without the use of a confidential process or key. Learn how to encrypt data and the differing levels of protection it offers in the “Defining Security” section of this product guide.

“You probably don’t need to encrypt every single e-mail,” Johnson says. “But you need to make sure you’ve taken reasonable steps to protect personally identifiable information.”

Cohen agrees and notes that encryption is especially important when an agent or brokerage trusts an outside company to store documents.

“PII has to be encrypted,” Cohen says. “The only secure cloud document storage requires that the brokerage itself manage its own encryption key. … That ensures that [the storage] company or anyone that hacks that company doesn’t have the key.”

Getting Rid of It

The first step to assessing your document security situation is to find out what you don’t need to collect. If you don’t request sensitive data in the first place, you’ll never have to figure out how to store it. But let’s go back to that example of the copy of the driver’s license. If you decide you don’t need to keep that kind of information, but your state defines it as sensitive or personally identifiable data, you need a plan for how to destroy it.

The laws regarding data disposal are a little less patchwork in nature than those about data security and privacy. The Federal Trade Commission, the nation’s consumer protection agency, enforces what’s known as “the disposal rule,” and anyone who uses a consumer report for a business purpose is subject to the requirements. Basically, the rule covers credit reports and scores, as well as data about a person’s employment background, financial history, past insurance claims, residential history, or medical information. Businesses and individuals who gather this data have to take “reasonable” measures to ensure that data isn’t used in an unauthorized manner. Such documents — both in digital and physical form — have to be destroyed in such a way as to render them unable to be understood or reconstructed. Still, your business may be subject to local laws regarding the disposal of such data.

It may feel daunting to implement legal contingencies for data security, but Johnson says there’s an easy place for all members, no matter what size their business, to begin: “Know what you have and collect. And then know how you’re collecting it and storing it.”

Meg White

Meg White is the former managing editor of REALTOR® Magazine.