Cybersecurity Risks for . . . Real Estate Professionals? You better believe it.
By: Khizar A. Sheikh
Mandelbaum Salsburg
West Orange, New Jersey
We have all heard about the massive data breaches at Target, Home Depot, and more recently JP Morgan Chase. As these data breaches have grabbed the biggest headlines, the media has rightfully focused on the staggering effects on consumers and response costs for the companies. Risks associated with data security and data breaches only continue to grow, and impact a variety of industries worldwide. Cyber criminals have become more creative and their attacks increasingly destructive, targeting organizations of all sizes. These attacks can lead to costly lawsuits, as well as first-party losses and expenses, and reputational harm.
But real estate?
It seems intuitive that the real estate industry should be immune from cyber risks; however, increasing reliance upon technology within the real estate sector and the fact that real estate firms are creating, using, storing and sharing more personal and sensitive information should change that view. Because cyber risks can exist in many forms -- from malicious cyber-attacks, to negligent employees, to unmanaged data sharing with vendors -- real estate professionals must take a serious look at their cyber risk exposures and how they are managed.
For example:
Consider these examples:
And the examples could continue.
The costs associated with a cyber-incident can be significant, depending on the type and volume of data that is lost. According to the Ponemon Institute, a privacy research organization, the average expenditure to remediate data breaches for companies of all sizes is more than $8 million. In 2011, data breaches cost U.S. businesses $194 per compromised record.
Why so expensive? To investigate and remediate a breach, forensic companies must often be hired to identify the source of a data breach. These investigations can be expensive. Expenses associated with notifying individuals whose confidential information may have been compromised can also be significant. Responding to breaches may also negatively impact productivity, drawing on crucial company resources in an attempt to respond quickly and effectively. Finally, network interruption could lead to loss of income and generate unnecessary additional expenses for real estate firms that rely on their network to conduct business. Combined, these amounts can reach hundreds of thousands or even millions of dollars, damaging the balance sheets of larger real estate firms and potentially crippling smaller real estate businesses.
A number of federal and state regulators have taken an interest in cyber issues. These include the Federal Trade Commission, the Securities and Exchange Commission, the Consumer Financial Protection Board, the Department of Homeland Security, and state Attorneys General, to name a few. Hitting this point home, last July, U.S. Treasury Secretary Jacob J. Lew issued strongly worded remarks on the serious nature of cyber-incursions, in particular the frequency, intensity, and sophistication of malicious acts perpetrated by state and non-state actors. The Department of Homeland Security has even listed the commercial facilities sector as one of sixteen “critical” infrastructure sectors, the risk to which owners and operators must manage in an effort to guard the country against cyber-attacks.
The takeaway: all real estate firms that handle personal or sensitive data should ensure compliance with a myriad of state and federal cybersecurity laws regarding how to collect, store, and use this information.
Just as big a concern, however, is the potential personal and corporate liability to individual officers and directors. If we look at a high-profile case such as Target, several shareholder derivative lawsuits have been filed against the company, the gist of which is that directors breached their fiduciary duties to their shareholders/investors by not exercising enough oversight to ensure that controls were in place to guard the company against a data breach. The fall-out has been so intense that both the CEO and CIO lost their jobs.
Now, the data “of value” in the Target case is personal consumer information. But the liability risk for officers and directors extends to the protection of any commercially sensitive information, including confidential customer information, customer lists, trade secrets, competitive business information, etc., for which the directors may owe a fiduciary duty to owners, or a contractual duty to clients, to protect and to keep confidential (from both external attacks and internal/employee misappropriation/negligence).
If there is a data breach and material loss of sensitive information, investors may start asking whether officers and directors did enough to protect critical business information (both the company’s and the company’s clients’).
If you are in the real estate sector, we can help you understand the risks and potential solutions to the specific risks to your company posed by the collection, storage, and use of personal and sensitive data. To start, we can help identify the right questions you should be asking internally, and start discussing the value of having the right processes and policies in place before an incident occurs to minimize the liability that a data breach could create for your company, its officers, and its Board.
For more information about Mandelbaum Salsburg, please visit the International Society of Primerus Law Firms.