Trust is the key word used by the National Association of Realtors to describe the relationship between sellers, buyers, and the number of Real Estate professionals involved in any real estate transaction.  Real Estate Professionals must gather a variety of Personally Identifiable Information (PII) in order to perform their professional duties, and retain the data according to state requirements.

Property managers, brokers/agents, title agents, mortgage brokers, developers, and appraisers must comply with individual state notification requirements when data security is compromised.  The approximate cost of a data breach is $201 per record according to the most recent Ponemon study.

Real Estate professionals typically use portable computing devices to access their data, increasing their risk for a security breach.  The first, foremost, and most frequent cause of a security breach is the loss or theft of a personal computing device.  Phishing emails and other targeted attacks are secondary, but the frequency of these attacks is on the rise as organized criminal organizations have evaluated the Real Estate Industry as a desirable source of additional “inventory” for their sale of collected personal data.

The Payment Card Industry actively polices security breaches in order to mitigate fraudulent charges, therefore the retail sector is over-represented in breach loss data bases.  In real life and real time, the Real Estate Industry is a target for cyber criminals and must secure against targeted attacks as well as manage exposures related to paper files and personal computing devices.  Breach loss data includes the following examples:

 

  • A Real Estate management company notified an unknown number of individual housing applicants that their personal information, including names, Social Security numbers, driver’s license numbers, email addresses, and personal mailing addresses had been posted on an “unauthorized Web site”.  The property management firm retained a forensics expert to investigate the breach, sent out notification letters, and offered the affected individuals identity protection services.  At $201 per record, estimating 200 records, the approximate total cost of this breach was $40,200.
  • A rogue Real Estate broker created a false tax service company in order to access credit reports and then steal Social Security checks, file fraudulent tax returns, and pass counterfeit checks.  At the broker’s home, police found boxes of financial documents from her real estate practice including mortgage applications and HUD documents.  Estimating 2,500 records at a cost of $201 per record, the real estate agency may have spent as much as $502,500 to remove themselves from the claim and notify affected individuals.
  • A property manager’s unencrypted laptop was stolen, resulting in a $15,000 fine from the Massachusetts Attorney General.  In addition to civil penalties, the property management firm was required to limit the use of portable devices, encrypt information stored on them, and require storage in a secure location.  With the addition of defense costs and expenses incurred to educate property management staff to comply with the new procedures, estimated total costs for this incident are $102,000.
  •  A Real Estate Agency was sold to a larger firm, and in the process thousands of records dating back to 2005 were found in a dumpster.  Estimating 3,000 records, the approximate cost of this breach was $603,000.

 

While many Real Estate Professional Liability policies provide a sub-limited coverage part for defense of a security breach, the costs of notification, cyber extortion, and forensics are typically borne directly by the insured.  In addition, the limits provided are generally inadequate.  As a result, a lost laptop could easily send a smaller Real Estate firm into bankruptcy.

INSUREtrust.com, LLC is a nationwide wholesale insurance brokerage specializing in Cyber Liability Insurance and Data Security Risk Management.  Since 1997, INSUREtrust has focused on providing businesses with extended insurance coverages to mitigate security and privacy risks, as well as proactive strategies to minimize the frequency of loss.