By: Khizar A. Sheikh
Mandelbaum Salsburg
West Orange, New Jersey

We have all heard about the massive data breaches at Target, Home Depot, and more recently JP Morgan Chase. As these data breaches have grabbed the biggest headlines, the media has rightfully focused on the staggering effects on consumers and response costs for the companies. Risks associated with data security and data breaches only continue to grow, and impact a variety of industries worldwide. Cyber criminals have become more creative and their attacks increasingly destructive, targeting organizations of all sizes. These attacks can lead to costly lawsuits, as well as first party losses and expenses, and reputational harm.

But real estate?

It seems intuitive that the real estate industry should be immune from cyber risks; however, increasing reliance upon technology within the real estate sector and the fact that real estate firms are creating, using, storing and sharing more personal and sensitive information should change that view. Because cyber risks can exist in many forms -- from malicious cyber-attacks, to negligent employees, to unmanaged data sharing with vendors -- real estate professionals must take a serious look at their cyber risk exposures and how they are managed.

For example:

  • property managers, brokers/agents, title agents, developers, appraisers, multi-service real estate firms and others may have significant amounts of confidential third-party information, either in the form of personally identifiable information or confidential corporate information;
  • rental applications, credit reports, leases and rental agreements contain personal information of applicants and tenants — precisely the type of information targeted by cyber criminals;
  • real estate investment trusts (REITs), a multi-trillion dollar industry, own and, in most cases, operate income-producing real estate. Some REITs also engage in financing real estate. Depending on the REIT structure (public versus private) and type of investor (individual, corporation, etc.), information is held electronically or in hard copy by these trusts and can include tax records, federal identification numbers, social security numbers, and other confidential information.

Consider these examples:

  • Just last month, in September 2014, Essex Property Trust Inc., a Palo Alto, California-based REIT, said that certain of its computer networks containing personal and proprietary information had been breached. Essex has ownership interests in 242 apartment communities with an additional 11 properties in various stages of development or in the initial leasing phase;
  • In June 2014, Fidelity National Financial, Inc., the parent company of the Fidelity National Title Group title companies that provide title insurance and real estate settlement services, informed customers that personal information, including social security numbers and driver's license numbers, may have been lost during a cyber incident;
  • In May 2014, Pennsylvania Real Estate Investment Trust disclosed that human resources information on employees and their dependents and beneficiaries had been accessed by an unknown third party that gained access to its third-party software system used to manage HR, payroll, and benefits;
  • In March 2012, the Massachusetts Attorney General fined a property management firm $15,000 after a company laptop containing unencrypted personal information was stolen. In addition to civil penalties the company was required to ensure that use of portable devices was limited, information stored on them was encrypted, and they were stored in a secure location. The company was also required to train employees on the policies and procedures for securing and maintaining the security of personal information;
  • “We will keep your information secure.” That was the mantra on which Shawn Poole, the CEO of Employ Bridge, based his company’s reputation. But in March 2012, Employ Bridge faced liability after thousands of documents containing personal information were found in a recycling dumpster. The ensuing investigation revealed the documents were taken from the company’s office without its knowledge or permission after the landlord believed the lease had ended and had sent a cleaning crew to clean out the offices;
  • In December 2012, two people were imprisoned for running a massive identity theft ring in San Diego, California. Much of the personal information is believed to have come from stolen real estate files.

And the examples could continue.

The costs associated with a cyber-incident can be significant, depending on the type and volume of data lost. According to the Ponemon Institute, a privacy research organization, the average expenditure to remediate data breaches for all size companies is more than $8 million. In 2011, data breaches cost U.S. businesses $194 per compromised record.

Why so expensive? To investigate and remediate a breach, forensic companies must often be hired to identify the source of a data breach, and these investigations can be expensive. Expenses associated with notifying individuals whose confidential information may have been compromised can also be significant. Responding to breaches may also negatively impact productivity, drawing on crucial company resources in an attempt to respond quickly and effectively. Finally, network interruption could lead to loss of income and generate unnecessary additional expenses for real estate firms that rely on their network to conduct business. Combined, these amounts can reach hundreds of thousands or even millions of dollars, damaging the balance sheets of larger real estate firms and potentially crippling smaller real estate businesses.

A number of federal and state regulators have taken an interest in cyber issues. These include the Federal Trade Commission, the Securities and Exchange Commission, the Consumer Financial Protection Board, the Department of Homeland Security, and state Attorneys General, to name a few. Hitting this point home, last July, U.S. Treasury Secretary Jacob J. Lew issued strongly-worded remarks on the serious nature of cyber-incursions, in particular the frequency, intensity, and sophistication of malicious acts perpetrated by state and non-state actors. The Department of Homeland Security has even listed the commercial facilities sector as one of sixteen “critical” infrastructure sectors, the risk to which owners and operators must manage in an effort to guard the country against cyber-attacks.

The takeaway: all real estate firms that handle personal or sensitive data should ensure compliance with a myriad of state and federal cybersecurity laws regarding how to collect, store, and use this information.

As big of a concern, however, is the potential personal and corporate liability to individual officers and directors. If we look at a high-profile case such as Target, several shareholder derivative lawsuits have been filed against the company, the gist of which is that directors breached their fiduciary duties to their shareholders/investors by not doing enough oversight to ensure that controls were in place to guard the company against a data breach. The fall-out has been so intense that both the CEO and CIO lost their jobs.

Now, the data “of value” in the Target case is personal consumer information. But the liability risk for officers and directors extends to the protection of any commercially sensitive information, including confidential customer information, customer lists, trade secrets, competitive business information, etc., for which the directors may owe a fiduciary duty to owners, or a contractual duty to clients, to protect and to keep confidential (from both external attacks and internal/employee misappropriation/negligence).

If there is a data breach and material loss of sensitive information, investors may start asking whether officers and directors did enough to protect critical business information (both the company’s and the company’s clients’).

If you are in the real estate sector, we can help you understand the specific risks that the collection, storage, and use of personal and sensitive data pose to your company, and the potential solutions to them. To start, we can help identify the right questions you should be asking internally, and start discussing the value of having the right processes and policies in place before an incident occurs to minimize the liability that a data breach could create for your company, its officers, and its Board.

For more information about Mandelbaum Salsburg, please visit the International Society of Primerus Law Firms.