Home » Community » Groups » Alternative Business Models

Is Real Estate the Next Big Target?

Posted in Alternative Business Models By , Monday, July 28, 2008.

IDENTITY THEFT AND THE STEALING OF CONFIDENTIAL DATA

“Identity theft is one of the fastest-growing crimes in the nation - especially in the suburbs,” says Congresswoman Melissa Bean. The FTC receives over 250,000 reports of identity theft every year and USA Today reported that in 2007 an estimated 260 million records were stolen - that amounts to 8 records stolen every second of every day.

In real estate this is also a growing concern. Here are three possible vulnerable areas of our industry that I see:

1. Many real estate brokerages and professionals DO NOT make it a priority to protect the personal information they obtain.

2. Many MLSs and Realtor® Associations DO NOT have an effective Identity Theft Protection Plan in place.

3. Many consumers who have significant equity in their homes DO NOT realize that they are exposed targets for Identity Theft.

HOMEOWNERS

According to a recent report from the Identity Theft Assistance Center, a nonprofit industry group, home equity lines are a favorite target because they are almost as easy to open as a credit card account. Perpetrators pose as homeowners to establish home equity credit accounts online, send a fax to the bank requesting a wire transfer of funds to a different account, then receive a call from the bank to verify the request, and the money is wired out. Fairly easy. Therefore, homeowners that have significant equity are advised to frequently check their credit reports.

ASSOCIATIONS

A man walks into a REALTOR® Association, past the busy receptionist and plugs his laptop into a network jack – minutes later he’s taken the membership database and all the software he wants. Yes, this really happened. Security has become a major concern and breaches at an MLS or REALTOR Association can happen on multiple levels (the front door, any windows, the back door, etc.) - at any time says Matt Cohen, VP at Clareity Security. The first step in protecting data is to have a security assessment performed and to perform regular ongoing checks.

REAL ESTATE PROFESSIONALS

As real estate professionals many of us deal with confidential data every day. Additionally, much of that information is now being published somewhere on a website and thus we have opened a gateway to a server or maybe into the company’s database itself. Most real estate brokerages and agents do not have sophisticated systems or encryption programs. So what do you do? A good checklist that I have seen identifies all of the areas where agents touch or are allowed access to a customer’s information. Once a list is established, systems and controls can be established to protect the data at each of those places.

SOME RECOMMENDED PRACTICES

My 2008 edition of the annual Swanepoel Trends REPORT lists a simple seven point plan real estate professionals can use as a guideline. Here is a synopsis of it:

1. Only hold the personal data you need. Nonessential data can be a liability rather than an asset. Do you really need customers' Social Security numbers and credit card numbers forever? Avoid gathering nonessential personal data, archive it after use rather than storing it in readily accessible customer master files, and discard or archive data for inactive accounts.

2. Keep personal data secure. Store all data securely and preferably in encrypted form. Avoid storing personal data on laptops and mobile devices. Limit access to only those who need it. Have a full audit trail of who accesses each record. Restrict large-scale downloads and monitor employees for unusual access volume or timing.

3. Do what you say you'll do. Only promise employees and customers a level of personal data security that you can deliver. Whatever you promise, ensure you adhere to it.

4. Make security a priority with your employees. Background checks are essential on all employees who will have access to personal information. This will not guarantee that you will be protected from employee theft - studies show that employees who commit white-collar crime tend to be first-time offenders - but it will help protect you from predatory employees.

5. Don't forget your vendors. If you use vendors to process or store personal data, ensure that their data security measures at least equal yours. Require those vendors to sign nondisclosure agreements to protect that data. Insist on periodic security audits and vulnerability assessments to make sure your data is being securely handled.

6. Test your plan. Once you've put in place appropriate measures, have internal auditors or independent data security experts test them periodically, looking for holes. It’s better for you to find them before someone else does.

7. Plan for the worst. No matter how good your information security system is, there is always the potential for a breach. If a worst-case scenario occurs, be ready to deal with it quickly. Have a written response plan in place to deal with data recovery, customer notification, public relations, and legal issues.

COMMENTARY

Identity theft is real. Don’t ignore it.

Do you have any examples of Identity Theft in the real estate industry that you can share with us or any system or vendor that has helped you in addressing and solving these types of challenges?

You must login or register to post a comment.

 
Submitted by on July 28, 2008 - 9:51am.

I think this is such a huge issue that agents need to not only "secure" the data as you say above. But also realize that a whole sales process could be wasted if they do not get the prospect involved very very early on. I just uploaded a podcast on the subject last night in fact.
http://www.houseblogger.com/houseblogger/2008/07/fico-scores.html

Additionally, by understanding what is available to the agent, the agent can use the education as a way to gain competitive advantage.

 
Submitted by Brian Bell on July 28, 2008 - 11:58am.

Security is my forte. Having spent many of my professional I.T. years in security consulting and healthcare I cannot express what an important topic this is.
The issue of security goes far beyond the realm of protecting your client’s data.
What about YOUR data? Is it safe? Is it protected? We will get into your data and the MLS shortly… But first……..
(As any good engineer, I am not going to post my secrets to a public forum but I will offer my opinion and always feel free to contact me via email.)
There are so many aspects of protecting your data and your client’s data that it is too complex a subject to get into on a short post. The standards are there. Do not use system default passwords, disable guest accounts, use complexity rules to password protect your laptop and any PC where any information is stored, use a good firewall (The SPI (Stateful Packet Inspection) firewall that came with your $49 Linksys router and the default Windows does NOT count… Sorry.. However by all means, USE THEM FOR A FIRST LINE OF DEFENSE), Never store passwords and never store any type of financial information on a laptop. Those free Napster and Limewire (P2P or Peer to Peer) software programs for the quick free music? Delete and destroy them.. It does not matter how good or careful you are… Someone will always be better. Antivirus… Anti-Spyware… Use them both. Keep your program AND definition files up to date daily. Run a scan daily.. . Windows Updates.. Set your computer to look for them and install them daily. Do not share your information with unfamiliar web sites. SET UP ENCRYPTION on your wireless router and if you are a business, use encryption, mac address filtering and do not broadcast your SSID.These are just some things that should become a daily part of your life in order to keep your identity safe.
So let’s get back to YOUR data… What is it that I am referring to?
Let’s look at your MLS for a minute. How are you paying your dues? If it is not cash, chances are that not only is that information being transmitted over the internet or other means of electronic transfer, but is also being stored on a computer or server somewhere.
In the case of a business, those Linksys, DLink, etc.. “home-type” routers with built in firewall are not acceptable means of protection at all. Let me emphasize the words AT ALL……
Being an operating business entity exposes you to risks and liabilities a bit further that the average broker. With the electronic collection of any type of information, a business falls into the necessity to become PCI or Payment Card Industry, compliant. (See the PCI Industry page at https://www.pcisecuritystandards.org/security_standards/pci_dss.shtml )
There is a good chance that there are several MLS operators that have little to NO protection thus exposing YOUR data to the entire world. For that matter, there are many business entities NOT related to Real Estate that are doing the same. Your personal data is exposed, and you ARE at risk.
We cannot change many things, but as a member of an MLS, you DO have a voice.
An MLS that processes payments in an electronic form should be using a commercial firewall WITH IPS or Intrusion Prevention System. That firewall and IPS should be checked for updates weekly.
Your policies for network protection are mandatory but they are not enough.
As long as a business is doing everything that can in a reasonable manner to protect your data, you should be fine. If you are a small MLS and cannot afford equipment such as a Cisco ASA or PIX, or Secure Computing’s “Sidewinder”, there ARE other alternative and feasible solutions. SonicWall has a service for small businesses that will suffice as well. There are many other brands and services, but Cisco and Sidewinder are protecting your data at your banks and through the government. Trend Micro, Symantec, etc.. all have their own solutions, but I am a diehard Cisco and Sidewinder fan. They work and they work well.
Firewall, IPS, Encrypted and filtered Wireless, Password Complexity and time rules, Access, IT and Network Policies Antivirus, Anti Spyware, and Operating System updates are no longer an option for anyone of us, especially not at the business-level. They are now an integral and necessary part of our every day lives.
That is my bottom line without running into a two hour lecture. As long as you and your MLS are doing what they can to protect your data, that is all that you can do and in the long run, educating yourself and going the extra mile to put precautionary measures in place is what will be your identity salvation.

Brian Bell
Chief Technology Officer
Wilmington Regional Association of REALTORS®, Inc
Wilmington Multiple Listing Service
REALTORS® Commercial Alliance of Southeastern North Carolina
and....
2008 Vice Chair - RESO/RETS Education Workgroup

 
Submitted by on July 28, 2008 - 4:04pm.

Great comments Brian. Thanks for your meaningful contribution and detailed insights.
Stefan

 
Submitted by Erin Tallant on July 29, 2008 - 5:56pm.

Thanks for the enlightening information!

 
Submitted by Jim Marks on July 29, 2008 - 6:01pm.

Simply WOW

 
Submitted by Debbie Ferrari on July 29, 2008 - 6:59pm.

Hi All:

Speaking of data security...what about storing and disposing of HARD COPIES of client files?

Most agents, if they are like me, have a garage or storage place with banker boxes of my home sale transactions from years past. I keep MY set, even though my realty office keeps and stores their master set for each transaction, because what if they LOSE their set and some law suit or worse arises later?

While these transaction files of mine are under lock and key---likely only a big bolt cutter away from being stolen---at least they are not in a heavily public traffic location.

I have been putting off disposing of my 15 banker boxes of files because I am too lazy to go shred all of them and am reluctant to pay a firm to do it for me (and who says that FIRM can be trusted?)

I was thinking of disguising the banker boxes each in its own black, bio-degradeable trash bag, drive them to our local trash dump, unload them just in front of the bulldozer that pushes trash into a hole in the ground, and watch the bags being covered over....THEN I would feel that they've been protected from prying eyes.

It seems to me that this is a pretty airtight way to dispose of old files...in a landfill where they will oxidize back to a fibrous soil in a few years.

If you give me some good ideas about this, I will post them on my web site at www.DebbieFerrari.com and on my blog at http://blog.DebbieFerrari.com as a service to not just Realtors, but to the home buyers of Orange County, CA properties who are starting again---thank God---to visit my site as they sense incredible home ownership bargains to be had in our area right now.

Yes, yes, I know I should just sit down and feed all the files into a shredder...and I will for the next batch.... And yes, we now get a CD of each transaction, but, everyone, please share with me your approach to dealing with HARD COPIES of accumulated & outdated client transaction materials.

Thanks so much,

Debbie Ferrari,
For South Orange County, CA
http://www.debbieferrari.com
E-mail: Debbie@DebbieFerrari.com
TOLL FREE: 888-547-2942
Cell: 949-463-4111
Play my video: http://www.debbieferrari.com/deb.html

 
Submitted by Pasadena Real Estate Agent on July 29, 2008 - 7:20pm.

I have not heard this topic in a long time and I think that is one of the most important in our field as so much personal information is exchanged. (Debbie quick questions do you like to speed :)in the Ferrari?)
Regards,
The Manzo Team
RE/MAX Tri-City

Remax Pasadena

626 296-2900

Pasadena Real Estate | Pasadena Realtors |

 
Submitted by on July 29, 2008 - 9:04pm.

Debbie-
When I really want to be sure I use my fireplace. It makes a mess but you know its gone.
Tim

 
Submitted by Brian Bell on July 30, 2008 - 6:28am.

Good morning fellow old paper document destroyers of the world....
Going through trash (yes even at the landfill…..) is one of the primary ways identities are stolen.
If you have paper records, it would seem reasonable that if the information got out in any manner you could indeed be liable.
I think “green is the way to go”, but before those papers get tossed, shred them with a “cross-cut” shredder available from and office supply store.
Alternatively you can hire a company to come on site and shred your paper documents and certify in writing that the “said documents” were destroyed.
Cross-Cut shredding is the only way outside of burning to securely destroy documents…

Brian Bell
Chief Technology Officer
Wilmington Regional Association of REALTORS®, Inc
Wilmington Multiple Listing Service
REALTORS® Commercial Alliance of Southeastern North Carolina
and....
2008 Vice Chair - RESO/RETS Education Workgroup

 
Submitted by Jed Lane on July 30, 2008 - 8:50am.

We have liability on this issue. Shred any document that can be used in ID theft. Obvuiously not everyting needs to be shredded but any identifier peices like copies of earnest money checks, Firpta forms, bank statements etc.
Just a point, I've been told by legal counsel that agents should not maintain their own file. It is the brokers responsibility and does you, the agent no good to have a seperate file.

Jed Lane GRI
Broker, Sales Manager
Star Real Estate Brokerage
http://www.FogCityGuide.com
415.425.9810

 
Submitted by Pasadena Real Estate Agent on July 30, 2008 - 10:23am.

Tip if you don't have a shredder wet them and they will be harder to read or separate.
Regards,
The Manzo Team
RE/MAX Tri-City

Remax Pasadena

626 296-2900

Pasadena Real Estate | Pasadena Realtors |

 
Submitted by on July 31, 2008 - 1:58pm.

Friends, in today’s business document shredding has become essential.

There are two main options: on site or off site. On site is often considered the safest but using a trusted oof site shredding company is also a great solution.

There are many professional shredding services and you can do a Google search for “Document Shredding Services” or “Certified Document Destruction” and you will find many options.

When choosing a shredding company make sure they are trustworthy. One place to start is to see if they are a member of the National Association for Information Destruction (NAID).

Stay safe.

 
Submitted by on July 31, 2008 - 2:09pm.

Our Hawaii MLS companies have been very good with requiring and enforcing data protection for our real estate website. And if they're doing it with our company, I'm sure they're doing it with everybody else.

Also, as Stefan suggested, we only store data we will actually use. This does take some extra work when we decide we want to add another field to our database. We actually have to go back and download all the data again (or request from our MLS if it is an ftp feed), but I think it's worth the extra security.

--
Justin Britt
Head-Web-Head
Hawaii Life Real Estate Services, LLC
Kauai real estate | Real Estate Marketing

Advertise with Inman