From Social Security numbers to credit card information, as the amount of data a brokerage generates and collects increases, so does the organizational risk of data breaches.
The consulting firm Accenture recently released a study titled, “How Global Organizations Approach the Challenge for Protecting Personal Data.” This study points out that the biggest causes of lost personal information are internal. In fact, one of the most common reasons for compromised data security is a lack of adequate policies and training programs.
The Federal Trade Commission (FTC) suggests five key principles for a sound data security program:
Take Stock: Know what personal information you have in your files and on your computers or mobile devices.
Scale Down: Keep only what you need for your business.
Lock It: Ensure that you have adequate date security protection in place.
Pitch It: Properly dispose of the data you no longer need.
Plan Ahead: Create a plan to respond to security incidents.
In November 2010, the NAR Board of Directors approved the following data privacy principles that it recommends its members follow:
Collection of Personal Information Should Be Transparent
REALTORS® are encouraged to develop and implement privacy and data security policies and to communicate those policies clearly to their clients.
Use, Collection and Retention
REALTORS® should collect and use information about individuals only where the REALTOR® reasonably believes it would be useful (and allowed by law) to administering their business and to provide products, services and other opportunities to consumers. REALTORS® should maintain appropriate policies for the reasonable retention and proper destruction of collected personal information.
REALTORS® should maintain reasonable security standards and procedures regarding access to client information.
Disclosure of Personal Information to Third Parties
REALTORS® should not reveal personal information to unaffiliated third parties unless 1) the information is provided to help complete a consumer-initiated transaction; 2) the consumer requests it; 3) the disclosure is required by/or allowed by law; or 4) the consumer has been informed about the possibility of such disclosure through a prior communication and is given the opportunity to decline (i.e. opt-out.)
Maintaining Consumer Privacy in Business Relationships with Third Parties
If a REALTOR® provides personal information to a third party on behalf of a consumer, the third party should adhere to privacy principles similar to the REALTOR®.
Throughout 2013, NAR will be inserting privacy content in all NAR-managed designations and will work with privately managed designations to include privacy content. A data privacy course is under development and will be available to NAR members online in the near future.
The NAR legal department developed a toolkit that contains guidance, checklists and samples to help you conduct a data inventory and create a privacy, data retention or data breach policy. The toolkit can be found at www.realtor.org/topics/data-privacy-and-security under the “Related Resources” section.
This column is brought to you by the NAR Real Estate Services group.
Melanie Wyne is the senior policy representative for National Association of REALTORS®.