Your business has been victimized by cybercrime, and your clients’ sensitive data has been stolen. In the weeks following the breach, you have hired an IT consultant, paid thousands of dollars to an online reputation manager and spent dozens of hours on the phone with your insurance agent. And now, when you’re finally catching your breath, a process server shows up at your door informing you that you’re being sued by your clients for exposing their data.
It might not seem fair, but the devastation caused by cybercrime continues long after a hacker has skulked away with his or her ill-gotten gains. What follows are some tips for reducing your business’ risk of cybercrime victimization in the first place, and for minimizing the prospect of legal headaches in the event that you do experience a breach.
Vet Your IT Vendors
Do your homework before contracting with any third-party IT vendors. Once they come on board, their cybersecurity practices could have a direct effect on the security of your business. Before onboarding an outside vendor, consider these best practices:
- Do your due diligence on the company. What’s their online reputation regarding cybersecurity? Have they experienced any breaches? If so, how did they handle them?
- Review all third-party contracts, preferably with your counsel, and negotiate when possible to ensure that the vendor:
  - provides appropriate security warranties;
  - indemnifies you for any harm you may suffer because of their bad practices; and
  - doesn’t try to impose unreasonable limitations of liability.
Know Your State Law
Every state has laws that require businesses to take certain data security measures. You’re subject to these laws, and you need to understand them. As a starting point, look up your state’s definition of “personally identifiable information” or “PII,” and determine your obligations regarding the storage, transmittal, and destruction of PII in your possession and control.
You should also find out what policies your business may be required to implement pursuant to state law. For example, many states require businesses to maintain a Data Security Policy, a Document Retention and Destruction Policy, and a Breach Notification Policy. Refer to the National Association of REALTORS®’ newly updated Data Security and Privacy Toolkit for more guidance.
Consider Cyber Insurance
Cyber insurance can add a layer of protection against the devastation of cybercrime. Review your current policies to determine what coverage you may currently have for cybercrime events, then talk to your insurance provider about whether additional coverage may be of benefit. In addition to cyber insurance, ask your agent about social engineering endorsements and crime riders, as each of these products offers a different kind of coverage. Understand that there are vast differences in the various cyber insurance products currently available on the market, and make sure to tailor your coverage to the particular vulnerabilities faced by your business.
Warn Your Clients About Cybercrime
Email-based wire fraud continues to be a major threat to real estate transactions. Be sure to warn your clients in writing about the possibility of wire and other cyber-based fraud. This not only helps put your clients on notice about wire fraud; it could also help you in the event of a lawsuit following a successful wire-fraud incident.
Implement Reasonable Security Practices
The best way to avoid the legal nightmare that follows a data breach is to avoid a data breach. Period. For a handy checklist of security practices for real estate professionals published by the National Association of REALTORS®, please visit: www.nar.realtor/law-and-ethics/cybersecurity-checklist-best-practices-for-real-estate-professionals.
Jessica Edgerton is associate counsel for the National Association of REALTORS®.
This column is brought to you by the NAR Real Estate Services group.
For more information, please visit www.nar.realtor.