Data Security And The REIT Industry

| May 6, 2015

There have been many reported data breaches in the retail industry, but that isn’t the only industry facing cyber attacks. The Real Estate Investment Trust (REIT) industry is also a vulnerable target for cyber criminals. Due to the nature of the nature of security breaches, event eh REIT’s should put in place as much security as possible.

REIT Data Security

REIT Data Security

REIT State Laws

The definitions differ of personal information which the REITs possess comes in different forms from each of the various state laws. While each of the states statutes differ, each of them also provides a different definition of what personal information actually is. As an example in Georgia, personal information is made up of information that if accidently comprised could result in the possibility of data theft. Typically, this would include an individuals name, while also including another sensitive piece of information, like a bank account number, social security number, or another corresponding financial account number.

REIT Data Storage

Many REIT’s collect and store personal information from individuals. In the context of apartment REITs, there is a large amount of information provided by the tenant. In addition to contact information and names, lessors may require dates of birth, social security numbers, previous addresses, etc. Lessors can also maintain a tenant’s bank account, or credit card information if rent or any other fees are paid online. REITs that are made up of shopping centers often retain information from guarantors of the leases. In any lease transaction that involves an individual, it will be possible to see where the personal information may be shared, and then ultimately stored.

The obligations that are imposed on a business or individual that is in possession of personal information varies from state to state. With the majority of states, state statutes don’t create affirmative duties to protect the personal information of others. Instead, many of the state’s laws imposes an obligation that requires timely and adequate notice of any data breaches involving personal information. Recent history reflects that when the personal information of individuals is compromised, it will bring legal action for the alleged damages. The banks and credit card companies involved have also brought a large amount of recent litigation action seeking to recover the costs that are associated with repairing compromised accounts.

REIT Data Obligations

In President Obama’s recent address in the State of the Union, he published new proposals for federal laws. There are limited exception aimed at specific non real estate industries. There is not at the moment any overarching federal statute that establishes the specific protocols that have to be used with data for businesses that maintain personal information. The federal agencies have inserted themselves into the picture with the Federal Communications Commision, and the Federal Trade Commision who will both use their authority to investigate data security breaches.

The US Securities Exchange Commission has made note that under the federal securities laws, organizations might be required to reveal data security and the potential liabilities in their financial statements that they reveal to the public. This would apply when the risks meet the level of material information. According to the SEC Commissioner Luis A. Aguilar, there has to be little doubt that cyber risk vulnerabilities must also be considered as part of an organizations boards overall risk management. Any REIT must asses the risk not only from the loss of personal information regarding individuals, but also from investors that could argue the value of their investment has been undermined.

REIT Reality Of Security Breaches

In today’s data equipped world, the idea of perfect data security is a difficult proposition. While cyber attacks receive the greatest amount of publicity, there are many data breaches resulting from everyday circumstances. This can come in the form of a lost or stolen laptop containing encrypted information, or the possibility that older machines you might give to organizations as part of a reuse donation not being wiped clean, and the data being recoverable.

REIT Data Safety Measures

All REITs should consider beyond the implementation of adequate security measure, and apply these measures in advance. Briefing employees through communications channels can go a long way into avoiding any potential catastrophe. You can alert employees through meetings, email communications, and posters about the risks of poor data security and the inevitable consequences. Having a plan and proactive measures in place goes a long way to limiting any potential liability in your organization. These issues can also be addressed by hiring individuals and adopting training sessions from professionals that already understand the REIT industry, and the risks associated to unintended exposure.

REITs can find themselves in possession of consume data that is intended to remain private, and its this information that must be protected in the same way as credit card point of sale information. A cyber breach that exposed personal information could easily expose a REIT to litigations actions from not only the individuals, but from the banks, and credit card companies, and the investors in the REIT itself. Proper planning and understanding of these data security practises is essential in the digital century.



About the Author: