Cybersecurity and data privacy have not traditionally been high on the list of concerns for commercial real estate firms. Key developments in CRE, advances in technology, and a continuing proliferation of cyber threats, however, are changing that. Data breaches like those experienced by Essex Property Trust and Fidelity National Financial confirm that the CRE sector is not immune from the dangers posed by cyber criminals seeking to steal personally identifiable information (“PII”). And as CRE firms increase their use of internet-connected technologies in building systems, they must contend with “cyber-physical” risk – risk of property damage or bodily injury that is created by cybersecurity threats to those building systems.
These risks can lead to potentially enormous legal and financial exposure for CRE firms: according to the 2016 version of an oft-quoted annual study conducted by the Ponemon Institute LLC and sponsored by IBM, the average total cost of a data breach for companies in the United States is currently $7.01 million. That total cost can include investigation and remediation costs, legal expenditures and regulatory fines, among others.
Total elimination of this legal and financial exposure arising from cybersecurity and data privacy risk is impossible. But by taking proactive steps to identify, mitigate and manage its cybersecurity and privacy risk, an organization can substantially reduce both the likelihood and impact of cybersecurity and data privacy incidents. This two-part series will describe 10 concrete actions any CRE organization can take to better position itself to weather the next cybersecurity storm.
- Make Cybersecurity and Privacy Organizational Priorities – Not Just an IT Problem. It’s often said that cybersecurity is a team sport. The same is true for data privacy. The maxim speaks to the fundamental truth that protecting against cyber-attacks and privacy incidents isn’t only a problem for information technology personnel – it requires cross-functional coordination and collaboration throughout the organization. Teams tasked with securing a company’s systems and data must cooperate and collaborate with system administrators, business users, and legal and risk management personnel.
Thus an important first step in reducing cybersecurity and data privacy risks is getting agreement from key stakeholders in the organization that: (a) those risks exist; and (b) addressing them is an organizational imperative. While the company’s information technology group can lead the effort, the involvement and support of the greater organization is critical to the success of any cybersecurity and data privacy initiative.
- Take Stock of What Data You Hold – and Why You’re Holding It. To protect PII and other sensitive information the organization must first have a clear understanding of what’s been collected and why. It’s therefore critical to create an inventory of the data the company holds and uses in its operations. That inventory should include, at a minimum, (a) a detailed listing of the data the organization collects and stores; (b) the purposes of collection and storage; and (c) the applications and systems used to access or store it.
The inventory should account for all potential systems and storage locations, including servers, desktops, laptops, mobile devices, flash drives and digital copiers that are owned and controlled by the organization. It should also account for systems and applications operated or controlled by vendors and suppliers. Finally, it should include, if relevant, employee-owned devices, like laptops and smartphones, that are used for business purposes.
- Understand and Evaluate the Legal Obligations that Apply to Your Data. Once a data inventory is prepared, the organization should carefully determine what legal obligations apply to the data. Those obligations can come from contracts with third parties and from state and federal data privacy and security laws. Understanding those obligations will enable the organization to properly assess the legal and financial exposure it could face from a data breach.
The specific legal obligations that apply to the organization’s data will vary based on a variety of factors. These include the location of the organization’s operations, the residency of the individuals to whom its data relates, the particular business activities of the organization, and the commitments made to employees, customers, and business partners in agreements or public notices. Companies that collect and process payment card information, for instance, are contractually (and in some states statutorily) bound to comply with the Payment Card Industry Data Security Standard. And companies that collect social security numbers, drivers’ license numbers, financial account numbers, or similar sensitive data from individuals can be subject to any of 47 different state breach notification laws that require the organization to notify individuals if their data is compromised.
- Evaluate the Risks Presented by Connected Building Systems. CRE companies should pay particular attention to the risks presented by internet-connected building systems. These systems can include HVAC, building security, CCTV, fire alarms and elevators. Attacks on those systems can endanger customers and employees, or lead to costly damage to other systems and equipment. Dan Bilefsky of the New York Times recently reported on an incident at an Austrian hotel in which attackers infiltrated the hotel’s electronic key system and locked guests out of their rooms. And in 2010 a hacker was convicted in Texas of various federal offenses for obtaining remote access to a computer that controlled a hospital’s HVAC, and was thereby able to modify the facility’s temperature and endanger patient health and temperature-sensitive drugs and supplies.
These incidents show that CRE companies should exercise caution when implementing connected building systems. If the organization hasn’t already, it should assess any security risks that are inherent in the systems themselves, and any risks that could be created by connections between those systems and other company or tenant-owned information technology systems.
- Design and Implement a Comprehensive Written Information Security Program. Once the organization understands the data and systems it must protect, it should then proceed to prepare and implement a comprehensive written information security program. The program should detail physical, technological and organizational security controls reasonably chosen by the organization to protect those systems and data in light of identified risks. The scope and content of the program will vary according to the organization’s unique characteristics, but as a starting point organizations can look to free publications such as Start with Security: A Guide for Business and Protecting Personal Information: A Guide for Business, both published by the Federal Trade Commission, and the Center for Internet Security’s Critical Security Controls for Effective Cyber Defense.
Part two of this series will explore five more concrete actions organizations can take to reduce their cybersecurity and data privacy risk.
Alex Pearce is an attorney with Ellis & Winters LLP in Raleigh, North Carolina. His practice focuses on Privacy and Data Security law.