Shhhh. Don't say anything. Maybe if we don't talk about the potential for data breaches in the apartment industry, the identity thieves won't know we're here.
That seems to be the attitude among apartment operators when it comes to data security and the potential for resident information being compromised or stolen. In the wake of more than 40 million credit and debit card numbers being compromised during the holidays at retail giant Target, as well as other personal information for about 70 million of its customers, apartment operators seem nervous about the possibility of the multifamily industry being the next target, albeit with a small "t."
From a criminal perspective, it certainly seems attractive: Multifamily operators store not just credit card data about their residents, but Social Security numbers, previous address information, and often date of birth: the holy trinity of identity theft.
"That's all manna from heaven for data thieves," says Scott Wiener, senior vice president of information technology at Santa Barbara, Calif.-based multifamily software provider Yardi Systems. "Multifamily operators need to take their responsibility seriously."
The prevalence of that kind of data in apartment operators' systems seems to scare the bejesus out of them. For example, one executive at a major apartment REIT who is a frequent contributor to best-practice articles told us, "I know it sounds silly, but I need to check with our attorney to make sure he is OK with me doing an interview on this sensitive subject before I commit." When pressed, the executive replied, "Sorry, but I have to pass on this one."
Another leading REIT that prides itself on being a technology leader declined to comment for this article as well, saying it needed to prepare for an earnings report that was a week away. And while the National Multifamily Housing Council (NMHC) has diligently promoted best practices and informational articles on the topic since at least 2011, its members have been reluctant to talk publicly about what they're doing to protect their data.
The industry's mum lips may well make sense; after all, there's no use in tipping off the bad guys about what we're doing to stay ahead of their game. Then again, the potential for identity thieves to mine multifamily's treasure trove of personally identifiable information also means the industry will have to be very cautious, indeed, to not end up as the next major headline.
"The danger of writing this article is that, quite frankly, it could very well show how vulnerable multifamily housing is," says Sam Richter, an online reputation management expert who delivered a keynote to NMHC's annual OpTech Conference this past November. "When you're applying to rent an apartment, that's the exact information a bad guy would need to completely steal your identity. They could open up checking accounts, lines of credit, debit cards, you name it. Your credit would be completely destroyed. So would your ability to fix it; you wouldn't even be able to get a driver's license."
Robert Siciliano, a security and identity theft consultant to apartment owners, puts it succinctly: "A multifamily operator is a one-stop shop for criminals looking for Social Security numbers," he says. "Anyone who stores sensitive data is at risk."
The Cost of Big Data
That risk doesn't just come as a hit to your brand or reputation, either. With the average legal and other associated costs of a data breach at $188 per record, according to the 2013 Cost of Data Breach Study from the Traverse City, Mich.-based Ponemon Institute, losing your residents' data could have a major impact on your bottom line, as well. "Even if they only have 1,000 records, that could get pretty significant really fast," Richter says.
Then there are the myriad laws you would have to deal with, depending on your portfolio's footprint: 46 states currently have data-breach legislation on their books, with varying requirements. For a national operator of apartments, that could translate into a byzantine headache of navigating what's required where in the wake of a data breach. Congress is exploring potential national standards that would make compliance easier for multistate operators.
The good news is the industry says it hasn't experienced any major data breaches to this point. "There are none that we're aware of or that have been reported," says Jeanne McGlynn Delgado, the NMHC's vice president of business operations and risk management, who has been following data breaches for the industry.
Then again, how would we know if such a breach had occurred? While Target's size and brand profile made for easy headlines, many experts say a breach at a small or medium-sized apartment operator could happen without the company being aware of it, and without generating major news coverage.
In fact, Daniel W. Draz, principal of Naperville, Ill.-based fraud consultancy Fraud Solutions, says it has already happened. "I have personal experience with entities in this industry that have been breached in one manner or another," Draz says, though he declined to name names. "It may not have been of the magnitude of Target, but even a small breach has significant fraud."
Not If, When
Whether a wide-scale breach has occurred in the apartment industry is really beside the point, though. Experts say it's just a matter of time until it does.
"Just because there haven't been any high-profile data breaches doesn't mean multifamily owners are not at risk," says Kevin Smith, vice president at Philadelphia-based Graham Co., which underwrites cyber liability insurance policies for businesses. Smith says that, as an industry, multifamily has "low take-up rates" for cyber liability insurance, which he attributes to a lack of heightened awareness among apartment operators precisely because a wide-scale breach hasn't happened in the industry to date.
At the NMHC, the industry's umbrella advocacy group, McGlynn Delgado has diligently been pursuing a path of education and awareness. It's particularly important now, as technology has proliferated in the industry to a degree that could hardly have been imagined 10 years ago.
"As more companies utilize the services of third-party providers to collect and manage this information, it's critical they understand their obligations and practices relative to privacy, security protection, and data-breach events," McGlynn Delgado says.
In other words, while it may be an operator's third-party system that gets hacked, the operator itself will bear the brunt of the blame in the public eye. So you'd better already be doing all you can to protect your data up front and have a data-breach plan in place (i.e., a detailed script of exactly how to respond) before your data go missing.
Data Defenders
The flip side of that is that within the industry itself, were a breach to happen, all eyes would likely focus back on the provider of the software. At Carrollton, Texas-based multifamily software provider RealPage, the specter of a major data breach occurring in the industry has helped shape its business philosophy.
"Data security and the trust of continual data stewardship are fundamentally important to RealPage and a core business proposition," says Seth Sanders, senior manager of information security at the firm. "We understand the importance of maintaining information security to give our clients peace of mind while allowing them to focus on core business operations."
Sanders says the firm has a dedicated, 24/7 team in place monitoring its systems. "We're utilizing multilayered resources, including firewalls, encryption, intrusion detection systems, security incident response procedures, and various other tools to provide comprehensive coverage in the event of attempted unauthorized access to our clients' data."
At Yardi, Wiener says the firm maintains "a secure cloud environment and applies such best practices as multiple firewalls, off-site data hosting, regular data backups, and around-the-clock monitoring of servers."
Indeed, contracting with third-party software vendors who manage data in the cloud has become industry standard, not just for multifamily, but for business in general. In that sense, apartment operators can have some peace of mind that the companies providing their systems are taking steps to protect their information.
Doing It Yourself
And yet, even when you call in the pros, you've got to make sure the data you've still got in-house are protected. "You want to minimize the number of systems on which sensitive data is stored," says Nicholas Jones, a computer scientist at Boston-based technology litigation consultancy Elysium Digital. "In security, it's called 'minimizing your attack surface.' So, if a multifamily operator is using a third-party solution to store data, they need to make sure they don't also store that information on their unencrypted desktop hard drive, for instance."
Of course, for large operators who are invested in systems such as RealPage and Yardi, that's a given. But what about mid-sized and smaller operators who may still do things in-house? That's the scenario that gets the attention of Kara Schwab, executive vice president at Sunrise, Fla.-based Anton Systems, a consultant that helps commercial and residential operators implement Skyline Property Management software.
"Any application that is of any good industry standard already has security in the solution," Schwab says. "But it's really about how the users choose to leverage it. When I go to a client and there's no password to log in, that means they're not using the security that's there."
Those instances may be due to a lax attitude toward data security, or simply a lower level of resources to throw at the problem. "We've reached a point where everybody understands something about technology, or feels that they do. So, unlike 20 years ago, where they would say, 'Set it up for me'; now, they say, 'Tell me how to do it and I'll do it myself,' because that keeps costs down. But, now, it's up to them to make those decisions and make sure everything is secured properly."
Stepping Up Security
There are companies that can help you do that, of course. Just as numerous firms now offer identity-theft protection for consumers, similar programs are in place for businesses. Minneapolis-based Argos Risk Defender, for instance, offers credit- and business identity-theft monitoring, as well as response options, in case of a data breach. "They'll put together a customized breach plan and tell you everything that needs to get done in the first 24 hours," says Richter. (Disclosure: Richter sits on Argos' board.) "They've got a team of former cops, FBI agents, and CIA agents. You pick up the phone, and these guys take care of it for you."
Also, data breaches don't have to happen systemwide, or even originate from outside a company. Security gurus are quick to point out that a lost laptop or iPhone, or misplaced or stolen paper files, can provide just as much of a target as an automated system for identity thieves. The 2004 Lifetime movie Identity Theft: The Michelle Brown Story was based on actual events in which an identity thief stole information from a woman's application to lease an apartment and ended up impersonating her for years, racking up more than $50,000 in bills in her name.
For that reason, data-protection best practices include making sure files are secured when not in use, log-on credentials are required for any machine accessing system information, and standard user profiles are set up with tiered access permission depending on an individual's job responsibilities. In other words, your maintenance personnel probably don't need access to your rent roll to see who's current, but your property managers most certainly do.
Checking out those personnel from the start is also paramount, especially when viewed from the worst-case scenario after the fact. "You need to do background checks on everybody who works for you, and not the $15 background check you buy when you search someone's name on Google," Richter says. "You've got to use a professional background-check company. I mean, it's a liability. Can you imagine being in front of a judge and your employee has been arrested six times for the same thing before? That's a big whoops."