Tighten It Up

With privacy intrusions making headlines these days—consumer data has been pilfered from companies including ChoicePoint Inc. and LexisNexis— it’s never been more important to take reasonable precautions to protect sensitive customer information. Your failure to do so can have devastating effects, including liability for breach of privacy laws or negligence, especially if your client became a victim of identity theft.

In addition to privacy provisions in federal laws, such as the Gramm-Leach-Bliley Act and the Fair Credit Reporting Act, there are now varying privacy statutes in 25 states. Whether any judgment is ever entered against you, the defense of a lawsuit alone can be expensive, and your hard-earned reputation can be destroyed through a careless act.

To protect yourself and ensure your clients’ privacy is safeguarded, you should

• Identify what constitutes sensitive customer information. Financial data is probably the largest category of sensitive client information that you work with every day. Questions on client in come, debt, and capacity to pay a loan are all common qualifying questions. In California, for example, a bill approved by Gov. Arnold Schwarzenegger in September 2004 requires any business that owns or licenses personal information about a California resident to implement reasonable security procedures. The phrase “owns or licenses” includes personal information a company retains as part of its internal customer accounts. The phrase also applies to information used to conduct a transaction with the person. Customer income information used for qualifying a buyer or for applying for a mortgage loan would likely be covered by this legislation.

In addition to financial data, many other types of information could have a negative impact if made public. For example, identifying and displaying on the MLS times when a homeowner will be gone during the day could facilitate burglary. Or consider a seller who’s quitting her job and relocating to another state but isn’t ready to give notice to her employer. What would be the impact of sending a fax to her office congratulating her on her home and move to another state? Although such information isn’t likely to be included in any privacy statute, the impact on a client could still be detrimental.

• Identify the potentially weak links in the privacy chain. At what points might you, someone else at your brokerage, or a third-party vendor in advertently reveal sensitive client information? For example, when you send an e-mail, some e-mail programs such as Outlook will complete the address you’ve begun to type if it’s one that’s been used before. Unfortunately, if several addresses have the same first few letters or characters, it’s easy, especially when you’re in a hurry, to send a buyer’s loan application to the wrong party.

Leaks can happen outside your office, too. When using e-mail or sending faxes, talk to your clients about whether the e-mail system they use is companywide. If it is, they need to understand there’s generally no e-mail privacy with these types of systems: System administrators and other authorized personnel can access all company accounts. Like wise ask whether you should call ahead before sending a fax so it isn’t intercepted by someone else.

A good place to begin analyzing your company’s data security is by using a service such as the REALTOR® Secure self-review. At REALTOR.org, search by “REALTOR Secure.”

• Develop security standards to protect critical data. Areas for which to establish standards include passwords, e-mail, faxes, paper handling and shredding, and how data is shared with and maintained by third-party vendors, including Internet service providers, software publishers, and storage vendors. If vendors have poor data security practices, they could be the weak link in your privacy chain.

To help insulate yourself against vendor weaknesses, never disclose passwords to vendors. If you use an electronic transaction management program, for example, sharing a password could lead to the disclosure of client information. One commonly used resource for establishing policies is available at the Sans Institute (www.sans.org/resources/policies).

• Ensure your team, associates, staff, and outside service providers follow your policies. How many times have you walked by a computer monitor and seen a password to the MLS or to personal data files written on a Post-it note that’s stuck to the monitor? This sort of carelessness makes it too easy for people to access sensitive data.

• From a legal perspective, it’s worse to adopt a policy on how to handle sensitive information and fail to follow it than to have no policy at all. In a lawsuit, opposing counsel can use your policies to establish that you were aware of what constitutes reasonable procedures but that you acted unreasonably in failing to ensure those procedures were implemented. Following a policy, on the other hand, will provide evidence of your good-faith attempt to protect customer information.

The law isn’t always specific about exactly what you must do to demonstrate that you’re protecting clients’ privacy. And it can be difficult to keep up with all the laws being passed. But to protect yourself, implement reasonable security procedures and follow any specific practices outlined in your state’s privacy laws. If a judgment is entered against you because you’ve failed to think through how you handle sensitive information and to take appropriate steps to implement reasonable security policies, you’ll learn just how serious privacy issues can be.

Rees is an attorney with Callister Nebeker & McCullough in Salt Lake City. You can reach him at jhrees@cnmlaw.com.

MORE ONLINE
FACT Act rules for disposing of consumer report information
REALTOR® Secure self-test
REALTOR® Secure home page