Cyber security and large-scale data breaches have become a regular feature in the daily news. Chinese and Russian hackers are now suspected of spying on government officials. Personal information on more than 20 million federal workers was recently stolen from the U.S. Office of Personnel Management. And the databases and e-mail servers of retail giants like Target, corporations like Sony, and government offices like those of the Joint Chiefs of Staff are now regularly compromised.

A breach in the computer networks at Essex Property Trust last fall highlighted the multifamily industry’s particular vulnerability to cyber attacks. Apartment companies and their third-party service providers use and store highly sensitive, personally identifiable information, including the names and Social Security numbers of current residents, prospective residents, and employees.

This information makes every apartment company a target for hackers. Years spent building a solid brand reputation can be lost overnight in the wake of a breach, and a breach can cost apartment companies millions in damages.

To prevent such catastrophic damage, apartment firms must not only work to ensure that the right protections are in place internally but also come together as an industry to help shape external policies that can help manage the growing risk of data theft.

Federal Versus State
Policymakers from across the political spectrum are grappling with what requirements, if any, should exist for entities that store personally identifiable information should they become victims of a cyber theft or network breach. To date, data-breach legislation has been largely left to the states as a consumer protection issue. This has resulted in a patchwork of laws in 47 states and the District of Columbia, with varying levels of consumer protection and security protocols.

Companies that operate in multiple states have long called for the creation of a federal data-breach notification standard to facilitate compliance. Some consumer advocates, however, are concerned that a national standard would weaken the consumer protections offered by stronger state laws. The challenge for lawmakers, then, is to strike a balance, ensuring that whatever is enacted at the federal level will protect consumers, as well as businesses, without creating a regulatory environment that is overly burdensome to the business community. 

The question of federal pre-emption of state law has implications for the apartment industry. For multifamily companies that operate in more than one state, a single federal standard could streamline compliance. But, for smaller companies that operate in only one state, especially one of the three states without data-breach laws—Alabama, New Mexico, and South Dakota—a federal standard could ultimately be burdensome and costly.

More Information Sharing
Congress and the administration have joined together to call for legislation to enhance information sharing within the private sector as well as with the federal government. This legislation would provide liability protection for companies, such as apartment firms, from civil lawsuits and existing antitrust laws when they voluntarily exchange information about potential cyber threats.

The House of Representatives has already passed information-sharing legislation, and a similar measure is awaiting debate in the Senate. If enacted into law, this type of cyber threat information sharing would provide timely intelligence and early warning against potential attacks.

As the policy debate continues, the National Multifamily Housing Council and its legislative partner, the National Apartment Association, recommend that apartment firms operate under the assumption that a cyber attack is inevitable. Apartment firms must put in place strong defenses to protect their company networks, data, and, ultimately, reputations. Additional information on data security can be found at

An Ounce of Prevention

Preparing an incident-response strategy to handle the legal, public relations, and technical consequences of a data breach can go a long way in limiting the damage from such an event. A good place to start in developing a strategy is the Federal Trade Commission’s Start With Security: A Guide for Business, which offers takeaways from recent data-security settlement cases. More best practices are available through the Department of Justice Cybersecurity Unit’s Best Practices for Victim Response and Reporting of Cyber Incidents.

Below are 10 practical lessons from the FTC’s 50-plus data-security settlements.

1. Factor security into all your business decisions.
2. Control access to data sensibly.
3. Require secure passwords and authentication.
4. Store sensitive personal information securely and protect it during transmission.
5. Segment your network, and monitor who’s trying to get in and out.
6. Secure remote access to your network.
7. Apply sound security practices when developing new products.
8. Make sure your service providers implement reasonable security measures.
9. Put procedures in place to keep your security current, and address vulnerabilities that may arise.
10. Secure paper, physical media, and devices.