Target, JP Morgan Chase, Sony, Home Depot, Essex Property Trust. Who’s next?
Data breaches aren’t a short-term trend. They're expected to increase in size and scope, especially among multifamily owners and operators since the data kept—social security numbers, previous addresses, checking account numbers—is more valuable than just the credit card information retailers hold.
But what can owners do to prevent, minimize, or manage such an attack? Those questions were explored at the recent NMHC OpTech conference, where a panel on data breaches included Tyler Goff, Equity Residential's assistant vice president of risk management; James Hamrick, vice president of IT at Bell Partners; and Adam Sills, a managing director at CapSpecialty.
“Hackers aren't typically a kid in a basement,” said Goff. “They're very organized and sophisticated.”
Sills added that data-breach victims can’t just close the open portal and hope something bad doesn’t happen. They need to take action and follow a series of steps to protect themselves.
Here are seven key tips the panelists shared to prepare for and handle a data breach:
1. Find Your Soft Points. You have to find out where your company is most vulnerable in its people, its buildings, and its systems. Use vulnerability scanners for all devices and systems so you know what holes you need to close. You can also find vulnerabilities among staff by sending them a fake e-mail with a link that tracks who clicked it. Employees who click the link need extra training so they don't let viruses into your software.
2. Encrypt Your Hardware. This can be expensive and time-consuming, but it is necessary. Laptops and mobile devices can get lost or accidentally left on a train. These devices should be encrypted so no one can access the data on them. Some companies don’t encrypt desktop computers, but what if someone breaks in?
3. Transfer the Risk. Your insurance policies and contracts should cover the risk of a data breach. Relevant insurance policies can be general liability, property insurance, errors and omissions, and network security and cyber liability. Likewise, strong contracts with database warehouses, accounting software, consultants, cloud providers, and credit card processors will shield your company from liability should any of those parties experience the data breach.
4. Purge Excess Data. You have to pay to insure data, and often companies have excess or duplicated data in their software and hardware. By purging the unnecessary information, you can save yourself a lot of money and make insuring your data more cost-effective.
5. Underwrite Your Vendors. Your third-party vendors should have the same privacy and security standards as you do. If your vendors don’t already match the level of security your company is comfortable with, you can underwrite the security standards in your vendors’ contracts.
6. Budget for a Breach. We all know by now it’s not if, but when you have a data breach, so budgeting for it should be a no-brainer. Costs related to data breaches include coaches, liability, reputation loss, business interruption and more, which have been estimated anywhere from $5 per record to $400 per record.
7. Create a Response Plan. Knowing what to do immediately after a breach is the quickest way to protect your company. You should know who you’re going to call. The quicker you can fix the problem, the less damage you’ll incur. Your response plan should include an investigation; fixing the issues or gaps; notifying law enforcement and your insurer; and setting up a resident hotline.