Shhhh. Don’t say anything. Maybe if we don’t talk about the potential for data breaches in the apartment industry, the identity thieves won’t know we’re here.
That seems to be the attitude among apartment operators when it comes to data security and the potential for resident information being compromised or stolen. In the wake of more than 40 million credit and debit card numbers being compromised during the holidays at retail giant Target, as well as other personal information for about 70 million of its customers, apartment operators seem nervous about the possibility of the multifamily industry being the next target, albeit with a small “t.”
From a criminal perspective, it certainly seems attractive: Multifamily operators store not just credit card data about their residents, but Social Security numbers, previous address information, and often date of birth—the holy trinity of identity theft.
“That’s all manna from heaven for data thieves,” says Scott Wiener, senior vice president of information technology at Santa Barbara, Calif.–based multifamily software provider Yardi Systems. “Multifamily operators need to take their responsibility seriously."
The prevalence of that kind of data in apartment operators’ systems seems to scare the bejesus out of them. For example, one executive at a major apartment REIT who is a frequent contributor to best-practice articles told us, “I know it sounds silly, but I need to check with our attorney to make sure he is OK with me doing an interview on this sensitive subject before I commit.” When pressed, the executive replied, “Sorry, but I have to pass on this one.”
Another leading REIT that prides itself on being a technology leader declined to comment for this article as well, saying it needed to prepare for an earnings report that was a week away. And while the National Multifamily Housing Council (NMHC) has diligently promoted best practices and informational articles on the topic since at least 2011, its members have been reluctant to talk publicly about what they’re doing to protect their data.
The industry’s mum lips may well make sense—after all, there’s no use in tipping off the bad guys about what we’re doing to stay ahead of their game. Then again, the potential for identity thieves to mine multifamily’s treasure trove of personally identifiable information also means the industry will have to be very cautious, indeed, to not end up as the next major headline.
“The danger of writing this article is that, quite frankly, it could very well show how vulnerable multifamily housing is,” says Sam Richter, an online reputation management expert who delivered a keynote to NMHC’s annual OpTech Conference this past November. “When you’re applying to rent an apartment, that’s the exact information a bad guy would need to completely steal your identity. They could open up checking accounts, lines of credit, debit cards, you name it. Your credit would be completely destroyed. So would your ability to fix it; you wouldn’t even be able to get a driver’s license.”
Robert Siciliano, a security and identity theft consultant to apartment owners, puts it succinctly: “A multifamily operator is a one-stop shop for criminals looking for Social Security numbers,” he says. “Anyone who stores sensitive data is at risk.”
The Cost of Big Data
That risk doesn’t just come as a hit to your brand or reputation, either. With the average legal and other associated costs of a data breach at $188 per record, according to the 2013 Cost of Data Breach Study from the Traverse City, Mich.–based Ponemon Institute, losing your residents’ data could have a major impact on your bottom line, as well. “Even if they only have 1,000 records, that could get pretty significant really fast,” Richter says.
Then there are the myriad laws you would have to deal with, depending on your portfolio’s footprint: 46 states currently have data-breach legislation on their books, with varying requirements. For a national operator of apartments, that could translate into a byzantine headache of navigating what’s required where in the wake of a data breach. Congress is exploring potential national standards that would make compliance easier for multistate operators.
The good news is the industry says it hasn’t experienced any major data breaches to this point. “There are none that we’re aware of or that have been reported,” says Jeanne McGlynn Delgado, the NMHC’s vice president of business operations and risk management, who has been following data breaches for the industry.
Then again, how would we know if such a breach had occurred? While Target’s size and brand profile made for easy headlines, many experts say a breach at a small or medium-sized apartment operator could happen without the company being aware of it, and without generating major news coverage.
In fact, Daniel W. Draz, principal of Naperville, Ill.–based fraud consultancy Fraud Solutions, says it has already happened. “I have personal experience with entities in this industry that have been breached in one manner or another,” Draz says, though he declined to name names. “It may not have been of the magnitude of Target, but even a small breach has significant fraud.”
Whether a wide-scale breach has occurred in the apartment industry is really beside the point, though. Experts say it’s just a matter of time until it does.
“Just because there haven’t been any high-profile data breaches doesn’t mean multifamily owners are not at risk,” says Kevin Smith, vice president at Philadelphia-based Graham Co., which underwrites cyber liability insurance policies for businesses. Smith says that, as an industry, multifamily has “low take-up rates” for cyber liability insurance, which he attributes to a lack of heightened awareness among apartment operators precisely because a wide-scale breach hasn’t happened in the industry to date.
At the NMHC, the industry’s umbrella advocacy group, McGlynn Delgado has diligently been pursuing a path of education and awareness. It’s particularly important now, as technology has proliferated in the industry to a degree that could hardly have been imagined 10 years ago.
“As more companies utilize the services of third-party providers to collect and manage this information, it’s critical they understand their obligations and practices relative to privacy, security protection, and data-breach events,” McGlynn Delgado says.
In other words, while it may be an operator’s third-party system that gets hacked, the operator itself will bear the brunt of the blame in the public eye. So you’d better already be doing all you can to protect your data up front and have a data-breach plan in place—i.e., a detailed script of exactly how to respond—before your data go missing.
The flip side of that is that within the industry itself, were a breach to happen, all eyes would likely focus back on the provider of the software. At Carrollton, Texas–based multifamily software provider RealPage,the specter of a major data breach occurring in the industry has helped shape its business philosophy.
“Data security and the trust of continual data stewardship are fundamentally important to RealPage and a core business proposition,” says Seth Sanders, senior manager of information security at the firm. “We understand the importance of maintaining information security to give our clients peace of mind while allowing them to focus on core business operations.”
Sanders says the firm has a dedicated, 24/7 team in place monitoring its systems. “We’re utilizing multilayered resources, including firewalls, encryption, intrusion detection systems, security incident response procedures, and various other tools to provide comprehensive coverage in the event of attempted unauthorized access to our clients’ data.”
At Yardi, Wiener says the firm maintains “a secure cloud environment and applies such best practices as multiple firewalls, off-site data hosting, regular data backups, and around-the-clock monitoring of servers.”
Indeed, contracting with third-party software vendors who manage data in the cloud has become industry standard, not just for multifamily, but for business in general. In that sense, apartment operators can have some peace of mind that the companies providing their systems are taking steps to protect their information.
Doing It Yourself
And yet, even when you call in the pros, you’ve got to make sure the data you’ve still got in-house are protected. “You want to minimize the number of systems on which sensitive data is stored,” says Nicholas Jones, a computer scientist at Boston-based technology litigation consultancy Elysium Digital. “In security, it’s called ‘minimizing your attack surface.’ So, if a multifamily operator is using a third-party solution to store data, they need to make sure they don’t also store that information on their unencrypted desktop hard drive, for instance.”
Of course, for large operators who are invested in systems such as RealPage and Yardi, that’s a given. But what about mid-sized and smaller operators who may still do things in-house? That’s the scenario that gets the attention of Kara Schwab, executive vice president at Sunrise, Fla.–based Anton Systems, a consultant that helps commercial and residential operators implement Skyline Property Management software.
“Any application that is of any good industry standard already has security in the solution,” Schwab says. “But it’s really about how the users choose to leverage it. When I go to a client and there’s no password to log in, that means they’re not using the security that’s there.”
Those instances may be due to a lax attitude toward data security, or simply a lower level of resources to throw at the problem. “We’ve reached a point where everybody understands something about technology, or feels that they do. So, unlike 20 years ago, where they would say, ‘Set it up for me’; now, they say, ‘Tell me how to do it and I’ll do it myself,’ because that keeps costs down. But, now, it’s up to them to make those decisions and make sure everything is secured properly.”
Stepping Up Security
There are companies that can help you do that, of course. Just as numerous firms now offer identity-theft protection for consumers, similar programs are in place for businesses. Minneapolis-based Argos Risk Defender, for instance, offers credit- and business identity–theft monitoring, as well as response options, in case of a data breach. “They’ll put together a customized breach plan and tell you everything that needs to get done in the first 24 hours,” says Richter. (Disclosure: Richter sits on Argos’ board.) “They’ve got a team of former cops, FBI agents, and CIA agents. You pick up the phone, and these guys take care of it for you.”
Also, data breaches don’t have to happen systemwide, or even originate from outside a company. Security gurus are quick to point out that a lost laptop or iPhone, or misplaced or stolen paper files, can provide just as much of a target as an automated system for identity thieves. The 2004 Lifetime movie Identity Theft: The Michelle Brown Story was based on actual events in which an identity thief stole information from a woman’s application to lease an apartment and ended up impersonating her for years, racking up more than $50,000 in bills in her name.
For that reason, data-protection best practices include making sure files are secured when not in use, log-on credentials are required for any machine accessing system information, and standard user profiles are set up with tiered access permission depending on an individual’s job responsibilities. In other words, your maintenance personnel probably don’t need access to your rent roll to see who’s current, but your property managers most certainly do.
Checking out those personnel from the start is also paramount, especially when viewed from the worst-case scenario after the fact. “You need to do background checks on everybody who works for you, and not the $15 background check you buy when you search someone’s name on Google,” Richter says. “You’ve got to use a professional background-check company. I mean, it’s a liability. Can you imagine being in front of a judge and your employee has been arrested six times for the same thing before? That’s a big whoops.”