Cyber Attack: How to Defend Against a Data Breach

As the U.S. government's international pursuit of Edward Snowden captivates the nation, multifamily owners face their own cyber security threat every day, right in their own backyard.

There’s no shortage of news stories about security breaches—whether it happens to Facebook, a retail chain or a credit card company—with sensitive consumer information being spread into cyberspace. Yet, many multifamily owners have yet to take that same risk seriously.

“I do think this is a serious concern for multifamily owners,” says Kevin Smith, vice president of Philadelphia-based insurance brokerage firm The Graham Co. “All you have to do is look at their [apartment] application and the kind of data they collect on that app, and that’s where they’re vulnerable. And I don’t think they think about it in that regard because we haven’t had that big front page story about a property owner having all their information breached.”

Related Stories

It used to be as simple as securing filing cabinets to protect data from paper applications, such as social security numbers. But as information technology grows more sophisticated the threat has elevated, to the point where it’s become a legitimate insurance claim.

Once in the hands of a hacker, sensitive data can be sold to a third party, presenting cyber-liability issues once property owners essentially "allow" the breach to happen. But the loss of information can occur easily, and doesn’t have to happen maliciously, says Jeanne Oronzio Wermuth, CPCU, CIC, ARM, senior technical specialist with Graham.

“It could be someone internally losing something,”  Oronzio Wermuth ays. “They take the laptop home, they leave it in the car, and the car gets stolen. They take a box of papers on the train, they leave it there, and it’s gone. You don’t know what happens to that information after it leaves your hands.”

Playing Defense

Once a breach happens, property managers should get strategic about remediation–sometimes the first instinct to contact residents may not be the best instinct.

“I would say they should not immediately contact residents that have been affected,”  Oronzio Wermuth says. “They think they might be doing a good thing by notifying everybody, but they might be creating more of a headache for themselves down the road by doing that.”

The first step is figuring out if you’re required by law to notify potential residents affected by the breach. Notification laws exist in almost every state, but many of them vary as to what may or may not constitute a breach.

Depending on the magnitude of the breach, and how much information was leaked, owners can expect to pay anywhere from $30 to $50 per tenant for data notification, and for their ongoing credit monitoring.

By encrypting sensitive data, owners can enact their first line of defense against breaches. And when using an internet-based service for storage, owners should ensure the provider is on the leading edge of cyber security.

“Does the data reside in the cloud?” asks Scott Weiner, senior vice president of information technology at Santa Barbara, Calif.-based Yardi System. “If yes, does the cloud provider have the proper controls in place to protect that data?

Weiner suggests that property managers understand how sensitive data is handled, and prioritize the sensitivity of the data they collect.

“Protecting third-party marketing information is typically less critical than protecting personally identifiable information and the data needed to process credit card payments,” Weiner says.