Zack Brown loves hacking into multifamily property management data systems to steal social security numbers and other resident and employee data that he can use nefariously for identity theft or any illicit, dubious purpose that suits him. Brown starts by getting hired on as an on-site property manager, nabs computer access, and then let’s the downloading begin. When he’s eventually discovered, Brown relishes even more pulling lease applications and employee addresses and phone numbers off of the network until human resources finally shuts down his log-on credentials—sometimes days, weeks, even months later. And the best part? Zack Brown gets paid by multifamily companies to do it.
As CEO and president of AppTechBiz, Brown provides his hacking services to multifamily companies concerned that their data management and storage protocols (or lack thereof) could present serious liability issues. “I specialize in uncovering all of the things you don’t know about your data security that keeps you up at night,” said Brown this week at the 2009 NMHC Apartment Technology Conference and Exhibition, where he joined Gables Residential's vice president of information technology Bob Lamb; Place Properties' vice president of information technology Michael Burnette; and Ty Brewer, CIO of Riverstone Residential, a CAS Partners Co.; on a panel addressing IT executive responsibilities when it comes to resident and employee privacy.
At issue are the vast amounts of personal data collected by multifamily companies on residents and employees alike that remains unsecured in either electronic databases or as paper hard copies. When a breach of that data occurs, it costs the average multifamily operator $830,000 to mitigate, said Brewer, who lamented that multifamily owners are still reticent to invest in security efforts that don’t show immediate ROI in either increased revenue or decreased costs. “Our industry is behind the times, and it's imperative that firms address data privacy initiatives with IT, general counsel, and risk management personnel all at the same table working in tandem.”
At Gables, Lamb reports that adherence to Sarbanes-Oxley when the company was a public REIT and bank-level security expectations from its current ownership group have kept data security initiatives top of mind. “We’re doing annual user security audits, full-time network penetration monitoring, and seven-year retention of all e-mail communications,” Lamb said. “The thing that continues to scare me the most, however, are thumb drives. No matter how hard you protect your data, someone can just dump it all onto a thumb drive and walk out the door.”
Companies with a keen interest in data breach protection can avail themselves with even stricter IT policies, such as eliminating USB ports on hardware, disallowing the use of personal email accounts, and employing electronic document rights management software that render data unusable should it be removed from core systems. Those efforts, however, run counter to expectations from the user base. Lamb says security-minded firms should just pull the trigger. “We eliminated personal e-mail three years ago and haven’t lost any personnel because of it,” he said. “It’s just another tool in controlling the flow of data going outside of your company.”
Brewer additionally recommended moving to single log-on or using ID lifecycle management technologies, which automate the on-boarding and off-boarding of employees and show an increased ability to quickly block user log-on from terminated employees. “It’s perfectly tailored for a technological solution: It's a definable, repeatable process that systems can show improvement on over paperwork-based procedures.”
And speaking of paperwork, panelists agreed that the No. 1 strategy for preventing security breaches was better education of on-site personnel on the document management procedures for paper leases and lease applications. “Paperwork is one of the biggest exposures,” Lamb said. “And when you track back to a paper-based breach, prevention is usually as simple as putting something away in a drawer.