What is Your Data Breach Plan?

Think about all the personal information that you may encounter during a real estate transaction — social security numbers, bank account numbers, driver’s license numbers — and how much of it you retain in your practice. Do you know your company’s policy on handling data breaches?  

Pennsylvania’s Breach of Personal Information Notification Act (BPINA), which was recently updated, applies to all businesses in Pennsylvania, non-profit and for-profit alike, that collect and store “personal information” of consumers. Businesses are required under the law to provide certain notices without unreasonable delay in the event of a breach of the security of their system.

“Personal information” is defined by BPINA as an individual’s 1) first and last name or 2) first initial and last name linked to any of the following unencrypted or unredacted elements: 

  • Social security number 
  • Driver’s license number or state identification card number 
  • Financial account number, credit or debit card number with any security code, access code or password
  • Medical information in the possession of a state agency or state agency contractor 
  • Health insurance information 
  • Username or email address, in combination with a password or security question and answer 

For example, if client contact records are stored in a way that links the client’s first and last name with a social security number you collected for a rental credit check or a copy of their driver’s license you asked for before a showing, and that information is not redacted, then that would be considered “personal information” under BPINA.  

A breach occurs when there is “unauthorized access and acquisition of computerized data that materially compromises the security or confidentiality of personal information” and that causes, has caused or will cause loss or injury to any resident of Pennsylvania. This could be as dramatic as an outside hacker accessing your system, or as simple as an employee’s laptop containing the information being stolen from a coffee shop.

If a data breach occurs and more than 500 Pennsylvanians would have their data compromised, businesses must quickly provide three separate notices: notice to the affected individuals, notice to the Office of the Attorney General and notice to consumer reporting agencies. The notice to the affected individuals must direct each person “to promptly change the person’s password and security question/answer … or to take other steps appropriate to protect the online account with your particular business and their other online accounts …” 

In addition to directing affected individuals to secure their accounts, the company may be required to provide credit monitoring services for 12 months, at no cost to the consumer, if the breach includes, along with their first/last name or first initial/last name, the person’s social security number, bank account number or driver’s license or state identification card number. 

A violation of BPINA is considered a violation of the Unfair Trade Practices and Consumer Protection Law (UTPCPL). The Attorney General could seek injunctive relief, restitution and monetary penalties against the violating entity, which can be tripled where the victim of the unlawful act is over the age of 60. 

All brokerage employees and agents should be educated on the company’s policy on data collection and storage and know who to contact if they suspect a data breach. Brokerages should review, with counsel, the types of personal information they request and store and ensure that their company policy is compliant with the law.

To learn more about cybersecurity in real estate, watch PAR’s webinar, “Protect Against a Cyberattack,” with former FBI agent John Iannarelli, and view the attached resources.
