Safeguarding Personal Consumer Information

 Debbi Conrad  |    January 04, 2011
ConsumerInfoLRG.jpg

Data security is a growing concern throughout the country. Technology has dramatically increased the amount of consumer data collected and used by businesses, including real estate businesses. Keeping personal consumer information safe, and thus protecting consumers from identity theft, is a paramount goal.

Ensuring the security of consumer data is also a hot issue in Washington. Federal legislation requiring reasonable security policies and procedures to protect data containing personal information has been introduced and is expected to be enacted at some point. Many states have laws addressing the proper disposal of personal identifying information as well as security breach notification laws. Personal identifying information is typically defined as a person’s name in combination with the person’s Social Security number, driver’s license or state ID number, or a financial account number.

Data breaches and high rates of identity theft have led the Federal Trade Commission and the National Association of REALTORS® to provide policy guidance for REALTORS® and other businesses that collect sensitive personal information from consumers. These policies encourage real estate companies and other businesses to:

  1. Take stock and consider what personal information and data is in the company files and on its computers.
  2. Scale down by collecting and keeping only personal information that is absolutely necessary for essential business purposes.
  3. Pitch it—that is, properly dispose of whatever personal information and data are no longer needed.
  4. Lock it by implementing physical and computer-based data security measures to protect all personal data that must be kept.
  5. Plan ahead and create a plan for responding to a consumer data breach.

Data Collection 

Wisconsin brokers and their agents collect, store and share a great deal of consumer information throughout the course of their real estate transactions for a variety of reasons. Often the collected data is of a sensitive financial nature. What kinds of personal information and consumer reports do Wisconsin licensees collect?

A residential broker might collect:

  • Drivers license numbers as a safety precaution when agents leave the office with a new client for the first time.
  • Personal checks given as earnest money.
  • CLUE reports.
  • Medical history for persons with disabilities seeking reasonable accommodations.
  • Social Security numbers in order to complete the Wisconsin Real Estate Transfer Return at closing.
  • Bank account information and Social Security numbers contained in mortgage documents and closing statements.

A broker working on short sales might collect:

  • Social Security numbers and loan account information.
  • Complete copies of seller financial statements such as income tax returns, W-2s or bank statements for submission to the lender to qualify the seller for short-sale approval.
  • Seller’s hardship letter, employment background, medical history, credit report or credit scores.

A property manager might collect:

  • Social Security numbers in order to perform credit checks on rent applicants.
  • Personal checks given as earnest money, security deposits or rent.
  • Credit reports, credit scores, employment background, tenant history reports, etc. regarding rental applicants.
  • Medical information for persons with disabilities seeking reasonable accommodations or modifications.

Oftentimes, personal information is collected because the agent is trying to be helpful to the client and provide top-notch service, but in reality the agent may be unintentionally creating additional legal risk.

Because of Wisconsin real estate record retention rules, it may not be possible to simply discard personal information and data once the need for them has passed. Wis. Admin. Code § RL 15.04 requires a broker to retain for at least 3 years “exact and complete copies of all listing contracts, offers to purchase, leases, closing statements, deposit receipts, cancelled checks, trust account records and other documents or correspondence received or prepared by the broker in connection with any transaction.” The retention period runs from the closing date or from the date of the listing or buyer agency agreement, if there is no closing.

Any data included in transaction documentation or within any documents or correspondence associated with the transaction will need to be retained for at least three years, so the primary focus may need to be ensuring that the consumer’s personal information is protected during the time it must be retained by the brokerage. In addition, licensees may wish to study whether there are ways to avoid collecting personal information in the first place, for instance, guiding the parties to provide their personal data directly to third-party recipients rather than passing the information through the broker or agent as a conduit.

Brokers also need to address accounting records, corporate records, employment records, legal documents and other important files and records that might be maintained in a brokerage office. Some of these records may need to be retained permanently while others should be retained for varying periods of time best established by the brokerage attorney.

Data Protection 

Trust is at the heart of the real estate business. The safeguards real estate professionals take to protect the personal information they use in their businesses play an important role in earning the trust of consumers.

Data security and protection measures generally must address both physical security and electronic security. Physical security measures may involve the company’s central computer database, individual laptops, disks, file cabinets, branch offices, files employees/licensees have at home and mobile devices. Brokerage companies may need to: 

  • Store paper documents and files containing personal information in a locked room or locked file cabinets and limit access to those with a legitimate business need.
  • Require employees to put files away, log off their computers and lock their file cabinets and office doors at the end of the day.
  • Limit employee access to off-site storage facilities to those with a legitimate business need.

With respect to electronic security, brokerage companies would be prudent to ensure that any copies of e-mail and other electronic transaction documents that must be saved under § RL 15.04 are saved as read-only PDFs or in another unalterable format.

Other electronic security measures may include:

  • Strong passwords, firewalls and other controls to prevent unauthorized access to systems, data and communications
  • Establishing methods to detect unauthorized access, use or alteration of data
  • Avoiding storing personally identifiable information on any computer with an Internet connection whenever possible
  • Receiving and transmitting credit card information or other sensitive financial data using Secure Sockets Layer (SSL) or another secure connection that protects the information in transit.
  • Avoiding storing personal information on a laptop whenever possible or moving it to more secure computer as soon as possible
  • Encrypting sensitive data when stored or transmitted
  • Establishing personal agent responsibility for data security

Obviously, sensitive data should be stored only as long as it is needed or as long as is necessary to meet legal requirements.

Data Destruction 

Creating a data security program for a business means implementing and maintaining reasonable safeguards to protect the security, confidentiality and integrity of data, including the proper disposal of the data. The following measures, recommended by the FTC for the disposal of consumer records, are equally prudent for the disposal of other personal consumer information:

Burning or shredding papers containing consumer personal information so that the data cannot be read or reconstructed (cross-shredders are recommended).

Destroying or erasing electronic files or media containing personal consumer report information so that the data cannot be read or reconstructed.

Hiring a document destruction contractor to dispose of personal consumer information after conducting a due diligence review of the contractor’s qualifications, reputation and integrity.

Data Policy Guidance 

There is no one-size-fits-all approach to data security and compliance, but assistance is available for crafting policies that work for a particular real estate company or business:

  • NAR provides some of the tools necessary for developing a program that best suits a real estate business. Find the link to the NAR Data Security and Privacy Toolkit at www.realtor.org/government_affairs_secured/privacy_data_security.
  • The FTC guide “Protecting Personal Information: a Guide for Business” is available at business.ftc.gov/privacy-and-security.
  • Consumer data security and privacy measures are also addressed, along with social media use guidelines and an array of liability-reducing real estate practice guidelines and office policies in the Office Policy Manual Guide, now available in its Twelfth Edition (2010) from the WRA at www.wra.org/pub239.

Debbi Conrad is Senior Attorney and Director of Legal Affairs for the WRA.

Copyright 1998 - 2024 Wisconsin REALTORS® Association. All rights reserved.

Privacy Policy   |   Terms of Use   |   Accessibility   |   Real Estate Continuing Education