We all transact personal matters and business on the Internet each and every day and may rather freely provide credit card numbers and other personal information. We may tend to assume this is all relatively safe and that we enjoy online privacy, but in reality there clearly are risks. We also increasingly conduct business with clients and customers through the Internet, email, social media and other technologies, but now the shoe is on the other foot. We are the business that is charged with keeping collected personal information protected and secure. But the news of late warns that this is not so easy. If Target, the United States government and Ashley Madison can all be hacked, what about your company website and email?

Data insecurity

Target

We also increasingly conduct business with clients and customers through the Internet, email, social media and other technologies, but now the shoe is on the other foot. We are the business that is charged with keeping collected personal information protected and secure. But the news of late warns that this is not so easy. If Target, the United States government and Ashley Madison can all be hacked, what about your company website and email?During the 2013 holiday season, hackers stole credit and debit card information for 40 million Target customers. Additional personal information such as email and mailing addresses was also stolen. A federal court gave preliminary approval earlier this year to a $10 million settlement in the class action lawsuit filed against Target. Target admitted its computer security systems alerted it to suspicious activity after hackers infiltrated its networks, but that it ignored the alert, allowing what would become one of the largest data breaches recorded. As part of the settlement, Target promises to bolster protection of customer data, including setting up a protocol for responding to online security threats and providing data security training to employees.

U.S. Office of Personnel Management 

The sensitive personal information of 21.5 million people was compromised in the recent massive breach of the United States Office of Personnel Management computer systems. The compromised information came from security clearance applications and included personal information such as addresses, Social Security Numbers, and fingerprints and sensitive information such as health and financial history, marital and family problems, and other private details. This information pertained to the security applicants and in some cases their spouses and friends. The theft was separate from, but related to, a prior breach that compromised the personnel data of 4.2 million federal employees, officials said. Both attacks are believed to have originated in China. 

Ashley Madison

Thousands, if not millions, of married persons are signed up on the Ashley Madison website, which facilitates extramarital dating. They were none too pleased when the site was hacked and members’ data was made public when the site owner declined to take the “cheating” site down. The data released by the hackers includes names, passwords, addresses and phone numbers, although it’s unclear how many members provided legitimate details to open accounts. However, Ashley Madison files containing credit card transactions likely contained real names, street addresses, email addresses and amounts paid, along with four digits that may be the last four digits of the credit card numbers. The data also includes descriptions of what members were seeking and encrypted passwords.

The Ashley Madison hack, in addition to the release of potentially scandalous information, provides some valuable lessons regarding encryption and passwords. While Ashley Madison members believed their passwords were safely encrypted, it turns out that there were programming errors and shortcuts taken with the result of the passwords being crackable. Properly encrypted passwords should take years to crack.

For some Ashley Madison members, cracking the passwords might impact only their Ashley Madison activities but unfortunately that is not necessarily the case. Research indicates that 56 percent of office workers use the same passwords for personal and corporate accounts and rely on an average of just three different passwords. If Ashley Madison’s passwords are crackable, it is probably only a matter of time before cyber criminals crack the Ashley Madison passwords and begin using them to attempt to access various other accounts and online services used by Ashley Madison subscribers.

The lesson here is that everyone who uses the same password on multiple Internet sites should change it immediately. It is always important to have strong, hard-to-crack, unique passwords for every online account. Because remembering an array of different passwords is a daunting task, this would likely also require the use of a password manager program. 

Safeguarding client information in real estate companies

Savvy companies think through the implication of their data decisions. By making conscious choices about the kind of information you collect, how long you keep it, how you protect it and how it is disposed, you can reduce the risk of a data compromise.
In this digital economy, trust is essential. It is important for brokers and agents to implement and maintain reasonable safeguards that protect the security, confidentiality and integrity of personally identifiable information. 

Lessons from the Federal Trade Commission

Lessons from FTC cases illustrate the benefits of building security in from the start by going lean and mean in data collection, retention and use policies. No one can steal what you don’t have.

Don’t collect personal information you don’t need

The FTC complaint against RockYou, the operator of a social game site, alleged that the company collected and stored information during the site registration process, including the user’s email address and email password. The business did not need email passwords but they were nonetheless collected and stored in clear text, thus creating an unnecessary risk to people’s email accounts. The business could have avoided that risk simply by not collecting sensitive information in the first place. 

Hold on to information only as long as you have a legitimate business need

Sometimes it’s necessary to collect personal data as part of a transaction. But once the deal is done, it may be unwise to keep it. In the FTC case regarding BJ’s Wholesale Club Inc., the company collected customers’ credit and debit card information to process transactions in its retail stores. It also, however, continued to store that data for up to 30 days, long after the sale was complete. This created an unreasonable risk. By exploiting other weaknesses in the company’s security practices, hackers stole the account data and used it to make counterfeit credit and debit cards. Fraudulent purchases were made using counterfeit copies of the credit and debit cards used at BJ’s stores. The business could have limited its risk by securely disposing of the financial information once it no longer had a legitimate need for it.

If you have personal information protect it properly

The BJ’s case illustrates another point: if you must keep it then lock it down. The FTC charged that BJ’s engaged in a number of practices that, when taken together, did not provide reasonable security for sensitive customer information. BJ’s failed to encrypt consumer information when it was transmitted or stored on computers in BJ’s stores, created unnecessary risks by storing it for up to 30 days, stored the information in files that could be accessed using commonly known default user IDs and passwords, failed to use readily available security measures to prevent unauthorized wireless connections to its networks, and failed to use measures sufficient to detect unauthorized access to the networks or to conduct security investigations.

Don’t use personal information when it’s not necessary

You wouldn’t juggle with a Ming vase. Nor should businesses use personal information in contexts that create unnecessary risks. In the Accretive Health Inc., case, the company used real people’s personal health information in employee training sessions, and then failed to remove the information from employees’ computers after the sessions were over. After the training, an Accretive employee’s laptop computer, containing 20 million pieces of information on 23,000 patients, was stolen from the passenger compartment of the employee’s car. The risk could have been avoided by using fictitious information for training or development purposes.

The National Association of REALTORS^® recommends five steps for brokerage companies looking to protect the online privacy of their clients and customers:

1. Take stock
2. Scale down
3. Lock it
4. Pitch it
5. Plan ahead

Read all about it in the article, “Five Steps Towards Achieving Data Security,” from NAR available online at www.realtor.org/articles/five-steps-towards-achieving-data-security.

Resources

Encryption resources

How to Encrypt Your Email: www.pcworld.com/article/254338/how_to_encrypt_your_email. 

How to Encrypt Your Email and Keep Your Conversations Private: www.lifehacker.com/how-to-encrypt-your-email-and-keep-your-conversations-p-1133495744. 

Data security and privacy resources

Internet Security Best Practices – 2014 from NAR Information Central: www.realtor.org/sites/default/files/reports/2015/InternetSecurityBestPractices2014.pdf.

May 2013 Legal Update, “Safeguarding Personal Information”: www.wra.org/LU1305. 

NAR's Data Security and Privacy Toolkit: www.realtor.org/law-and-ethics/nars-data-security-and-privacy-toolkit. 

Federal Trade Commission’s “Start with Security: A Guide for Business”: www.ftc.gov/tips-advice/business-center/guidance/start-security-guide-business.

Debbi Conrad is Senior Attorney and Director of Legal Affairs for the WRA.