As we begin the new year, I thought that it would be a good idea to write a brief reminder about the importance of protecting Personally Identifiable Information (PII) in our business practices. It is important to keep in mind that PII is captured in many ways, some that immediately jump out at us, and some that don’t. For example, we have more and more on-line tools at our disposal with each passing day, and this is a good thing. Pretty much everyone on the planet is now involved in Social Networking, Blogging and/or other forms of beneficial on-line communication and networking. However, these tools also bring with them the responsibility to protect large volumes of sensitive information. The following outlines a few thoughts about protecting PII in the real estate business. I hope that you find it helpful.
Protection of Personal Identifiable Information – Paraphrased from the US Department of Labor web site http://www.dol.gov/dol/ppii.htm, Personal Identifiable Information (PII) is defined as:
“Any representation of information that permits the identity of an individual to whom the information applies to be reasonably inferred by either direct or indirect means. Further, PII is defined as information: (i) that directly identifies an individual (e.g., name, address, social security number or other identifying number or code, telephone number, email address, etc.) or (ii) by which an agency intends to identify specific individuals in conjunction with other data elements, i.e., indirect identification…Additionally, information permitting the physical or online contacting of a specific individual is the same as personally identifiable information. This information can be maintained in either paper, electronic or other media.
The loss of PII can result in substantial harm to individuals, including identity theft or other fraudulent use of the information. Because employees and contractors may have access to personal identifiable information concerning individuals and other sensitive data, we have a special responsibility to protect that information from loss and misuse.”
According to the ‘Swanepoel TRENDS Report’, the following eleven considerations are specifically key in the protection of data in a real estate business environment.
- Location of any paper information
- Mail and special delivery procedures
- Mortgage and pre-qualification information
- Access to office and home computers including staff and encryption
- Paperless transactions and encryption
- Archived data on backup tapes
- Natural disaster and terrorist attacks
- Employee access
- Vendor access and sharing of information
- Virus protection and unauthorized use
- Notification systems
The Swanepoel Report goes on to cite several points to consider when reassessing risk. If you feel that your company needs to revisit the area of risk mitigation, the points that follow are recommended by the Association of Certified Fraud Examiners (acfe.org).
- Only hold the personal data that you need
- Keep all personal data secure
- Don’t over promise, but adhere to the customer security program you commit to
- Make data security a priority with your employees
- Require vendors to sign nondisclosure agreements
- Test your plan periodically
- Plan for the worst-case scenario!
There is no question that identity theft has become rampant in our society. As real estate professionals, we must recognize the enormous body of sensitive consumer information held within our data collection systems. Since protecting personal information is of great concern to consumers and with issues of proper business ethics at play, it is clear that every professional real estate organization must have a strong risk mitigation plan in effect.