The Growing Reach of Data Protection Laws in the US
It’s been over one year since General Data Protection Regulation (GDPR) was implemented in Europe, now the primary law regulating how companies protect EU citizens’ personal data. As security breaches continue across the globe, the push in the U.S. for federal laws and regulations that protect personally identifiable (PII) information grows.
The U.S. approach to federal data security and privacy regulation traditionally has been sector-specific (e.g., healthcare, financial services). State legislators have taken a broader approach to enacting privacy- and security-related laws and regulations. At least 25 states either have their own data security laws in place or have laws in progress in their state’s legislature.
One of the key state data security laws to watch is the California Consumer Privacy Act (CCPA), which goes into effect Jan. 1, 2020. The CCPA directly impacts operations of businesses serving California consumers, specifically targeting:
- Companies with over $25M in gross revenue
- Companies of any size that have personal data of at least50,000 people
- Companies that collect more than half of their revenues from the sale of personal data
The CCPA has created momentum for other U.S. states, and potentially the U.S. Congress, to introduce sweeping new privacy requirements. In September, a key industry advocacy group, the National Multifamily Housing Council (NMHC), issued a “News Alert” highlighting the CCPA and offering its White Paper examining the “rapidly evolving data protection and regulatory landscape.” While focused on habitational real estate, NMHC anticipates the implementation of “industry agnostic” standards and federal regulation beyond jurisdiction and location that will no doubt impact all sectors of commercial real estate.
Data Privacy Considerations for Commercial Real Estate
Technology has made sensitive data more available than ever. Wireless PDAs, transaction management software and the electronic transfer of documents, among many other technologies, extend the possibilities for interruption, misuse and inappropriate access to your clients’ data.
As it stands, there are disparate laws across the country. What’s more, because of the array of data protection laws at the state level, businesses that collect information on individuals located in multiple jurisdictions can be subject to numerous laws, often with differing and potentially conflicting requirements that can create significant implementation and compliance challenges.
Imagine the task of property management firms running popular apartment complexes near college campuses. Each student’s home state may have regulations requiring compliance in addition to those on the books for the state in which the building is located.
Taken from that perspective, the implementation of federal regulations can’t come too soon. And it is coming – sooner or later. Uniform federal guidance will help real estate companies prioritize and shore up the information security protocol.
Where to Start
The appetite for federal data protection laws is growing as a result of continued high-profile information security breaches and data-leak scandals such as Facebook’s Cambridge Analytica incident. Legislators are focused on companies’ use —and misuse — of information in business operations, separate and apart from security breaches alone.
A driving force in the evolving privacy frameworks is the demand for transparency about organizations’ data-processing practices. Companies that want to begin to prepare for eventual data privacy law changes, in whatever form they come, may want to use the GDPR regulations as a guide. Many companies, both domestically and abroad, found that GDPR compliance took significant work.
One way your company can test how much effort might be involved in data protection before any U.S. law goes into effect is to measure your data privacy readiness and awareness. The following questions may provide some insight into the types of requirements that are gaining popularity as a result of the GDPR:
- Do you have an opt-in and opt-out policy on your website or marketing materials?
- Have you sold or purchased a list of personal contact information?
- Have you recently conducted a general scan for current information security control weaknesses?
- Have you completed a penetration test and/or a network scan in the last 12 months?
- Have you thought about where most of your consumers live?
- Have you started reviewing how you are interacting with customers?
- Have you checked with your web-based communication platforms, such as marketing, ecommerce and loyalty services, to find out what their security and data protection policies are?
Bottom Line – One Step at a Time
This might seem like a large undertaking, and indeed it is, but momentum is moving in the regulatory direction. Consumers are challenging the use and misuse of data at all business levels and demanding government regulation. Business executives, agents, appraisers and all professionals in the real estate industry must realize that this is an important area of consumer service that needs to be addressed. The benefits can extend beyond liability minimization and reputation protection; it can also create consumer trust and add value to your company’s brand. A heightened commitment to data protection and information security can generate client goodwill. Starting this process one step at a time will help ensure your business is ready if (or when) new privacy laws roll out across the U.S.
How to Have a Transition-Ready Strategy for Information Security
It’s Past Time for CRE Cybersecurity Strategy and Governance
The National Association of Realtors Data Security and Privacy Toolkit
Guide to Identifying Personally Identifiable Information (PII)
CBIZ approaches privacy and cyber issues from both management/systems and mitigation/recovery perspectives. If you have questions or simply want to run some ideas by experienced professionals, don’t hesitate to reach out to our authors, Bart Kimmel (310.268.2000) and Bryan Dziak (216.525.1976). Both are both members of the CBIZ Risk & Advisory practice.