Apartment Owner & Manager Liability for Data Breaches

October 11, 2016
Authors: USI Northwest Insurance
Publishers: The Northwest Apartment Investor Newsletter

QUESTION: Can you explain cyber-liability and data breach?

ANSWER: The term cyber-liability is often used to describe a range of cyber-exposures which could include: 

Data breach: Files held on apartment tenants are voluminous and detailed, and include all sorts of personal and financial information that is extremely valuable to identity thieves.  When this database is hacked, or personally identifiable information on residents, employees or applicants is compromised, apartment owners and managers can find themselves confronted with substantial costs.  Breaches can occur while data is stored and inactive, during transmission and when hard copies are being transported or discarded. 

Social Engineering Exposures: Social engineering techniques are being used to induce businesses to break normal security procedures. This can lead to a transfer of substantial monies to fraudulent third parties. 

Cyber-extortion risk: This involves a demand for money to avoid — or stop — a cyber-attack or release of resident or applicant information.  Companies are paying out millions of dollars to cyber-criminals for the safe recovery of stolen or encrypted data. 

QUESTION: Why should an apartment owner or manager be concerned with data security and cyber-breaches?

ANSWER:  The risk associated with data security and cyber-breach continues to grow. 

Cyber-criminals have become more creative and their attacks increasingly destruction.  The Real Estate industry has historically not been targeted as aggressively as retail, financial services and healthcare. 

Increasing reliance upon technology within the real estate sector and the fact that apartment owners and managers are creating, using, storing and sharing more information than ever should compel them to take a serious look at these exposures and how they are managed.  

For example:  rental applications, credit reports, leases and rental agreements contain personal information of applicants and tenants – precisely the type of information targeted by cyber-criminals.

It is vital that firms secure these documents.  The “disposal rule” of the Fair and Accurate Credit Transactions Act (FACTA), a federal law enacted in 2003, states that disposal of these records must be through incineration or shredding.  Even small landlords are obligated to comply with this requirement. 

QUESTION: What measures should apartment owners and managers take to prevent a cyber-breach?

ANSWER: Make sure you are familiar with state data security and breach notification laws and institute company-compliance programs accordingly.   Oregon recently expanded its data-breach law for 2016.  (Refer to S.B. 601, www.oregonlegislature.gov)

Maximize internal security measures to prevent a data breach.  Limit access to electronic and paper records to necessary employees and require employees to update passwords with stringent password protocols.

Educate employees on security risks.  Employees should be reminded to lock computers, file cabinets and offices when away.  Staff should pay very close attention to their mobile devises and laptops when transporting them.

Dispose of unnecessary hard and electronic records containing personal information. 

Perform due diligence when hiring third party vendors, and understand that you may still be considered the primary custodian and face legal challenges in a privacy breach.

Transfer the costs of a cyber-breach to a cyber-liability insurance policy.

QUESTION: What is the average financial impact of a cyber-crime?

ANSWER: In 2014, data breaches cost U.S. businesses $194 on average, per compromised record.  Costs increase if the attack is not resolved quickly.  The average time to resolve a cyber-attack is 24 days.  The average value of a lost laptop is $49,246 after a data breach—80% of which is for lost data, compared to 2% for the cost of replacing the laptop. 

To investigate and remediate a breach, forensic companies are often hired to identify its source.  The cost of these investigations can be in the hundreds of thousands of dollars. 

Notifying those whose confidential information may have been compromised can be costly as well as providing credit monitoring services to those who were compromised. 

QUESTION: Does buying a cyber-liability policy make sense for an apartment owner or manager?

ANSWER: Buying some level of cyber-insurance makes sense, regardless of the size of the company.  Every company has some level of private information that can expose them to legal claims.  Whether you purchase a small sublimit on your business owner’s package policy, or purchase a stand alone cyber-liability policy, be sure coverage isn’t contingent upon actual damage to those whose files were compromised, as notification, protective response, legal defense and forensic costs can still pile up. 

For information on cyber-liability insurance policies, contact Vice Presidents Heidi Tapasa or Ted Stark at (503) 224.8390.