Data Security is the Law

Most cybercrime experts say it isn't "if" your data will be breached, it's "when." And real estate brokers must understand that securing data isn't just good business practice — it's the law.

Today, 47 states have data security and private protection laws on the books to safeguard consumers and businesses when breaches occur (Washington, D.C., Guam, Puerto Rico, and the Virgin Islands also have laws).

Melanie Wyne, senior technology policy representative at the National Association of REALTORS®, says these state laws typically explain what constitutes a breach, how businesses or organizations should notify their clients when a breach happens, and whether there are any exemptions to the law. These laws also describe what kinds of personal information must be secured, such as social security numbers, driver's license numbers, and financial account information.

Wyne says the laws may vary but that there is one common denominator: "What's true for all the state laws is that they require having encryption on any personal data."

According to the Electronic Privacy Information Center, Massachusetts' data breach notification law is one of the most comprehensive in the country. It establishes minimum standards that any person, agency, or entity that owns or licenses personal information on Massachusetts' residents must meet and requires the implementation of "a comprehensive information security program." Some of the other requirements include security training for employees, secure storage, protocols for strong user authentication, prevention of terminated employees from accessing records containing personal information, and annual reviews of the scope of security measures.