The Risk Management Forum session “Data Breach: Best Practices for Avoidance, Management and Recovery” at the 2014 NMHC OpTech Conference & Exposition was one of the most well attended, serving as a visual reminder of growing concerns within the industry. The expert panelists made one point clear from the start: 2013 and 2014 were not anomalies when it comes to data breaches. Instead, small and large-scale breaches will continue to happen on a regular basis, so multifamily owners and operators need to be prepared with sophisticated tools and resources for combating sophisticated hackers.
“The days of simply having a corporate firewall and antivirus on your computer to combat data breach are over,” said panelist James Hamrick, vice president of information technology for Bell Partners.
“Liability, reputational and business interruption costs can range from $5 to $400 per personal record lost,” added panelist Adam Sills, managing director of healthcare for CapSpecialty. “And the organizations that pay are the ones who deny a breach has happened, saying they are doing their own ‘investigations’ - getting raked through the press and ending up with a lingering problem.”
Panelist Tyler Goff, assistant vice president for risk management with Equity Residential, agreed, “You should start combating breach by asking about your risk ahead of time. There are a lot of ways to prevent and control a loss, including eliminating the risk, making the right data breach prevention IT investments, employee training, budgeting for loss, and insurance policies.”
In particular, added Hamrick, “A cyber security audit can help give you an idea of what your exposure is, providing IT ideas and more.”
“And, don’t forget, you need to implement plans for mitigating breaches from internal risks,” he said. Hamrick’s related topline recommendations include:
- Email filtering (spam) systems that also read outgoing email, preventing key information from leaving the organization;
- Web filtering that scans the web page itself for malicious content before it reaches the user;
- A mobile device management solution to enforce mobile passwords and remotely wipe lost or stolen devices;
- Encryption for laptops, but also for every computer in the organization, because someone could break into a leasing office and steal the computers; and
- Network threat detection that continuously scans for issues.
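The first recommendation above, inspecting outgoing email so that resident records do not leave the organization, is usually implemented as a content-inspection rule rather than a plain spam filter. The following is an added example, not code from the panel or from NMHC: a minimal outbound-mail check that flags Social Security numbers by format and payment-card numbers by Luhn checksum (so that arbitrary digit strings such as phone numbers are not blocked). The sample messages, addresses and unit numbers are constructed for the example; the `.test` domains are placeholders.

```python
import re
from email import message_from_string

# Constructed sample outbound messages (placeholders, not real mail).
SAMPLE_MESSAGES = [
    """From: leasing@example-apartments.test
To: partner@example-vendor.test
Subject: Move-in checklist

Hi, the unit 4B keys are ready for pickup Friday. Call 555-0142 with questions.
""",
    """From: leasing@example-apartments.test
To: personal-mail@example-webmail.test
Subject: resident file

Applicant SSN 123-45-6789, card on file 4111 1111 1111 1111, exp 09/27.
""",
]

# SSN: AAA-GG-SSSS, rejecting area 000/666/9xx, group 00 and serial 0000,
# which the SSA never issues.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")

# Candidate card numbers: 13 to 19 digits, optionally separated by spaces or dashes.
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn (mod 10) checksum."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_sensitive(body: str) -> dict:
    """Scan a message body and return the SSNs and Luhn-valid card numbers found."""
    findings = {"ssn": [], "card": []}
    for m in SSN_RE.finditer(body):
        findings["ssn"].append(m.group())
    for m in CARD_RE.finditer(body):
        digits = re.sub(r"\D", "", m.group())
        # Only accept digit runs of card length that pass the checksum; this is what
        # keeps phone numbers and account IDs from triggering false positives.
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            findings["card"].append(digits)
    return findings


def scan_outbound(raw_message: str) -> dict:
    """Decide whether an outgoing RFC 822 message should be held for review."""
    msg = message_from_string(raw_message)
    body = msg.get_payload()  # the samples are single-part text messages
    findings = find_sensitive(body)
    block = bool(findings["ssn"] or findings["card"])
    return {"to": msg["To"], "block": block, "findings": findings}


if __name__ == "__main__":
    for raw in SAMPLE_MESSAGES:
        print(scan_outbound(raw))
```

In a real deployment the same check sits in the mail gateway's policy layer and would also unpack attachments and multipart bodies; the point of the example is that a blocking rule needs a validity check (the Luhn step) behind the pattern match, or the filter either misses formatted numbers or blocks ordinary correspondence.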
“Also, when any breach happens, know who you’re going to call,” said Goff.
“There are 48 states that have different laws on what is considered a data breach. For example, if one of your residents moves to California, you need to follow California’s data breach rules - it is ridiculously convoluted,” added Goff. “So a law firm and/or breach coach can help an organization develop an incident response plan.”
“You can’t just do it yourself, you need help,” agreed Hamrick.
The panelists also agreed that, in the event of a breach, acting quickly is vital, and response plans should include the following steps:
- Begin an in-depth investigation with a forensic team and evaluate the scale of the breach, who discovered it, the type of breach, what was stolen and how, and all other details about the event;
- Fix the issues that caused the breach, assess other gaps and secure the situation;
- Notify law enforcement, if needed, and look to state and federal law, as well as consulting with legal counsel;
- Notify the insurer, if insured, as soon as possible;
- Set up a resident hotline for questions and assistance;
- Craft a message and identify a spokesperson, if it is necessary to make a public statement; and
- Identify legal obligations as mandated by state and federal laws (i.e., required notifications and timeframes).
Additional educational resources related to data breach, privacy and identity theft are available on NMHC’s website at http://www.nmhc.org/Data-Breach.