Data breaches affected one billion personal records in 2014. With automated software constantly searching for internet vulnerabilities, organized crime utilizing the same hacking capabilities as nation states and the sheer volume of data multifamily operators collect, NMHC's 2015 Spring Board of Directors Meeting session “Data Breach: Not If, But When” shined a frightening light on the risks the industry faces today.
Hackers are not only getting more sophisticated but much more patient. Experts estimate that hackers are lurking in a breached system for approximately 229 days before they are discovered, allowing them plenty of time to do significant damage. Moreover, an average breach is estimated to cost a company between $3 million and $5 million, or roughly $200 per record compromised.
Despite the scary scenarios, “a little bit of prevention can go a long way,” said moderator Jeanne McGlynn Delgado, NMHC vice president of business and risk management policy.
“Eighty to 90 percent [of data breaches] were totally preventable,” said panelist Christopher G. Cwalina, partner and co-chair of the data privacy and security team at Holland & Knight. “These things are expensive mistakes. There is a role for you all.” Cwalina noted that while he was at ChoicePoint, a high-profile data breach more than a decade ago cost the company in excess of $100 million. “That is a pittance compared to what's happened [recently],” he added.
One of the first steps as part of the C-suite is to simply make data security a priority for the organization. "Don't delegate tasks because the buck stops with you. Dive in and get smart," said panelist Mark Seifert, partner and co-leader of corporate data practice at Brunswick Group.
“Attorneys general admit that everyone gets hacked. What they want to see is that companies are putting the time and dollars up front to protect the information they have,” said Cwalina. “If they feel like you have your head in the sand, they will sue. If you're able to say we've done XYZ, they may not take any action.”
The up-front action suggested by the panelists includes not just creating a data security and response plan, but also testing it across the entire organization. Testing IT systems in advance of a breach can bring average costs down by $42 per record. Beyond saving money and headaches from a data breach, these tabletop exercises provide critical insight into the resiliency of the company.
“You're getting a lot of people in the room putting the puzzle together,” said Cwalina.
And that test will come sooner than any apartment leader wants.
“When you start looking at all of the data you collect on people, at some point the target may turn towards you,” said Delgado.
View the full presentation here. For additional information on how firms can prevent and address data breach, read Delgado's "Six Ways Apartment Firms Can Better Prevent Data Breach" or visit NMHC's Data Security summary of the topic.