Equifax, one of the three biggest consumer reporting agencies, on September 8 announced that sensitive information on up to 143 million consumers was compromised from mid-May through July because of a vulnerability in one of its websites. The information is reported to include names, Social Security numbers, birth dates and addresses, driver’s license numbers, and in some cases, credit card numbers. Multifamily firms often use Equifax consumer reports and similar products during the resident screening process.
News of such a massive data breach has, not surprisingly, spurred strong interest on Capitol Hill and at federal agencies. To date, the Federal Trade Commission (FTC), the Consumer Financial Protection Bureau (CFPB), and the Government Accountability Office (GAO) have all launched investigations into the breach. Republican and Democratic leaders of many key Congressional Committees have expressed outrage and are working across the aisle to press the issue, moving to hold hearings and possibly craft legislation in response. The first Congressional hearing on the topic is set for October 3 when executives from Equifax will appear before the House Energy and Commerce Digital Commerce and Consumer Protection Subcommittee. Hearings before the Senate Banking and House Financial Services Committees are still distinct possibilities.
NMHC/NAA is tracking these issues carefully as apartment firms and their third-party service providers regularly collect, use and maintain sensitive financial and personal data about residents, prospective residents and employees that could potentially leave them vulnerable to cyber incidents.
Currently, NMHC/NAA member companies must comply with a patchwork of 48 different state laws that govern this space. And, while there has long been agreement that more needs to be done to protect consumer data, federal policy makers have been unable to forge a compromise on what requirements should be in place. It is likely that legislation such as the bill passed by the House Financial Services Committee in late 2015 or the bipartisan compromise package we reported on previously could gain traction in this political climate.
While NMHC/NAA strongly support efforts to safeguard a consumer’s personal information, NMHC/NAA will continue to express concerns about any legislation that imposes overly burdensome requirements on businesses without regard to their scope and size. NMHC/NAA continue to work to ensure that any proposal that moves forward recognizes the unique nature and needs of the multifamily industry while ensuring the data our members use is secure.
Industry information on data security, including a white paper with best practices, can be found at www.nmhc.org/data-security. Additionally, NMHC members can sign up for a newly launched cybersecurity notification system which aims to inform members of real-time cyber threats. Working with the Real Estate Information Sharing and Analysis Center (RE-ISAC), NMHC will distribute regular email alerts of cyber activity that could impact their firms, data or residents. Sign up here.
- FTC Commercial Surveillance and Data Security Comment Letter
- Legislation that Creates Federal Data Privacy Standard Advances to Senate
- NMHC NAA Data Privacy Letter to Energy and Commerce Committee
- NMHC NAA Letter on Data Privacy
- Bipartisan Lawmakers Release Federal Data Privacy Bill That Would Have Impact on Multifamily Data Practices