
By Julianne Goodfellow, VP of Government Affairs
Julianne Goodfellow is Vice President, Government Affairs, with primary responsibility for data privacy, technology, property operations and regulatory reform from both an industry and federal policy perspective.
For rental housing providers, it is particularly important to remain vigilant against this ever-evolving threat, given that the reputational and operational stakes are high. Advances within the property technology sector, otherwise known as PropTech, and artificial intelligence increase the surface area through which criminals can access apartment companies’ devices, infrastructure and networks and ultimately impact the lives and data security of their residents.
The Threat Landscape
Today, social engineering/phishing and stolen credentials remain the most common methods by which a cybercriminal gains access to an organization’s network.1 But ransomware and business email compromise (BEC) scams are increasingly difficult to thwart. Cybercriminals use AI to significantly reduce the time spent gathering information within a victim’s system before launching an attack. In addition, employees’ unsanctioned use of AI tools can create vulnerability, such as the loss of data to a third-party AI system, since information shared with such systems can become part of the AI program’s knowledge base.
An organization’s third-party service providers and suppliers create additional cybersecurity risk. Rental housing providers and suppliers may require access to an organization’s network and/or its data to provide services. In an increasingly interconnected environment, third parties often have third-party suppliers of their own.
Ultimately, the human element continues to represent the most critical vulnerability in accessing a company’s network and/or data. Insider threats remain prevalent as employees accidentally facilitate or maliciously engage in cyberattacks. These threats are difficult to detect, as technical security measures are limited in their ability to prevent insiders from using their legitimate access maliciously. Seventy-four percent (74%) of all breaches “include the human element, with people being involved either via error, privilege, use of stolen credentials or social engineering.”2
Legal and Regulatory Environment
The legal and regulatory landscape surrounding data security and breach notifications is complex and nuanced—and no single data security law governs rental housing providers. Rental housing providers fall within the scope of several sector-specific federal laws, state-by-state requirements, self-regulatory regimes and industry standards.
Congress has been stymied in efforts to create national data breach, notification and data privacy standards. While there’s broad bipartisan consensus that something needs to be done, disagreements on issues such as state preemption and the private right of action have prevented legislation from moving forward. NMHC has long communicated the need for flexible and scalable national cybersecurity and data privacy standards that preempt state laws to help organizations that operate in more than one state to ensure they are protecting their residents and their business. In the absence of a federal standard, federal agencies and states are filling in with a patchwork of laws and regulations that are increasingly challenging to navigate and have the potential to negatively impact consumers.
It is particularly important to be aware of these regulations, as regulators have increasingly brought enforcement actions against companies that have failed to comply with these requirements. Several federal agencies, including the Consumer Financial Protection Bureau (CFPB), Federal Trade Commission (FTC) and Securities and Exchange Commission (SEC), have regulations that could apply to apartment firms and related industry services.
Notably, public companies and investment advisors will soon have to comply with new Securities and Exchange Commission regulations surrounding cybersecurity disclosure requirements and governance. In light of the new SEC regulations, the National Institute of Standards and Technology (NIST) released a draft Cybersecurity Framework 2.0 to include governance around incident reporting. In the absence of a federal data security and breach notification law and given the current patchwork of state data security and breach notification laws, it is likely that the SEC’s disclosure requirements and the evolving NIST Cybersecurity Framework could soon be seen by regulators as the de facto national standards, even for non-publicly traded firms.
Also of note is the growing public scrutiny and accompanying pressure to regulate emerging technologies like Artificial Intelligence (AI). To combat the new risks posed by AI at the federal level, the Biden Administration released an Executive Order (EO) in October 2023, outlining eight guiding principles and priorities to advance the development and use of AI. Building off President Biden’s Blueprint for an AI Bill of Rights, issued in late 2022, the EO priorities include cybersecurity and data privacy. Legislative and regulatory proposals have also begun to emerge at the federal, state and even international level that are worth watching given the growing role of AI in all aspects of multifamily development, financing and operations.
Practical Considerations
As the enterprise risks associated with cyberattacks increase, maintaining a robust cybersecurity and data privacy program is necessary to reduce these risks. Companies should also ensure their suppliers and service providers engage in reasonable cybersecurity practices before sharing sensitive information.
Many of the federal and state laws and regulations in the cybersecurity space require businesses to develop cybersecurity risk management programs, including conducting risk assessments, implementing safeguards to protect sensitive information and developing incident response plans. In addition, more regulations require oversight and accountability at senior levels and cybersecurity governance practice at the board level.
Rental housing providers should prioritize cybersecurity risk management programs and cyber governance practices. The existing patchwork of cybersecurity incident and data breach disclosure obligations can be difficult to navigate; however, businesses must understand how the various laws can apply to them.
New Member Resource
The ever-evolving cybersecurity and data privacy landscape requires diligence and an awareness of regulatory changes. NMHC released a white paper, Cybersecurity Risks, Regulations & Considerations for the Multifamily Housing Industry, which provides an in-depth analysis of the cybersecurity risks facing the multifamily industry and offers some practical considerations for developing a reasonable and robust cybersecurity program. Specifically, this resource covers:
- the current cybersecurity threat landscape;
- the proliferation of cybersecurity and data privacy laws and regulations;
- the changing cyber insurance market; and
- practical considerations for managing risk, incident response, oversight/governance and supplier relationships.
Further Member Resources
- Subscribe to NMHC’s Cyber Alerts
- Join the cross-sector Commercial Facilities Working Group (CSWG), in partnership with NMHC and the Real Estate Information Sharing and Analysis Center (RE-ISAC). CSWG members receive a Cybersecurity Update newsletter three times a week and a daily ransomware report. This is a great resource for NMHC members who are focused on cybersecurity. Please reach out to NMHC’s Julianne Goodfellow, who serves on the CSWG Steering Committee, at jgoodfellow@nmhc.org to join.
1 See Verizon DBIR, 2023 Data Breach Investigations Report, p. 8, https://www.verizon.com/business/resources/Tde3/reports/2023-data-breach-investigations-report-dbir.pdf
2 Verizon DBIR, p. 8