Recent ransomware attacks and major hacks have thrust into the spotlight the importance of businesses, including those in the real estate industry, having the necessary protocols and protections in place to protect themselves and their clients from cybercriminals. During the COVID-19 pandemic there has been a substantial rise in cybercriminal activity. The recent ransomware attacks and cyber-attacks on targets such as the Colonial Pipeline Co. (which runs a major East Coast fuel pipeline), JBS, S.A. (one of the world’s largest meat processors), the Washington D.C. Metro Police Department, and New York City’s Law Department, to name a few, should make businesses aware of the very real threat of such attacks and the widespread disruption they can cause.
The real estate industry, unfortunately, is extremely vulnerable to attack by cybercriminals because many real estate agents, attorneys, bankers, mortgage brokers, appraisers, home inspectors and others involved in a real estate transaction do not implement the cybersecurity protections necessary to protect themselves against such attacks. Many real estate agents, who are independent contractors, utilize their own personal e-mails, which leaves them, and their clients’ data and personal information, vulnerable. This can cause the real estate brokers for whom the real estate agents work to accrue liability for such data breaches.
In 2016 (see Beware of Cyber Threats: The Importance of Implementing Data Security and Privacy Policies at https://bit.ly/3ziZNxF) and again in 2018 (see Cybercrime and Ransomware Are Very Real and Costly Threats! at https://bit.ly/3ghYvue), this column focused on the risks and threats that exist in connection with cybersecurity and data breaches. Those articles highlighted existing laws and related requirements of businesses to protect consumers from data breaches and cyber-attacks as well as best practices and insight on cybersecurity insurance coverage. Real estate brokers and agents should review these articles as they are even more relevant today in light of current events. This article will revisit these issues. It will provide an update on the FBI’s 2020 IC3 Report on Cyber Crimes (“IC3 Report”) issued in March (see https://bit.ly/2TWReIP). It will also highlight some of the more recent laws dealing with data protections and cybersecurity such as New York State’s SHIELD Act (see https://bit.ly/3g8BbjR) and New York City’s pending Tenant Data Privacy Act (see https://on.nyc.gov/3vaW6H0).
2020 FBI IC3 Report on Cyber Crimes
The FBI’s Internet Crime Complaint Center (IC3) provides individuals and businesses victimized by cyber-attacks with a place to report cybercrimes. The IC3 also provides the public with invaluable information on cybercriminal activity and publishes its annual IC3 Report. In the introduction to the 2020 IC3 Report, Deputy Director of the FBI Paul Abbate points out that “In 2020, while the American public was focused on protecting our families from a global pandemic and helping others in need, cyber criminals took advantage of an opportunity to profit from our dependence on technology to go on an Internet crime spree.” It is clear that while society’s primary focus was (and still is) on the COVID-19 pandemic, cybercriminals have been taking advantage of current conditions, targeting and exploiting individuals, as well as businesses and governmental agencies of all types and sizes.
IC3 reported that in 2020, it “received over 28,500 complaints related to COVID-19.” These criminals targeted the individuals and businesses which sought to receive economic assistance under the Coronavirus Aid, Relief, and Economic Security Act (“CARES Act”). The IC3 indicated that it “received thousands of complaints reporting emerging financial crime revolving around CARES Act stimulus funds, specifically targeting unemployment insurance, Paycheck Protection Program (PPP) loans, and Small Business Economic Injury Disaster Loans, as well as other COVID-related fraud.” These cybercriminals obtain personally identifiable information through phishing and other methods and then file false unemployment claims and submit fraudulent grant and loan applications.
The IC3 Report points out that in the last five years there were 2,211,396 complaints filed and more than $13 billion in total losses that were suffered by victims of cyber-attacks. In 2020 alone, there were 791,790 complaints filed with the IC3 and $4.2 billion in total losses. The number of complaints filed represented a 69% increase from 2019. In 2020, Business E-mail Compromise (BEC) and E-mail Access Compromise (EAC) attacks were among the most common and the costliest, totaling $1.8 billion. BEC/EAC attacks involve sophisticated scams that target businesses and individuals performing transfers of funds. The real estate industry is specifically targeted due to the frequent use of wire transfers, especially during the COVID-19 pandemic, when remote closings were commonly utilized. Real estate agents and real estate attorneys are particularly vulnerable because the e-mails exchanged between these parties and their clients contain critical information as to when a closing will occur, the amounts that will need to be wired and the location to which the wire transfers are to be made. A cybercriminal will wait for the opportune moment and then strike.
The IC3 Report further points out that in 2020 there was “an increase in the number of BEC/EAC complaints related to the use of identity theft and funds being converted to cryptocurrency.” The IC3 Report explained that victims would be forced through “Extortion, Tech Support, Romance scams” to provide a form of personal identification to cybercriminals. The criminal would then use the victim’s identification to set up a bank account and use it to receive stolen funds and then transfer the funds to anonymous cryptocurrency accounts. With the popularity of cryptocurrency and the anonymity it offers, this form of cybercrime will certainly increase in the years to come.
Ransomware was also on the rise in 2020. IC3 received 2,474 ransomware complaints and victims suffered losses in excess of $29 million. Based on recent events, a substantial increase in incidents and losses is expected in 2021. In operating their businesses, real estate professionals have in their possession critical client information and must, to the best of their ability, safeguard that information and adhere to all legal requirements.
New York State’s Cybersecurity Law: The SHIELD Act
In July 2019, New York State enacted the Stop Hacks and Improve Electronic Data Security Act (the SHIELD Act). The SHIELD Act expanded the data breach notification obligations under New York law and imposed affirmative cybersecurity obligations on those entities specifically enumerated in the law. The SHIELD Act makes significant changes to existing New York law. One change now makes any business that maintains private information of New York residents subject to New York data breach obligations under the law regardless of the location of the business, even if that business is located in another state or country.
The SHIELD Act also broadened the definition of “private information” and expanded the notification obligations of a business in the event of a breach. In addition, the law expanded the definition of a data breach that would trigger the notification requirements to include unauthorized “access” to private information. Previously, New York law only required a business to notify affected individuals if their private information was “acquired” in the event of a data breach.
Prior to the enactment of the SHIELD Act, New York law provided for minimum civil penalties of $5,000 for a violation of the notification obligations, or $10 per instance of failed notification to each affected individual, whichever was greater, up to a maximum penalty of $150,000. Under the SHIELD Act the minimum penalty is still $5,000; however, the penalty for each failed notification has been increased to $20. Additionally, the maximum penalty was increased to $250,000.
The most significant change under the SHIELD Act is that as of March 21, 2020, “any person or business that owns or licenses computerized data which includes private information of a resident of New York shall develop, implement and maintain reasonable safeguards to protect the security, confidentiality and integrity of the private information including, but not limited to the disposal of data.” Due to the COVID-19 pandemic there was not much attention paid to the new requirements. A business or individual is now affirmatively obligated to put in place reasonable safeguards and procedures with regard to the maintenance and security of private information. The SHIELD Act specifies three distinct areas: (1) Reasonable Administrative Safeguards, (2) Reasonable Technical Safeguards and (3) Reasonable Physical Safeguards. The SHIELD Act outlines specific requirements for each of the areas. While the new “safeguards” requirement applies to all businesses or individuals owning or licensing private information, there is a carve out for small businesses (i.e., businesses with fewer than 50 employees) that provides for a less stringent standard based on the size and scope of the small business.
The SHIELD Act provides that “a small business” is in compliance with the above requirement if the “small business’s security program contains reasonable administrative, technical and physical safeguards that are appropriate for the size and complexity of the small business, the nature of the small business’s activities, and the sensitivity of the personal information the small business collects from or about consumers.” Nevertheless, all businesses, including real estate brokerage firms, law firms, title companies, etc., must adhere to the requirements of the SHIELD Act as well as all other data breach and notification laws.
New York City: The Tenant Data Privacy Act
The Tenant Data Privacy Act (“TDPA”) became law in New York City on May 28. The TDPA “would require owners of multiple dwellings that utilize keyless entry systems, including but not limited to key fobs, biometric identifiers and electronic technologies, to provide tenants with a data retention and privacy policy.” The TDPA also sets forth restrictions relating to the use and collection of tenants’ data contained in these systems and databases. It will also require a landlord to do or comply with the following: (1) obtain consent from tenants and other users to use any such information, (2) restrict the sharing of such information with third parties, and (3) require that any data collected be “…removed, anonymized, or destroyed within a given time.” This legislation would establish a private right of action for tenants against a landlord that violates the TDPA. Tenants could sue for compensatory damages or statutory damages ranging from $200 to $1,000 per tenant and could also seek attorney’s fees.
Under the TDPA, building owners would need to provide a “plain language” privacy policy to tenants. The owner of a smart access building, or an agent thereof, must provide to tenants a written policy in plain language that describes, at a minimum, the information listed under subdivision b of § 26-3004 of the TDPA (see https://on.nyc.gov/3vaW6H0). Similar to the SHIELD Act, the TDPA requires that affirmative “security measures and safeguards” be put in place. If the TDPA is signed into law, it will take effect at the end of June 2021 and there will be a grace period until Jan. 1, 2023 for building owners to come into compliance.
Being Prepared is Critical!
The potential for a cyberattack should never be taken lightly. Individuals and companies must put in place protections to ensure that they are protected. Cyberattacks are very real and all individuals and businesses need to be aware of dangers and risks, and take them seriously. While these hacks and cyberattacks can cost thousands and even millions of dollars in damages, the compromised companies and individuals are also required to spend thousands more to comply with the data breach and notification requirements of state and local laws. Businesses and individuals should look into obtaining cybersecurity insurance coverage as most insurance policies do not cover cyberattacks or the damages and costs incurred as a result. Appropriate cybersecurity coverage will not only cover the damages incurred, but will also provide coverage for the costs involved to send the required notices under the law, which can be very expensive. Once an attack occurs it is too late; preventative measures are critical.