Inman

Keep real estate clients’ private info private

Editor’s note: In this four-part series, Inman News looks at real estate security in the Internet era. It’s no longer just a matter of keeping clients’ home keys in a safe place. The Web has opened up vulnerabilities to data scraping, and new responsibilities for consumer privacy, MLS passwords and lockbox pass codes. (See Part 1: Real estate industry steps up MLS security; Part 3: Getting a grip on real estate data scraping and Part 4: Security gurus spread the word.)

Every one of mortgage broker David Huete’s client files is behind walls – whether they’re the walls of locked steel file cabinets or electronic firewalls keeping computer files safe.

“We have firewalls on our computers and we do not use wireless connections,” says Huete, the owner and president of Huete Mortgage in Emeryville, Calif. “People can break in through wireless connections. Most of the time we scan in paper files as soon as we get them and then shred them.”

Privacy is a primary concern to Huete, a broker with many years’ experience who opened his own mortgage company about four years ago. And he’s smart to make it that way – though one expert says Huete is in the minority.

“I don’t think real estate agents and brokers are doing enough to protect their clients’ privacy,” said Darity Wesley, CEO of La Mesa, Calif.-based Privacy Solutions. Her company works with real estate industry entities such as the MLS system in West Palm Beach, Fla., to keep client information safe.

While the Internet has become an essential medium for real estate information exchange, the ease of access now poses a security challenge for industry professionals. The real estate industry is now looking at ways to safeguard its property listings information and sensitive client information from a variety of vulnerabilities.

In addition to existing privacy laws and regulations, Wesley said, the California Online Privacy Protection Act, which went into effect in 2004, mandates that all companies that collection information from California residents must have a privacy policy.

“You don’t know whether California residents are using your Web site or not, so you need to conform to this rule,” Wesley said. Besides, even if privacy policies weren’t mandated, she said, having a privacy rule is a best practice to protect consumers’ information.

Generally speaking, Wesley said, a privacy policy will have five major elements.

“First, it must be conspicuously posted,” the privacy guru said. This means a link on the company’s home page in good-sized type, she said.

Second, under the law, the privacy policy should identify what categories of personally identifiable information are collected, Wesley said.

An example: Chicago-based Baird & Warner, one of Illinois’ largest independent real estate firms, has a link to its privacy policy on its homepage. This takes you to a secondary page with a table of contents to the various elements of the privacy policy. On this page, the third link is, “Your Information, How We Collect and Use it.”

Third, “you have to identify the categories of people you share the information with or tell the readers you don’t share information with others,” Wesley explained.

Fourth, generally speaking, “you should describe how someone who gives you information can review and change the information you do have,” Wesley said. For example, Baird & Warner’s privacy policy lists a U.S. mail address where changes can be sent.

Fourth, you should describe how you will notify your visitors of changes to the privacy policy, and finally, state the effective date of the policy.

“I have not seen that anywhere,” Wesley stated – though Baird & Warner’s statement appears to be an exception, with “Effective date: July 1, 2004 ” conspicuously posted.

Broker associate Anna May of Hayward, Calif., agrees that protecting privacy is critically important.

“The same thing we do for ourselves to protect our own information is what we do for our clients,” said May, who works with Realty World Neighbors.

When a deal is underway, May and her colleagues keep clients’ information in their own locked drawers. “Once the deals are closed, we transfer them to office files which are locked,” May explained. Under California law, the documents must be retained for three years, after which they are shredded, she said.

“We have a shredder in the office,” May explained. “When we have a big bulk of files that’s too much to be handled in one sitting, we use Shred Works (in Oakland, Calif.)”

May also deletes client information from her computer after deals are closed – but, she says, she protects clients’ privacy by entering very little information on her PC in the first place. “There’s no reason I need to have Social Security numbers or the like,” May said. In her office, agents’ and brokers’ accounts are also password-protected so only they can access them, she said.

Her Web site, AnnaMayRealEstate.com, has a link to the privacy policy of VREO, which provides the site design and hosting, on the home page. This functions as May’s privacy policy.

Geri Sonkin, a Realtor with RE/MAX Hearthstone in Merrick, N.Y., had a useful tip about shredding.

“I use a cross-cut shredder,” said Sonkin. “The regular shredder shreds papers in large enough pieces for an enterprising person to put the pieces together,” Sonkin noted. “With cross-cut the pieces are smaller, and because they’re cut in two directions, there’s just no way.”

Sonkin’s Web site has a privacy guarantee, though currently no privacy statement; the Realtor says she’s working on it and will soon have it up.

Sonkin’s privacy policies are stringent. She never sells information to third parties, and is currently creating a page with her Web site provider telling visitors they can cruise her site anonymously for information without having to give up their personal details.

SettlementRoom, a transaction management software company, in April, received the National Association of Realtors’ Realtor Secure certification, a recognition of the company’s security standards. The company’s technology makes it possible for people involved in real estate transactions, such as buyers, sellers and agents, to view the transaction documents online, among other things.

SettlementRoom spokeswoman Celeste Starchild had a number of tips for keeping information secure.

“Most people think the big risk is a hacker getting into their system and stealing information. But the number one risk is user names and passwords,” Starchild said. “You can walk through an office building and see sticky notes posted on peoples’ computers saying, ‘SettlementRoom user name Harry Burns, password Scooby Doo.’ That’s the biggest risk you can see with security like this.”

The answer? “Don’t share passwords,” she said.

As part of the company’s certification process with NAR, SettlementRoom has included a lot of information to users for their passwords, Starchild said. The company suggests, among other things, that users update their passwords regularly and choose passwords that are difficult to guess.

“Avoid words that are found in the dictionary,” Starchild suggested. Such words are easier for hackers to guess. “Use a combination of numbers and letters.”

These rules apply to any system that requires a password as part of its security, and can help brokerages keep clients’ information from being accessed by electronic intruders. Often, each agent or broker has his or her own password-protected account. Keeping passwords from being hacked is a vital security measure.

To keep electronically transmitted information secure, Starchild said, SettlementRoom encrypts the information when sending it. “That means the information is scrambled using an algorithm, so that when it’s enroute it can’t be read by any hacker,” she said.

Every time someone opens a document in the SettlementRoom system, the activities are time dated and stamped. This helps protect sensitive information, Starchild said, because everyone knows which users have accessed which information and when.

As a final piece of advice, Starchild suggested that agents and brokers use products reviewed by third party organizations.

“Unless they are very highly technical, they aren’t going to be able to discern whether a Web server is secure or not,” Starchild noted. “So the best thing is to use Web products reviewed by organizations such as the NAR. They have extensive technical knowledge and know how to look for vulnerability.”

***

Send tips or a Letter to the Editor to janis@inman.com or call (510) 658-9252, ext. 140.