Real Estate Data Security: How Brokerages Can Protect Transaction Data

Real estate brokerages hold a huge amount of sensitive data—and this makes them and their clients prime targets for fraudsters.

Real estate data fraud is common. According to wire fraud security services provider CertifID, 5% of real estate clients surveyed were victims of fraud in the year leading up to November 2023. 

Real estate brokers are required by law to implement thorough data protection measures to protect their clients. 

Failure to do so could result in a fine, deals falling through, and reputational damage to your business. Worse still, it can financially devastate your clients. 

This article explains how you can keep your clients’ transaction data safe. 

What do Data Breaches Involve?

Before explaining how to keep confidential client data safe, it’s important to understand how criminals can use it.

The most common examples are:

Stealing client data: This is simply gaining access to your clients’ data and copying it. From here, criminals can:

  • Sell it to a third party: Companies are willing to pay money for people’s data for marketing purposes. Other criminals will also buy people’s data and target them with scams.
  • Commit identity theft: Criminals might apply for a passport under an assumed identity.
  • Access finances: Criminals may get enough sensitive information to access your client’s banking or other services. 

Ransoms: Criminals deny you access to your operating systems or data and demand a ransom to restore it.

Scamming companies or clients: Scammers may contact your clients pretending to be from your brokerage or a third-party company. They might ask for payment for fees—clients often fall for this because they expect this request from you sooner or later.

Phishing or social engineering: Criminals might use sensitive client information to scam them in other ways. For example, they might pose as a long-lost relative seeking to travel to the U.S.

Unsolicited messages: Unscrupulous companies might steal people’s data to sell products or services to them. 

Why is the Real Estate Industry Vulnerable to Fraud?

Real estate professionals are uniquely vulnerable to data breaches. Here are some of the reasons why:

Brokerages hold large amounts of sensitive client data: The nature of the real estate sector means brokerages need to collect names, addresses, social security numbers, and the source of clients’ funds.

Property information is publicly available: Criminals can easily find information about a property and masquerade as someone involved in its sale. 

Large sums of money: In real estate, it’s not unusual for clients to pay tens or even hundreds of thousands of dollars in one go. This makes it easier for fraudsters to request large sums of money from victims. According to the CertifID report, the median amount lost by fraud victims is $70,000.

Lots of parties involved: Clients will talk to many different people at various businesses during a real estate transaction. This could typically include banks, escrow companies, attorneys, surveyors, and more. This makes it easier for criminals to exploit poor data security practices in a third-party company. Alternatively, they might pose as a representative of a fake third party.

What Data Security Regulations Do Realtors Need to Meet?

There are no federal data security laws specific to real estate. However, there are general state regulations regarding privacy. The California Privacy Rights Act (CPRA) is a good example of this.

The sector is also governed by its own guidelines. For example, the National Association of Realtors includes data security in its code of ethics. It requires three main best practices from realtors:

  • Publish a privacy policy and share it with consumers.
  • Understand state laws regarding privacy and consumer rights.
  • Adopt policies regarding document retention and data breach notification.

The organization has launched its Data Security and Privacy Toolkit to help you do this. 

What Happens if Your Data is Breached?

Failure to comply with data protection laws can result in a fine. Under the CCPA, for example, real estate firms can be fined up to $7,500.

However, clients have the right to sue companies for losses that result from non-compliance with data security regulations. The losses from such legal action can be far higher than a fine. 

In one case, a buyer was forwarded fake wire instructions that appeared to come from their real estate agent. As a result, they lost $196,622.

The agent and brokerage were found primarily liable and were ordered to pay the buyer $167,129 in lost funds. 

The impact on your reputation could be even more damaging—who wants to work with a realtor who doesn’t keep their data safe and could lose them hundreds of thousands of dollars?

How to Improve Your Real Estate Data Security

Here’s a checklist of requirements you must fulfill to meet most regulations.

Tell people how you use data

Create a statement explaining what sensitive information you collect, what you use it for, and how long you keep it. Display it on your website and give it to any clients or potential clients you engage with.

Provide opt-outs

You must allow customers to request that you limit the use of their personal data. If they choose this option, you can only use their data for purposes reasonably expected by an average customer. 

The wording is vague, but it’s sensible to assume that this would include any use related to buying and selling a property. It is unlikely to cover marketing—for example, adding them to your email marketing list.

Similarly, people who engage with your real estate business should have the option for you not to sell or share their personal information unless doing so is critical to you providing them with services. 

Delete sensitive information when requested

You must delete a customer’s sensitive data if they ask you to or when the period that you said you would retain it for expires. 

There are exceptions to this rule—for example, it’s not reasonable for a client to ask you to delete their personal information if you are in the middle of the closing process with them. However, you could delete it once the transaction has been completed. 

Only collect and store data you need

The less data you have, the less likely a breach will be. Carry out regular security audits on the personal data you collect and store to decide whether you really need it. Stop collecting any data that does not serve a clear, justified need.

Ensure third parties have robust cybersecurity measures

Real estate agents often share data with finance providers, solicitors, and other realtors. 

Any contracts that you have with third-party partners should include a data protection clause requiring them to meet the standards set out in the CPRA. 

You should also require service providers and contractors to delete your clients’ sensitive information once they have finished providing the service you engaged them for.

Train your people

Employees are your biggest vulnerability when it comes to data security. Many data breaches involve brokerage staff being fooled by scam emails or failing to use strong passwords. 

All staff should be required to attend a data security course and have a refresher each year. 

This should teach them:

  • The importance of data protection
  • The regulations they must meet
  • The procedures they must follow
  • How to recognize potential fraud

You should also conduct regular employee training sessions on the latest cyber risks. 

Implement data security measures

Regulations don’t give specific guidance on this. However, most experts agree it involves documenting and implementing thorough data management systems. 

Where relevant, software should be used to reduce instances of human error leading to a data breach. Your data security measures should include:

Set strong password policies

It’s well known that most people don’t use strong enough passwords. Today, the most common password is “123456,” and 59% of U.S. adults use their birthday or name in their password. A significant number of people use the same password for everything.

Relying on staff to make their own passwords leaves the possibility of poor password management open. It’s therefore recommended you use:

  • Password managers: This is software that auto-generates strong, unique passwords. The passwords are then automatically filled in when the employee needs to access a platform, so the employee doesn’t have to remember them.
  • Multi-factor authentication: Sometimes known as two-factor authentication (2FA), this is when the employee must confirm their login using a separate approved device. Having a 2FA system in place will block 99.9% of all cyber attacks. 

Free tools are available for both of these functions. For example, Microsoft Edge includes a free password manager plugin, and Microsoft also provides built-in 2FA for its 365 tools suite. 
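
As an added example (not from the original article or any vendor's code), here is a minimal Python check that rejects the weak choices named above: a common password such as “123456,” or one built from the user's name or birthday. The blocklist, sample values, and function names are constructed for illustration; the 8-character minimum follows NIST SP 800-63B.

```python
import re
from datetime import date

# Constructed sample blocklist (assumption); a real deployment would load a
# large list of common and previously breached passwords.
COMMON_PASSWORDS = {"123456", "123456789", "password", "qwerty", "111111"}
MIN_LENGTH = 8  # NIST SP 800-63B minimum for user-chosen passwords


def birthday_fragments(born: date) -> set[str]:
    """Digit strings people commonly derive from a birth date."""
    d, m, y = f"{born.day:02d}", f"{born.month:02d}", f"{born.year:04d}"
    return {y, m + d, d + m, m + d + y, d + m + y, y + m + d,
            m + d + y[2:], d + m + y[2:]}


def password_problems(password: str, full_name: str, born: date) -> list[str]:
    """Return the reasons a candidate password should be rejected (empty = OK)."""
    problems = []
    lowered = password.lower()
    if len(password) < MIN_LENGTH:
        problems.append("too short")
    if lowered in COMMON_PASSWORDS:
        problems.append("common password")
    # Only name parts of 3+ letters, so initials do not cause false positives.
    for part in re.findall(r"[a-z]{3,}", full_name.lower()):
        if part in lowered:
            problems.append("contains name")
            break
    # Compare on digits only so "07/04/1985" and "07-04-1985" are also caught.
    digits = re.sub(r"\D", "", password)
    if any(frag in digits for frag in birthday_fragments(born)):
        problems.append("contains birthday")
    return problems


if __name__ == "__main__":
    # Constructed sample user and candidate passwords.
    for candidate in ("123456", "Dana07/04/1985", "correct horse battery staple"):
        print(candidate, "->", password_problems(candidate, "Dana Reyes", date(1985, 7, 4)))
```

A check like this belongs at the point where a password is set or changed, alongside a password manager and 2FA rather than in place of them.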

Encrypt data 

Encryption is when the plain text used to store or transmit data is scrambled and becomes unreadable. It can only be decrypted by someone who has a matching key.

This means that even if a cybercriminal intercepts a message or accesses your data, they won’t be able to use it.  

You can encrypt many types of data, including emails, documents, and databases. Once again, free software is available to do this and is often built into reputable office suites. For example, Microsoft Outlook gives you the option to encrypt any email:

In a new message, select Options > Encrypt > Encrypt.

Use a VPN

If you like the added security provided by encryption, consider getting a virtual private network (VPN). A VPN encrypts any data that is transferred across it. 

Think of it as having all of your devices connected by a secure tunnel that outsiders cannot see into or access. This is particularly useful for remote employees who can log into the VPN from home or public Wi-Fi and know that their connection is secure. 

The only downside to VPNs is that a decent one costs money. However, the peace of mind is often worth it. 

Use software

Firewalls allow you to choose the traffic you allow in and out of your network. For example, you may block any traffic from public Wi-Fi due to the elevated threat risk. 

You can take security to the next level by implementing a security information and event management (SIEM) system. This allows you to monitor security across your network.

For example, if your brokerage experiences a data leak, a SIEM lets you track how it occurred so you can fix weak points in your data security. 

Update your software regularly

New cyber threats arise constantly, so software companies regularly issue patches to keep their apps secure. Failure to implement these updates leaves the door open to these new threats. 

Always install updates when prompted and regularly check for security updates in all your applications.

Back up your data

A typical ransom attack involves cybercriminals copying your data and then deleting it. They then demand money to return it. During this time, your real estate business will be unable to function. 

However, if you backed up your data, you would be able to continue serving clients. There would still be a major data breach for you to deal with, but at least your business wouldn’t grind to a halt.

Regular reviews

Compliance is an ongoing process. If your existing real estate operations aren’t protected from new cyber threats, you could expose your clients to a data breach.

At the same time, new technologies for improving data security are constantly being introduced. It’s your responsibility to consider every opportunity to protect your clients better. 

How Paperless Pipeline Keeps Your Data Secure

Paperless Pipeline is transaction management software. It allows you to manage all your real estate transactions, track deadlines, handle commissions, and securely store documents in the cloud. 

We know that data security is critical to modern brokerages. That’s why we include a range of measures to protect your clients’ data—and your reputation.

Powerful Encryption

We use SHA-256 with RSA encryption by GeoTrust, which gives you the same level of data protection as an online bank.

Our email-sending service, Sendgrid, uses the latest data encryption standards to secure the messages and documents you send.

⚠️ Paperless Pipeline is only as secure as your email server

You’ll likely regularly send emails to Paperless Pipeline’s secure server. Therefore, your own server needs to be encrypted and secure, too—otherwise, hackers could break in and access your transaction data. 

Regular data backups 

Paperless Pipeline is so secure that data backups aren’t necessary. And we save all transactions and documents for an entire decade as standard.

However, we allow our users to back up their data should they so wish. Each backed-up transaction contains all its documents, notes, checklists, transaction history, and emails. 

Flexible permission categories

You can choose who can view transaction documents. This is known as a permission category, and every doc added to a transaction must have one. This limits data exposure by ensuring only staff who need it can access it.

Secure passwords

We’ve updated our password requirements to meet the latest National Institute of Standards and Technology (NIST) guidelines. Anyone whose password doesn’t meet the minimum requirements will be prompted to create a new one the next time they log in.

Simple 2FA

We provide an optional 2FA setting for all users. When enabled, users are emailed a security code every time they log in. They need this code to log in successfully. Users can also opt to have the system remember their device for 30 days.

Account data isolation for reduced risk

There is zero risk that other Paperless Pipeline customers can access your data. Every account operates within its own distinct and secure environment, preventing data compromise across multiple accounts. 

PCI compliance certification

Your payment details are secure with Paperless Pipeline. We comply with the Payment Card Industry Data Security Standard (PCI DSS) and hold a PCI compliance certificate.

Choose Paperless Pipeline for a More Efficient, More Secure Brokerage

Good data security management can seem overwhelming. One of the best places to start is using transaction management software with the highest security standards—like Paperless Pipeline.

Not only will you enjoy peace of mind that your clients’ data is safe, but you’ll also enjoy simpler, more efficient transaction management. 

Sign up for a free trial today and discover how Paperless Pipeline can help you close more transactions in less time.