The month of October is a celebration of all things spooky and scary.
Ghosts.
Ghouls.
Goblins.
Cyber threats?
Halloween may be October’s most infamous holiday, but there’s another noteworthy occasion that also deserves your attention - National Cybersecurity Awareness Month.
Between the recent onslaught of data privacy legislation and the vulnerabilities introduced by the explosive growth of AI, you’ll be forever haunted if you fail to adequately protect the sensitive data in your possession.
To help multifamily operators avoid a data privacy nightmare, WithMe hosted a webinar led by two renowned data privacy attorneys - Lisa Angelo and Kaylee Cox Bankston. The pair discussed the current legislative landscape, the implications of AI and strategies for managing risks.
Here are seven key takeaways.
Multifamily operators are not immune to cyber risk.
Read that again.
Historically, the multifamily industry has fallen under the radar when it comes to data privacy and security matters.
But, whether you realize it or not, the automation, smart home technologies and tech-enabled amenities that have gained popularity in recent years gather an incredible amount of data about individuals that could be considered sensitive - where people live, what their habits are, where they are and when.
Further complicating the matter is that these “smart” services and amenities are typically provided by third parties. If you're not fully aware of how your vendors and subcontractors are using the data collected by these technologies, you’re putting yourself at risk.
CCPA is the current gold standard.
Multiple states have already passed or are in the process of passing data privacy laws - but with no uniformity or consistency (for more on this topic, read our recent white paper). There are rumors of a federal bill, but in the interim, the California Consumer Privacy Act California is the gold standard, as it is the most strict and comprehensive. If you operate in multiple jurisdictions, the simplest way to guarantee compliance is to meet all CCPA standards and tweak accordingly per state.
REITs should take note of new SEC cybersecurity rules.
The recently finalized rules are a disclosure requirement. They don’t mandate what specific security controls companies must have in place. Instead, they dictate what companies must disclose about their programs in the event of a material cybersecurity incident.
Additionally, there are also disclosure requirements on the risk management and governance side. There's a requirement that companies explain how they are approaching, managing, monitoring and overseeing cyber risk. It’s unlikely companies will need to describe every nuance and detail of their program, but it does have to reflect the actual structure of the organization and the way it is managing cyber risk.
The actual effect of the SEC rules will likely be to drive more comprehensive risk management structure.
AI legislation is looming.
AI has already proved to be a powerful tool to increase efficiency. However, in light of the reactive approach we have seen by regulators in terms of cyber and privacy regulation, they are aggressively trying to get ahead of the regulation of AI.
Proposed AI legislation takes a risk-based approach. Regulators want to see responsible use and a calculated decision around what level of risk is acceptable in the use and development of AI technologies. They are looking closely at instances where AI could have a significant impact on people's lives and potentially lead to harm (i.e., loss of life, bias, discrimination).
For example, in a move directly adjacent to multifamily, the DOJ civil rights division recently filed a statement of interest explaining that the Fair Housing Act applies to algorithm-based tenant screening services. That being said, as you're looking to leverage various technologies to make your processes more efficient, be mindful of how they are being developed and deployed, because there are clear statements from existing regulators stating they believe existing laws around protection of discrimination and bias would apply to these technologies.
The takeaways? As you're engaging with different companies and investigating how they're using AI, ensure they're not being deployed in a way that could be perceived or have the effect of discriminatory impacts.
Develop a thorough understanding of how personal information is being processed in your business.
One of the most straightforward ways to manage cyber risk is data mapping and developing an understanding of how personal information is processed in your business. How does it come in? Where does it go? How is it being used? How does it exit?
Not only will data mapping help you clearly identify all third parties that are processing data for you, it will also help you with compliance, allowing you to pinpoint where you have gaps that need to be filled.
Document your due diligence. Question everything.
If a vendor says they're not using personal information, don’t take that at face value. You still need to form your own conclusions.
Proposed regulations include increased expectations around taking ownership and accountability for vendor management and appropriate diligence. Take the time to carefully document the diligence procedures you follow for each vendor.
Resident printing is a hidden and significant source of risk in multifamily.
If residents are emailing documents to staff members, there’s no way to prevent information from being viewed, distributed or retained.
As reported by The Washington Post, a frightening number of third-party printing services are reading, storing and selling confidential user information.
One of the only printing services that is transparent about its data collection practices is PrintWithMe. Multifamily’s first secure amenity solution, PrintWithMe is compliant with data privacy laws, including CCPA.
For more scary good information on cyber risk management, watch the playback of the webinar here.