How operators can offer internet-driven resident services while safeguarding resident data and complying with privacy-oriented legislation.
Privacy and data concerns gain momentum daily as technology and services continue to innovate and hackers become savvier. Legislation is likewise evolving to better protect consumers, putting an even greater emphasis on cybersecurity best practices.
Terms like CCPA (California Consumer Privacy Act) and GDPR (General Data Protection Regulation) aren’t just initialisms rental housing operators need to at least know about, they are enacted legislation that operators must adhere to on a consistent and proactive basis.
Jonathan Treble, Founder and CEO of PrintWithMe, moderated a panel discussion with privacy and data security experts, Kaylee Cox Bankston, Counsel, Privacy and Data Security for Manatt, Phelps and Phillips, LLP; Jeniece Martinez, Senior Technology Risk Program Manager for LMC; and Mark Zikra, Vice President of Innovations for CA Ventures during NAA’s APTvirtual session, “Data Privacy and the Future of Internet-Driven Amenities.”
When asked about how the privacy regulatory landscape evolved in 2020, Cox Bankston started her insight with the disclaimer that the privacy world—and the world in general—may look very different after this session and she reserves the right to amend anything said during the session. But she did share that, “While the pandemic has changed a lot of things, it certainly hasn’t stalled CCPA enforcement or litigation. The ADP has reportedly sent out notices of potential violations to businesses as well. On the private litigation side, CCK litigation has not slowed down.”
Although early in these filings, trends are starting to take shape in CCPA litigation, but the judiciary action remains to be seen. Cox Bankston notes that some of the trends associated with CCPA violations stem from the ambiguous language found within the legislation. More specifically, the term “data breach” is not actually defined in CCPA itself for purposes of a private right of action: The private right of action is available where there is unauthorized access and exfiltration, steps or disclosure.
“We will have a better picture, much like we do with GDPR, once enforcement, a period of time has passed, or we’re able to see how enforcement is happening and how the regulators and courts are interrupting the law,” Cox Bankston said. “But practical steps operators and vendors can take now are transparency by making sure your disclosures are accurate; consider the impact of incorporating privacy policies into your customer contracts and what legal implications that may have; and, finally, have a good defensible story to tell if your practices are ever called into question.”
According to Cox Bankston, even if organization practices are deemed “compliant,” companies still have to spend time, money and resources to address and defend complaints. Operators can better prepare by focusing on documentation—how they got there, why they’re doing what they are doing and showing that they actually put some thought into the analysis.
Operations often involves multiple suppliers and service contracts. And as operators layer in more service-focused amenities for residents like smart-home technology, mobile apps and communication tools, service providers need to play a much larger role in data privacy compliance.
“Hopefully, everybody is already doing vendor security and privacy risk assessments. If you’re not, that’s an area of concern,” Martinez said. “They offer insights into how your vendors are using your data, your residents’ data, how they are collecting it, how it’s being shared, and most importantly, how it’s being secured. It’s also important to understand how a vendor is processing personal information and what categories they are processing.”
As more companies move data to the cloud, suppliers will highlight being on AWS or Azure. While these cloud providers offer security controls, operators need to be aware that those controls are only in place at infrastructure levels. Those secure locations are not going to apply to the supplier’s security controls at the application level, which can lead to a greater risk of external exposure. Service providers are still responsible for protecting the data they are moving to the cloud.
Steps operators should take now to optimize the privacy and data security of working with suppliers include reviewing a supplier’s penetration test at the application level, which will provide an understanding of where vulnerabilities may be or whether secure coding practices are in place. Also recommended is adding supplier security and privacy addendums to all contracts that involve accessing any personal information from residents—this should cover topics like baseline security and provide requirements, breach notifications, data destruction and regulatory compliance on data usage. Operators also need to keep their data maps as up to date as possible, especially when a new supplier is onboarded.
Martinez also suggests requiring suppliers who will be accessing resident personal information to have cyber liability insurance.
“You need to consider the limits, the costs of a break from a reputational and financial impact, Martinez said. “Maybe a $1 million per occurrence policy isn’t sufficient for a vendor that’s going to be accessing thousands of records, or if they are going to be accessing sensitive personal information.”
As important as having the right security and privacy protocols in place is, training teams to communicate those efforts to residents is equally important. Onsite teams should know and understand their roles in privacy, especially as legislation like CCPA have been enacted.
“Different asset types—student, multifamily, senior and even commercial—there are a lot of different concerns but at its core is the privacy of data,” Zikra said. “Looking at student housing, in particular, we interface with parents a lot. We interface with guarantors who might be a parent or a legal guardian. It might be a family friend. It might be a good friend of the student. People have concerns about how their data is being used.”
Conducting Q&A role-play can help empower team members as well as provide a greater understanding of what questions they can answer. Questions should be forwarded to the privacy team, says Martinez. “This enables the resident-facing staff to really focus on what they’re good at, rather than trying to answer questions outside of their domain, or worse, answering them incorrectly.”
Having short, quick information for staff and corporate staff enables transparency that residents are wanting.
“Understand what your policies are so that you can communicate that,” Zikra said. “Otherwise, it looks like you don’t know what you’re talking about or what you’re doing. And that’s concerning because this is important—I mean it’s not just data.
“We throw around the term ‘data’ a lot, but it’s bank accounts, it’s health records, it’s building controls and building systems,” he continued. “We need to be working with our vendors to make sure we are taking the right steps to protect ourselves, our residents and our buildings.”
Marlena DeFalco is an Account Director for LinnellTaylor Marketing.