How CRE Companies Can Improve Customer Trust with Effective Data Privacy


In this era of digital interconnectivity, commercial real estate (CRE) companies are rushing to deliver personalized tenant and occupier experiences by adopting technologies like intelligent buildings, the Internet of Things (IoT), and integrated tenant- and building-management solutions. They are betting that these connected technologies will help them customize occupant services, improve operational efficiencies and optimize revenues.

When implementing these platforms, however, businesses may unwittingly create a jumble of digital assets that generate a tsunami of data about individuals, operations, and facilities management, to name a few. Connected technologies also redouble the number of devices and network endpoints, which can expand the attack surface and create new entry points for malicious actors.

It’s a problem that is particularly acute for CRE, a sector that has been transformed by technology. Businesses collect troves of sensitive personal and financial data, but often lack the tools and processes to safeguard this information. Compared with highly regulated sectors like financial services, commercial real estate companies typically have modest experience implementing up-to-date security and privacy safeguards. Compounding matters, some vendors of connected devices and real-estate management solutions have pushed new technologies into the connected ecosystem without first implementing proper security and privacy safeguards.

The result? Skyrocketing risks to unsecured devices, data, and networks - both those of CRE companies and their downstream business partners. It’s no wonder, then, that forward-thinking CRE executives now identify cybersecurity compromises as a critical enterprise-wide risk, alongside traditional liabilities like loss of tenants, underperforming assets, and operational inefficiencies.

It is a risk that carries potentially disastrous repercussions. The most common cyberattacks on CRE companies include business email compromise, ransomware, cloud computing hacks, and takedowns of infrastructure like building-management systems and IoT devices. While the impacts are primarily financial and operational, a highly public data compromise can also severely damage corporate reputations and erode tenant and occupant trust. Today’s consumers are more aware of data-collection and sharing practices, and often perceive privacy violations as a breach of trust and ethics - and a reason to reconsider their relationship with the business.

CRE companies - the ‘good guys’ that collect, store, and share tenant and occupier information to enhance services - often don’t fully understand what data they hold. This lack of awareness and planning is an open invitation for the ‘bad guys’ who target the CRE sector to pilfer sensitive data, disrupt operations, and wreak financial havoc.

The Primacy of Privacy

Beyond rising cyberattack risks, CRE companies face increased scrutiny by government regulators, which are responding to the rush of information collection with tighter data-privacy regulations. Most notable is the EU’s General Data Protection Regulation (GDPR), the sweeping data-privacy law that aims to protect the personal data of EU citizens by giving them more control over how their information is used.

Closer to home, the new California Consumer Privacy Act (CCPA) requires that organizations fully disclose the collection and use of sensitive personal data. Businesses must be prepared to demonstrate that they have implemented ‘reasonable security’ and processes to protect consumer information, respond to inquiries about use of personal data, and delete data on demand. In addition to California, Maine and Nevada have also enacted data-privacy laws, with legislation pending in a handful of other state legislatures.

These heightened regulatory obligations present a fresh challenge for CRE. In part, that’s because the industry is largely unregulated and has not been required to implement specific security controls and prove compliance. Regulation entails an unfamiliar set of processes that will likely confound CRE companies.

The first step will be to identify what privacy requirements apply to individual CRE firms in this rapidly shifting regulatory environment. What’s more, CRE firms must understand that the notion of privacy is not constant across borders; it is both a cultural and legislative chameleon. A nation’s stance on privacy is shaped by individual expectations and government regulations, as well as market and societal norms.

Best Practices for Privacy

In their headlong rush to adopt new digital services for tenants and occupiers, CRE businesses are amassing massive volumes of data - often without adequate planning or a judicious regard for privacy.

An effective data-privacy strategy cannot be founded on a check-the-box compilation of technology controls and tools. What’s needed is a holistic approach that combines a precise mix of technologies, processes, and people skills to meet current and future data-privacy threats. CRE companies should assess their current capabilities against these best practices:

  • Data governance: Manages collection, storage, retention, and destruction of data for specific business purposes.

  • Data classification: Classifies data based on timing and its current state, and tags relevant data for analytics and proper application of the relevant set of controls.

  • Data minimization: Curbs the potential for privacy violations by limiting the collection of personal data.

  • Role-based access control: Limits user-access rights to the minimum permissions employees need to perform their work.

  • Network segmentation: Divides networks into smaller zones that contain data with similar privacy requirements and allows IT to incorporate specific security controls.

  • Centralized device management: A managed secure layer, often implemented in the cloud, that enables businesses to create common controls and processes for remote access to corporate networks.

  • Third-party assessment: Ensures that third-party vendors agree to protect your confidential information and have a capable cybersecurity and privacy program in place to do so.

  • Employee training: Establishes a privacy awareness and training program to educate users on current cybersecurity threats, data-management practices, and good cybersecurity hygiene.

Addressing Human Factors

Data privacy is an inherently personal discipline that should reflect the human values of tenants and occupiers. That’s where Privacy by Design comes in. This user-centric model emphasizes individual rights to privacy, with protection of personal data the default setting for all systems and business practices. Risk is considered at the earliest stages of development, and privacy is embedded into the very fabric of IT, business processes, and culture.

Privacy by Design addresses data privacy as a shared ethical value, much like businesses have adopted sustainability as a pillar of corporate responsibility. Organizations that embrace Privacy by Design will be better prepared to build a customer-focused business based on transparency, trust, and the ability to protect personal data.

Effective data security and privacy can be a differentiating capability that enriches personal services and experiences. But drawing the line between privacy and convenience can be tricky. It’s essential to respect customer privacy while delivering a convenient, customized experience. Programs that saddle users with onerous privacy controls can make services and products frustratingly difficult to use.

A Proactive Approach to Privacy

In a data-driven ecosystem, keeping the bad guys at bay will require that CRE companies proactively assume responsibility for the security and privacy of tenant and occupier data. Doing so will require that they carefully assess and address their individual threat landscape, attack vectors, and business processes across the organization. Also critical is regular employee training on data-privacy risks and responsibilities. What employees and stakeholders don’t know can indeed hurt the business.

Shahryar Shaghaghi, Principal, National Leader Cybersecurity, CohnReznick
Shahryar Shaghaghi, a Principal with CohnReznick Advisory and national leader of its Cybersecurity and Privacy Practice, is focused on helping clients with their cybersecurity strategy and transformation programs. By leveraging his extensive technology and risk management leadership experience garnered from his tenure with major consulting and financial services companies and his solid track record with complex and global implementations, Shahryar has successfully helped chief technology, risk, compliance, legal, finance, operations and security officers achieve their goals and optimize their critical and strategic programs.
