How CRE Companies Can Improve Customer Trust with Effective Data Privacy
In this era of digital interconnectivity, commercial real estate (CRE) companies are rushing to deliver personalized tenant and occupier experiences by adopting technologies like intelligent buildings, the Internet of Things (IoT), and integrated tenant- and building-management solutions. They are betting that these connected technologies will help them customize occupant services, improve operational efficiencies and optimize revenues.
When implementing these platforms, however, businesses may unwittingly create a jumble of digital assets that generate a tsunami of data about individuals, operations, and facilities management, to name a few. Connected technologies also redoubles the number of devices and network endpoints, which can expand the attack surface and create new entry points for malicious actors.
It’s a problem that is particularly acute for CRE, a sector that has been transformed by technology. Businesses collect troves of sensitive personal and financial data, but often lack the tools and processes to safeguard this information. Compared with highly regulated sectors like financial services, commercial real estate companies typically have modest experience implementing up-to-date security and privacy safeguards. Compounding matters, some vendors of connected devices and real-estate management solutions have pushed new technologies into the connected ecosystem without first implementing proper security and privacy safeguards.
The result? Skyrocketing risks to unsecured devices, data, and networks - both those of CRE companies and their downstream business partners. It’s no wonder, then, that forward-thinking CRE executives now identify cybersecurity compromises as a critical enterprise-wide risk, alongside traditional liabilities like loss of tenants, underperforming assets, and operational inefficiencies.
It is a risk that carries potentially disastrous repercussions. The most common cyberattacks on CRE companies include business email compromise, ransomware, cloud computing hacks, and takedowns of infrastructure like building-management systems and IoT devices. While the impacts are primarily financial and operational, a highly public data compromise can also severely damage corporate reputations and erode tenant and occupant trust. Today’s consumers are more aware of data-collection and sharing practices, and often perceive privacy violations as a breach of trust and ethics - and a reason to reconsider their relationship with the business.
CRE companies - the ‘good guys’ that collect, store, and share tenant and occupier information to enhance services - often don’t fully understand what data they hold. This lack of awareness and planning is an open invitation for the ‘bad guys’ who target the CRE sector to pilfer sensitive data, disrupt operations, and wreak financial havoc.
The Primacy of Privacy
Beyond rising cyberattack risks, CRE companies face increased scrutiny by government regulators, which are responding to the rush of information collection with tighter data-privacy regulations. Most notable is the EU’s General Data Protection Regulation (GDPR), the sweeping data-privacy law that aims to protect the personal data of EU citizens by giving them more control over how their information is used.
Closer to home, the new California Consumer Privacy Act (CCPA) requires that organizations fully disclose the collection and use of sensitive personal data. Businesses must be prepared to demonstrate that they have implemented ‘reasonable security’ and processes to protect consumer information, respond to inquiries about use of personal data, and delete data on demand. In addition to California, Maine and Nevada have also enacted data-privacy laws, with legislation pending in a handful of other state legislatures.
These heightened regulatory obligations present a fresh challenge for CRE. In part, that’s because the industry is largely unregulated and has not been required to implement specific security controls and prove compliance. Regulation entails an unfamiliar set of processes that will likely confound CRE companies.
The first step will be to identify what privacy requirements apply to individual CRE firms in this rapidly shifting regulatory environment. What’s more, CRE firms must understand that the notion of privacy is not constant across borders; it is both a cultural and legislative chameleon. A nation’s stance on privacy is shaped by individual expectations and government regulations, as well as market and societal norms.
Best Practices for Privacy
In their headlong rush to adopt new digital services for tenants and occupiers, CRE businesses are amassing massive volumes of data - often without adequate planning or a judicious regard for privacy.
An effective data-privacy strategy cannot be founded on a check-the-box compilation of technology controls and tools. What’s needed is a holistic approach that combines a precise mix of technologies, processes, and people skills to meet current and future data-privacy threats. CRE companies should assess their current capabilities against these best practices:
- Data governance: Manages collection, storage, retention, and destruction of data for specific business purposes.
- Data classification: Classifies data based on timing and its current state, and tags relevant data for analytics and proper application of relevant set of controls.
- Data minimization: Curbs the potential for privacy violations by limiting the collection of personal data.
- Role-based access control: Limits user-access rights to the minimum permissions employees need to perform their work.
- Network segmentation: Divides networks into smaller zones that contain data with similar privacy requirements and allows IT to incorporate specific security controls.
- Centralized device management: A managed secure layer, often implemented in the cloud, that enables businesses to create common controls and processes for remote access to corporate networks.
- Third-party assessment: Ensures that third-party vendors agree to protect your confidential information and have a capable cybersecurity and privacy program in place to do so.
- Employee training: Establishes a privacy awareness and training program to educate users on current cybersecurity threats, data-management practices, and good cybersecurity hygiene.
Data privacy is an inherently personal discipline that should reflect the human values of tenants and occupiers. That’s where Privacy by Design comes in. This user-centric model emphasizes individual rights to privacy, with protection of personal data the default setting for all systems and business practices. Risk is considered at the earliest stages of development, and privacy is embedded into the very fabric of IT, business processes, and culture.
Privacy by Design addresses data privacy as a shared ethical value, much like businesses have adopted sustainability as a pillar of corporate responsibility. Organizations that embrace Privacy by Design will be better prepared to build a customer-focused business based on transparency, trust, and the ability to protect personal data.
Effective data security and privacy can be a differentiating capability that enriches personal services and experiences. But drawing the line between privacy and convenience can be tricky. It’s essential to respect customer privacy while delivering a convenient, customized experience. Programs that saddle users with onerous privacy controls can make services and products frustratingly difficult to use.
A Proactive Approach to Privacy
In a data-driven ecosystem, keeping the bad guys at bay will require that CRE companies proactively assume responsibility for the security and privacy of tenant and occupier data. Doing so will require that they carefully assess and address their individual threat landscape, attack vectors, and business processes across the organization. Also critical is regular employee training on data-privacy risks and responsibilities. What employees and stakeholders don’t know can indeed hurt the business.
This Week’s Sponsor
MRI Software delivers innovative applications and hosted solutions that free real estate companies to elevate their business. Our flexible technology platform and open and connected ecosystem meet the unique needs of real estate businesses, from property-level management and accounting to investment modeling and analytics for the global commercial and residential markets. For more information, please visit www.mrisoftware.com.
Quantifying Cyber Risk: How Much Can a Security Breach Really Cost You? Nearly every business has been a target to some form of cyber attack. This year, we’ve seen a major pipeline company and U.S. meatpacker become the latest victims of ransomware.
Ensuring You Are Making the Best Business Decisions in a Cut-Throat World When it comes to making decisions in your CRE business, you are relying on two factors. The first, and most important is your business acumen, your “gut instinct."
5 Commercial Real Estate Marketing Trends to Look Out For in 2022 Commercial real estate, just like every other industry, was molded and transformed by the upsurge of digital communication across 2020 and 2021.
CRE Tech Trailblazers Microsoft, Vornado, RXR, Carr Properties, WeWork and More Are Featured on Realcomm Live, Conference Edition For two days during the Realcomm | IBcon conference earlier this month, Realcomm Live was "on the air," webcasting mini education sessions and live interviews with dynamic thought leaders and innovative solution providers from across the commercial and corporate Real Estate industry.