The new FTC Safeguards Rule goes into effect on June 9. Everyone in the real estate industry needs to take note of this and evaluate their need for compliance. Failure to comply can result in fines up to $43,972 per day. There is an above-average chance that your real estate business will be subject to these regulations.
Who Is Subject to the FTC Safeguards Rule in Real Estate?
The National Association of Realtors® (NAR) issued a Washington Report update on the Safeguards Rule, outlining who is subject to the new regulations.
You are considered a "financial institution" under the FTC Safeguards rule if--
You maintain customer information for more than 5,000 customers
and you provide the following:
- Real estate settlement services
- Appraisal services (unless you are appraising on a one-time basis and destroying records)
- Mortgage services
- "Finder" services that match buyers and sellers who negotiate their own transactions
The size of your agency, including number of employees, transactions or annual revenue, has no bearing on Safeguards Rule compliance. If you store records for more than 5,000 customers, you are subject to these regulations.
Two Options for Real Estate Safeguards Rule Compliance
The simplest way for any real estate professional to comply with the Safeguards Rule is to delete old data. If you maintain fewer than 5,000 records, you are not subject to the rule. Note that the regulations apply equally to paper records and digital records and they do not specify the type of customer information that is considered. In other words, if you have a storage unit full of old customer files or a huge email list, that could put you over the limit of 5,000 records, even if you do not have in-depth, digital financial records for all of those customers. Specifically,
Customer information means any record containing nonpublic personal information about a customer of a financial institution, whether in paper, electronic, or other form, that is handled or maintained by or on behalf of you or your affiliates.
This can create confusion, because some may interpret the rule to mean financial information, while the Safeguards Rule itself has no such limitations. In thinking about whether a particular record contains personal information, ask yourself this question: Could this information, by itself or in combination with information gathered elsewhere, be used to harm a customer? Considered in that context, information as mundane as an email address or phone number qualifies for protection under the Safeguards Rule.
Can you delete or destroy your old records? For most appraisers, agents and brokers in small agencies, this should be possible. Think about the number of transactions you process in a year and the average time you need to hold on to information to complete a transaction. Even if you want to hold on to information for your most valuable clients, you should be able to get under the 5,000-record limit. Be aware that you will need to put a program in place to delete or destroy records on a regular basis to stay under the limit, and that it is prudent to allow some breathing room: You do not want to have 4,998 records if the FTC launches a compliance investigation. It is better to set a cap around 4,000 or fewer, if your business allows.
If you must maintain more than 5,000 records, you must comply with the FTC Safeguards Rule. In general you cannot do this on your own. The regulations require a qualified individual, someone with a professional background in cyber security, to evaluate current security measures, enforce security protocols and verify compliance among all third-party vendors and service providers. The Qualified Individual will also create a written security plan that includes information on how data are stored and retrieved, as well as data destruction protocols and steps to take in case of a cyber attack.
For most real estate businesses, a Virtual CISO can handle the majority of compliance needs. This is an experienced cyber security professional who offers their support as a service at a much lower rate than a full-time cyber security specialist. Larger real estate businesses that process a significant amount of transactions each year, those who build and operate apps or online systems, or those with extensive archives of paper and electronic records, may want to consider a full-time Chief Information Security Officer who can manage the risks of custom software.
Protect Now can help you find a Virtual CISO versed in FTC Safeguards Rule compliance, and provide CE-eligible cyber security training for real esate professionals. If you have questions or concerns about the Safeguards Rule, please contact us online or call us at 1-800-658-8311.