In the aftermath of multiple reports of data security breaches, much of the conversation regarding cyber-attacks has focused on the retail industry. The looming cyber-security threat, however, is not limited to industries with a point-of-sale component. Indeed, as reflected in recent news, broad definitions of “personal information” render a wide range of non-retail industries vulnerable to potential liability due to a data security breach. One perhaps unwary industry which should take a step back to analyze its risk is that of REITs.
The definitions of the “personal information” that REITs (and others) possess come from various state laws. While each state’s statute differs, each provides a definition of “personal information.” For example, in Georgia, “personal information” consists of information that, if compromised, would allow for the possibility of identity theft. Typically, this includes an individual’s name along with another piece of sensitive information, such as a social security number, a bank account number or other financial account number (along with the corresponding personal identification number).
Many REITs will collect and maintain such personal information. In the context of an apartment REIT, for example, a great deal of information is provided by the tenant to the lessor. In addition to names and contact information, lessors may require social security numbers, birth dates, previous addresses, etc. Lessors may even maintain a tenant’s credit card or bank account information if rent or other fees are paid online. Shopping center REITs will often retain similar information from guarantors of leases. Indeed, in any lease transaction involving an individual, it is possible to see where personal information may be shared and, ultimately, stored.
The obligation imposed on an entity in possession of personal information varies from state to state. In the majority of states, the statutes do not create an affirmative duty to protect personal information. Instead, many states’ laws impose an obligation to provide timely and adequate notice of a data breach involving personal information. Having said that, recent history reflects that individuals whose personal information is compromised may bring suit for alleged damages upon learning of the security breach. Banks and credit card companies have also brought a significant amount of recent litigation seeking to recover the costs associated with “repairing” compromised accounts.
As noted in President Obama’s recent State of the Union address and his publicized proposal for new federal laws, and with limited exceptions aimed at specific (non-real-estate) industries, there is currently no overarching federal statute that establishes specific data security protocols for businesses maintaining personal information. Federal agencies have nonetheless inserted themselves into the equation, with both the Federal Trade Commission and the Federal Communications Commission using their authority to investigate data security breaches.
The Securities and Exchange Commission has noted that, under federal securities laws, companies may be required to disclose data security risks and potential liabilities in their public financial statements when such risks rise to the level of “material information.” Moreover, according to Commissioner Luis A. Aguilar, “there can be little doubt that cyber-risk also must be considered as part of a board’s overall risk oversight.” Any REIT therefore must assess the risk not only of claims from those individuals whose personal information is lost, but also from investors in the company who may argue that the value of their investment has been undermined by breaches in data security.
Unfortunately, in the current environment, perfect data security is difficult. While malevolent cyber-attacks receive the publicity, many data breaches actually result from more everyday circumstances. Whether it is a lost laptop containing unencrypted information or the donation of an old hard drive to a charity without first wiping it clean, many data breaches are avoidable.
A REIT should therefore consider implementing adequate security measures in advance of any breach. Indeed, simply putting into place a plan for communicating to employees the risks and the avoidance techniques they should be aware of may go a long way towards preventing problems from ever arising. Similarly, having in place a plan of action in case of a breach can substantially limit potential liability. These issues may be addressed by retaining the appropriate professionals who understand both the REIT industry and the risks of data security to limit any potential exposure.
REITs may find themselves in possession of private consumer data which must be protected in the same way point-of-sale credit card data must be protected. A cyber-breach involving such personal information could expose a REIT to litigation from not only the individuals whose data is disclosed, but also banks, credit card companies, and investors in the REIT itself. Proper advance planning, however, is an efficient tool to help limit these potential exposures.
John C. Amabile is a trial lawyer in the Atlanta office of Schiff Hardin, LLP. He specializes in assisting clients in all manner of dispute resolution and avoidance. Alex Galvan is an associate in the Atlanta office of Schiff Hardin, LLP. He works in the litigation and product liability departments.