Why brokerages should care about the FTC Safeguards Rule 

Most real estate professionals are familiar with the policies of their brokerages and any MLSs or associations they may belong to. But how many know about Federal Trade Commission rules?

On June 9, the Federal Trade Commission (FTC) expanded its Safeguards Rule to cover a broad range of real estate businesses. The response from the industry has been a shrug. Businesses either do not know about the rule change or do not believe it applies to them.

This could be a costly mistake. Failure to comply with the Safeguards Rule can trigger fines of $43,972 per day. The rule is in effect, and real estate professionals need to act now to ensure they are in compliance.

Who is subject to the Safeguards Rule?

The FTC expanded its definition of "financial institution" to include businesses like real estate agencies, appraisers and brokers. Answering these two questions can help you determine if the rule applies to you:

1. As a routine part of your business, do you collect client financial information, process financial transactions for them, determine their creditworthiness, assess and record the value of their property, or recruit potential clients for transactions or introductions to others involved in transactions?

For example, if your firm keeps records that contain Personally Identifiable Information, such as name, address, date of birth, Social Security number; credit card and bank or checking account numbers; appraisals or property valuations; or mortgage and credit application data, you could be subject to the rule.

2. Do you currently store records for more than 5,000 clients, or plan to do so in the future?

If you answered "No" to either question, you are exempt. 

If you answered "Yes" to both questions, the FTC considers you a financial institution, and you must comply with the Safeguards Rule — unless you can reduce the number of client records you keep to 4,800 or fewer.

How to stay in compliance

If you are considered a financial institution, you will need to be diligent about destroying older records, both digital and print, which each count toward your total.

A separate exemption exists for real estate appraisers who conduct one-time appraisals and do not establish an ongoing relationship with their clients.

For smaller businesses, staying well below the 5,000-record threshold — which could require destroying old records several times a year — will be the most cost-effective way to steer clear of the Safeguards Rule. 

How might businesses run afoul of this rule? If your firm experiences a data breach — an all-too-common occurrence — you may be audited. If you find yourself under investigation by the FTC and you have 4,998 records, investigators are likely to conduct an exhaustive search to see if you have more. If you have 4,000 records, that extra investigation becomes far less likely.

Why firms need outside support

The Safeguards Rule mandates that you hire a Qualified Individual to oversee your cybersecurity — meaning someone with professional experience in that field, though specific qualifications are not defined.

Business owners and staff are prohibited from acting as their own Qualified Individual unless they are also cybersecurity professionals.

Look for someone who specializes in real estate compliance and is certified as a Computer and Information Systems (CIS) Manager or CIS Professional by the Information Systems Audit and Control Association (ISACA).

Do it now. 

Once the FTC issues its first penalties against a real estate company, there will be a stampede toward these services, and it could become more difficult or more expensive to get the certified help you need.

Create and maintain compliant processes

If your firm maintains more than 5,000 client records, your Qualified Individual will need to do the following:

1. Audit all record-keeping and online systems to ensure they meet current best practices for data encryption and storage.

2. Bring all digital systems up to date with the latest security patches. All data communications must use end-to-end encryption.

3. Verify that all third-party vendors are compliant with the Safeguards Rule. Anyone who processes, accesses or stores your data must also meet Safeguards Rule standards. Most large vendors already comply and can quickly provide their certifications.

4. Develop processes to destroy customer records, both digital and physical, on request. Data must be disposed of securely and completely.

5. Regularly train employees in cybersecurity awareness and fraud protection.

6. Enable two-factor authentication for access to all systems that hold confidential customer data.

7. Regularly review all software and systems for vulnerabilities, apply any needed security updates, and discontinue using software that cannot be updated.

8. Develop written policies and procedures to respond to a data breach, including notifying impacted customers and relevant authorities, and steps to stop a cyberattack in progress.

9. Prepare an annual report for the company CEO or Board of Directors outlining your compliance. This will be prepared and attested to by the Qualified Individual.

Robert Siciliano is the head of training and co-founder of Protect Now, a cybersecurity employee training company that provides CE-eligible training tailored to the real estate industry.