FTC Safeguards Rule: Real Estate Businesses Must Check Their Status

The amended FTC Safeguards Rule takes effect on June 9, 2023. Everyone in the real estate industry should take note and evaluate whether it applies to them. Noncompliance can bring civil penalties of tens of thousands of dollars per violation per day ($43,972 at the time of writing; the FTC adjusts the maximum annually for inflation), and many real estate businesses will find that they are covered.

Who Is Subject to the FTC Safeguards Rule in Real Estate?

The National Association of Realtors® (NAR) issued a Washington Report update on the Safeguards Rule, outlining who is subject to the new regulations.

You are a “financial institution” under the FTC Safeguards Rule if you provide any of the following services, regardless of how many customers you have:

    • Real estate settlement services
    • Appraisal services (unless you are appraising on a one-time basis and destroying records)
    • Mortgage services
    • “Finder” services that match buyers and sellers who negotiate their own transactions

The size of your agency, including number of employees, transactions or annual revenue, has no bearing on whether you are covered. The 5,000 figure that NAR highlights is an exemption threshold, not a coverage threshold: a covered business that maintains customer information on fewer than 5,000 consumers is excused from the rule's most demanding elements (a written risk assessment, continuous monitoring or annual penetration testing with semiannual vulnerability scans, a written incident response plan, and an annual written report to the board or a senior officer), but it must still maintain a reasonable information security program. If you store records for 5,000 or more customers, the full rule applies.

Two Options for Real Estate Safeguards Rule Compliance

The simplest way for a real estate professional to reduce the burden of the Safeguards Rule is to delete old data. If you maintain records on fewer than 5,000 consumers, the rule's exemptions spare you its most expensive written-program requirements. Note that the rule applies equally to paper and digital records and does not limit the type of customer information that counts. In other words, a storage unit full of old customer files or a large email list could put you over the 5,000-record threshold even if you hold no in-depth digital financial records on those customers. Specifically, the rule defines:

Customer information means any record containing nonpublic personal information about a customer of a financial institution, whether in paper, electronic, or other form, that is handled or maintained by or on behalf of you or your affiliates.

This can create confusion, because some may interpret the rule to mean financial information, while the Safeguards Rule itself has no such limitations. In thinking about whether a particular record contains personal information, ask yourself this question: Could this information, by itself or in combination with information gathered elsewhere, be used to harm a customer? Considered in that context, information as mundane as an email address or phone number qualifies for protection under the Safeguards Rule.

Can you delete or destroy your old records? For most appraisers, agents and brokers in small agencies, this should be possible. Think about the number of transactions you process in a year and the average time you need to hold on to information to complete a transaction. Even if you want to hold on to information for your most valuable clients, you should be able to get under the 5,000-record limit. Be aware that you will need to put a program in place to delete or destroy records on a regular basis to stay under the limit, and that it is prudent to allow some breathing room: You do not want to have 4,998 records if the FTC launches a compliance investigation. It is better to set a cap around 4,000 or fewer, if your business allows.

If you must maintain records on 5,000 or more consumers, the full FTC Safeguards Rule applies, and in practice you cannot meet it on your own. The rule requires a Qualified Individual to oversee, implement and enforce your information security program. It does not mandate particular credentials, and the role may be filled by an employee or a service provider, but the work (assessing current safeguards, enforcing security controls, and overseeing the service providers and vendors who handle your customer information) calls for a professional cyber security background. The Qualified Individual also develops the written information security program, which covers how data are stored, accessed and retrieved, how records are destroyed, and what to do in the event of a cyber attack.

For most real estate businesses, a Virtual CISO can handle the majority of compliance needs. This is an experienced cyber security professional who provides the Qualified Individual function as a service, at a much lower cost than a full-time hire. Larger real estate businesses that process a significant volume of transactions each year, those that build and operate apps or online systems, and those with extensive archives of paper and electronic records may want to consider a full-time Chief Information Security Officer who can also manage the risks of custom software.

Protect Now can help you find a Virtual CISO versed in FTC Safeguards Rule compliance, and provide CE-eligible cyber security training for real estate professionals. If you have questions or concerns about the Safeguards Rule, please contact us online or call us at 1-800-658-8311.

SEO Poisoning: Train Employees, Watch Your Search Results

SEO poisoning is a tactic scammers use to steal credentials. It is difficult to detect, and it can harm the reputation of your business if scammers use it to impersonate your brand.

What Is SEO Poisoning?

SEO poisoning is a search-based variant of phishing. Cyber criminals create a fake copy of a website or landing page, then use search engine optimization (SEO) techniques to get it to rank highly when people search for the real brand.

This technique took hold for a simple reason: cyber security employee training teaches workers never to click links in texts or emails. Because that training has had some success, cyber criminals have adjusted their tactics. They still send the fake texts and emails you have likely seen, claiming to be from Amazon, eBay, PayPal or another major online company, with a link to click to resolve some phony problem, such as a package that cannot be delivered or a loss of account access.

People with good online habits know to never click on these links. Instead, they go directly to the website, log in and see if there is a problem. This is where SEO poisoning may be effective: By setting up a fake site that looks legitimate and ranks highly in search results, scammers can capture login credentials just as if the target had clicked a link in an email.

The scam relies on the trust people place in search results, and on their tendency to click the first or second link they see without examining it closely. Once thieves have an individual's login, they can take over that account and potentially pivot into business systems.

In some cases, criminals buy paid advertising that appears at the top of search results to trick people. Those ad campaigns get shut down quickly, sometimes in just a few hours, but they can snare unwary individuals while they are online. Criminals time their ad buys and SEO poisoning efforts to coincide with mass emails, hoping to steal credentials before their campaigns and sites get kicked out of search results.

Fake Sites Can Harm Your Reputation

There are two ways SEO poisoning can damage your online reputation, and potentially your search rankings. The first and most obvious is someone spoofing your website and using it for criminal activity. Never assume you are immune. Top brands remain the biggest targets, but any site that requires users to log in can be spoofed, including nonprofit sites that collect donations or personal information.

The best defense against SEO poisoning and spoofing is to check your branded search results regularly. Search your company's name and your main domain at least once a week, and look at the paid ads above the results as well as the organic links. If you find sites impersonating you, report them to the search engines immediately, and to the hosting provider and domain registrar of the fake site.

The second danger lies in abandoned websites. Some businesses have old websites, promotional sites or microsites that have not been used, or in some cases even accessed, for years. Sites like this are prime targets for takeover by cyber criminals, who rely on established domains with link history to lend legitimacy to SEO poisoning campaigns. Make a point of inventorying all of your online properties and shutting down any that are no longer in use. Keep the domains registered and redirect them to your main site: a domain that is allowed to lapse can be re-registered by anyone, and its reputation becomes the criminal's asset. Likewise remove DNS records that still point at decommissioned hosting, since a dangling record lets an attacker claim that host and serve content under your name.

Easy Steps to Avoid SEO Poisoning

Employees should be taught to be skeptical of any link they come across, even one at the top of search results. Follow these steps to avoid landing on a fake site:

  1. Never click on links in texts and emails. This rule still applies. If you receive an email or text with alarming information, be suspicious. Then go directly to the site from your web browser.
  2. Look at links before clicking. Even if the link is an ad, even if it sits at the top of the search page, study it before you click. Most businesses have an easy-to-remember domain, such as amazon.com, ebay.com or paypal.com. Search engines display the destination domain under each result, for paid advertisements as well as organic links. Read it character by character, and remember that the part that matters is the registered domain immediately before the path: a hostname such as paypal.com.example-login.net belongs to example-login.net, not to PayPal. When in doubt, type the domain into the address bar yourself; if it is a site you visit frequently, the browser should autocomplete the full address.
  3. Start from the homepage. Scammers may tell you to search for a “customer service” or “client login” page, because those searches are easier to poison. Ignore that advice. Go to the site's homepage (the bare domain, such as etsy.com or mercari.com) and use the site's own navigation to reach the login or support page.
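
The link check in step 2 and the weekly branded-search review above come down to the same question: does the registered domain of a URL actually belong to the brand, or does the brand name merely appear somewhere in it? The following script is an added example, not code from the original article or from Protect Now. It classifies candidate URLs against a short allowlist of legitimate domains, flagging the common tricks: the real domain used as a subdomain of an attacker's host, the brand embedded in a hyphenated domain, one-character typosquats, the brand hidden in the user-info part of the URL, and internationalized (punycode) labels that can hide homoglyphs. The allowlist, the short public-suffix table and the sample URLs are all constructed for the demonstration.

```python
"""Classify URLs by registrable domain, the way a careful user (or a
branded-search monitor) should judge a link, rather than by whether a
brand name appears somewhere in the text of the URL."""
from urllib.parse import urlsplit

# Constructed allowlist of the brands named in the article. In practice this
# must hold every domain the brand legitimately uses (e.g. amazon.co.uk).
LEGIT_DOMAINS = ("amazon.com", "ebay.com", "paypal.com")

# Assumption: a handful of two-label public suffixes is enough for this demo.
# A production checker should load the full Public Suffix List instead.
TWO_LABEL_SUFFIXES = {"co.uk", "com.au", "co.jp", "com.br"}


def registrable_domain(host: str) -> str:
    """Return the part of the host a registrant controls, e.g.
    'secure-login.example' for 'paypal.com.secure-login.example'."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in TWO_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch one-character typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(url: str) -> str:
    """Return one of: legitimate, punycode, lookalike-subdomain,
    lookalike-brand-embedded, typosquat, unknown."""
    parts = urlsplit(url if "://" in url else "https://" + url)
    host = (parts.hostname or "").lower()  # .hostname drops user@ and :port
    if not host:
        return "unknown"
    # Non-ASCII or xn-- labels are internationalized names: homoglyph risk.
    if not host.isascii() or any(l.startswith("xn--") for l in host.split(".")):
        return "punycode"
    reg = registrable_domain(host)
    if reg in LEGIT_DOMAINS:
        return "legitimate"
    # Labels to the left of the registrable domain are under attacker control.
    prefix_labels = host.split(".")[: -len(reg.split("."))]
    reg_brand = reg.split(".")[0]
    for legit in LEGIT_DOMAINS:
        brand = legit.split(".")[0]
        # paypal.com.secure-login.example or paypal.secure-login.example
        if any(brand in label for label in prefix_labels):
            return "lookalike-subdomain"
        # paypal-account-verify.com
        if brand in reg_brand:
            return "lookalike-brand-embedded"
        # paypa1.com, and also paypal.net (same brand, wrong suffix)
        if edit_distance(reg_brand, brand) <= 1:
            return "typosquat"
    return "unknown"


def triage(urls):
    """Map each candidate URL (e.g. scraped from a branded search) to a verdict."""
    return {u: classify(u) for u in urls}


if __name__ == "__main__":
    SAMPLE = [  # constructed examples, not observed campaigns
        "https://www.paypal.com/signin",
        "https://paypal.com.secure-login.example/",
        "https://paypal-account-verify.com/",
        "https://paypa1.com/",
        "https://www.paypal.com@evil.example/login",
        "https://xn--pypal-4ve.com/",
    ]
    for url, verdict in triage(SAMPLE).items():
        print(f"{verdict:26} {url}")
```

The fifth sample shows why reading a URL from the left is not enough: everything before the `@` is user information, and the browser connects to evil.example. The sixth shows that a punycode label should simply be treated as suspect when you expect a plain ASCII brand domain. Feed the function the URLs pulled from your weekly branded search and anything other than "legitimate" is a candidate for a takedown report.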

As a final way to protect yourself, consider refreshing or starting your cyber security training. Our CSI Protection Certification program teaches the skills needed to detect and avoid online scams, including SEO poisoning attacks. Available in person, virtually or online, CSI Protection Certification develops superior cyber awareness and will make you and your employees nearly impossible to scam. To learn more, call us at 1-800-658-8311 or contact us online.

Lawsuits: A New Reason to Invest in Cyber Security

Lawsuits relating to cyber security incidents are on the rise, according to the 9th Annual Data Security Incident Response Report published by law firm BakerHostetler. For 2022, there were 42 lawsuits filed from 494 incidents that led to individual notifications, including 4 lawsuits filed in cases where fewer than 1,000 people were impacted by a data breach.

SecurityWeek noted that this represents a significant trend: 2018 data from BakerHostetler showed just 4 lawsuits filed from 394 incidents that required notifying affected individuals.

Why Are Cyber Security Lawsuits Increasing?

Individuals and businesses are tired of data breaches and of the time and expense needed to deal with them. The days when a year or two of free credit monitoring settled the matter are over.

Stronger state data protection laws also play a role in the rise of lawsuits, as they offer a framework for individuals to seek compensation for business and personal expenses incurred by a data breach. The California Consumer Privacy Act has become the model for a growing number of state-level regulations that hold businesses accountable for data breaches.

Insurers have also begun to push back against claims for business disruption caused by cyber security incidents. Citing stronger state and federal regulations, insurers who offer cyber liability and recovery policies may require business owners to certify the data protection measures of their vendors and third parties. If a breach traces back to one of those organizations, the insurer may sue it to recover what it paid out.

Invest in Cyber Security Employee Training to Keep Lawsuits at Bay

If you are sued, expect discovery to reach every aspect of your cyber security program: the methods used to protect data, attack response and recovery plans, and employee training and protocols. Businesses with strong security measures are less likely to face lawsuits and better placed to defend them, while businesses with weak measures could be liable for significant damages and legal expenses.

Business owners should expect their cyber security to be scrutinized, and significant gaps will become a greater liability. In BakerHostetler's report, 39% of incidents were attributed to human factors, including phishing, social engineering and employee misuse of access. Collectively that was the largest share of causes; the root cause was unknown in 26% of incidents, and phishing on its own ranked second at 25%.

Sending employees a training video twice a year is not effective employee training. Real employee training teaches workers to recognize obvious attacks, to flag suspicious activity and to report anything that concerns them. CSI Protection Certification from Protect Now delivers this kind of effective training, empowering employees to stop threats by changing their attitudes toward business security. Our training is available through in-person or virtual seminars, or through our eLearning platform. To learn more, contact us online or call us at 1-800-658-8311.