The risks of identity theft when renting an apartment or making a Co-op / Condo application.
What no one tells you: Where and how exactly is your application information held?
Have you ever thought about all of the personal, financial and other information you hand out when completing an application for a new rental apartment or applying to buy in a Co-op or condominium building?
Amongst information you are often asked to provide:
- A signed letter of employment, stating your current position, annual salary and length of employment.
- Recent pay stubs.
- Recent federal tax returns (can go back several years for Co-ops).
- Up-to-date copies of bank statements (checking and savings accounts).
- Details of recent previous residential addresses, along with contact details for the landlord.
- A photo ID, such as a driver’s license and/or passport.
- Social security number.
- And, your Credit report often gets pulled.
If you are making a co-op application, you may also be asked for:
- Copies of financial statements, with account numbers, for retirement and investment accounts are often required as well as information on any other assets you hold.
- A list of references – both professional (accountant/lawyer/past employers etc.) and personal.
How and where does the co-op Board store this information? On the Board Treasurer’s family home computer that hasn’t had its virus protection updated since the first Bill Clinton Administration, and on which her teenage son regularly games with competitors in Eastern Europe?
A cyber criminal could easily use any and all of the above information to commit a number of different crimes including, most obviously, stealing your identity. Having such a large quantity of your personal information – banking details, earnings each pay period and where you have lived – will help them easily navigate many of the questions institutions ask you to establish your identity over the phone. The value of this data really cannot be underestimated, and it is highly vulnerable to compromise through negligence or cyber attack. As stated often in the real estate business, Buyer Beware…
While it is obvious why landlords and co-op Boards need this information to establish your eligibility to rent a property or buy an apartment, what is very rarely discussed is how that information will be handled once your application has been accepted or denied.
Dealing with a new financial institution often requires you to hand over much of this information, too. But financial institutions are strictly regulated regarding how they handle, store and transmit data. Rental companies and managing agents have responsibilities about how they look after your data, too. But there appears to be a near total lack of awareness of this either by the landlords or co-op boards on the one hand or the consumer on the other. It is probably safe to assume that, even when the consumer is aware of his or her rights, he or she will probably choose not to raise the matter for fear of rejection.
Remember, too, that there are often third parties, such as a real estate broker or attorney, in the middle of your negotiations and your information will likely pass through their hands. Whilst some of these agents may handle your data correctly – and destroy it properly when the process is over – it is probably safe to assume that some might not.
If an application is denied, managing agents / co-op boards or real estate companies are required by law to have in place, and follow, a formal policy of securely deleting all of your information. Secure deletion does not mean just hitting the delete button but requires a piece of software which deletes both the file and the directory information. Many applications these days are prepared and submitted over email with the pertinent information attached as files or scans. Once opened a copy of this file will be on the computer and should to be properly deleted when no longer needed. I’m not even touching on the issue of secure email here, but you should think about whether your email is being sent in a secure format. It’s also worth noting that malware generally targets information on email accounts – so if your information resides in somebody’s inbox somewhere (even if it was from some time ago) your personal information is likely to be compromised.
Where an application is successful, you should also be concerned about how your data is stored long term. Is it stored in an encrypted format on all of the devices or storage media it is held on? Are there printed hard copies – and, if so, how are they stored, is there a purging policy in place and, when they are destroyed when they are no longer needed, is the destruction carried out effectively (i.e., shredding or burning)?
What should you do?
YOU SHOULD ASK YOUR CO-OP BOARD / RENTAL COMPANY AND BROKER ABOUT SECURITY OF DATA YOU SUBMIT TO THEM! This in itself won’t make your data secure yet but if enough people ask perhaps the companies will wake up to their legal responsibilities and do something about it. If not driven by altruism but perhaps highlighting their potential liability risks might scare them into action. It could also show a co-op board that you take the security of data, including data the co-op may send to you, seriously.
The laws are there to protect you but many organizations are either unaware or don’t believe it’s in their economic interest to comply. According to the “Disposal Rule” the Fair and Accurate Credit Transactions Act of 2003 (known as FACTA), landlords and co-ops must:
“take reasonable measures to protect against unauthorized access to or use of the information in connection with its disposal, i.e., keep the information in a locked cabinet, dispose of the information when they no longer need it, establish a system for purging their files, and use an effective method (such as a shredder) to destroy the documents. Computer files should be destroyed with a utility that will “wipe” the data completely, by deleting both the text and the directory.”
If your rental company or co-op’s managing agents Fail to comply with FACTA.
Have you learned that the information you provided to the landlord of co-op board is on the Internet, or has landed in the hands of identity thieves? The Federal Trade Commission (FTC) oversees compliance with the FACTA – and takes action for noncompliance. If the FTC finds that a landlord, rental agency or managing agent has violated FACTA the penalties include actual damages, statutory damages up to $1,000 punitive damages per violation (with no cap on class action damages), attorneys’ fees and civil penalties up to $2,500. It can all add up to a big number.
As ever in information security one of the biggest hurdles is identification and awareness of a problem. If more consumers start asking questions about data protections one would hope that the companies holding the data will wake up and start taking this issue seriously especially if their more responsible competitors begin to take business from them because of good information stewardship..
SIMON RUSSELL- Managing Partner, Bronzeye LLC (New York)
Simon opened the US operations of Bronzeye, LLC in January 2015 and has overseen the drive focusing on small and medium sized firms, which Bronzeye observed were being poorly catered to. In addition to the traditional consulting services Simon developed and implemented the subscription based outsourced CISO service for SME’s also known as BeCyberSure. He spends his time managing the US operations as well as speaking about Cyber Security at conferences and on panels.
Simon started his career in Financial services in 1993 and spent 21 years in equities and derivatives in both sales and trading capacities for institutions including Deutsche Bank, Bank Austria and Rabobank. He has lived and worked in multiple European countries as well as several extended stints in Asia before moving to New York in 2006. Simon holds a BA (Hons) in Economics from Kingston University.
KENNETH N. RASHBAUM
Kenneth N. Rashbaum advises multinational corporations and healthcare organizations in the areas of privacy, cyber-security and e-discovery. He counsels multinational corporations on information governance and its compliance with federal, state, and non-U.S. laws; the interface of e-commerce and legal and regulatory liabilities in areas such as cyber-security and breach response. Ken has vast experience in preparation of protocols for compliance with data protection and privacy laws in the U.S. and other countries; conduct of information security and data breach response assessments, investigations and remediation initiatives; and policies for social media legal and regulatory compliance.
Ken serves as special e-discovery counsel for complex litigation and in matters in which electronic evidence from beyond the U.S. is required. He has been recognized internationally as a thought leader in electronic discovery and disclosure, and has served as national e-discovery counsel for multinational pharmaceutical corporations and global e-discovery counsel in products liability and IP litigation. Ken was appointed to the faculty of the Federal Judicial Center for its September, 2010 session and the Georgetown Advanced E-Discovery Institute (November 2009 and December 2012 sessions) to lead sessions on international e-discovery issues and challenges.
In his capacity as a nationally known expert on data privacy, Ken counsels healthcare organizations on compliance with federal, state and judicial standards governing protected health information. He has served as HIPAA and privacy counsel to major hospital systems, health plans, physicians’ groups, cloud computing providers and health information application developers; advised academic hospital systems on protocols for implementation of electronic health records; and provided counsel on risk management issues in access, uses and disclosures of electronic patient information.
Ken is an Adjunct Professor of Law at Fordham University School of Law and had been a member of the Adjunct Faculty at the Maurice A. Deane School of Law at Hofstra University from 2013 – 2015.
Prior to joining Barton, Ken was a senior litigation partner in the New York office of Sedgwick LLP (formerly Sedgwick, Detert, Moran & Arnold) where he was the Co-Chair of the E-Discovery, Compliance and Data Management Practice Group.
This communication is for general information purposes only. It is not intended as a full analysis of the matters presented and should not be relied upon as legal advice. Transmission or receipt of this communication does not create an attorney-client relationship with Barton LLP. Parties seeking advice should consult with legal counsel familiar with their specific circumstances. This communication may be considered attorney advertising in some jurisdictions.
CEO of Bronzeye IBRM
BronzeyeIBRM offers an affordable monthly subscription-based information and cyber security service to SMEs and others.