Skip to Content

Stay Informed

Cybercrime in Real Estate

Attorney: Anna Greenstin Kudla | Published 7.10.18

Technological developments have changed how realtors conduct business. With advances like electronic notary services eliminating wet signatures or the conveniences of virtual assistants, realtors depend on technology to increase efficiency and keep abreast with competitors. However, maintaining a vast amount of personal information electronically poses a significant danger.

Recognizing electronic devices are the primary means of conducting business in real estate, legislature and law enforcement struggle to keep up with data breaches. According to the National Association of Realtors (NAR) an annual cost of data breaches related to cybercrime is expected to reach $2.1 trillion by 2019. An ideal target for cybercrime are brokerages conducting business with various participants such as lenders and escrow, with daily transmittal of confidential information and large sums of money.

Trick or Treat, Click My Link

Sophisticated hackers compromise brokerages’ email systems through captured passwords or malware. Unauthorized access over a computer network system will result in the destruction, theft or denial of accesses to your own system. Once a hacker infiltrates your computer, mobile phone or tablet, they monitor (1) keystrokes to capture passwords and (2) written communications to mimic the personality of the sender. There could be weeks of cyber-shadowing before a hacker decides to intercept a realtors wiring instructions or take over a network.

Ransomware remains a concern for brokers. A hacker can lock a computer to prevent access and demand a ransom. Digital extortion has improved since 2005 with the development of ransom cryptoware. Now a hacker can grant access and deny it on a whim. Moreover, there is no guarantee the hacker will release information or never return once the ransom is paid. Caution must be taken, as ransomware doesn’t just affect desktop machines or laptops, it also targets mobile devices.

Beware of free Wi-Fi

Public places such as coffee shops, bookstores, and hotels offer free WiFi. As a result realtors are connecting to unsecured networks to check and send emails, buy products, and work remotely logging onto corporate networks. While “free” may sound appealing, if a hacker gains access to your device it will end up costing you in the end.

Contaminated Links

Many hackers infiltrate servers by phishing. This occurs when a realtor is baited into opening an email or responding to a text message. By simply clicking on a link or opening an attachment the user inadvertently downloads malware that infects the electronic device, permitting access into the entire operating system.

The Evolution of California Law

In 2010, California legislature required business to take reasonable steps in disposing customer records. In 2016, California legislature required security procedures and practices with respect to personal information about California residents (Cal. Civ. Code § 1798.81.5).

Most recently, on May 3, 2018, California Assembly Bill No. 2678 was updated, setting out to amend the existing law found in Cal.Civ.Code § 1798.82 related to notification of data breach. Existing law requires a person or business in California that licenses or maintains personal information to disclose a breach to a California resident whose personal information was, or is reasonably believed to have been, acquired by an unauthorized person.

The notification must include specified information, such as if the breach exposed a social security number, a driver’s license, or a California identification card number, the toll-free telephone numbers and addresses of the major credit reporting agencies. Assembly Bill No. 2678 requires the notification to include information of what the person may elect to do next, such as place a security freeze on a credit report and an explanation of how a security freeze differs from identity theft prevention and mitigation.

Once the scope of the breach is determined, notice should be done within a reasonable time. The law requires that a sample copy of a breach notice sent to more than 500 California residents be provided to the California Attorney General. Sample notices approved by the Attorney General can be found by clicking here.

What Should You Consider Doing

It is increasingly hard to keep up with the latest scams and spyware. Brokers should consider taking the appropriate precautions by (1) implementing strict guidelines on the use of business networks and devices, (2) hiring an IT consultant or programmer, (3) changing passwords regularly and make them complex, (4) updating security software properly, (5) complying with industry standards in disposing of consumer records, (6) obtaining insurance coverage for data breaches and cybercrime, (8) learning how to encrypt sensitive data especially on mobile devices: laptops, phones, USB & external drives, to hide it from others in case the apparatus is stolen or lost, (9) learn how to decrypt to access the original plaintext, and (10) providing disclosures with instructions to principals prior to wire transfers. These are only a few suggestions.

NAR recommends hiring IT consulting firms to conduct a computer system audit to ensure past, present and future confidential information is protected, and using encryptions when possible. NAR also recommends that brokers instruct buyer clients to call the intended recipient of wired funds immediately prior to sending the wire, using an independently verified phone number, not the one listed in the email with wire instructions. Both NAR  and the FBI websites provide tips and updates for cybercrime prevention.

In response to increases in fraud scams, California Association of Realtors revised its new form titled the “Wire Fraud Advisory” form WFA, December 2017. The new form advises buyers and sellers of the existence of wire fraud and addresses steps to be taken to prevent an illegal scam. Realtors are to use this form. However, that may not be enough. Realtors may also want to consider directing recipients to call if an email they send requires sensitive information be transmitted.

This article is for general information purposes and is not intended to be and should not be taken as legal advice, as each specific situation needs to be evaluated based on its specific facts.