Data and reputational risk

In the second in a series of three articles on the risks posed by cyber threats to the real estate industry, Laura Oliver, Seaton Gordon and Tomas Amaral look at the data protection issues.

Originally published in Estates Gazette on 23 January 2021

When we think of data breaches caused by cyber attacks, there is a tendency to focus on hackers obtaining credit card details or banking passwords and the direct – and sometimes dramatic – financial consequences. In the modern real estate world, there is a vast flow of data through technological systems and any complacency around protecting it could have serious consequences.

Getting personal

In 2013, the American retailer Target had details of 40m credit cards stolen by hackers from within its systems. It remains one of the largest data breaches and cost the company $202m. The source of the breach? Target’s third-party heating, ventilation and air conditioning supplier, from which network credentials were stolen.

The Target breach is a good example of the particular data risks faced by the real estate industry. Personal data is stored in various property management and customer information systems and there is exposure not only to the data stored, but also the manner in which that data is held and who has access to it. For example:

• Managing agents and landlords use increasingly sophisticated customer relationship management (CRM) systems.
• Building owners and occupiers use CCTV systems.
• The vast majority of businesses will use databases to store a wide range of personal data pertaining to customers and staff.
• Housing associations and student accommodation providers compile personal and financial data not only in relation to their tenants, but also their guarantors.
• Retailers use sophisticated point of sale systems to track customer activity and compile comprehensive data to inform targeted marketing.

The need to protect

Given how instrumental personal data is to commercial operations and the sheer volume being held, there is both a business need and legal obligation to secure this data from cyber attacks.

Since May 2018, the General Data Protection Regulation has harmonised the data protection compliance regime across EU member states and, shortly thereafter, in the European Economic Area jurisdictions. The GDPR requires organisations to have appropriate security measures in place to prevent personal data being compromised. While information security is sometimes conflated with cyber security, it also covers other things like physical and organisational security measures.

Failure to enact such measures could expose organisations to cyber attacks or leave them ill-equipped to respond, potentially increasing the exposure to penalties or worsening disruption to business operations. Failure to comply with the GDPR could result in enforcement action and supervisory authorities have the power to fine noncompliant organisations €20m or 4% of global annual turnover, whichever is greater.

Following Brexit, the GDPR was retained in UK law on 1 January 2021, but the legal framework will be kept under review. The “UK GDPR” (which retains the key principles, rights and obligations of the GDPR) will sit alongside an amended version of the Data Protection Act 2018.

Last year, the Information Commissioner’s Office fined hotel giant Marriott International £18.4m for failing to keep millions of customers’ personal data secure – the second largest ICO fine to date. The ICO found Marriott failed to put appropriate technical or organisational measures in place to protect the personal data being processed on its systems, as required by the GDPR.

The exposure to personal data does not end with customers. Organisations also need to consider data held about their employees; it is not unusual for some HR functions to be outsourced to third parties, for instance payroll. The organisation will likely remain responsible for any associated processing of employee data and is therefore exposed to any weak third party security practices, even if its own protections are robust. The GDPR requires data controllers to procure that third party processors provide “sufficient guarantees” of appropriate technical and organisational measures to ensure compliance with data protection legislation. This means that adequate security becomes a matter of contract.

Commercially sensitive data

Modern commercial real estate arrangements are such that other confidential data is also shared with third parties. For example:

• In property sales, the seller will often disclose a wide range of data, including financial records, legal actions and supply terms. Non-disclosure agreements are commonly used in this scenario and will impose obligations on the receiving party to keep the data confidential.
• Investment and managing agents hold a vast array of commercially sensitive data in relation to the financial performance and profitability of their clients’ assets. They will have contractual obligations to ensure that information is kept confidential.
• Prospective tenants will often be asked to share financial data to enable landlords and agents to assess covenant strength. Frequently this will take the form of publicly available accounts, but occasionally more sensitive information is shared, for example details of key supply contracts or pipeline work.
• Turnover leases ratchet up the data sharing obligations, particularly in relation to the tenant’s profit margins and turnover. Recognising this, such leases will impose strict confidentiality obligations on the landlord.

The consequences of a cyber attack that results in such commercially sensitive data being disclosed could therefore include contractual claims for damages and breach of confidentiality, and compensation payments to affected third parties. There are also several intangible costs that can blight a business long term – in particular, business interruption and reputational damage.

For regulated entities, notification to the Financial Conduct Authority may also be required. Relevant triggers include incidents that impact the entity’s continued ability to provide adequate services to customers and could result in serious detriment to them. An event which could cause significant adverse impact on the entity’s reputation is a separate, but related, trigger for notification.

Reputational issues

According to AON’s 2019 Global Risk Management Survey, UK businesses rate brand damage and cyber attacks in the top three risks. The reality is that cyber attacks have enormous potential to damage the reputation of a business, conflating the two risks. The negative impact can be tangible – a 2019 study reported by Forbes found that a breach can lower a company’s share price by 7%. It can be hard for the organisation to regain customers’ trust, particularly if the breach was widespread or caused by basic security errors.

Taking action

Organisations should be cognisant of the regulatory intersections between data, systems and reputation. Different regulators have different concerns (although the ICO and FCA share information). Technical and organisational controls are always key, but what and where the data “crown jewels” are will vary depending on the organisation and may determine the appropriate regulatory response.

Where data intersects with real estate, it is therefore crucial to assess the risks holistically. A siloed, modular analysis (of data, IT risks, physical security, regulatory obligations, contractual exposure, reputational exposure and so on) is unlikely to be strong enough because all of these factors can blur together and impact each other.

Regrettably, this type of holistic analysis is too frequently reactive and undertaken under extreme pressure. As a legal team, we frequently assist organisations in assessing why they are holding the data they do and attempt to anticipate whether there will be further fallout beyond the data breach – in particular from regulators. Often, there is also a mismatch between an organisation’s regulatory reporting obligations and their contractual obligations to inform third parties of breaches. In both cases, the damage is, to an extent, a step removed from the incident itself. The breach simply highlights the deficiencies that were always present.

The National Cyber Security Centre’ guidance recommends that organisations establish an incident response and disaster recovery capability that addresses the full range of potential incidents and test their incident management plans regularly so they are prepared to support staff and customers post-breach. For instance, there is a difference between ransomware rendering data inaccessible and attackers stealing information. Depending on the organisation and the data, one may be more or less crippling.

Businesses should undertake a desktop analysis to understand what data is held, the way in which it is held, and the adequacy of security safeguards. This will help identify areas of potential weakness and feed into the incident response, disaster recovery and business continuity plans.

Most security breaches (including some of the most high-profile and significant breaches) are the result of businesses failing to implement basic security precautions and procedures. Using outdated software and systems, having insufficient (or inadequate) staff training, and not controlling IT administrative privileges are all examples of basic failings identified by the ICO in recent enforcement decisions. In real estate businesses, any cyber exposures should be assessed with a keen eye on the physical nature of the buildings themselves.

Each organisation will face its own challenges and a cyber attack identifies issues with sometimes alarming speed. The range of attack vectors only adds to this difficulty, but the challenges are by no means insurmountable and organisations that are prepared will be better able to mitigate the impact of a cyber incident.