Of the many topics discussed by presenters at Optech 2022, data privacy was one of the most recurring. It was made clear that as the number of owners implementing smart community systems increases, so are cybersecurity concerns. The number of data breaches across the board are accelerating rapidly. A recent NAR poll (National Association of Realtors) revealed 60% of Americans are “very or extremely concerned about the security of their smart-home tech.” A call for owners to place high priority on data privacy and protection was delivered loud and clear.
The good news is industry experts assure there is a path to security. A little knowledge, proactivity, and system-building can put owners and residents largely out of harm’s way, details of which are discussed below. Further, a data privacy bill (also discussed below) is in the making at the federal level containing provisions designed to have a positive impact on the multifamily sector.
Understanding Cybersecurity Risks & Vulnerability
Cybersecurity concerns in multifamily are similar to those in the banking industry, in that owners and managers are handling personal information of two parties - in multifamily’s case, employees and residents. Also like a bank, it involves the handling of a person’s most valuable and important details; salary, phone number, emergency contact info, employer info, social security number, and more. It’s no wonder bad actors are targeting multifamily databases.
Protecting data is much more than simply taking measures to store it securely. Skillful hackers gain access regularly to systems presumed to be secure, but in reality are not. There’s a multitude of attack types, each one dangerous and attached with a unique name, such as ransomware, DDoS (Distributed Denial-of-Service), wiper, or credential harvesting. Without getting into each method in detail, there is an important similarity among them. The most common vector (entrance location) where hackers gain access to multifamily data and execute one of the various cyberattacks is through the WiFi. This is where you should focus your data privacy plan. Without properly fortifying your property’s WiFi network, your residents and employees are particularly vulnerable to cyberattacks.
Where To Start
A key starting point for owners is to make yourself aware of where responsibilities lie concerning all the data collected during the resident screening process. Not just your responsibilities, but also those of the service providers you’re integrated with who touch the data (suppliers, smart tech providers, etc.) In the event of a breach, it’s ultimately the housing provider’s reputation at risk, regardless of who’s responsible. Having a working knowledge of the responsibilities of all parties involved is essentially covering your bases, as they say.
The next step in protecting multifamily data can be more complicated…but it doesn’t have to be. Some owners overcomplicate cybersecurity implementation by trying to address each measure individually. This isn’t recommended because an owner can’t be expected to have a technical, working knowledge of everything involved. Effective cybersecurity involves 24/7 threat monitoring, malicious code detection, analytic reporting, penetration testing, dark web monitoring, security training, VLAN unit security, and more. It’s a lot, and each aspect is of equal importance. This is a reason why many industry experts, including Multifamily Executive and ButterflyMX, recommend MWF (Managed WiFi) as the best data privacy solution for multifamily properties. Providers like Level, Boingo, and others take cybersecurity VERY seriously. It’s one of the defining features of MWF. By joining forces with a reputable MWF provider, you’re stepping into a robust cybersecurity system providing exceptional data privacy and protection, including every measure mentioned above and more.
To learn more about Managed WiFi, click here and here; both short articles to help you make informed connectivity decisions for your properties.
How Smart Community Systems Protect Data
Though many voices express concern about data security in relation to smart technology, smart community system providers are largely well-known for their meticulous attention to detail in this area. Despite an increasing number of cyberattack attempts, you won’t find multifamily on on any most vulnerable industries lists. This is, in part, due to the increasing number of owners and developers implementing smart community systems into their properties. Consider Level's data protection protocol:
Regular company-wide security audits and penetration testing throughout our entire tech stack to ensure security is enforced throughout.
Alert subscription for every vendor and operator system we use to get real-time patches and bug discoveries, with an average turnaround time of 1 hour.
Risk identification and mitigation measures that include protection from spoofing, tampering, repudiation, information disclosure, denial of service attacks, and elevation of privilege.
Infrastructure auditing, data aggregation, service telemetry, and alerts monitored centrally via Datadog.
Though we are very proud of our cybersecurity measures, we aren’t alone. To our knowledge, other providers employ data protection protocols that closely resemble ours. Level's smart community system is incredibly safe because we know how important data privacy and protection are.
Cyber Insurance
Liability protection against data security breaches is becoming more popular in multifamily. According to EMBroker.com, the average cost of a single ransomware attack in 2021 was $1.85 million. Naturally, owners want liability protection in the event of a potential worst-case scenario. Because it’s a relatively new product (becoming mainstream in the mid-2000s), there are still kinks being worked out. Underwriters are still determining how to appropriately price cyberattack coverage, shape deductibles, and arrange sub-limits. Incidents aren’t as cut-and-dry compared to other insurance claims.
Thomas Bentz Jr. of Holland & Knight recently told MHN (Multifamily Housing News) that cyberattack claims often involve crossover with other policies, which is why things sometimes get complicated. He gave a real-life example of a cyberattack triggering a property’s fire suppression system, causing extensive property damage. He then had to determine where the loss belonged; the general liability policy or the cyber policy.
Despite cyber insurance still coming of age, Bentz highly recommends multifamily owners get it, and to place importance on choosing the best underwriter (even if it’s not the cheapest option). He suggests doing research and feeling good about your choice. As with any insurance policy, the more an owner knows about the policy, the better prepared they will be should an issue arise.
New Data Privacy Bill On The Horizon
Many in the multifamily industry have been aware of the mounting challenges presented by cyberattacks for a long time and have championed the government to take action in some way. Though a long-time coming, something concrete is starting to take shape. The American Data Privacy and Protection Act, as of this writing, is in the discussion draft stage. The last update released to the public took place on June 3, 2022, stating as much. The protections granted in the Act are broad. It covers discriminatory data use, front-end requirements for covered entities, incident reporting procedure, consumer’s right to access, and a lot more.
It’s taken a long time for this piece of legislation to get as far as it has, and how much longer it takes to see daylight is still uncertain. The NAA (National Apartment Association) and the NMHC (National Multifamily Housing Council) have both publicly stated that, though they’re happy with the legislation’s progress, it still needs work. They feel that, as currently written, it still fails to address important issues needed to safeguard the industry.
How Will It Affect Multifamily?
As it reads now, the only thing we know for sure is that there will be new reporting requirements to comply with. More specifically, covered cyber incidents will need to be reported to the CISA (Cybersecurity and Infrastructure Security Agency). These would include incidents that cause (quoting directly from the proposal):
unauthorized access or disruption of business or industrial operations due to loss of service facilitate through, or caused by, a compromise of cloud service provider, managed service provider, or other third-party data hosting provider or by a supply chain compromise
disruption of business or industrial operations
substantial loss of confidentiality, integrity, or availability of such information system or network, or a serious impact on the safety and resiliency of operational systems and processes
Also, a federal standard of consumer’s right to consent to/access their data is of particular interest to owners, which is hinted at in the bill. Because regulations of this kind vary by state, operational consequences are notoriously difficult to navigate. Many owners agree that a federal standard on this front would be a great thing.
Conclusion
But even if a bill is eventually passed, owners should not rely only on federal regulations to ensure data privacy and protection for their residents. Owners should understand their own cyber-related responsibilities as well as those of integrated third parties, and a system should be in place. Despite a degree of uncertainty surrounding the topic of cybersecurity in multifamily, data suggests that as smart community systems continue to increase in number, so will attempts to steal data. A proactive owner who implements a system of data protection provides the safest environment for resident’s data.
Contact us today to learn more about what we’re doing to protect the data of residents and staff in Level communities.