Why do cybersecurity incidents expose the real estate industry to risks?
Over the past decade, the number of cyber attacks and data breaches has been rising globally, with public announcements of new security incidents on an almost daily basis.
Booming proptech services and digital innovation in smart home products and intelligent building concepts open numerous opportunities to reduce costs, increase efficiency and gain new market share for property owners, managers, developers and real estate insurance companies.
Likewise, the use of internet of things services, connected devices, the opportunity to have remote access to facilities and to steer smart technology deployed in buildings creates the risk of abuse, service interruption, accidental or unlawful destruction, loss, alteration or access to personal data and business information stored or otherwise processed by these new digital real estate gadgets.
But even the more traditional means of processing personal information could be affected, such as CCTV recordings in shopping malls, hotel guest databases and CRM systems. Company websites or e-mail exchange servers for business communication with vendors and customers are suitable targets for cyber attackers.
While data breaches are a global phenomenon, imposing technical challenges on companies on a worldwide scale, recent legislation established particular hurdles for real estate companies in Europe. With the General Data Protection Regulation (EU) 2016/679 coming into effect in May 2018, data controllers have to notify the data protection authorities of any data breach within 72 hours after having become aware of it.
This short timeframe does not leave much time for a reasonable business decision unless the company is well prepared with a diligent incident response plan. This three-day deadline introduced by the GDPR is even more relevant, since non-compliance with the notification obligation can trigger considerable fines up to €10m or up to 2% of the total worldwide annual turnover of the preceding financial year, whichever is higher, as well as other sanctions.
Recent enforcement by DPAs all over Europe shows that companies that are unprepared to respond to a cybersecurity incident in time run a realistic risk of being subject to administrative proceedings and enforcement actions by DPAs, regardless of the European member state in which the incident takes place.
For example, in the UK a hotel group was ordered by the Information Commissioner’s Office to pay a €110m fine in 2018 for being hacked and having exposed hundreds of millions of datasets of its guests. In June 2019, the French supervisory authority (CNIL) sanctioned a company specialising in real estate for not having applied reasonable IT security and access control to its company website and the confidential information uploaded by its customers.
Since data breaches can lead to long-standing reputational damage for companies and cause severe financial losses by regulatory fines and remediation costs, companies in the real estate industry should take different steps to mitigate the risks associated with the digital innovation of the business.
Firstly, they should perform a technical due diligence of their IoT services, connected devices and smart technology used in their properties, services and products.
Secondly, they should review the commercial contracts with all IT service providers, hardware retailers and system integrators for security standards applied, notification obligations imposed and support services agreed in case of an IT security incident.
Thirdly, and based on the findings of the first two steps, they should reasonably invest in state-of-the-art cybersecurity technologies to prevent and detect security threats and incidents, test the availability and resilience of their digital infrastructure, and form an incident response team responsible for taking appropriate steps in the event of a data breach.
An investment in digital devices and smart technology should always go hand-in-hand with an investment in appropriate cybersecurity and digital protection.