Connect with us

Hi, what are you looking for?

The American Genius Real EstateThe American Genius Real Estate

Real Estate Brokerage

Reducing brokerage liability (how not to lose a quick million)

You don’t know what you don’t know, brokers. Truly, there are always more ways to safeguard your company and your information.

google patent

Brokers who don’t actively manage their company’s information security practices could be on the hook for a lot of money – in the case of one West Coast brokerage, $1.5 million – and, like many of their peers, find their reputation ruined. The media likes to dramatize the story whenever a brokerage has a security breach. One recent TV story, while trashing a broker’s reputation, seems to have been going for a literary prize:

“The paper trail stretched for blocks, billowing in the cold breeze on Columbus Avenue. It was not litter but bits and pieces of people’s lives.”

Now that’s drama! But it’s drama that your brokerage can avoid – here’s how:

Train your agents on how to manage the physical security of client information in their mobile and home office environments – and also train them on many of the other best practices that follow in this article to reduce brokerage liability:

Manage the physical security of sensitive information

Keep sensitive information physically secure – that goes for paper, hard drives and flash drives, computers and mobile devices. Keep it all in a locked cabinet – ideally in a locked room – when unattended, and be especially careful with it when you are mobile. Use a cross-cut shredder to dispose of items you no longer need.

Most publicized security breaches in our industry happen because of a physical security breach rather than a computer security issue.

Advertisement. Scroll to continue reading.

Use secure software to manage sensitive information

Use professional-grade document and transaction management tools – not Dropbox! Make sure good information security practices are a part of your contracts for websites and software; this is a requirement in some states.

Create and protect strong passwords

Use passwords with letters, numbers, and punctuation – at least eight characters long – and use unique passwords for different applications. Ideally, change your passwords every 120-180 days. Also, never write passwords down (unless you lock up the paper very securely), change your passwords now and again, and don’t share your passwords. 

If you use a password management program or “remember password” features, be aware they aren’t ideal: if someone gets physical access to your device and/or learns your one master password, they’ll have access to all of your passwords. To protect your accounts, don’t forget to log out when you’re done using a computer, website, or other resource.

Configure computers for security and keep them updated

If you use a PC, test your settings and security patches using Windows Update, the Microsoft Baseline tool and Secunia PSI. If you have a Mac, there are no equivalents beyond the App Store updater – but Apple does have some configuration guides. Don’t slack off on installing security patches!

Configure mobile devices for security and keep them updated

At the very least, require a difficult to guess password to use the device, use the encryption features, and set Bluetooth to “hidden mode” or disabled when not in use. Be very careful to limit installation of third party “apps” to those created by reputable companies.

Install antivirus software

No antivirus software can protect you from all viruses, but it’s a good idea to install it as a reasonable precaution. On the PC, leading vendors are Microsoft, AVG, Avast!, ESET, McAfee, and Norton. On the Mac: Avast! or ESET. On Android: AVG, Trend Micro, and Kaspersky. On Symbian or Windows Mobile devices: Kaspersky. Sadly, there isn’t a reputable antivirus solution available for Apple iOS mobile devices yet.

Advertisement. Scroll to continue reading.

Use encryption

Encryption makes information that anyone can read into something that is unreadable unless one has the right “key.” This way, the information doesn’t fall into the wrong hands. Encrypted information may be stored on a hard drive or flash drives, attached to an email, or sent over the internet. Every type of computer, email program, file transfer program, and wireless router has its own method for implementing encryption – see this article about encryption for real estate professionals and/or “Google” for more information on your specific situation.

Establish policies and procedures

Policies define what behavior regarding the protection of sensitive information is expected and what behavior is not allowed. They eliminate the “ignorance” excuse — “I didn’t know that I had to shred files before getting rid of them!” — and negligence is well defined. Many draft policies are available online. Policy management must include at least employee and contractor education, monitoring, enforcement and regular re-evaluation and revision.

Set up a secure office network

The office should have a firewall, configured to only allow essential incoming and outgoing network traffic and to protect internal computers from those of visiting agents – and all of those from portable computers brought in by clients. Ideally the firewall should also allow for secure remote network access for key staff, have an intrusion prevention system, and also provide web filtering to help prevent visits to malicious websites. If wireless networking is provided, the access point should have a strong administrator password and use WPA2 encryption.

Create a Written Information Security Program (WISP)

Create a document formalizing how you are minimizing the risks:

  • Identify who at your company is responsible for information security
  • Identify reasonably foreseeable risks. Are you only collecting and keeping information you need? How will you prevent terminated employees from accessing sensitive information? Are you contracting for information security with technology vendors?
  • Develop policies for the location and both physical and electronic security of records
  • How are you monitoring compliance with the best practices you’ve outlined?

The following PDF is a fine example WISP provided by the state of Massachusetts.

Have a security audit performed

The only way to know if all reasonable steps are being taken is to have a professional security audit performed. Ideally third parties you work with (web site creators and hosts, document and transaction management system providers, statistics providers, broker back office system providers, etc.) have their own audits performed regularly at their own expense, and if they don’t, this is something to consider adding to your contracts. It’s understood that many small brokerages can’t afford to have someone like me provide an audit – but hopefully some of the steps outlined in this article will help them minimize the risks on their own.

Prepare for an incident

No matter what steps you take, it’s possible that an information security incident will occur. Be prepared with the appropriate law enforcement, financial institution, and local computer forensics expert phone numbers. Consider the messaging your company will use if an incident will occur. A sample is included in this PDF document at the end of the “Plan Ahead” section. Keep all this information somewhere printed out – you may not be able to access it on your computer when you need it!

Advertisement. Scroll to continue reading.

There is no such thing as eliminating all risk. Still, putting these policies and procedures in place at your company may prevent embarrassment, compromise, and financial loss. You do not want to be the broker with the TV cameras outside and a reporter waxing poetic about what you’ve let happen to your clients.

Written By

Matt Cohen has been with Clareity Consulting for over 17 years, consulting for many of the real estate industry’s top Associations, MLSs, franchises, large brokerages and technology companies. Many clients look to Matt for help with system selection and negotiation. Technology providers look to Matt for assistance with product planning, software design, quality assurance, usability, and information security assessments. Matt has spoken at many industry events, has been published as an author in Stefan Swanepoel’s “Trends” report and many other publications, and has been honored by Inman News, being listed as one of the 100 Most Influential Real Estate Leaders.


The Daily Intel
in your inbox

Subscribe and get news and EXCLUSIVE content to your email inbox.



Real Estate Brokerage

How you collect feedback can determine whether your service actually improves or not. #science

Real Estate Brokerage

It's not common to have an internal communication strategy in real estate, but your brokerage should. Here's how to set it up.

Real Estate Brokerage

While houses are selling quickly right now, there are some things that will almost definitely turn a home buyer off.


Not every real estate agent is amongst the pros just yet. Here are the 10 skills the most successful among us share.

The American Genius' real estate section is honest, up to the minute real estate industry news crafted for industry practitioners - we cut through the pay-to-play news fluff to bring you what's happening behind closed doors, what's meaningful to your practice, and what to expect in the future. We're your competitive advantage. The American Genius, LLC Copyright © 2005-2022