Data breaches and cyberfraud are becoming increasingly common. A recent study by Javelin, a Greenwich Associates LLC company, found that 12.7 million adults in the U.S. became victims of some form of identity fraud during 2014.
Unfortunately, the real estate industry is not immune to cybercrime. In fact, Arizona real estate transactions continue to be targeted by hackers perpetrating wire transfer fraud.
For these reasons, the National Association of REALTORS® recommends that REALTORS® “create, maintain and follow a comprehensive Data Security Program” and properly dispose of consumer information. But in doing so, REALTORS® must balance state-imposed record keeping requirements with federal law, namely the Fair and Accurate Credit Transactions Act of 2003.
Arizona Record Keeping Requirements
Arizona state law mandates a number of record keeping requirements, including those imposed upon members of the real estate industry. For example:
- Each licensed employing broker must retain completed transaction and employee files for a period of at least five years from the date of the termination of the transaction or employment. See A.R.S. § 32.2151.01(A).
- Property management firms must keep a residential rental agreement and related residential rental agreement documents for one year from the expiration of the rental agreement or until the rental agreement and related documents are given to the owner at the termination of any property management agreement. See A.R.S. § 32.2175(A).
- Property management firms must keep all financial records pertaining to clients for at least three years from the date each document was executed, including bank statements, canceled checks or bank generated check images, deposit slips, bank receipts, receipts and disbursement journals, owner statements, client ledgers and applicable bills, invoices and statements. See A.R.S. § 32.2151.01(C).
While the Arizona Department of Real Estate audits compliance with state statutes, REALTORS® must also consider how to properly dispose of records once their retention obligations are at an end.
The Fair and Accurate Credit Transactions Act of 2003
The Fair and Accurate Credit Transactions Act of 2003 (FACTA), 15 U.S.C. § 1681, regulates the disposal of consumer credit information in an effort to reduce the risk of consumer fraud, including cyberfraud. Any business or individual who uses a consumer report for a business purpose is subject to the requirements imposed by FACTA, and failure to comply can result in per-violation liability that may prove to be very expensive.
Under FACTA, any person or entity that maintains or otherwise possesses “consumer information” for a business purpose must properly dispose of such information by taking reasonable measures to protect against unauthorized access to or use of the information in connection with disposal. See 16 CFR 682.3(a).
Consumer information is defined as any record about an individual, whether in paper, electronic or other form, that is a consumer report or is derived from a consumer report. Consumer information also means a compilation of such records. See 16 CFR 682.1(b).
Real estate firms are governed by FACTA, along with lenders, brokers/agents, landlords, property managers, title agents, and short sale negotiators, all of whom maintain significant amounts of confidential third-party information. For example, short sale applications, rental applications, credit reports and leases all contain personal information of the nature targeted by cyber criminals.
So, what constitutes proper disposal? Generally speaking, the disposal rule mandates practices that are reasonable and appropriate to prevent unauthorized access or use of consumer information.
According to the Federal Trade Commission (FTC), the standard for proper disposal is flexible and allows those covered by FACTA to reasonably determine what measures are appropriate based, in part, on the sensitivity of the information, the costs of compliance, and advances in technology. While FACTA does not dictate specific disposal measures, the FTC provides examples of disposal methods that may prove appropriate, such as:
- Burning or shredding papers;
- Destroying or erasing electronic files so that the information cannot be reconstructed; and
- Retaining a document destruction contractor, after due diligence on the company is performed.¹
Businesses and individuals governed by FACTA must also consider that it requires them to protect against unauthorized access to or use of confidential information in conjunction with its disposal. The FTC has emphasized that this requirement applies both during and after the disposal process and affects not only the processes and procedures employed, but also the personnel retained to implement them.
As recommended by the National Association of REALTORS®, brokers should consider establishing and implementing internal policies and procedures dictating how confidential information is handled, and the manner in which it is disposed. These guidelines should include such things as defining confidential information, explaining how the information will be stored and transmitted, setting timelines for retention and destruction, and outlining procedures by which consumer information, including that in digital form, will be purged.
Clearly, the threat of data breach and cybercrime has changed the landscape, and as a result, the days of simply tossing files and reports in the garbage are over.
Scott M. Drucker, Esq., a licensed Arizona attorney, is General Counsel for the Arizona Association of REALTORS® serving as the primary legal advisor to the association. This article is of a general nature and reflects only the opinion of the author at the time it was drafted. It is not intended as definitive legal advice, and you should not act upon it without seeking independent legal counsel.
¹ The National Association for Information Destruction is a Phoenix-based trade group that certifies destruction contractors and dictates standards for the industry.