SEEMINGLY every week, another corporation, institution or government entity announces that it has been the victim of a data breach. Yet the September 2014 announcement of a breach at Essex Property Trust, a real estate investment trust (REIT) which owns and operates apartment buildings on the West Coast, may be the most noteworthy despite being the lowest profile. Moreover, it could be harbinger of problems for renters and landlords alike, as the data apartment owners possess is far more detailed and personal than that held by retailers.
What Data Do Apartment Owners Have and Where Does it Go?
Think back to the last time that you or someone you know rented an apartment and you may recall the wealth of information provided on the application for the credit check. Depending on the landlord, the information usually includes detailed personal information.
Like the urban legend of the ‘space pen’ developed to counter the effects of gravity and resolved by just using a pencil, I wouldn’t be surprised to learn that the most secure and cost effective defense against data breaches is to simply unplug the computers. Alas, there’s no going back to the electronic Stone Age, and apartment owners have evolved to better meet and serve their key customers – namely the under 34 years old cohort – by going online and mobile. By allowing for online applications and rental payments, the most confidential data that was previously stored locally has been digitized.
Why is this Valuable?
Depending on the data available, cyber criminals could look to utilize it in a few ways. The first would be so-called phishing attacks, whereby the criminals pretend to be the retailer or financial institution and attempt to lure consumers into providing more personal information or money. The second would be using stolen credit card numbers to make unauthorized purchases. And the third would be identity theft, when criminals have sufficient information to open new accounts in someone else’s name.
Isolated Incident or Precursor?
In addition to Essex’s breach, retailers including Home Depot, Neiman Marcus, Sears, Supervalu, and Target, and financial institutions such as Fidelity Investments and J.P Morgan have all reported breaches over the past few months with the effects ranging in breadth and depth. In the case of J.P. Morgan, 76 million households and 8 million small business accounts were affected, while the breach at Sony Pictures resulted in the release of corporate secrets, including future products, employee compensation and health-care records and other items.
The infiltrations have originated both domestically and abroad, led by individual hackers to government-sponsored programs and, depending on the target, have sought to harvest personal information or corporate secrets or disrupt operations. The threat has grown so large and consequences so real as to be emphasized by President Obama during his 2013 State of the Union Address. Tellingly, the CEO of FireEye (a provider of cyber security) was recently quoted as saying “97% of all companies are getting breached.” Data breaches and security are here to stay.
Who owns apartments and why may their systems be at risk?
This brings us to the ability of apartment owners generally, and apartment REITs’ specifically, to defend against breaches. In theory, REITs are better positioned relative to smaller owners, yet their budgets likely pale in comparison to that of the multi-national retailers and financial institutions that themselves cannot prevent breaches. We believe security and information technology expenditures have a fixed cost component and there is generally a linear relationship between the absolute budget and the robustness of the program. J.P. Morgan announced that it would likely double its spending on cyber security alone to $500 million over the next few years. In comparison, the average apartment REIT spends $35 million per year on general and administrative expenses and $365 million on all property operating expenses.
So what does this mean going forward?
For renters, the risks are unavoidable for the time being and the likelihood of an issue will depend on the efforts of their landlords. From a strategic perspective, I think senior management teams and boards of directors endeavor to follow best practices and will increase their focus on data security. Best practices and investments could be employed on a cooperative basis across the industry, thus increasing scalability.
The risk to leasing prospects is materially less than that to retailer sales because of REITs’ lower profile. However, there will likely be some pressure on operating margins given increases in preventative measures and insurance. The unanswered long-term question is what the contingent liabilities may be for costs associated with breaches that are not completely covered by insurance policies. (By Britton Cost)
Link: http://thewhyforum.com/articles/front-door-locks-won-t-keep-this-data-safe
20
