REAL ESTATE: Effective data privacy: Improving customer trust in the COVID-19 era
This content originally appeared on Realcomm.com.
In an era of digital interconnectivity, commercial real estate (CRE) companies are rushing to deliver personalized tenant and occupier experiences via connected technology solutions. At the same time, the COVID-19 crisis has created an unprecedented disruption in workplace models, procedures and locations. In response to the pandemic, building owners are implementing remote-work technologies and processes to prepare for a future where working from home will be commonplace. They are also implementing new technologies necessary to reopen office buildings after the pandemic subsides and tools to help monitor the health of employees, visitors and customers.
During implementation, however, businesses may unwittingly create a jumble of digital assets that generate a tsunami of data about individuals, operations and facilities management, to name a few. Connected technologies also redouble the number of devices and network endpoints, which can expand the attack surface and create new entry points for malicious actors. And in response to COVID-19, CRE firms are adding technologies like temperature monitors, contact-tracing apps and location tracking that not only create new endpoint vulnerabilities but also potentially jeopardize sensitive personal information and health data.
It’s a problem that is particularly acute for CRE, a sector that has been transformed by both technology and COVID-19, but often lacks the tools and processes to safeguard information. Compared with highly regulated sectors like financial services, CRE companies typically have modest experience implementing up-to-date security and privacy safeguards.
Compounding matters, some CRE vendors have pushed new technologies into the connected ecosystem without first implementing proper security and privacy safeguards. This may be particularly true of devices and apps that are rushed to market to help combat COVID-19.
The result? Skyrocketing risks to unsecured devices, data, networks and privacy – both those of CRE companies and their downstream business partners and consumers. It’s no wonder that forward-thinking CRE executives now identify cybersecurity compromises as a critical enterprise-wide risk – one that carries potentially disastrous repercussions. While the impacts are primarily financial and operational, a highly public data compromise can severely damage corporate reputations. Today’s consumers are more aware of data collection and sharing practices, and often perceive privacy violations as a breach of trust and ethics – and a reason to reconsider their relationship with the business.
The impact of COVID-19
Building owners face new data-privacy challenges arising from COVID-19. Many CRE firms are implementing tools and processes designed to create a safe, healthy work environment and monitor the wellbeing of the workforce.
Some building owners are deploying radar sensors to monitor employee temperatures to facilitate reopening of buildings and to anticipate possible mandates to share health data with government agencies like the Centers for Disease Control and Prevention. Protected health information represents a significant risk because it is highly personal and regulated by the Health Information Privacy and Portability Act. Similarly, contact tracing or location apps will need to safeguard personal data.
The relationship between data privacy and ethics is essential to maintaining trust among customers and business partners. Good ethical policies dictate that organizations communicate, in plain English, what personal data is being collected, stored and shared, and for what specific purposes; organizations must carefully balance the ethical use of data and requirements imposed by governments related to national health. Protections will require updated data management processes.
The primacy of privacy
Beyond rising cyberattack risks and new vulnerabilities introduced by COVID-19, CRE companies face increased scrutiny by government regulators, which are requiring tighter data-privacy regulations. Most notable is the EU’s General Data Protection Regulation, the sweeping data-privacy law that aims to protect the personal data of EU citizens by giving them more control over how their information is used.
Closer to home, the new California Consumer Privacy Act requires that organizations fully disclose the collection and use of sensitive personal data. Businesses must be prepared to demonstrate that they have implemented “reasonable security” and processes to protect consumer information, respond to inquiries about use of personal data, and delete data on demand. Maine and Nevada have also enacted data-privacy laws, with legislation pending in a handful of other states.
These heightened rules present a fresh challenge for CRE because the industry is largely unregulated and has not been required to implement specific security controls and prove compliance. Regulation entails an unfamiliar set of processes that will likely confound CRE companies.
Another imperative is an up-to-date data management plan that enables owners to identify and map sensitive data to understand where it resides, how it is transmitted and with whom it is shared. Organizations that share data with third parties should have contractual agreements in place that spell out the partners’ cybersecurity and privacy capabilities and obligations, as well as the entities with which they can or cannot share data. Also critical is stipulating who is responsible for the loss of sensitive information resulting from a data breach.
CRE firms must understand that the notion of privacy is not constant across borders; it is both a cultural and legislative chameleon. A nation’s stance on privacy is shaped by individual expectations and government regulations, as well as market and societal norms. Also, COVID-19 is likely to continue to rewrite the rules of data privacy and regulation in ways that are not yet known.
Phases of the Privacy lifecycle:
- Policy and regulation awareness
- Data management
- Strategy and architecture
- Prioritization and implementation
- Continuous improvement
Best practices for privacy
An effective data-privacy strategy cannot be founded on a check-the-box compilation of technology controls and tools. What’s needed is a holistic approach that combines a precise mix of technologies, processes and people skills to meet current and future data-privacy threats. CRE companies should assess their current capabilities against these best practices:
- Data governance: Manages collection, storage, retention and destruction of data for specific business purposes.
- Data classification: Classifies data based on timing and its current state, and tags relevant data for analytics and proper application of relevant controls.
- Data minimization: Curbs the potential for privacy violations by limiting the collection of personal data.
- Role-based access control: Limits user-access rights to the minimum permissions employees need to perform their work.
- Health data governance: Contact tracing provides information related to individuals’ location, which is correlated with data of other individuals to help understand health risk factors.
- Regulatory compliance: Manages all evolving regulations regarding health data tracking requirements, as well as existing compliance mandates.
- Network segmentation: Divides networks into smaller zones that contain data with similar privacy requirements and allows IT to incorporate specific security controls.
- Centralized device management: A managed secure layer, often implemented in the cloud, that enables businesses to create common controls and processes for remote access to corporate networks.
- Third-party assessment: Ensures that third-party vendors agree to protect your confidential information and have a capable cybersecurity and privacy program in place to do so.
- Employee training: Establishes a privacy awareness and training program to educate users on current cybersecurity threats, data-management practices and good cybersecurity hygiene.
Addressing human factors
Data privacy is an inherently personal discipline that should reflect the human values of tenants and occupiers. That’s where “Privacy by Design” comes in. This user-centric model emphasizes individual rights to privacy, with protection of personal data the default setting for all systems and business practices. Risk is considered at the earliest stages of development, and privacy is embedded into the very fabric of IT, business processes and culture.
Privacy by Design addresses data privacy as a shared ethical value, much like businesses have adopted sustainability as a pillar of corporate responsibility. Organizations that embrace Privacy by Design will be better prepared to build a customer-focused business based on transparency, trust, and the ability to protect personal data. It’s essential to respect customer privacy while delivering a convenient, customized experience. Programs that saddle users with onerous privacy controls can make services and products frustratingly difficult to use.
A proactive approach to privacy
In a data-driven ecosystem, keeping the bad guys at bay will require that CRE companies proactively assume responsibility for data security and privacy. They must carefully assess and address their individual threat landscape, attack vectors and business processes. Also critical is regular employee training on data-privacy risks and responsibilities. What employees and stakeholders don’t know can indeed hurt the business.