Jill Chodorov, a real estate agent with Long & Foster, writes an occasional column about local market trends and housing issues.
Homebuyers beware. If you are nervous about having your financial information hacked when purchasing linens for your new home at Target, have you considered how easily your private data can be lifted from your mortgage company or real estate broker during the home-buying process?
If you haven’t thought about it, maybe it is high time that you did.
In a recent study conducted by HALOCK Security Labs, a cyber security consulting firm based in Schaumburg, Ill., it was discovered that seven out of 10 mortgage companies allow information-sharing practices that put your personal and financial data at grave risk.
According to Terry Kurzynksi, founder and senior partner of HALOCK, “the entire [real estate industry] ecosystem is bad.” Kurzynski used Experian’s (one of the three major credit bureaus) recent involvement in an identity theft scheme affecting 500,000 Americans as an example.
Don Frommeyer, president of the National Association of Mortgage Brokers, disputes the findings of the survey. He said people in his industry are careful with buyers’ personal information and he doubts there’s a a problem in his industry. Still, he said, consumers should feel free to inquire about lenders’ policies on handling private data.
“It is a good idea to ask your lender how they will handle your personal information and what do they do with it once they have completed your loan,” Frommeyer said. “Everything in our industry has been on lock down in the last four to five years. I find it hard to believe that only 30 percent of mortgage lenders are taking security precautions.”
Kurzynski said he believes mortgage companies aren’t the worst offenders when it comes to being careless with consumers’ personal data. “If you think that is bad, I can guarantee it is far worse with your real estate broker,” he said.
One local real estate agent, who requested anonymity because she’s not authorized to speak on such issues about her broker, said people in her industry need to do more to protect consumers’ confidential information.
“I see clients’ personal financial information and contracts haphazardly lying around the office all the time,” the agent said. “My broker does not have any formal policies or training in place, at least none that I know of.”
Melanie Wyne, senior technology policy representative in the Government Affairs Division of the National Association of Realtors (NAR), said it adopted a set of best practices for the industry in 2009.
“I wouldn’t say there was a particular incident,” Wyne said regarding the reason for establishing these best practices. “As of today, 46 out of 50 states have data breach notification laws. Given these state level laws and the fact that a federal law is expected soon, we wanted our members to get ahead before the federal law is put in place. We want our members to be prepared.”
In 2011, NAR published the Data Security and Privacy Toolkit for its members to use as a guideline for best practices regarding information security.
“The first question we need to ask ourselves is do we even need to collect the information that we are collecting,” Wyne said. “A common practice among some agents is to collect drivers license information. But if you hold on to that information, it becomes a liability.”
“Brokers and their agents also need to understand how to properly dispose of information. You don’t just put loan documents in a trash can,” Wyne said.
Starting in May, NAR will offer its members an online training course on best practices, which will be good for continuing education credits.
Michael Moran, chief executive of the Greater Capital Association of Realtors, said that it has never received complaints from consumers about the security of their personal data. Asked if any policies or protocol have been put in place for its members, Moran said, “We have discussed it, but nothing has been done yet.”
“I would hope that agents are doing their best to protect their personal computers,” Moran added. “ I would assume brokers are sensitive to this, as most of this [data sharing] occurs on their servers.”
Some local brokers are taking this issue very seriously. Jason Sherman, co-chief executive of Real Living At Home, a small brokerage firm based in Chevy Chase, D.C., says he goes “above and beyond” to ensure his clients’ personal information is protected.
“It came naturally once we decided we wanted to provide a paperless service,” Sherman said in explaining why data security is so important to him and his firm. “The first question was what do I have to do to make sure our clients’ data is protected.”
“I am a lawyer, so I wanted to know how to handle our clients’ personal data legally,” Sherman added. “We talked to our legal counsel about what we needed to do. We talked to our server host to find out what they were doing to protect our data. And we train our agents that you don’t take information that you don’t need and you don’t keep information that you don’t need to keep.”
So what can consumers do?
Sherman suggested that home buyers and sellers not just hand over their information without inquiring why it’s needed and how it will be handled. “Don’t just ask a lender what is your [interest] rate, but also ask what they are doing to protect your personal information,” he said.
Kurzynski of HALOCK suggested that agents and mortgage officials share confidential information through what is known in the cyber security industry as a “secured transfer portal.”
“Lenders and agents can still use e-mail as a way to communicate with their clients. The client just clicks the link and uploads tax returns and other documents in an encrypted session,” Kurzynski said. “It is that easy.”
So why aren’t all lenders and brokers using secured transfer portals? “I just don’t have a good answer for that,” Kurzynski said. “When I ask lenders, off the record they say they don’t want anything extra to explain to the consumer or create any extra delays.”
But even that method isn’t a guarantee that the confidential information won’t fall into the wrong hands.
“Of course, your information is only as secure as how well it is handled after it is downloaded from the portal. That is another conversation,” Kurzynski said.
Kurzynski’s tip to consumers is to “push back.” Kurzynski suggested that “you tell your lender and broker that you need to know that your data is secure through the entire process.”
Courtney Noles, director of business development with Lore Systems, a Silver Spring-based company specializing in IT infrastructure, offered several tips to safeguard against financial data leakage and identify theft.
“When sharing personal information with a lender or real estate agent via e-mail, use an encrypted file and e-mail the password separately. An even more secure way would be to encrypt the file and text the password separately,” Noles said in an e-mail.
“When selecting a real estate agent,” Noles added, “stress the need for e-mail encryption if financial data is being sent over the Internet. If they do not know much about the topic, then it is likely that the broker they work for is not being careful with sensitive data. Continue to search for an appropriate partner for your home-buying process.”
Here are some more tips for homebuyers:
• Ask your real estate agent and lender if they have security software installed on their computers.
• Ask if their computer is password protected.
• Ask who will have access to your personal information and how will it be disposed of when the transaction is complete.
• Don’t send personal information over your laptop or phone on a public wireless network.
• Use encryption software when sending information over the Internet.
• Be alert to impersonators.
• Don’t send personal information to a lender you find online. Get a referral.
•Don’t overshare information on social networking sites about a home purchase.
“We don’t want our clients to worry about those things when doing business with us,” Sherman said. “But we live in a dangerous world. The consumer does have to be careful.”
Previous Jill Chodorov columns:
Jill Chodorov can be reached at email@example.com.