We all use web-based tools today and much of our work is in the cloud, some cloud, somewhere. It’s so common that we rarely think about it anymore. But when it comes to the sensitive consumer information we’re entrusted with by our customers, we have to carefully consider which tools we use and how we use them.
When a real estate broker buys enterprise software licenses from industry technology firms, agents can expect to be protected by the service level agreements that are generally the result of a long due diligence process. The vendor will have provided the results of its third-party audits and client references to support the fact that it takes the risk of inappropriate access seriously and has many safeguards in place to guard against it. But what about more common tools that many of your customers are using today?
TechCrunch reports that Google now has over 1 billion monthly users of its Gmail software — and Microsoft, Yahoo!, Zoho and Apple also offer consumers e-mail addresses. Intuit says that 29 million small businesses are using its QuickBooks accounting software, and new cloud-based accounting software like Mint and Yodlee are becoming more popular. Sending sensitive information across and between these networks is not secure unless the user takes certain steps to ensure that it is – and maybe not even then.
David Hoelzer put it quite well in his recent (June 2016) White Paper, entitled Understanding Security Regulations in the Financial Services Industry, when he wrote:
“Compliance requires that risk assessments account for the personally identifiable information (PII) being processed, stored and accessed within the applications. Assessments must then generate reasonable controls to mitigate risks, along with documented policies and procedures, training of developers handling consumer PII, and validation of application security and detection capabilities. Looking at risk from the point of view of the consumer allows security and risk management teams to better inform the operations group of how regulators view the organization.”
The first and best rule for protecting the consumer’s PII is to abstain from using web-based consumer-facing communication tools to share information. This can be challenging in a world where getting the consumer engaged as rapidly as possible drives agents to e-mail communication. Instead, agents are urged to seek out their own real estate company’s established consumer contact policies and abide by them. These policies will doubtless drive agents to the proper tools for use in gathering the required consumer information.