Data privacy is a hot topic today, and security breaches often make headlines. Associations often collect and maintain personally identifiable information (PII) such as Social Security numbers, health information, and credit card information. Any organization that stores and maintains PII should develop and implement a comprehensive data security policy addressing how the business collects, shares, protects, and destroys that information.
State laws define PII in different ways, though most state laws provide that an individual’s first name or initial and last name, when held in conjunction with one or more of the following items of information, constitutes PII:
- Social Security number
- Driver’s license or state ID card number
- Financial account, credit card, or debit card number in combination with a security code, access code, or password that permits access to the individual’s account
Some state law definitions are broader, however. For example, the California Consumer Privacy Act broadly defines “personal information” as “information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.”
This covers a person’s real name, address, email address, Social Security number, driver’s license or state ID, biometric information, credit card and bank account information, medical information, and even internet activity such as a browser history. Confirming how the laws applicable to your association define PII will help you get a handle on what PII you have in your association data.
Which Laws Are Applicable?
A familiarity with the data security and privacy laws applicable to the REALTOR® association is key to drafting a legally compliant data security policy. While federal data security requirements are not applicable to associations, all 50 states and Washington, D.C., have enacted security breach notification laws, and many states have enacted laws governing the disposal of PII.
Three states—California, Colorado, and Virginia—have passed comprehensive data privacy legislation, which provides consumers with a set of rights related to their PII. Keep in mind that many state data security and privacy laws apply to any business that does business with, or maintains the PII of, that state’s residents. If your association does business with or maintains PII for out-of-state residents, it may be subject to those states’ laws in addition to those of its home state.
Your Data Security Policy
Once your association is familiar with the applicable data security laws, the next step is to create a legally compliant data security policy. The Federal Trade Commission recommends the following five key principles in building a policy:
- Take stock. Audit what types of PII your organization maintains and why, who has access to PII, how PII is collected, and how PII is disposed.
- Scale down. Don’t collect unnecessary PII, and only keep PII for as long as is necessary.
- Lock it. Establish a protection plan for any PII the association collects, including physical and electronic security. Investigate the security practices of any third-party vendors with which the association engages.
- Pitch it. Develop a document retention policy that provides for proper disposal of collected PII. Simply deleting files from a computer is usually not enough to make a file inaccessible or irretrievable.
- Plan ahead. Develop a policy that addresses what to do in the event of a security breach. Remember that your association’s security breach policy must comply with the state laws to which it is subject.
Data Privacy and COVID-19
With limited exceptions, the Americans with Disabilities Act requires employers to keep all employee medical information confidential, including an employee’s diagnosis or treatment, whether an employee is on leave due to COVID-19, and an employee’s vaccination status. All confidential medical information should be stored separately from an employee’s personnel file. Some states offer guidance about maintaining employee vaccination records, so check with your state authorities for further guidance.
Be sure to check out NAR’s Data Privacy Toolkit. It features numerous resources, including checklists, a sample written data security program, best practices for drafting a data security breach notification, and model privacy policies.