The importance of your client’s data – has your agency been breached?

Client data and the protection of it is a hot topic at the moment, and just as companies like the currently besieged Optus collect and are responsible for the safety of thousands of clients’ data, so too are real estate agencies.

As a business, obtaining your clients’ personal information can be invaluable. It gives you critical insight into your customers, and allows you to develop marketing strategies and build your agency moving forward.

Why privacy matters

To your clients, their personal information is just that – personal, and they want it protected. That’s why your privacy practices matter.

They matter to your clients, and they should matter to you, because data breaches can have serious consequences, both for your clients and your agency. 

There can be massive financial consequences if you are found to be in breach of the Privacy Act, with a possible fine of $2.1 million for each breach.

In addition to the financial implications, a data breach, if not handled correctly, has the potential to damage your business in terms of immediate client numbers, reputation and future business.

Data breaches can be caused by a range of different factors, such as vulnerabilities in your system, hacking from outside sources, or even mismanagement of your privacy practices. 

To avoid this, it is important agency owners and staff members make informed and considered decisions regarding client data and the processes employed to collect, store, and use personal information.

When it comes to your privacy practices there are several factors you need to consider, including:

  • Increasing client confidence in your agency and improving your reputation through proper management of your privacy practices.
  • Avoiding the most common privacy issue – email scammers. Are you aware of email scammers, how they work, the damage they can wreak, and how you can avoid them?
  • Compliance with the privacy laws to avoid hefty fines, locking up confidential paperwork, keeping private calls private and plenty more. 

In the majority of cases, data breaches aren’t done on purpose. 

Often it’s not even about taking shortcuts. Lack of understanding, lack of knowledge, lack of foolproof process and even third parties are often to blame. 

One mortgage broker client of mine inadvertently caused a large data breach when online forms that clients filled in to apply for a mortgage – including names, addresses, identity documents, bank account details and pay slips – were not secured behind a security wall.

In another case, a CRM data migration of 14,000 individuals was accidentally sent to an external person overseas. In this case it wasn’t super sensitive information but, as fines are per breach, this had the potential to cost the client billions of dollars.

What to do if your client data is breached

  1. Lock the breach down

Time is of the essence here, so as soon as you become aware of a breach you should do all you can to stop or correct it.

In the case of the mortgage broker client, they simply removed public access to the page the data was on.

But the CRM migration breach was a little trickier to solve, with the client sending a private detective to knock on the email recipient’s door overseas, asking them to delete the email and sign a statutory declaration to say the data had been deleted and would not be used.

  2. Notify the privacy commissioner and your clients

Next you need to assess whether the data breach is likely to cause serious harm to the affected individuals.

If it is, and you haven’t been able to lock the breach down, you need to notify the privacy commissioner and every affected person.

The law says you need to notify them in the way you’d normally communicate with them, which is usually via email. If you can’t notify each individual then you need to advertise the data breach in a publication that circulates in the area where people’s information was breached.

The items that need to be included in your notifications include:

  • the nature of the breach
  • how the breach occurred
  • the information affected
  • actions the affected parties could take to protect themselves (such as contacting their bank to change account passwords)
  • how they can contact you if they have any questions.

The time frame you need to work in is tight. You have only 30 days between finding out about the breach and notifying everyone.

  3. Prepare scripts

We help our clients prepare scripts and, if they’re a large agency, have their communications team ready so when people ring in, they know what to say and how to help. 

With smaller agencies we supply their frontline staff with those scripts. 

This is an important part of the process because you want to be able to calm your clients down, reassure them that you have the situation under control and instill confidence in them. 

Where to now

The moral of the story? Understand data protocols, and develop a data breach response plan, to allow swift action and avoid financial and legal consequences.  

I’ve helped numerous clients with data breaches but because we’ve done the right thing and locked the breach down, advised the individuals, and advised the commissioner, none of my clients have been fined. 

Client data is one of the most effective ways to grow your agency, network, and brand. However, the more client data you hold, the greater the possibility of a data breach.

A data breach can cause serious damage to your reputation and business operations.

There are some questions you should ask yourself:

  • Do your clients know about your privacy practices? 
  • Are they confident with letting you collect and store their personal information? 
  • Are you aware that in the case of a breach you may be required to notify the affected individuals and the OAIC under the Notifiable Data Breaches Scheme?

Sometimes, all it takes is one scam email or hacking of your systems to bring your entire agency down. 

So, get on top of your privacy framework before it becomes a problem.

At O*NO Legal, we have a range of DIY guided privacy templates and packages available to ensure you do your agency privacy the right way – including a data breach response plan, privacy collection notices, privacy handbook, and privacy policy.

Kristen Porter

Kristen Porter is a legal practitioner specialising in real estate, property management and privacy laws. She is the founding Director of O*NO Legal The Real Estate Agents' Lawyer.

Partner Content

This post is promoted by Elite Agent on behalf of one of our commercial partners (advertisers).