Real Estate Horizons

Real Estate Horizons is a snapshot of key legal topics and market trends across the globe.

Data breach and cyber security incident exposure in the European real estate industry

By Christian Tinnefeld

Over the past decade, the number of cyber attacks and data breaches has been rising globally, with public announcements of new security incidents on an almost daily basis.

Booming proptech services and digital innovation in smart home products and intelligent building concepts open numerous opportunities to reduce costs, increase efficiency and gain new market share for property owners, managers, developers, and real estate insurance companies.

Likewise, the use of internet of things (IoT) services and connected devices, and the ability to access facilities remotely and to steer smart technology deployed in buildings, create the risk of abuse, service interruption, and accidental or unlawful destruction, loss, alteration of, or access to personal data and business information stored or otherwise processed by these new digital real estate gadgets.

But even the more traditional means of processing personal information could be affected: CCTV recordings in shopping malls, hotel guest databases and CRM systems, company websites, and email exchange servers for business communication with vendors and customers are all suitable targets for cyber-attackers.

Regulatory requirements and enforcement in the EU

While data breaches are a global phenomenon, imposing technical challenges on companies on a worldwide scale, recent legislation established particular hurdles for real estate companies in Europe. With the General Data Protection Regulation (EU) 2016/679 on the protection of personal data and on the free movement of such data (GDPR) coming into effect in May 2018, data controllers have to notify the data protection authorities (DPAs) of any data breach within 72 hours after having become aware of it.

This short timeframe does not leave much time for a reasonable business decision unless the company is well prepared with a diligent incident response plan. This three-day deadline introduced by the GDPR is even more relevant, since non-compliance with the notification obligation can trigger considerable fines up to EUR10 million or up to 2% of the total worldwide annual turnover of the preceding financial year, whichever is higher, as well as other sanctions.

Recent enforcement by DPAs all over Europe shows that companies that are unprepared to respond to a cyber security incident in time run a realistic risk of being subject to administrative proceedings and enforcement actions by DPAs, regardless of the European member state in which the incident takes place.

For example, in the UK a hotel group was ordered by the Information Commissioner's Office (ICO) to pay a EUR110 million fine in 2018 for being hacked and having exposed hundreds of millions of datasets of its guests. In June 2019, the French supervisory authority (CNIL) sanctioned a company specializing in real estate for not having applied reasonable IT security and access control to its company website and the confidential information uploaded by its customers. The Dutch and German DPAs have also established rules and models for calculating fines for GDPR infringements.

Risk mitigation

Since data breaches can lead to long-standing reputational damage for companies and cause severe financial losses by regulatory fines and remediation costs, companies in the real estate industry should take different steps to mitigate the risks associated with the digital innovation of the business.

Firstly, they should perform a technical due diligence of their IoT services, connected devices, and smart technology used in their properties, services, and products.

Secondly, they should review the commercial contracts with all IT service providers, hardware retailers, and system integrators for security standards applied, notification obligations imposed, and support services agreed in case of an IT security incident.

Thirdly, and based on the findings of the first two steps, they should reasonably invest in state-of-the-art cyber security technologies to prevent and detect security threats and incidents, test the availability and resilience of their digital infrastructure, and form an incident response team responsible for taking appropriate steps in the event of a data breach.

An investment in digital devices and smart technology should always go hand-in-hand with an investment in appropriate cyber security and digital protection.

Originally published in the EG Global Cities Guide.