Security Management Of Letting Agent

Introduction

Behind the owner occupation, private rented industry has increased its dominance and market share in the UK over the past decades becoming the second largest tenure. Letting agents are appointed by landlord to find tenants and occasionally given responsibility to manage the property. Before letting a property such as a house, the agents normally may have to obtain and access potential tenants information that include financial records, addresses, contacts, and email), and, at times, police records, which are confidential information. In addition to clients’ security concerns, reports have emerged of letting agents being attacked physically or verbally or disappearing while showing a client around a property raising concerns around personal safety as well as within the entire industry. As such, this paper reviews critically the security management of the letting agents analysing in particularly the security policies, working practices, data protection, and legal regulatory requirement in the industry.

Security concern in real estate industry

According to the study conducted by Mani et al. (2014), the real estate industry is one of the many industries with low security structures in place in spite increasing heightening threats and vulnerability faced. In addition to physical threats, Dobrian (2015) argued that cyber security vulnerability emanating from email compromise (BEC), SMS fraud, Mortgage Closing Wire Scam, Ransomware, Generic Malware, and Cloud computing providers. Following potential held by Short Messaging Service (SMS) on connecting tenants and agents easing reaching out to potential tenants and management process coupled with being cost effective and efficient (consumer-targeted approach) where the agents can follow up with clients via text, has opened door to fraudsters who can communicate or track the whereabouts of clients. According to Panagopoulos & Vlamis (2009) and Campos (2018), the industry has, in recent time, integrated information system extensively that include storage and transfer of both costumers’ personal details and that of employees putting at risk privacy and individual security.

Investigating the information security in South Australian real estate industry, Mani et al. (2014) indicated that customers are always concerned on giving out their personal information that include copies of bank statements, home address, phone number, and Identification or Social Security number to the agencies but trusting their privacy and security would be infringed as result. The findings pointed the need for integrating structures and ensuring staff and consumers aware of the threat associated with online environment and complexities linked to it through promotion of culture information security and being aware of current cybercrimes. Brinkmann (2009) pointed that addressing the problem and protecting integrity and confidentiality of the customers and companies in the industry require taking into account people, process, and technology. According to Nelen (2008) and Grant (2015), organizations need to have in place prevention structures deterring unauthorised individuals from accessing its information and communication structures through integration of stronger hardware whether at cellular or online levels. Studies have proposed an inclusive incorporating the customers (tenants and potential customers) and letting agents in formulating policies and standards, designing, and implementing secure infrastructure in the industry (Grant, 2015; Brinkmann, 2009; Nelen, 2008).

Security Management of Letting Agent (SMS) Policies

Security issues brought by storage of sensitive data, data sharing, privilege information, and transactions have increasingly became a major concern on both public and business spectrum. Mobile malware installed by unauthorised persons into corporate IT systems can capture the information including enquiry or personal information sent through agent-tenant communication heightening identify or financial information theft. Currently, limited findings from scholars exist on the need or approach adopted to mitigate security threats associated with tenants-agent (landlord) SMS communication. Nevertheless, according to Souppaya and Scarfone (2013), responsibility of inherent security concerns that include confidentiality and integrity lies squarely on the organization entrusted by its customers and should be prioritised and acts as central to security practices. Research the effects of trust, security, and privacy in social networking, Shin (2010) noted that perceived security, trust, beliefs, and perceived privacy should be based on cognitive and affective attitudes of involved persons.

Although the study was based on healthcare sector, Huang et al. (2009) argued that security policies aligned to text messaging reflects the nature of service offered by the agency, its size, as well as reliance to this form of communication hence its formulation should be based on tenants concerns, needs, and beliefs. Before formulation of SMS security policies the agents should have clear and deep understanding of nature and environment in which the agency operates. In their research, Cushman et al. (2010) pointed that structures stipulating things and content communicated by text as well as penalties for not adhering to such are core the security measures. Although letting agency may have structure and comprehensive policies, the problem with monitoring and safeguarding features, which ensure agents do not text message out of the context or allowable, may severely limit ensure policies. Essentially, business entities need to ensure tenants agree to be receiving update from letting agents through texts message through either invite of including in lease agreement. According to Laudon & Traver (2016), organizations have to confirm success of the request or invite sent to tenants eliminates any risks that may occur in sending sensitive information to wrong individuals.

Working Practices

Study conducted investigating security challenges associated with texting personal information within different industries suggested such approaches as creation of private network allowing monitoring of user activity build with controls of retracting or deleting message remotely on stolen or lost cellular phones (Cushman et al., 2010; Huang, et al., 2009; Smith et al., 2011). Reamer (2013) proposed having a centralised network with authentication feature that require username and identification pin before sending or receiving messages as standard by the agency in order to enhance security. The letting agents should have working culture and standards that foster integrity and hold personal information that include financial records and addresses with confidentiality. Building from study on texting messaging in healthcare, Bélanger & Crossler (2011) and Drolet et al. (2017) held that physical, technical, and administrative of an organization goes a long way in determining the compliance of the security measures set in place.

Legal Regulatory Requirement

Broadly, regulations applicable in the European region require institutions and business entities to protect personal information that include identify and financial information with guidelines demanding implementation of risk management process and measures aimed at addressing identified threats in addition to assessment of security risks. Within European Union, laws have been enacted regulating ways in which business entities protect personal data. Formulated to replace Data Protection Directive coming into force in 2018, the General Data Protection Regulation (GDPR) was formulated with aim of creating more consistence in protecting consumers’ privacy and personal information (Voigt, & Von dem Bussche, 2017; Carey, 2018). Key elements of the regulation are stipulations requiring organizations to seeking consumers’ consent before processing data notify relevant individuals and authorities in the event of data breach. Additionally, it mandates firms to structure its platforms to handle safely information during transfer ensuring infrastructure and personnel maintain confidentiality and integrity. These principles are grounded on the fostering privacy as core element during designing and implementation of data collection process while ensuring the organizational activities and structures are embedded linking the data-holder and clients. As elaborated by Koops & Leenes (2014), in order to hold organizations accountable to any data breach or misuse of personal information demand setting in place measures and technical features as well as being in position to demonstrate approaches formulated and effectiveness when requested by regulatory bodies.

Building on the principles of the regulation, Bello et al. (2015) held the view that managing confidential data will influence significantly the individuals who are rely on the personal information to offer services because of the legal requirements around storage, transmission, and consent of such data as individual addresses, personal information, and financial records. Research on the place held by dynamic consent in the 21st century organizational operating environment where it centres personalised and privacy facilitating a platform where participants decisions are centred. In context of data protection and privacy whether at individual or group levels, Hallinan et al. (2012) considered relation of upholding data protection, group privacy, and security in ‘real’ world outlining that the process is not as easy as it seems where in addition to structure feature required, challenges related to internet regulation, data protection, and legal pluralism especially over transborder transfer it can be problematic monitoring.

Broadly, organizations such as those operating in the tenancy and property management industry handling personal records and information are required to obtain such information lawfully and subsequent manage it in a manner that protects it from misuse and exploitation while respecting the owners’ of the data. As such, in addition to consulting the tenants requesting personal data, the letting agents should be aware that such information are protected under law and are subject to facing penalties in the event that they misuse such as texting the tenants without consent or sharing with other parties. In essence, data protection demands rigorous regulations with standards on handling data and information, compelling accountability and transparency, fulfilment of individual rights, and subject to checks and balance. Although the concept of individual privacy varies widely across societies, it holds a socially-agreed aspect of respecting private and family life of an individual while data protection lie within processing data that can identify a person or can infringe on one’s privacy.

Dig deeper into Understanding Data and the Imperative of Data Security with our selection of articles.

References

Appari, A., & Johnson, M. E. (2010). Information security and privacy in healthcare: current state of research. International journal of Internet and enterprise management, 6(4), 279-314.
Bélanger, F., & Crossler, R. E. (2011). Privacy in the digital age: a review of information privacy research in information systems. MIS quarterly, 35(4), 1017-1042.
Bello G., A., Armarego, J., & Murray, D. (2015). Bring your own device organizational information security and privacy. ARPN Journal of Engineering and Applied Sciences, 10(3), 1279-1287.
Brinkmann, J. (2009). Putting ethics on the agenda for real estate agents. Journal of Business Ethics, 88(1), 65-82.
Carey, P. (2018). Data protection: a practical guide to UK and EU law. Oxford University Press, Inc..
Cushman, R., Froomkin, A. M., Cava, A., Abril, P., & Goodman, K. W. (2010). Ethical, legal and social issues for personal health records and applications. Journal of biomedical informatics, 43(5), S51-S55.
Dobrian, J. (2015). Are you sitting on a cyber security bombshell?. Journal of Property Management, 80(5), 8-12.
Drolet, B. C., Marwaha, J. S., Hyatt, B., Blazar, P. E., & Lifchez, S. D. (2017). Electronic communication of protected health information: privacy, security, and HIPAA compliance. The Journal of hand surgery, 42(6), 411-416.
Grant, J. (2015). Address Confidentiality and Real Property Records: Safeguarding Interests in Land While Protecting Battered Women. Minn. L. Rev., 100, 2577.
Hallinan, D., Friedewald, M., & McCarthy, P. (2012). Citizens' perceptions of data protection and privacy in Europe. Computer law & security review, 28(3), 263-272.
Huang, L. C., Chu, H. C., Lien, C. Y., Hsiao, C. H., & Kao, T. (2009). Privacy preservation and information security protection for patients’ portable electronic health records. Computers in Biology and Medicine, 39(9), 743-750.
Kaye, J., Whitley, E. A., Lund, D., Morrison, M., Teare, H., & Melham, K. (2015). Dynamic consent: a patient interface for twenty-first century research networks. European Journal of Human Genetics, 23(2), 141.
Koops, B. J., & Leenes, R. (2014). Privacy regulation cannot be hardcoded. A critical comment on the ‘privacy by design’provision in data-protection law. International Review of Law, Computers & Technology, 28(2), 159-171.
Kuner, C. (2013). Transborder data flow regulation and data privacy law. Oxford: Oxford University Press.
Laudon, K. C., & Traver, C. G. (2016). E-commerce: business, technology, society.
Mani, D., Raymond Choo, K.K. and Mubarak, S. (2014). Information security in the South Australian real estate industry: A study of 40 real estate organisations. Information Management & Computer Security, 22(1), pp.24-41.
Nelen, H. (2008). Real estate and serious forms of crime. International Journal of Social Economics, 35(10), 751-762.
Panagopoulos, Y., & Vlamis, P. (2009). Real estate information technology: bank lending, real estate bubbles, and Basel II. Journal of Real Estate Literature, 17(2), 293-310. Nappi-Choulet, I., & de Campos R., G. (2018). New Technology and New Data in Real Estate (No. eres2018_86). European Real Estate Society (ERES).
Reamer, F. G. (2013). Social work in a digital age: Ethical and risk management challenges. Social work, 58(2), 163-172.
Shin, D. H. (2010). The effects of trust, security, and privacy in social networking: A security-based approach to understand the pattern of adoption. Interacting with computers, 22(5), 428-438.
Smith, H. J., Dinev, T., & Xu, H. (2011). Information privacy research: an interdisciplinary review. MIS quarterly, 35(4), 989-1016.
Souppaya, M. and Scarfone, K. (2013). Guidelines for managing the security of mobile devices in the enterprise. NIST special publication, 800, p.124.
Voigt, P., & Von dem Bussche, A. (2017). The EU General Data Protection Regulation (GDPR). A Practical Guide, 1st Ed., Cham: Springer International Publishing.