Few multiple listing services enforce password policies protecting real estate clients’ sensitive data from unauthorized access and few require strong passwords, respondents to an industry survey said, according to the data security company that conducted the survey.
“Respondents believe few MLSs enforce password policies that strongly protect MLS databases from unauthorized access,” RSA Security Wednesday said of its May real estate industry survey. “More than half of those surveyed say their MLS does not require strong passwords (e.g., passwords containing letters, numbers and symbols, or passwords more than 15 characters long).”
The survey was conducted online between May 5 and May 9, with 546 industry professionals – 54 percent of whom were real estate agents, 20 percent of whom were real estate brokers, 16 percent of whom were association executives, staff or board members – participating, the Bedford, Mass.-based company said.
Property addresses, showing instructions and the seller’s name are some of the sensitive details that are often stored in the MLS database, survey respondents said.
The security of online information became a hot-button issue in 2005 when shareholders launched a class-action lawsuit against ChoicePoint and top executives after it was revealed that identity thieves had accessed individual’s sensitive information collected by the company.
Concern over identity theft continued to soar after news of information theft from LexisNexis and others surfaced. Late last year, the nonprofit Identity Theft Resource Center in San Diego reported 110 security breaches affecting 56.3 million individuals in the United States.
There is not a single way to protect real estate property listings information — rather, there are several ways, industry experts say. And multiple listing services should fortify their defenses on several fronts and prepare for offensive strikes, too, if they are to successfully combat data thievery and misuse, say legal experts.
In light of this information, the news from RSA’s survey is troubling. In the study, 59 percent of the respondents said their MLS does not require password changes — a generally accepted industry standard.
“It is a standard that passwords are changed periodically. Every company has its own standard as to when passwords are changed, but clearly, having the same password for months and months at a time is not a good security practice,” said Russ Cofano, real estate attorney and consultant.
A key vulnerability in data security for MLSs is password sharing, industry experts say. In the survey, 34 percent of all respondents said they knew of MLS members who shared login information with non-members, and 54 percent of MLS executives, staff and board members said they were aware of such sharing.
“It’s not just MLSs. It’s called the insider threat. In many cases, it’s more extreme than threats from outside. Corporations lose millions and millions of dollars due to insider leaks,” said Cofano.
Additionally, 37 percent of MLS respondents said they knew of instances where MLS members shared login information with clients, so that clients could search listings on their own. In contrast, 17 percent of agents said they knew of such sharing.
Unauthorized selling of MLS listing data to third parties such as moving companies was reported by 20 percent of those surveyed.
Among the respondents who identified themselves as MLS executives, staff and board members, 60 percent said they believed steps taken to secure listing data were less than adequate.
“This is cause for concern,” said Cofano of the survey’s results. “At the end of the day, while not all information that’s held within the MLS can be deemed sensitive, there certainly is some you want to protect with reasonable security. So having basic security practices in addition to higher-level security practices makes sense.
“If you take into account that there are hundreds of MLSs across the country, they have just not spent the money and resources to address this issue. Some have, and some are using best practices. But I would say the majority have not,” the attorney said.