How to protect sensitive information

Protecting sensitive information means knowing what information is sensitive and where it is. If you don’t know these things, you will fail to protect it.

All of your real estate business information is confidential, but some of it is sensitive information that requires special protection. “Personal information” and “financial information” are part of the more general category of “sensitive information.”

Personal information in the business context may include:

  • An employee’s email address, cell phone records, information relating to their job performance, tax information, Social Insurance Number (SIN), as well as health-related information;
  • Member or client purchases, transactions, and complaints;
  • Property appraisal documents and the selling/purchase price are the property owner’s personal information. Photos of a property may also be considered to be in this category.

Financial information includes:

  • Bank account numbers, summaries, or balances;
  • Transaction histories;
  • Debt-related information;
  • Mortgage applications/renewals;
  • Tax returns;
  • Net worth;
  • Credit reports and scores.

Other sensitive information may include:

  • Web application usernames, email addresses, passwords, addresses, and phone numbers.

Each piece of information has a different level of care prescribed for it, depending on the business needs, client expectations of privacy regarding that information, and legislative and regulatory requirements.

Remember: it’s important to understand not only what is being protected but also where that information is. This is true inside both our own operations and those of third parties to whom we have delegated responsibility for protecting the information. Take a formal inventory. What information do you collect, transmit, and store? Where is it? Look for the information in all of its electronic locations (office/ home computers, portable electronic media, mobile devices, email, voicemail), as well as information in physical form (on paper in files, in work areas, on forms and notepads, and on the hard drives in today’s modern printers and fax machines). Is any of that information in the possession of third parties – for example, a broker back-office system hosted elsewhere? Whose information is at risk in each location? Will there be legal requirements or different privacy expectations based on a person or company’s province or country of residence?

Once you understand what information needs to be protected and where it is transmitted and stored inside your operation, you can then consider the appropriate level of access control and monitoring, and what physical, electronic, and legal safeguards need to be put in place wherever such information is transmitted and stored. These formalized policies and procedures for your business will help you protect the interests of your business and your clients.

This is the sixth in a series of short articles here on CREA Café intended to help make the subject of information security more accessible – and understandable. We hope you’ll help raise information security awareness by sharing the articles within your office and through your own online community, as well. For more information on information security best practices for REALTORS®, Brokers, and Boards and Associations, please visit REALTOR Link®.

The article above is for information purposes and is not legal advice or a substitute for legal counsel.

Matt Cohen, Clareity Consulting's Chief Technologist, has over 17 years of extensive real estate technology and business experience. Real estate software and technology providers look to Matt for assistance with product planning, software design, quality assurance, usability, and information security assessments. Matt has spoken at many industry events, has been published as an author in Stefan Swanepoel’s “Trends” report and a variety of magazines, and was listed as one of Inman’s 100 Most Influential Real Estate Leaders for 2013.


Leave a Reply

Your email address will not be published. Required fields are marked *


@crea_aci