The recent ransomware attack on Cloudstar, a major cloud hosting platform used by thousands of title companies and mortgage lenders, should have the attention of all Michigan Realtors. This may be one of the most damaging cybercrimes in history as millions of consumers have had their personal and financial information stolen. Realtors have significant legal and ethical duties to safeguard their clients’ personal and financial information and these duties extend to responsibly sharing this information with title companies and lenders.
Cloudstar’s Ransomware Attack
Cloudstar suffered a major ransomware attack on Friday, July 16th, 2021, and, while the specifics of the attack have not been made publicly available, we do know that ransomware was deployed across the entire Cloudstar network. Ransomware is a type of malicious software that encrypts data on a computer system. The victim cannot access the data, or sometimes their entire software system, while under attack. If the ransom is not paid, the victim’s data may be automatically deleted after a set time, or in some instances, the data is posted or sold on nefarious websites (often referred to as the “Dark Web”).
Realtor Duties and Obligations
Under the National Association of Realtors Code of Ethics, Realtors are fiduciaries. The Code places protecting a client’s information throughout the transaction as one of the primary duties of a real estate agent*. Realtors are thus ethically bound to ensure the safety and security of a client’s personal information.
Realtors also have potential liability under the Michigan Identity Theft Protection Act**, which imposes stringent notification obligations if the cybercrime is likely to cause substantial loss or injury to a client or result in identity theft. The notification responsibilities are fairly onerous and can result in civil penalties of $250 per person, up to a maximum of $250,000 if notice is not given.
Realtor Consumer Notifications
Both listing and selling agents need to notify their clients if the client’s personal information has been compromised during a cybercrime event involving a title company or lender. Under Michigan law, a Realtor must notify their client if the client’s name and any one of the following has been exposed during a cybercrime: (1) a social security number; (2) a driver’s license number (often displayed in the photocopy of a picture ID); (3) a bank account number (on the bottom of an EMD check); or (4) a credit card number (to pay for an HOA statement). Depending on how many of these identifiers are in a client’s file, a Realtor needs to assess if there is a risk of identity theft or a potential “substantial loss or injury” to the client and then make notifications based on this assessment.
Additionally, beyond any notification obligation that may go overlooked and result in a financial penalty, a Realtor may suffer serious ethical and reputational injury if they have shared any of this data with a third party that does not have robust cybersecurity practices in place.
Protect Yourself & Protect Your Clients
A primary concern for a Realtor should be ensuring that the companies they work with are diligently working to protect their clients’ data. For example, during a “split closing”, the title company that disburses funds will have a client’s social security number, bank account number, and a copy of their driver’s license. Should the listing agent know about the cybersecurity practices of the title company handling the disbursement? Similarly, as a selling agent, the title company that works up the loan package will have vast amounts of material that need to be safeguarded. Should the selling agent know about the cybersecurity practices of the lender? The answer to both questions is an absolute yes, as so much of a client’s personal information is in the hands of the title company and/or lender.
All Realtors have an ethical obligation to know the cybersecurity practices of all parties in a real estate transaction who will come into possession of a client’s personal information.
Cybercrimes are only going to become more common in coming years. Realtors should be sure to partner with title agencies and lenders who are aware of this and are proactively taking steps to mitigate this threat. All Realtors should do their due diligence to ensure any company they send title work to has stringent protocols for protecting a client’s personal and financial information, that the company partners with cybersecurity vendors to protect any internal systems, and that the company is aware of any legal and ethical obligations for notifying their clients of a cybersecurity attack. Stay safe out there!
*“An agent is obligated to safeguard his principal’s confidence and secrets.” (FN); “An agent is obligated to account for all money or property belonging to his principal that is entrusted to him.” (FN)
**MCL Section 445.62 et seq.