Grappling With Cyber Threats in a Smart Building Era

(Left to right) Guillermo Christensen, Frank Moerdel, Shahryar Shaghaghi, Kevin Yardi. 

The age of ubiquitous connectivity is forcing the real estate industry to rethink its business processes in the face of relentless cyber threats and a growing array of privacy regulations in the U.S. and abroad.

Questions of digital privacy have gained urgency following the implementation in May 2018 of the European Union’s General Data Protection Regulation (GDPR), which places strict requirements on any company that processes the data of individuals in Europe, regardless of where the firm is based. The U.S. is rolling out comparable measures on a state level, such as the California Consumer Privacy Act.

Real estate companies are scrambling to understand the complicated new rules. “No one should ever talk about something being compliant with GDPR because your companies, your systems change every day,” said Guillermo Christensen, a partner at law firm Ice Miller, in a panel at this year’s Realcomm conference in Nashville, Tenn. “Someone is changing something in your systems right now, which could make you not compliant,” he added.

READ ALSO: The Move to a Data-Driven Business Model

In one of its first decisions under GDPR, France’s data protection authority fined real estate services provider Sergic €400,000 (roughly $447,000) for failing to protect user data on its rental application website. “It’s a lot cheaper to spend about $20,000 and get a good web developer to look at your code and keep looking at your code,” noted Christensen, a cybersecurity expert and former CIA intelligence officer. “That’s the upside of GDPR. People are going to spend a little bit more time to do things right, which they should be doing already.”

High-tech vulnerabilities

Security risks are also multiplying as commercial properties become even more networked. Frank Moerdel, director of IT at real estate investment and management firm Jamestown, raised the concern that landlords could abuse wirelessly connected smart locks and other devices to spy on their tenants.

“That’s what you always have to think about: Which kind of data am I collecting there, who do I trust, who do I give this data to and what for?” Moerdel noted in the panel. “And the third party I gave the data to, they need to be audited.”

Hacking creates vulnerabilities for entire buildings, too. “An area that’s been of great concern for me are the ways you can manipulate a building or even manipulate someone’s confidence in the building,” commented Andrew Sutton, an attorney at Brown Rudnick LLP, who moderated the panel. “For example, the ability to shut down a skyscraper on a particular day because you just suggest that the building has been hacked.”

Kevin Yardi, vice president of global solutions at real estate software firm Yardi Systems, added that the ever-closer relationship between property owners and managers and the lives of building users is creating a web of connectivity that could get “scary.” To underline the point that smart machines bring risks as well as opportunities, Yardi related how his recently purchased Tesla inexplicably swerved during a drive to work in Santa Barbara. The car indicated it had auto-corrected for him, but Yardi said he was driving fine.

“Do I own this thing or is it operating me?” he wondered.