Confidentiality of Tenant Information
During the course of a rental transaction, a landlord may process many pieces of personally identifiable information (PII) from applicants and tenants.
Personally identifiable information can be defined as information that directly identifies an individual such as name, address, Social Security number, telephone number, email address, etc., or indirectly identifies specific individuals through a combination of data elements such as birth date, gender, race, personal characteristics, biometric data, geolocation data, or other descriptors.
Information permitting the physical or online contacting of a specific individual is the same as personally identifiable information. This information can be maintained in paper, electronic, or other media. Personal information does not include publicly available information that is from federal, state, or local government records and consumer information that is de-identified or aggregate consumer information.
Some states have consumer privacy laws that protect the privacy rights of their residents. As an example, the California Consumer Privacy Act (CCPA) defines personal information as “information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.” Under the CCPA, personal information includes, but is not limited to:
- Name: full name, maiden name, mother’s maiden name, or alias;
- Personal identification numbers: social security number (SSN), passport number, driver’s license number, taxpayer identification number, patient identification number, financial account number, or credit card number;
- Personal address information: street address, or email address;
- Personal telephone numbers;
- Personal characteristics: photographic images (particularly of face or other identifying characteristics), fingerprints, or handwriting;
- Biometric data: retina scans, voice signatures, or facial geometry; and
- Information identifying personally owned property: VIN number or title number.
Nevada Revised Statutes Chapter 603A is a privacy law that defines personal information as a “natural person’s first name or first initial and last name in combination with any one or more of the following data elements, when the name and data elements are not encrypted” such as:
- Social security number;
- Driver’s license number or identification card number; and
- Account number, credit card number or debit card number, in combination with any required security code, access code or password that would permit access to the person’s financial account.
The application process and tenant screening practices are the common rental transactions that collect personally identifiable information used in the decisioning process for tenancy. However, during the course of the tenancy, a landlord may become aware of additional personal information about the tenant and his household. This information must also be protected from loss and misuse.
The loss of personally identifiable information can result in substantial harm to individuals, including identity theft or other fraudulent use of the information. Landlords have the responsibility to protect confidential information from loss, misuse or inadvertent disclosure.
There are a number of privacy and data security considerations for a landlord in developing business policies to ensure compliance with various federal and state laws governing privacy and data security.
The collection of information is an important security consideration in developing practices for safeguarding sensitive information. A landlord should evaluate his current business practices to review the collection and use of personally identifiable information. The analysis provides data on the amount of information being collected and what use is made of that information. Historically, landlords collected as much information as possible, some of it relevant to business decisioning, some of it “just in case.” Current policies have revised collection practices to focus on business necessity, i.e., the purpose of the data supported by applicability to rental practices and legal compliance. Limiting the amount of data collected to business necessity can reduce risks of potential liability for data breach, landlord negligence in handling sensitive information, or violation of applicable privacy and security regulations.
A landlord should consider developing a business privacy policy to disclose to applicants and tenants the collection, use, protection, and handling of personally identifiable information. The disclosure should detail the purpose of collecting personally identifiable information; what personal information is collected; what methods and sources are used to collect that information; how that personal information is used; what information is shared with third parties; and what security measures are in place to safely access and safeguard confidential information.
Keeping tenant information confidential requires best practices in rental operations, including file organization and document controls. File organization of rental documents is best done in a manner that makes sense for business reporting, taxes, landlord-tenant statute requirements, fair housing requirements, and other compliance and regulatory purposes. Whether organized by rental property location or tenant name/unit number, all rental documents, paper, digital, or both, must be retained for as long as needed for business necessity and in accordance with document retention requirements by statute.
Physical security measures to safeguard confidential tenant information should include storage of documents under lock and key. Access to tenant documents should be restricted to individuals who have an identifiable business need to access a file. Documents containing personally identifiable information such as applications, leases, credit reports, etc. should not be left unattended and open to public view.
Security measures include digital security measures when using computers and electronic devices to conduct rental operations. Digital files stored on electronic devices must be securely protected by enabling firewalls, password-protected Wi-Fi connections, strong password management, authentication procedures, data encryption, up-to-date operating systems and application software, anti-virus and anti-malware software, and management of cloud transfer, access, and storage. Studies have shown that half of all reported data breaches were the result of improper storage and handling of sensitive data. Access to tenant files containing sensitive information must also be restricted to those individuals with an identifiable “need to know.”
When landlords use consumer reports to make tenant decisions, they must comply with the Fair Credit Reporting Act (FCRA). When a consumer report is no longer required for business necessity, landlords must securely dispose of the report and any information gathered from it according to the Disposing of Consumer Report Information Rule.
The Disposal Rule requires disposal practices that are reasonable and appropriate to prevent the unauthorized access to – or use of – information in a consumer report. For example, reasonable measures for disposing of consumer report information could include establishing and complying with policies to:
- burn, pulverize, or shred papers containing consumer report information so that the information cannot be read or reconstructed;
- destroy or erase electronic files or media containing consumer report information so that the information cannot be read or reconstructed;
- conduct due diligence and hire a document destruction contractor to dispose of material specifically identified as consumer report information consistent with the Rule. Due diligence could include:
- reviewing an independent audit of a disposal company’s operations and/or its compliance with the Rule;
- obtaining information about the disposal company from several references;
- requiring that the disposal company be certified by a recognized trade association; and
- reviewing and evaluating the disposal company’s information security policies or procedures.
Proper disposal and destruction of sensitive information obtained from sources other than those governed by FCRA requirements should use similar methods as those outlined in the Disposal Rule.