Data breach notifications: A guide for CRE businesses

Cybersecurity is a critical concern for businesses of all sizes, from small startups to large corporations. Protecting your organization and its data from online threats is a major challenge. Yet when it comes to protecting themselves and their assets, many teams fail to fix the roof when the sun is shining.

In 2024, the average data breach cost businesses $4.88m — 10% more than the previous year, according to research by IBM. The study estimates that organizations could save themselves $2.2m per incident by investing in cybersecurity and AI-led data protection mechanisms.

Large-scale data breaches can happen to organizations of all sizes and industries. Yet you may wonder how this topic affects commercial real estate (CRE) companies. As smart building platforms become increasingly advanced and more CRE businesses utilize data solutions to drive operational efficiency, they possess more and more data about their customers and tenants.

Prioritizing cybersecurity in the age of smart buildings and GDPR compliance

The EU’s General Data Protection Regulation (GDPR) reinforces the need for all organizations to manage client data responsibly. In the event of a data breach, businesses must provide formal notice to everyone involved within 72 hours of the event.

Although GDPR rules have been in place since 2018, there is still much for CRE businesses to understand if ESG compliance is taken seriously. This article will explain data breaches in the industry and why your organization should be aware of its responsibilities with data breach notifications.

Understanding data breaches in commercial real estate

The wealth of advanced technology in modern commercial buildings creates a vast array of data for which your organization takes responsibility, from digital twins to cloud-based IoT integrations that support building management systems (BMS). The influx of CRE-friendly technology creates an ever-expanding list of data points that cyber-criminals and hackers could target.

For most CRE organizations, tenant data must be carefully protected to meet GDPR regulations. This will include financial data such as bank and credit details for tenancy deposits and leases and personal occupancy usage statistics collected from the various data points within your building.

Data breaches and consequences of attacks

While your organization can take steps to prevent data breaches, eliminating the risk entirely is impossible. A PwC report into cybercrime shows a 9% increase in 2024 in the number of global businesses that have experienced a data breach of $1m or more.

A data breach occurs when an individual or organization gains unauthorized access to sensitive information about you and/or your clients and customers. This information can include personal data, financial records, medical records, or any other confidential data. This can happen in a variety of ways, including:

• Cyberattacks: Malware, phishing, and ransomware attacks are common forms of security breach.
• Human error: Employee mistakes, such as accidental disclosure or weak password practices, can lead to breaches.
• Third-party vulnerabilities: Third-party vendor data protection or software weaknesses can expose sensitive data.
• Physical security breaches: Unauthorized access to physical premises or devices can lead to data theft.

Consequences of breaches and ESG impact

A data breach can be ill-afforded for CRE businesses that operate on razor-thin profit margins. Not only do ransomware attacks directly hit real estate organizations in the pocket, but the payouts in legal fees and regulatory repercussions can make data breaches extremely costly. In 2023, the EU imposed around €2.1 billion in fines for GDPR data breaches, with more than half (€1.2 billion) directed towards Meta for violations in Ireland.

In addition to the fiscal penalties, data breaches can cause reputational and operational damage. According to IBM research, they can take an average of eight months to recover from fully, and giving notice to a customer base that their data has been compromised because of your negligence is not a good look.

Yet there is another, more compelling reason why CRE businesses should prioritize data security. Such an emphasis is placed on organizational progress towards environmental, social and corporate governance (ESG) goals, with many companies establishing ESG frameworks in the interests of transparency and driving meaningful change in their industry.

Data protection is a fundamental aspect of good corporate governance; an organization that is unable to secure its clients’ important personal and financial information safely will lose the trust of its customers and investors. So preventing data breaches is ultimately in the interest of overall ESG performance.

Your organizational responsibilities for data breach notifications

When data breaches do unfortunately occur, your CRE business (in Europe and the U.S. at least), has an obligation to report the infraction as soon as possible to all relevant parties. If financial information has been exposed, clients and customers can immediately notify their bank and take sufficient steps to protect their identity and assets.

Data breach notifications and GDPR

For European entities, the requirement to give notice falls under Article 33 of GDPR, which states that “In the case of a personal data breach, the controller shall without undue delay and, where feasible, not later than 72 hours after having become aware of it, notify the personal data breach” to their national data protection authority.

Article 34 adds that notice must also be given to the subject of the data breach as soon as possible. So if it’s clear that your organization’s data breach has revealed sensitive client or customer information, you have to notify them without delay. Since 2018, law firm DLA Piper estimates that organizations across Europe have reported more than 160,000 data breach notifications, increasing annually by around 12%.

Data breach notifications in the U.S.

In contrast to Europe, the U.S. has no federal law mandating data breach notifications. Instead, all 50 states have enacted individual legislation to protect personal information of clients and customers, creating a patchwork landscape in which businesses are subject to different notification timelines depending on where the breach occurred.

Notable U.S. States with Data Breach Notification Laws:

• California: One of the strictest laws, requiring notification within 45 days of discovery.
• Massachusetts: Notification within 30 days and includes specific requirements for certain breaches.
• New York: Notification within 30 days and has additional requirements for breaches involving certain data types.
• Texas: Notification within 60 days and has specific requirements for medical information breaches.

Proactive data security practices for your CRE business

One of the most common arguments against a lack of investment in cybersecurity is “it won’t happen to us.” Yet data breaches continue to increase in scale and complexity for businesses in all industries, with over 1 billion personal records stolen in 2024 alone.

For a real estate organization, the consequence of property-specific data getting into the wrong hands could be catastrophic, predominantly if your business operates a facility of significant value or importance. Investing in data protection is vitally important for organizations in every sector, not least property.

Data protection strategies for property-specific businesses

Implementing an iron-clad data protection strategy can be challenging. Still, as part of your organizational risk assessment, you should know all your legal responsibilities for personal and client data. This should also include a data audit to identify everything your organization collects and stores, including tenant-sensitive information.

Your organization should then implement comprehensive security and data protection policies across your business to minimize the risk of breaches. This should also extend to all third-party vendor contracts you sign to manage external access to protected data within your business.

With ever-advancing BMS technology, your facilities managers should undertake regular security awareness training to educate them about common threats, best practices, and the importance of data protection.

BMS systems in particular, are high-value targets for cyber-attacks due to their significance and integration with critical infrastructure such as HVAC and fire safety systems. Your organization should invest in data encryption and multi-factor authentication for staff in order to manage access control to these vital systems.

With ProptechOS, the customer owns all data

There is no doubt that data breaches and cyber attacks are becoming more prevalent in the commercial world. Like all other operational risks to your business, these threats must be carefully managed.

We designed ProptechOS and our integrated suite of CRE management software to align all real estate data available in a common format regardless of underlying system. Instead of multiple integrations and multiple weaknesses for cyber threats, our system backed by RealEstateCore connects the dots for your business, creating a single secure platform to manage your smart building infrastructure.

In contrast to other software analytic companies, your organization and its tenants retain ownership of all data. For ultimate transparency, we ensure that all data is fully accessible to you at all times. Our privacy-first approach to proptech sets us apart from our competitors, making ProptechOS a safe pair of hands with your data.

As a CRE business with multiple assets, protecting critical building infrastructure and your customers’ data is both a legal obligation and an important commitment to the social and corporate governance aspects of an ESG policy. With a commitment to invest in data protection measures and a comprehensive, safety-first approach to cyber, your CRE organization can integrate proptech into your operations securely and with a long-term plan for the future.