Keeping the Lights On: Cybersecurity & Data Privacy Concerns in the Commercial Real Estate Industry

Cybersecurity and data privacy matters impact everything around us, including our physical space. Commercial real estate space represents a large part of every city across the globe, whether it is owned or leased. What would happen if the buildings went dark? The elevators stopped going up and down? The heating or air conditioning went out? Tenants and their clients could not conduct business? With AI evolving at a rapid pace and all technology advancing, the commercial real estate industry is seeing substantial changes in design, construction, leasing, operations, and general building use. Commercial and corporate real estate professionals must quickly understand and integrate innovations if they want their buildings to meet the demands of 21st century occupants. Correspondingly, real estate professionals must also embrace strong cybersecurity and data privacy protections.

Here are the top five protection strategies to face technology in a smart and thoughtful manner.

1. Know yourself: What data do you have? As the owner or manager of a building, you hold information not just about your company, but also about your tenants and their customers. Tenants provide their banking information in order to pay rent. Particularly with smart buildings, are the tenants using shared amenities such as conference centers or Wi-Fi? How does the tenant’s network interact with the building? Is the building capturing images of those who badge in and out?
2. Location: Where is this data being stored and how is it protected? Is it encrypted in rest and in transit? Do the systems operate based on zero trust (where individuals are only given access to systems and information they need) or is it a permissive environment (where systems and data are open even to those who may not need them)? In particular, as more commercial real estate owners and developers are thinking about wireless networks and connectivity from the start of a project, offering connectivity is only a benefit to tenants if the right steps are taken up front. It should be clear where the data will reside and how it is protected at the infrastructure level.
3. Legal and contractual requirements: Do your contracts, subcontracts, and/or leases put any restrictions on the protection or use of any particular data or system? Owners and tenants have unique risks based on their particular business and needs. If you lease space to the government, there are likely specific provisions that will apply.
4. Have a plan: Do you have an incident response plan? Is it up to date? Every building has a fire plan, but does it also have a data “fire” plan? This process should include an assessment of what vulnerabilities you may have, associated protections, and potential backups. An incident response plan must also be easily accessible when needed–which means keeping more than just an electronic copy of it.
5. Test and evaluate: What protections do you have in place? How often do you test them? Are they working appropriately? Like annual testing of smoke detectors and fire alarms, protections should be reviewed regularly and evaluated for any potential changes. Testing and evaluating the protections are necessary to make sure things work the way they are supposed to and are troubleshooted where there may be issues.