
Document Management Tips to Avoid Costly Real Estate Lawsuits

Failure to keep a client’s information secure is one of the top claims made against real estate agents today. The average direct cost of a data breach is $3,000,000, with an additional $1,300,000 on average in lost business after the fact.

  • And this is NOT just an issue for real estate brokers to be concerned about.  EVERY agent can be an individual target for a hacker.

The most common types of data and security breaches stem from the physical theft of information or a hack. The type of information that is stolen includes Social Security numbers, names and addresses, bank account numbers, PIN codes, and other financial information.

With every transaction, it is your responsibility as the real estate agent requesting sensitive client information to keep that client information from being compromised through loss, misuse, destruction or theft. If a client’s identity is stolen or their financial information compromised while in your possession, they can sue you and your brokerage for the information leak or funds lost. And while having a secure server and security software are often the most common first steps in security practices to guard against a data loss, there are significantly more actions you can take to help avoid a data breach and subsequent real estate lawsuit. Here’s how:

Best Practices for Safe Handling of Electronic Data

  • Avoid the use of flash drives to store client information. These are too easily lost or corrupted by viruses.  (And NEVER use a flash drive at all unless you know exactly where it came from.  This is a common hacking vehicle, and tainted flash drives are frequently dropped off at real estate offices as “freebies.”)
  • Utilize password-protected files when transferring or emailing documents to a client or other parties involved in the transaction. These require the recipient to use a pre-established number or the last 4 of their social security number to unlock and open confidential documents they receive.
  • Establish a validation practice of both email and voice/phone call confirmation to approve fund or wire transfers. Relying solely on email can present openings for hackers to easily falsify email transfer requests.
  • When establishing an electronic records-keeping management system, consult a professional who can ensure correct installation as well as education of users of the chosen system. Make sure that firewalls and virus protection software are up to date and review that software on a semi-annual basis.
  • Set up automatic file backup systems so that information is not lost if a system is hacked or corrupted by a virus during an attempt to steal information.
  • Use the designated record keeping systems. Data should be kept in designated record-keeping software or secure network drives. A team member’s personal computer or device is not included in this, especially an unlocked device that is mobile and could be the target of theft.
  • Keep records and file management clean. Delete or destroy all out-of-date documents to ensure that the designated record-keeping system is functioning at its best and not bogged down by unnecessary data.
  • Set up all electronic access points (computers, phones, tablets) to be locked with login and password access protection. These devices should remain locked when not in use. Also ensure that all website or software portals that you might use to share, send or store files have time out/lock features to secure access if there is no activity after a few minutes.

Discretion and Safe Handling Practices of Physical Data

The foundation for good document handling best practices is professionalism, knowledge and discretion. These are some of the most common document security actions a real estate agent can implement:

  • Cover sensitive documents when in the presence of others, and never leave documents unsecured if you have to leave the room (such as printed client documents in a folder or briefcase).
  • Lock your computer when you step away from your desk. Employ the adage, “Control Alt Delete Before You Leave Your Seat” if you have to.
  • Use and regularly update your computer security software, especially in the event you are uploading documents through website portals and email to send or share client information.
  • Back information up. Unlike electronic data, physical data can be subject to wear and tear. A flood, fire, or mold can destroy a physical piece of information. If the document can be duplicated in an electronic format, take steps to do so, such as scanning the document to save it.
  • Physical data must be stored in a secured area. Windows, doors, and cabinets should be locked at all times. The people who have access to these areas must be listed and this list kept to an absolute minimum. Visiting clients should not be left unsupervised in areas where confidential client data is stored.
  • Clear labeling of physical documentation can help to prevent interoffice loss.
  • Clutter can cause document loss. Destroy obsolete physical data regularly. Document shredding services can do this for you on site or you can shred and dispose of the documents yourself. (If you’re working from a home office, be sure you have a shredder.)  Keep a record of which documents were destroyed and when.
  • Review safety, security, and physical document best practices annually or bi-annually.

While nothing can guarantee that you won’t ever face a claim resulting from document mismanagement, you can take steps to be ready for it. CRES offers Data Breach coverage and Extended Cyber Liability coverage just for this reason. CRES E&O policies come standard with Data Breach notification coverage. Additional cyber liability coverage can be purchased in two separate forms, one for up to $10 million, and one for more than $10 million.

What should you do if you become aware or are notified of a data or security breach?

In the wake of a data breach there are important steps you must take:

      1. Investigate the breach: Before you can report a data breach, you need to gather all of the facts. What was taken? When? Do you know by whom? Does this person or persons still have access to additional data? How many individuals were affected?
      2. Assemble a response team: Any and all persons who can assist in the termination and investigation of the breach need to be included. This may include the CEO, agents who may have in-depth knowledge of the data, or technical specialists.
      3. Contact law enforcement: If the theft was of physical data and there has been a break-in, call your local police department. If the data breach was entirely electronic, contact the FBI’s Cyber Crime division.
      4. Contact CRES Legal Advisory Services: We will be able to answer your questions and provide information on what next steps you may need to take that are specific to the crime.
      5. Notify your clients: Once you report a data breach to CRES, we will help you begin the process of notifying your clients according to your state law. For example, in the state of California, a data breach notification must include:
        • What Happened?
        • What Information Was Involved?
        • What Are We Doing?
        • What Can You Do?
        • Other Information:
        • For More Information:

        Within these headings, the notice must provide:

        • The name and contact information of the person or business providing the notice
        • A list of the types of personal information that are reasonably believed to have been the subject of the breach
        • The date or dates (estimated if necessary) of the breach(es)
        • A general description of the breach incident
        • Whether the notice was delayed because of a law enforcement investigation
        • The toll-free numbers and addresses of the major credit reporting agencies if the breach included Social Security or driver’s license information
        • If the person or business providing the notification was the source of the breach, an offer to provide identity theft protection and mitigation services, if any, shall be provided for a period of not less than 12 months if the data breach included both social security numbers and driver’s license numbers

For more information on how to protect yourself from a data breach, go to

What best practices have you implemented to keep client information secure in an effort to avoid a real estate lawsuit? Tell us in the comments below.
