You are here:  Home  >  Policy Three – Realtors

Policy Three – Realtors

Policy Three – Realtors and their secret stash of your information

Most people don’t bother to think about the information they give their realtor. This type of data is up there in the high impact category. The information gets passed around to multiple associated with real estate transactions. The liability a realtor or his/her associates have regarding a data breach are significant. This not only involves the realtor, but also title company, mortgage broker, and all entities involved. The legal ramifications of a breach could be catastrophic and can wreck your career and business.

The National Association of Realtors has excellent information on their website concerning the need protect your data and being diligent. We have pasted this information here. It can be found at https://www.nar.realtor/data-privacy-security.


Technology has dramatically increased the amount of consumer data collected and used by businesses. Several recent high-profile data breaches coupled with a high rate of identity theft crime has made data security and consumer privacy a hot issue for policymakers in Washington.


REALTORS® strongly support efforts to protect consumers' sensitive personal information. The REALTOR® code of Ethics and Standards of Practice explicitly acknowledge a REALTOR's® obligation to preserve the confidentiality of personal information provided by clients in the course of any agency or non-agency relationship—both during and after the termination of these business relationships. REALTORS® support for data protection measures is also bolstered by their day-to-day business activities where they see firsthand the damage that identity theft can do to a family's ability to rent an apartment or buy a home. This resource will provide REALTORS® with current information on policy efforts underway in Washington to regulate data security and consumer privacy.


Trust is at the heart of the real estate business. In this digital economy, trust has taken on new dimensions that impact how real estate professionals collect, share and, most importantly, protect the information they use in their businesses. Creating a data security program for your business means implementing and maintaining reasonable safeguards to protect the security, confidentiality, and integrity of data, including proper disposal of the data. A privacy policy is a document that discloses some or all of the ways your business collects, shares, protects, and destroys personal information. Often, a written data security program is an internal document provided to and implemented by employees, whereas a privacy policy is distributed more widely, such as on your organization’s website.

NAR aims to educate real estate associations, brokers, agents, and multiple listing services about the need for data security and privacy; and to assist them in complying with legal responsibilities. NAR offers a toolkit that provides information about state laws and pending federal regulations regarding data security and privacy protection that may affect your business. Regarding compliance, the toolkit includes various checklists of issues to consider when drafting a security program tailored to your business’s needs. There is no one-size-fits-all approach to security and compliance, but NAR aims to provide your real estate business with the tools necessary for developing a program that best suits your business.


What is the fundamental issue?

Public concern about the confidentiality of personal medical, financial and consumer data has put pressure on policy makers to increase regulation on the uses of this information. The recent popularity of marketers to use online advertising targeted to individual consumers has also concerned members of Congress. With the recent data breaches of large retailers, a number of privacy and data security bills have been introduced in Congress. Many of these measures will likely: apply privacy regulations to both online and offline data collection, storage and flow; require privacy notices and impose other information safeguards. 

I am a real estate professional. What does this mean for my business?

Real estate professionals collect, store and share a great deal of consumer information. Often, the collected data is of a sensitive financial nature. The current proposals for comprehensive privacy legislation would require nearly all real estate professionals and REALTOR® Associations to comply with the new rules. NAR is working to ensure that any future privacy law takes into account the burden on small businesses and is narrowly tailored to reduce its impact on members.

Of note is the recent trend in email fraud targeting homebuyers who are approaching closing. Fraudulent emails appearing to come from a trusted source (agent, title company) instruct the buyer to wire funds to a fraudulent account. This scam further heightens the need for REALTORS® and their clients to pay attention to data security.

NAR Policy:

NAR recognizes the importance of protecting client data entrusted to them and supports common sense data privacy and security safeguards that are effective but do not unduly burden our members’ ability to efficiently run their businesses. Proposed regulations must be narrowly tailored to avoid burdening businesses, especially small businesses that lack the resources available to larger entities.

NAR Data Privacy & Security Principles
REALTORS® recognize that as data collection continues to become a valuable asset for building relationships with their clients, so does their responsibility to be trusted custodians of that data. Consumers are demanding increased transparency and control of how their data is used. For this reason, REALTORS® endorse the following Data Privacy and Security principles:
Collection of Personal Information Should be Transparent
REALTORS® should recognize and respect the privacy expectations of their clients. They are encouraged to develop and implement privacy and data security policies and to communicate those policies clearly to their clients.

Use, Collection and Retention of Personally Identifiable Information
REALTORS® should collect and use information about individuals only where the REALTOR® reasonably believes it would be useful (and allowed by law) to administering their business and to provide products, services and other opportunities to consumers. REALTORS® should maintain appropriate policies for the, reasonable retention and proper destruction of collected personally identifiable information.

Data Security
REALTORS® should maintain reasonable security standards and procedures regarding access to client information.

Disclosure of Personally Identifiable Information to Third Parties
REALTORS® should not reveal personally identifiable data to unaffiliated third parties unless: 1) the information is provided to help complete a consumer initiated transaction 2) the consumer requests it; 3) the disclosure is required by/or allowed by law (i.e. investigation of fraudulent activity); or 4) the consumer has been informed about the possibility of such disclosure through a prior communication and is given the opportunity to decline (i.e. opt-out.)

Maintaining Consumer Privacy in Business Relationships with Third Parties
If a REALTOR® provides personally identifiable information to a third party on behalf of a consumer, the third party should adhere to privacy principles similar to the REALTOR® that provide for keeping such information confidential.

Single Federal Standard
NAR supports a single federal standard for data privacy and security laws in order to streamline and minimize the compliance burden.

Legislative/Regulatory Status/Outlook

NAR supports the approach taken by Senator Warner (D-VA) in his 2016 discussion draft. That draft bill:

  • Covers all entities handling sensitive information – there are no exemptions for banks, telcos, third parties, etc.
  • The scope of the bill is appropriate:
    •  A breach of security is the acquisition of data (not access or acquisition);
    • Sensitive account/personal information are narrowly defined terms (not expansive);
    • The trigger for notice is risk-based (requiring what is defined as financial harm).         
  • Has reasonable data security standards for non-banks;
  • Has enforcement by banking regulators for banks, and by FTC for non-banks;
  • Has equivalent enforcement by all banking regulators and the FTC, with requirement that the agencies coordinate on equivalent enforcement and penalties; and
  • Gives all covered entities the benefit of solid preemption of state and common law.

Finally, NAR has developed an educational toolkit for members and has developed an online training course available through REALTOR® University. To view the toolkit visit: www.nar.realtor/law-and-ethics/nars-data-security-and-privacy-toolkit