Are You Taking the Proper Measures to Protect Your Digital Assets and the People Associated With Them?
They have all implemented data access security utilizing two-factor authentication. Why, you ask? Because this form of data security supports their initiatives to implement “best practices” or “take reasonable steps” to protect access to their users’ personal information from cyber-villains.
Everything these villains might want to know about someone is generally hosted somewhere in their user profile(s). Name, address, phone numbers, date of birth, email addresses, characteristics and interests, employment history, etc. are all personal profile staples. This data is considered ‘Personal Information’ and comprises everything a villain needs to know about someone to commit nefarious deeds and gain additional access to even more personal information.
Most people assume, or would like to believe, the companies they engage with can be entrusted with their personal information or ‘secret identity’. They expect their personal data to be treated as a valuable asset and want their value to extend beyond a customer list, marketing program or data mining effort.
All companies now have a legal responsibility to protect the personal information their subscribers have provided them. The US government mandates companies implement “reasonable and accepted best practices” to protect the personal information they collect.
To date, 46 states have enacted a Data Breach Notification Law. Under these laws, a breach is defined as a single unauthorized access to a database containing personal information. This means a single compromised user ID and password, whether willingly shared/borrowed or intentionally hacked, constitutes a breach. Reasonable steps must be taken to avoid such an occurrence. If a breach does occur, every individual with personal information stored within the breached database must be notified of the breach in writing. This is not only costly to implement, it can challenge the integrity of a company and have significant financial ramifications. Each state defines ‘Personal Information’ differently. (Please refer to this chart and consult an attorney in your area for more specific details.)
Within our industry, we may feel these rules don’t apply or that we’re immune to such obligations because listing data is plastered all over the Internet. But the fact remains, the responsibility of the MLS goes well beyond protecting subscribers’ personal information and the sanctioned public display of listing information. The MLS community must also consider:
- Subscription revenue loss associated with shared access
- Consumer (buyer/seller) data stored in the MLS system’s CRM and Client Gateway modules
- Listing data not intended for public consumption (e.g. sensitive showing instructions such as alarm/gate/CBS codes, kids home alone, or when the house is vacant)
- Compensation details
In many cases this is simply scratching the surface of what may be exposed. Introduce transaction management, online bill pay and document storage into the MLS services and exposure swells further.
The fact is, laws or not, the need for secured access is an obvious and necessary requirement to conduct business in today’s world. For businesses that ‘fly under the radar’ thinking they won’t get caught, it’s more a question of when than if. The important thing to remember is you don’t have to be a superhero to mitigate your risk. Companies large and small are adopting best practices to protect access to their digital assets and those of their consumers and subscribers. So we ask again: Are you taking the proper measures to protect your digital assets and the people associated with them?
Let’s start with some simple internal questions to get in the right frame of mind: Who is your organization? What service do you provide? Who do you provide these services to? What value do you deliver to your customer?
I am aware most of you have already completed this exercise in some secluded strategic planning session for your business. But, as you ponder or answer these questions, dig deeper. Does your customer know these answers? Is your customer aware of the full breadth of the services you offer? Is your customer aware of the value you are delivering? If they were aware of these benefits would it help you retain existing customers and secure new ones?
Over the years, our collective industry services have evolved. Whether you are an agent, a broker selling property/retaining agents, or an MLS, all these questions apply. Do you communicate your value to your customer? Does your customer know what products and services they are receiving in exchange for their investment in you?
Does your business continue to rely on emails, letters and flyers? Do you simply chalk up a 2% email “viewed” rate to the conditioned “RDR” response (short for REALTORS don’t read)? Or do you want to reinvent the way your value can be communicated or presented to your customer?
Personally, my parents have always told me to be humble. However, humble does not always apply when it comes to my business. In business, I want to tell the world what we do, why we do it and who we do it for. I want to communicate what value I can deliver and why. I want to win over my customers. I want them to believe as I do.
I think many of you feel the same way about your business, so why not reinvent the way you communicate your value to your customers and prospects?
We believe your customer deserves to be presented with your value on a daily basis in a non-invasive manner. Your customers access your MLS data an average of 2-5 times per day. Why not furnish them with all you offer through a custom landing page? You may be surprised with the results. Clareity customers currently using the SSO Portal have experienced:
- Increased Adoption / Usage of all Services – as the user is presented with all the service options upon login we generally see a 10% to 12% increase in adoption
- Improved End User Experience – one login to all solutions improves efficiency and ease of use
- Content driven down through broker/Associations/MLS Site – messaging is clear, concise and consistent as it is delivered to a customer across all services and through all access points
- Demonstrated value proposition to end users – the customer understands what services your business is offering
If you are looking to increase not only value perception, but redefine and deliver real value contact Clareity today to see how we can help.
Merriam-Webster’s dictionary defines “value” as: 1: a fair return or equivalent in goods, services, or money for something exchanged 2: the monetary worth of something: market price 3: relative worth, utility, or importance (a good value at the price).
I am a paid subscriber to a number of websites (e.g., ESPN.com, Scouts.com and Ducks Unlimited). All of these subscription services have employees who provide specialized content, tools, data, expertise and analysis that I find valuable. Where this differs from MLS subscribers paying to access the MLS is compensation. Not one of these services holds me to a professional standard or generates income for me. This makes the MLS service, and the data within, significantly more valuable and worthy of even greater protection. The MLS likewise provides specialized content, applications, support and business tools, but it also facilitates shared compensation between professionals whose livelihoods depend on the integrity of the information. If these services did not provide significant value, subscribers would not experience: 2. the monetary worth of something: market price.
In my eyes, Scout for SAFEMLS mitigates the revenue risk associated with people attempting to bypass license agreements, therefore subsidizing the service for those paying for the access. On countless occasions, Clareity Security has provided case studies demonstrating the success of Scout by capturing a portion of this “lost” revenue while also deterring and removing these “thieves.” Here is an excerpt from Clareity’s most recent case study:
Many of our customers have applied Clareity Security’s suggested best practices for the Scout service (and others that we reviewed are now implementing said practices). A recent review of twelve Clareity Security customers showed sharing decreased by almost 18%, unauthorized users decreased over 22%, and active accounts increased by almost 2%. This increase may seem modest but during the same timeframe membership in the National Association of REALTORS® has dropped 1.75%. It is obvious that these numbers would greatly impact any MLS organization both from a revenue opportunity and a cost of operation perspective. A shared account will not only cause revenue deprivation but also adds to the cost of providing service to your paying members. Not to mention your data being compromised by unauthorized users who are not bound by the standards of your Terms of Service agreement!
Yet some remain unconvinced of the value of Scout. As Stephen Colbert states, “I am not a fan of facts. You see, facts can change, but my opinion will never change, no matter what the facts.” Perhaps the numbers won’t convince everyone there is a problem. Some know there is a problem, but choose to look the other way? Then there are elements of risk and problems that may not be so easy to see.
For example, last week Ray Ewing, CEO of SANDICOR MLS, which provides MLS Services to 20,000 real estate professionals throughout the San Diego, California market area, shared the following two stories with me:
There is an agent lead generation and marketing company that we will refer to as “Company X.” Company X regularly prompts agents for their ID and password for their MLS service. Most users do not even think twice about this and quickly provide that information. Then Company X, utilizing the agent’s credentials, downloads the expired MLS listings along with more complementing data and feeds it back to the agent with a marketing package. Company X is not even a subscriber of SANDICOR! By utilizing Scout, Ray Ewing and his staff have been able to identify this unauthorized use and vetted Company X to confirm this abuse.
Additionally, using the tools available in Scout, Ray and his team were able to identify a user who was exploiting an automated login to run query scripts against the system for data. According to Ray, these queries would at times get stuck and continue to run, impacting the MLS system’s performance. Armed with the information provided by Scout, SANDICOR was able to add language to their LCA stating that users were not allowed to use an automated login and would be redirected to use RETS. The scariest part about this is after doing some research, Ray discovered this user was accessing more than just SANDICOR data.
We spend a lot of time talking about Scout’s ability to increase membership by forcing system abusers to pay for service, but there is a bigger picture here. There is more than meets the eye when protecting the value of paid services. No matter how you define value, if a service has a paid subscriber base and is allowing that value to be shared, stolen, or even hijacked for someone else’s profit or gain, then that service is diminishing its own value.
So I ask again, how do you define value?
In a recent blog post, Amy Geddes presented a case study demonstrating some of the ways we can measure the success of Scout for SAFEMLS based on the first forty days of remediation and averaged across multiple customers. While we believe these results demonstrate our product is successful, apparently it led others to ask, “How do those measurements for success look at the individual MLS level?” Well, we are glad you asked.
Enter RealTracs.com, as an example. RealTracs.com is a Nashville-based regional MLS that feels Scout for SAFEMLS has delivered success. As many are aware, RealTracs.com develops, supports and maintains their own MLS system. In 2011 they modified their billing model from broker-based to agent-based and implemented Scout for SAFEMLS to complement this effort.
Scout for SAFEMLS creates a secure login environment. Additionally, Scout for SAFEMLS adds revenue assurance through the analyzing of shared accounts and the SAFEMLS Remediation Manager. This service empowered RealTracs.com to monitor and take action against account sharing and abuse through the remediation process.
At a time when the economy is challenged and the real estate market is down, many have chosen to cut office overhead and/or avoid MLS fees by account sharing. RealTracs.com was able to significantly grow their member base by almost 10%. In addition to the demonstrable increase in active MLS users, RealTracs.com experienced a sharp decline of 54% in account sharing and non-paying (unauthorized) users accessing the MLS, and a decrease in account abuse of over 65% (the number of users abusing an account). For MLS organizations like RealTracs.com (who develop, support and host their system), this carries a clear cost savings and direct return on their Scout for SAFEMLS investment. By reducing the volume of users and the unique IP addresses accessing the MLS (and securing access to only those members paying their dues), RealTracs.com saves on hardware expenses and other costs associated with hosting their MLS system.
When speaking with another MLS customer, Clareity Security was informed of interesting results based on that customer’s internal data. They discovered that when a broker’s office has had agents enter into remediation, they are 34% more likely to add the agent as a new subscriber/member to the MLS within 30 days than those that do not have agents in remediation.
Is this success measured at the individual MLS level? We at Clareity Security believe so, and more importantly, so do our customers. Subscriber growth and retention are key components in the MLS business model but it is just one piece of our measured success story. What about the story behind the numbers? Sure we can measure decreases in unauthorized account use and account sharing. While these factor largely into converting unauthorized users into new subscribers (when utilizing remediation best practices), a decrease in these two components also means an increase in security of your subscribers’ data and listings. When unauthorized users enter into your system they may not be doing so with malicious intent, but they are still accessing information that is controlled by your license agreement and these users have not agreed to your terms. Therefore, they can break your rules without fear of recourse. By not subscribing appropriately, they are in essence stealing from you, your paying subscribers and the consumers who provide the information (but that’s another story).