Are MLSs Data Brokers? New Legislation Could Be Disruptive To Industry

While trying to get identity theft under control, the House Energy and Commerce Committee leaders have recently made a number of changes to the Data Accountability and Trust Act (DATA) that the Subcommittee on Commerce, Trade and Consumer Protection approved in November (H.R. 4127).

"Identity theft is not much different than burglary, and often it looks like the crooks are walking into places where the doors and windows have been left open," said U.S. Rep. Joe Barton, R-Texas, chairman of the Energy and Commerce Committee. "Worse yet, months can pass before the identity theft victim even hears about it, and then the damage may take years to repair."

"Under current law, anyone has a near-perfect right to package your personal information and do almost anything they want with it," Barton continued. "They can change it, share it, rent it or sell it. The constraints are so flimsy they're laughable. Our goal in developing this legislation is to encourage a culture of strong data security."

Needless to say, there are some serious implications for the MLS industry.

According to an article on LinusElectrons.com , the manager's amendment would:

• Narrow the definition of data brokers to include only those entities that sell noncustomer data to nonaffiliated third parties, ensuring mailing lists and others aren't inadvertently affected by the law. The FTC would also be granted the authority to deem in compliance with H.R. 4127 those companies already meeting the Fair Credit Reporting Act, Gramm-Leach Bliley Act or the Health Insurance Portability and Accountability Act (HIPPA) requirements.

  Require data brokers to establish reasonable procedures to verify the accuracy of information that they collect and maintain.

• Change the threshold for consumer notification from "significant risk of identity theft" to "reasonable risk of identity theft to the individual to whom the personal information relates, fraud or other unlawful conduct."

• Require data brokers to regularly monitor security systems for breaches.

• Prohibit data brokers from obtaining information on someone by impersonating that person -- also known as "pretexting."

• Allow consumers annual access to records maintained on them by data brokers as well as the right to have inaccurate information corrected or labeled as disputed.

• Require the FTC to notify the Secretary of Health and Human Services if it determines that a data breach includes individually identifiable health information.

• Afford the FTC the flexibility to recognize future methods or technology to safeguard data, not just today's existing encryption capabilities. Exempts from notification requirements data protected by encryption or other approved methods or technology.

• Allow the FTC one year to promulgate rules required by H.R. 4127.

• Require the FTC to study the maintenance of obsolete paper records containing personal information; the language also authorizes the agency to adopt rules to address any shortcomings in existing law.

• Provide for enforcement of H.R. 4127 by both the FTC and state attorneys general.

• Require a telecommunications carrier, cable operator or other information transmitter that becomes aware of a security breach to report it.

The site says the underlying DATA Act would:

• Direct the FTC to create rules setting rigorous national standards for data brokers to protect personal information.

• Require data brokers to have a security policy that explains the "collection, use, sale, other dissemination, and security" of the data they hold.

• Require entities to appoint and identify a person in the organization that is responsible for information security.

• Require any entity that experiences a breach of security to notify all those in the United States whose information was acquired by an unauthorized person as a result of the breach. Conspicuous notice on the breached entity's website is also required. The FTC must also be notified.

• Provide for an FTC or independent audit of an information broker's security practices following a breach of security.

• Permit the FTC to conduct or require audits for a period of five years after the breach, or until the commission determines security practices are in compliance with the act and are adequate to prevent further breaches.

We have argued that MLSs as a class don't meet the test of a data broker," says data security consultant J.R. Horton, "However, some do license data for commercial purposes. The FTC will decide ... (politics).

Horton says the FTC will decide if MLSs should be put under such data security controls. "Controls similar to what healthcare went through (with HIPAA) will be very disruptive for real estate brokerage and MLSs. The liability provisions of the Senate legislation ($11M) would accelerate the massive MLS consolidation that is being widely forecast."

He continues, "MLSs think they are part of the real estate business -- actually they serve the real estate industry, but they are part of the information services business. The legislative agenda of the information services business is driven by -- technology, communications, banking and other industries."

That could mean more consolidation and much higher data management fees for brokers and agents who use MLSs.

Post to Social Media: