Cybersecurity Considerations in Real Estate Transactions

By NJSBA Staff posted 06-05-2019 09:31

Editor’s Note: The following article by Michelle Schaap was published as part of the Real Property Trust and Estate Law Section Newsletter Vol. 32, No. 1, which was distributed to members of the Real Property Trust and Estate Law Section. To learn more about joining a section of the New Jersey State Bar Association, email us at [email protected]

Cybersecurity is a critical consideration for any and all transactions that involve the transfer of financial and/or confidential, proprietary information. Once a project is financed, or purchased, a developer will also need to address how the drawings for the project are secured. If the project will include software and/or artificial intelligence in its operation, the developer will need to undertake due diligence on the security features of these systems. Finally, in its role as an employer and/or landlord, a real estate developer must consider its statutory obligations to protect sensitive data.

Project Transaction
A company’s acquisition, sale or lease of property may be part of a larger transaction, which could have positive or negative connotations for parties beyond the real estate component. While the ultimate transaction closing may be of public record (by the recording of a deed or lease), keeping this information confidential until the time of the closing may be critical to either or both parties to the transaction, and is likely a requirement in the deal documents.

If a business is planning to close its operations in a specific location, advance notice of the pending sale of the offices may create issues for that company (including without limitations triggering morale concerns, let alone Worker Adjustment and Retraining Notification (WARN) Act notice obligations, for its employees). Conversely, if an enterprise is expanding into a new market, the company may want to keep this information confidential until it is prepared to announce the move publicly.

Were either side of the transaction, or its advisors, to experience a cybersecurity ‘event,’ the use of this confidential information by a third party could materially adversely impact either or both parties to the transaction in a variety of ways, including stock values (if it is publicly traded) and customer relationships, where an office closing had not been announced. A breach may also reflect a broader security issue, which could impact a larger overriding transaction, such as a merger.

Further, where payment instructions are transmitted electronically, cybersecurity is paramount. There have been several cases involving the loss of closing proceeds due to false wiring instructions after the original electronic transmission of correct wiring instructions. Using unsecure means to transmit or confirm wiring instructions opens the door to a bad actor accessing credentials or information, and then sending new instructions that ‘appear’ to be authentic. Too often, people accept such changed information without verifying the source by telephone, thus allowing millions of dollars to be stolen through reliance upon misinformation.

If, indeed, the real estate transaction is part of larger transaction, and one of the parties has a security breach, the same would likely need to be disclosed to the other party, which could significantly impact the deal terms and purchase price. If a breach were not disclosed prior to closing, the compromised party is likely in breach of representations and warranties in the agreement.

Project Plans
Designs and drawings for a project should be properly secured, both at rest and when transmitted between and among project team members. If plans for a new project are shared over an unsecure site or file share resource, plans could be compromised. Such a breach could lead to any number of dangerous consequences, including sabotage or break-ins at the building through known points of attack, or alteration of the plans, creating project delays, unconstructable drawings or structurally unsound structures.

If the project is being constructed for a business in, for example, the healthcare or financial services industry, consideration should be given to secure physical environments in the design and construction of the project.

Project Systems
If the project is to be constructed with ‘smart systems’ (whether for elevator operations, HVAC monitoring and maintenance or otherwise), the vendors for these products, and the software itself, must be properly vetted for security considerations. If security systems will be installed, developers should ask whether the systems were developed with privacy in mind. If systems are to be maintained and/or monitored remotely, consideration must be given as to who will control the access credentials to these systems. Many systems have default passwords that are readily available on the internet; if a developer is unaware of these settings on its newly installed
systems, then it will be leaving the proverbial backdoor open to any savvy bad actor.

If buildings will have ‘smart’ operating systems, the real estate developer must also consider
redundancies and back-up systems if the primary system is compromised. Further, protocols will need to be established for applying patches and new releases during the lifetime of the subject system. When systems are retired, if they stored data, the responsible project owner will need to first securely dispose of or destroy that data.

Project Participant as the Controller of Personal Data
The foregoing discussion does not touch on statutory obligations associated with data protection. In New Jersey, there is legislation pending that, once adopted, will require any business (regardless of the industry) to adopt and enforce written ‘reasonable’ measures to secure personally identifiable, sensitive information maintained by the business.1 Under current New Jersey law,2 if a party that holds personal data (e.g., name plus Social Security number, or other certain data) experiences a data breach, that party must provide notice to the impacted persons. If third parties will have access to the developer’s sensitive data, the developer should vet the practices of those third parties (and under the pending New Jersey legislation the developer will be required to undertake this due diligence).

In short, cyber and data concerns permeate all business, whether brick and mortar or on line. A real estate developer, or any other business person, who ignores cyber and data security consideration will be at risk for compromise, in the deal negotiation, in the construction phase, operationally and as a controller of sensitive data.

1. S. 2692/A. 1766 (2018).
2. N.J. Stat. § 56:8-163.

Michelle Schaap is a member with Chiesa Shahinian & Giantomasi, PC.