Dealing With Customer Data Security And The Risk Of Identity Theft
There are two separate issues that need to be addressed when discussing security for customers’ personal information in the self-storage business. The first is how a tenant’s information is protected when held by the operator, and the second involves what responsibilities an operator has relating to records stored by a tenant in their rented storage unit.
As for the first, most operators are working very hard to secure the customer information they use for their businesses, such as Social Security numbers and home addresses. However, in order to succeed, operators must first understand how personal information flows into, through, and out of their business, including who gets the information, how it is used, where it is stored, and who has access to the information from both inside and outside the business. There should be a security plan in place, not only as to how paper documents are kept but also how electronic data is stored. Operators should consider using methods of encryption, verifying secure connections for their online transactions, enhancing their password management protections, installing stronger firewalls, and developing employee training on the issue of data breach and identity theft. Certainly, when it comes to online financial transactions (credit or debit card payments), facilities need to work with their merchant services providers to make sure their systems are PCI-compliant and otherwise meet the federal requirements to protect their customers’ private information. Lastly, operators should have a clear plan of how personal records are to be disposed of, including the destruction of old computers and the shredding of paper
As for a tenant’s own unit, typically if an individual tenant defaults on their rent and their property is sold via the landlord’s lien rights, that individual tenant loses any expectation of privacy they may have had regarding the property (and records) that they stored. In other words, if they don’t pay their rent and their property is sold, they are assuming the risk that any private information contained in their property could be compromised. This specific issue has been addressed in some states, and those states have issued specific protections for facility operators. For example, in Tennessee the legislature allows this language to be included in the lease:
THE OWNER IS NOT LIABLE FOR IDENTITY THEFT OR OTHER HARM RESULTING FROM THE MISUSE OF INFORMATION CONTAINED IN A DOCUMENT OR ELECTRONIC STORAGE MEDIA (I) THAT ARE PART OF THE OCCUPANT’S PERSONAL PROPERTY SOLD OR OTHERWISE DISPOSED; AND (II) OF WHICH THE OWNER DID NOT HAVE ACTUAL KNOWLEDGE.
If the tenant is a business and they default, it is more likely than not that those records (of third-party customers, clients, or patients) will not be sold. Again, in some states the issue of business records stored at self-storage facilities has been considered and, as a result, commercial occupants are now required to disclose what they are storing. For example, in Nevada leases must contain the following notice:
STORING PROTECTED DOCUMENTS, FILES, OR ELECTRONIC DATA: If you are subject to mandatory licensing, registration, permitting, or other professional or occupational regulation by a government agency, board, or commission and the Protected Property to be stored is related to that profession or occupation, you are to provide written notice to that agency, board, or commission. It must state that you are storing Protected Property and identify the general type of Protected Property being stored at the facility. You will provide us with a copy of any written notice provided to any such agency, board, or commission. You MUST provide complete contact information for an alternate person if we are unable to reach you.
Certainly, no amount of effort will guarantee the protection of customer information. These privacy and identity issues have started to appear more often and seem to be inviting an increased risk of liability for storage operators. Part of the solution might simply be a greater investment in technology and training to prevent identity theft, but that doesn’t protect operators from all criminal activity. Regardless of the steps taken and legislative protections in place, this area seems poised to grow and to affect future business liabilities.
Thanks to Bob Baccus for asking this question! Until next month, happy storing!