What real estate can learn from Zappos cyber attack

Department of Justice LogoZappos, a division of Amazon focused on online shoe sales announced that their customer database of 24 million customer records was hacked over the weekend. Fortunately, the credit card database was not accessed.

This is a huge problem for Zappos. They will now need to go through a process of getting all 24 million customers to update their password, and notify each user that their username and password have been stolen.

The implications of this hacker stealing this information is far reaching. Many consumers use a familiar username and password for accessing commonly used websites. If you have ever set up an account on Zappos – you may have a problem if you did not use a unique password. Be sure to pick a new commonly used password and update it everywhere.

Agents, brokers, and MLSs collect a lot of “personally identifiable information” on consumers and store that information on cell phones, laptops, and in databases.  If you loose your cell phone or laptop or get hacked yourself, you are legally responsible to follow the Incident Response Procedures for Data Breaches Involving Personally Identifiable Information.

What is Personally Identifiable Information and what to do in the event of a breach.

Personally Identifiable Information includes First or Last Name, Country, State, or City of Residence, Age, Gender, Race, Workplace or School, Grades, salary or job position.

Here is a general outline of what you do if you loose information.

  1. Report the Actual or Suspected Data Breach to the Department of Justice.
  2. The Department of Justice will rate the severity of the incident, its potential harm to consumers.
  3. Companies follow the advise of the Department of Justice which may involve
    1. Notification to Customers
    2. Notification of Law Enforcement
    3. Notification of Banks
    4. Set up a help line
    5. Credit Monitoring
    6. Complete a Federal Trade Commission ID Threat Affidavit

For a complete understanding of the nightmare that will result from getting hacked, you can read this 23 page document from the DOJ here (https://docs.google.com/viewer?url=http://www.justice.gov/opcl/breach-procedures.pdf&pli=1)

Steps to avoid these issues:

  1. Secure all devices and software with passwords
  2. Require that passwords be 8 digits or more, case sensitive and alpha-numeric
  3. Use secure online solutions for customer data base management (CRM Solutions Here)
  4. Use online document solutions (Document Management Solutions Here).
  5. Have your corporate attorney insure that you have placed the correct disclaimers limiting your responsibility on your website and in your representation agreements with consumers.
  6. Include information about securing consumer information in your agent contractor agreements and employee handbook.
  7. Train employees and contractors on keeping data safe.


  1. Michael Audet January 17, 2012 at 3:21 am - Reply

    Great article and advice. I recently went through this problem with a company that involved “my” confidential information and the steps they had to take were quite involved, including providing me with free credit monitoring. This actually alerted me to the fact that someone had subscribed to Internet services using my name and ID for almost 10 years and was only caught when they didn’t pay their last bill…pretty weird right? I had to jump through a few hoops to get that cleaned up but the point is, companies need to understand this is a real danger and anything they can do to insure it won’t happen is good advice.

  2. Steve Wede January 17, 2012 at 3:33 pm - Reply

    Some very good information! Proper disclaimers and Terms of Use/Service are essential to help limit your liability. A Terms of Use/Service should include, in part, use restrictions, a liability disclaimer, and a section on maintaining the confidentiality of usernames and passwords.

    Also, the beginning of the new year is a good time to take a look at your Employee Handbook and update those policies regarding the use of mobile devices inside and outside of the office. Depending on the situation, you might not want an employee snapping pictures around the office, or plugging their mobile device into their desktop computer “just to charge it.” Also, more information than ever is being carried around in your pocket and a lot that information can be very sensitive information. Now is a good time to take a look at how that information secured and accessed.

Leave A Comment

This site uses Akismet to reduce spam. Learn how your comment data is processed.