A breach of 111,000 Social Security numbers carries direct financial exposure through active class-action litigation, potential state attorney general enforcement action, and federal investigation interest, all running simultaneously. Real estate companies holding tenant PII face the same regulatory and legal liability as financial institutions when sensitive identity data is compromised, yet historically have not invested in equivalent security controls. Reputational damage compounds the financial risk: tenants have limited ability to change their Social Security numbers, making long-term identity fraud liability difficult to quantify and easy for plaintiffs' attorneys to argue.
You Are Affected If
Your organization operates in property management, real estate investment, or residential leasing and stores tenant SSNs, income verification data, or background check records
Remote access to your property management platform or internal file shares is not protected by multi-factor authentication
Your organization has not performed a data minimization review to confirm SSN retention is limited to legally required purposes and timeframes
Contractor or vendor accounts with access to PII repositories are not regularly reviewed, rotated, or offboarded promptly
Your incident response plan does not include a ransomware-specific playbook with defined notification timelines for state attorneys general and affected individuals
Board Talking Points
A ransomware group stole Social Security numbers for 111,000 people from a real estate company, triggering a federal class-action lawsuit and state attorney general action simultaneously — this is the litigation model now targeting property management firms holding tenant PII.
We should conduct an immediate review of where tenant Social Security numbers are stored, who can access them, and whether multi-factor authentication is enforced on every path to those systems, with the review completed within 30 days.
Companies that do not act before an incident face the same converging pressures JRK now faces: active litigation, regulatory scrutiny, and federal investigation interest with no clear resolution timeline.
GLBA — Tenant background screening and income verification processes may bring property management companies under FTC Safeguards Rule jurisdiction, which mandates written information security programs for covered financial data including SSNs
State Data Breach Notification Laws — Exposure of Social Security numbers for 111,000 individuals triggers mandatory notification obligations in every U.S. state; Connecticut AG engagement confirms enforcement is active
FTC Act Section 5 — Inadequate security controls protecting sensitive PII may constitute an unfair or deceptive trade practice under FTC authority, consistent with prior FTC enforcement actions in analogous breach contexts