Is Your Company Compliant with Data Laws?

Welcome to the Real Estate Espresso podcast, your morning shot of what’s new in the world of real estate investing. I’m your host, Victor Menasce.

Now, on today’s show we’re talking about new data compliance regulations.

As real estate investors, we’re in business. That means we’re in business first and real estate second. All of the rules that apply in business apply to a real estate business as well.

We all know the basic principle that ignorance of the law is not an excuse for not following the law. And there are so many regulations and so many new regulations that as countries mature, the patchwork of legislation becomes more and more complex and often incomprehensible. There are numerous examples of laws that contradict one another.

Well, today we’re going to talk about data security in the context of artificial intelligence. If I walked up to virtually any real estate investor on the street and asked a simple question, chances are I would not get a good answer. The question would be…

I expect that most people would claim complete ignorance of the rules, let alone have any idea whether they’re in compliance or not. There’s no way you’re going to check whether a cloud-hosted software application is compliant if you don’t even know to ask the question.

The problem is that when you sign up for a particular service online, do you have any idea where the data is hosted? Where’s that data center that’s processing your requests? What other applications might be integrated with this application and where are those hosted?

Let me give you a simple example: if you’re using Spotify for your podcast, is the podcast hosted in Sweden, where the company’s headquartered, or maybe in the US, where you live?

If you’re using an AI tool like Mistral, which privacy, data and sovereignty laws would you need to comply with?

If you’re using DeepSeek for an AI search, is the data being sent to China?

If you’re traveling for work, and you’re on the beach in Mexico, which laws come into play? Are you violating the privacy of your clients if you take your computer with you on vacation outside of the country?

If the server hosting your data is outside the country, are you in violation of the law?

What if your business information system contains personal client records, like social security numbers, or banking information or passport information? What steps do you need to take to safeguard that data?

Now, in cases of data breaches, many courts have a history of looking at the steps you took to safeguard client data. If you took all the prudent steps, including multifactor authentication and data firewalls and encryption of sensitive data, then the courts have a track record generally of letting holders of the data off the hook. But if it can be shown that you did nothing besides maybe a simple eight-character password to prevent hackers from accessing client data, you could face some very severe penalties.

Now, just as an example, my wife’s company website was redesigned and launched last week. Within a day there were thousands of examples of the website facing assault from hackers. Now, fortunately the website contains no client information, but the email system was clogged with thousands of fraudulent messages between Saturday at midnight and Sunday afternoon. The vulnerability was a total rookie mistake and it sounds strange to blame the victim of the assault. The website was repaired, the vulnerability was patched up.

It’s an example of the kinds of events that are happening every second of every day on the internet. It’s not that hackers are sitting in rows of cubicles in India or Russia, or North Korea trying to hack your systems. These hacks are usually the result of autonomous agents that have been programmed to find vulnerabilities.

There are two main approaches to ensure that you’re compliant. One is to conduct a security audit of your company. And the second is to restrict your systems to use only those platforms that are already demonstrated to be compliant with the relevant standards or regulations.

It’s not enough to assume that software is compliant. Some systems state publicly that they’re compliant with the various global standards. But if you dig a little deeper, you’ll discover that they’re actually not. For example, a system might be compliant, but the way you’re using it and integrating it with other systems makes it non-compliant.

For example, let’s imagine that you’re using an AI chat interface. How do you know that you are not training a language model with confidential information that really needs to be protected?

Just in the past week, I’ve found numerous examples of documents and reports that are hidden behind a paywall and really should only be readable with a subscription to that service. Yet somehow, only days after publication, the major AI tools know all about the contents of these reports and they can construct a detailed summary of the contents. What was intended to be proprietary, confidential and protected isn’t really, because somehow an AI engine managed to learn all about it.

This is an example of one of the many ways that data privacy can be compromised in the world of AI. You don’t even need to be a victim of hacking to violate these laws. The technology is new, the cases are untested and it’s time to become aware. At least conduct a preliminary audit and set up some governance with a security specialist.

As you think about that, have an awesome rest of your day. Go make some great things happen. And we’ll talk again.
