By Cyber Safe Security
If you’re a REALTOR®, protecting your clients’ personal information isn’t optional — it’s part of your professional obligation. The National Association of REALTORS® (NAR) has made this clear through its Code of Ethics, its Data Security and Privacy Toolkit, and its official cybersecurity guidance. And with data privacy enforcement ramping up across the country, the stakes have never been higher.
Here’s what NAR says every REALTOR® must do — and why it matters for your business.
1. Understand That Confidentiality Is a Code of Ethics Requirement
This isn’t just best practice — it’s built into the foundation of being a REALTOR®. NAR’s Code of Ethics explicitly acknowledges every member’s obligation to preserve the confidentiality of personal information provided by clients, both during and after the termination of the business relationship.
That means your duty to protect client data doesn’t end at closing. Social Security numbers, bank account details, driver’s license numbers, and financial records remain your responsibility long after the deal is done.
What this looks like in practice:
- Securing all client files, both digital and paper
- Limiting who in your office has access to sensitive client information
- Having a clear policy for how long client data is retained — and when it’s destroyed
2. Know the Laws That Apply to Your Business
NAR’s Data Security and Privacy Toolkit makes it clear: real estate professionals operate in a complex legal landscape with no single federal standard. Instead, state laws govern data security and privacy — and they vary significantly.
NAR warns that even if you’re based in a state without a comprehensive data privacy law, you can still be subject to another state’s law if you collect personal information from out-of-state clients. As more states enact comprehensive data privacy rules, this risk is growing.
What NAR recommends:
- Stay current on your state’s laws regarding personally identifiable information (PII)
- Work with a licensed attorney in your state to develop cybersecurity policies and materials
- Review your policies regularly as laws change
3. Build a Written Information Security Program
NAR’s Data Security and Privacy Toolkit follows the FTC’s five key principles for protecting personal information — and one of the most important steps is creating a formal, written data security program for your business.
This doesn’t have to be complicated, but it does need to exist. NAR recommends that your program address each of the five principles:
- Take Stock — Conduct an inventory of all the sensitive information your business collects: where it comes from, how it’s received, how it’s stored, and who has access to it.
- Scale Down — Only collect what you actually need. If you have information that’s no longer necessary, dispose of it securely.
- Lock It — Implement reasonable safeguards to protect data in both digital and physical form.
- Pitch It — Develop a document retention policy that specifies how long you keep data and how you properly destroy it when it’s no longer needed.
- Plan Ahead — Have a written data breach response plan so you know exactly what to do if something goes wrong.
4. Secure How You Share Sensitive Information
One of the most targeted points in a real estate transaction is the communication of sensitive financial information — particularly wire instructions. NAR’s cybersecurity checklist specifically addresses this.
NAR’s direct guidance:
- Use encrypted email, a transaction management platform, or a secure document-sharing program to share sensitive information — never standard unencrypted email alone
- Carefully guard login credentials to email and all other services used in the transaction
- Never communicate changes to wire instructions through email without independent phone verification
- Regularly purge your email account and archive important emails in a secure location
This is where wire fraud and Business Email Compromise (BEC) attacks happen. Following NAR’s guidance on secure communication is one of the most effective defenses available.
5. Warn Your Clients — In Writing
NAR doesn’t just recommend protecting data internally. It also recommends that REALTORS® proactively disclose cybercrime risks to their clients. In collaboration with your attorney, NAR advises developing a written disclosure that warns clients about the possibility of transaction-related cybercrime — particularly wire fraud.
NAR has even created a Wire Fraud Email Notice Template that members can adapt and add to their email signature lines as an ongoing reminder.
Why this matters: Proactive disclosure protects your clients and helps protect you from liability if fraud occurs. It also positions you as a professional who takes data security seriously — which is increasingly a competitive differentiator.
6. Review Your Insurance Coverage
NAR’s cybersecurity checklist includes a step that many REALTORS® overlook entirely: reviewing your current insurance coverage for cyber-related incidents.
NAR recommends asking your insurance agent specifically about:
- Cyber insurance policies
- Social engineering fraud endorsements
- Computer and electronic crime riders
Standard errors and omissions (E&O) policies typically do not cover wire fraud losses or data breaches. A separate cyber policy may be the only thing standing between your business and a financially devastating event.
7. Train Your Staff — And Keep Training Them
Having policies in place is only effective if the people in your office know them and follow them. NAR emphasizes that brokers have a responsibility to ensure that staff and licensees have reviewed and are actively following all implemented security policies.
Cybercriminals specifically target real estate offices because agents are busy, transactions move fast, and employees are often the weakest link. One well-timed phishing email to an untrained agent can compromise your entire office.
What good training covers:
- How to recognize phishing emails and social engineering attempts
- How to verify wire instructions before acting on them
- What to do — and who to call — if they suspect a breach
The Bottom Line: Compliance Is No Longer Optional
NAR’s message is consistent and clear: real estate professionals collect and handle some of the most sensitive financial data in any consumer transaction, and with that comes real legal, ethical, and financial responsibility.
Data privacy enforcement is accelerating. More states are enacting comprehensive laws. And the penalties — financial and reputational — for a breach are severe.
The good news is that you don’t have to figure this out alone.
At Cyber Safe Security, we specialize in helping real estate offices, title companies, and mortgage brokers in Orlando and across Florida build practical, affordable cybersecurity programs that align with NAR guidance and state law requirements. From written security policies to 24/7 monitoring and staff training, we make compliance manageable — so you can focus on serving your clients with confidence.
Contact us today to schedule a free consultation.
Cyber Safe Security | Orlando, FL | cybersafesecurity.net
Sources: NAR Cybersecurity Checklist: Best Practices for Real Estate Professionals; NAR Data Security and Privacy Toolkit (Updated April 2022); NAR Principles: Data Privacy and Security; NAR Window to the Law: Enforcement of Data Privacy Laws (June 2023)
