There are two separate issues that need to be addressed when discussing security for customers’ personal information in the self-storage business. The first is how tenant’s information is protected when held by the operator and the second involves what responsibilities an operator has relating to records stored by a tenant in their rented storage unit.
As for the first, most Operators are working very hard to secure the customer information they use for their businesses such as social security numbers and home addresses. However, in order to succeed, Operators must first understand how personal information flows into, through, and out of their business, including who gets the information, how it is used, where it is stored, and who has access to the information from both inside and outside the business. There should be a security plan in place, not only as to how paper documents are kept but also how electronic data is stored. Operators should consider using methods of encryption, verifying secure connections for their online transactions, enhancing their password management protections, installing stronger firewalls, and developing employee training on the issue of data breach and identity theft. Certainly, when it comes to online financial transactions (credit or debit card payments), facilities need to work with their merchant services providers to make sure their systems are PCI-compliant and otherwise meet the federal requirements to protect their customers’ private information. Lastly, Operators should have a clear plan of how personal records are to be disposed of, including the destruction of old computers and the shredding of paper files.
As for a tenant’s own unit, typically if an individual tenant defaults on their rent and their property is sold via the landlord’s lien rights, that individual tenant loses any expectation of privacy they may have had regarding the property (and records) that they stored. In other words, if they don’t pay their rent and their property is sold, they are assuming the risk that any private information contained in their property could be compromised. This specific issue has been addressed in some states and those states have issued specific protections for facility operators. For example, in Tennessee the legislature allows this language to be included in the lease:
THE OWNER IS NOT LIABLE FOR IDENTITY THEFT OR OTHER HARM RESULTING FROM THE MISUSE OF INFORMATION CONTAINED IN A DOCUMENT OR ELECTRONIC STORAGE MEDIA (I) THAT ARE PART OF THE OCCUPANT’S PERSONAL PROPERTY SOLD OR OTHERWISE DISPOSED; AND (II) OF WHICH THE OWNER DID NOT HAVE ACTUAL KNOWLEDGE.
If the tenant is a business and they default, it is more likely than not that those records (of third-party customers, clients, or patients) will not be sold. Again, in some states the issue of business records stored at self-storage facilities has been considered and, as a result, commercial occupants are now required to disclose what they are storing. For example, in Nevada leases must contain the following notice:
STORING PROTECTED DOCUMENTS, FILES, OR ELECTRONIC DATA: If you are subject to mandatory licensing, registration, permitting, or other professional or occupational regulation by a government agency, board, or commission and the Protected Property to be stored is related to that profession or occupation, you are to provide written notice to that agency, board, or commission. It must state that you are storing Protected Property and identify the general type of Protected Property being stored at the facility. You will provide us with a copy of any written notice provided to any such agency, board, or commission. You MUST provide complete contact information for an alternate person if we are unable to reach you.
Certainly, no amount of effort will guarantee the protection of customer information. These privacy and identity issues have started to appear more often and seem to be inviting an increased risk of liability for storage operators. Part of the solution might simply be a greater investment in technology and training to prevent identity theft, but that doesn’t protect operators from all criminal activity. Regardless of the steps taken and legislative protections in place, this area seems to be at the brink of growth to impact future business liabilities.
Thanks to Bob Baccus for asking this question! Until next month, happy storing!