Cybersecurity Protocol Checklist
Endpoint & Network Security
Catalog every laptop, leasing-office iPad, self-showing tablet (Tenant Turner, Showdigs, Rently), and on-call phone that opens AppFolio, Buildium, or Yardi or stores screening reports. Personal devices used for work email count — they're the most common gap.
Tour prospects, contractors waiting in the lobby, and self-showing visitors should never share the network with the workstation running the PMS. Confirm the SSID for staff is WPA2/WPA3 with a rotating credential and the guest SSID has client isolation enabled.
AppFolio, Buildium, and Yardi run in the browser, so an outdated Chrome or Edge is the realistic attack surface, not the OS. Confirm Windows Update / macOS updates and browser auto-update are on for every machine in the inventory above.
BitLocker on Windows, FileVault on macOS. A leasing laptop with downloaded screening reports (consumer reports under FCRA) and ID scans is a reportable breach if lost unencrypted.
Access Control & Identity
AppFolio, Buildium, Yardi, and your screening provider all support MFA. Owner-payout fraud and rent-diversion fraud almost always start with a stolen PMS password — MFA on accounting and principal accounts is the single highest-leverage control here.
Leasing agents do not need the owner-banking screen. Maintenance does not need screening reports. Accounting does not need smart-lock admin. Map each PMS role to a job function and remove the defaults that grant more.
Confirm every staff departure this quarter had PMS, email, smart-lock codes (Latch, RemoteLock, August), and self-showing tech access revoked within one business day. A leasing agent who left Friday cannot have access Monday — this is the single most common audit finding.
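A quarterly access review that reconciles the three items above (MFA on accounting and principal accounts, role scope versus job function, and revocation within one business day of departure) against per-system account exports. This is an added example, not AppFolio, Buildium, Yardi or any lock vendor's code: the employees, systems, screen names and the least-privilege baseline are all constructed, and a real review would read the exports from each system's CSV rather than from inline dictionaries.

```python
"""Quarterly access review, reconciling an HR roster against per-system
account exports. Added example; not any vendor's code. All employees, systems
and screen names below are constructed."""
from datetime import date, timedelta

# Assumed least-privilege baseline: the screens each job function needs.
# Anything granted beyond this is an excess permission to remove.
JOB_BASELINE = {
    "leasing": {"applicants", "screening_reports", "showings"},
    "maintenance": {"work_orders", "smart_lock_codes"},
    "accounting": {"tenant_ledgers", "owner_statements", "owner_banking", "disbursements"},
    "principal": {"applicants", "screening_reports", "tenant_ledgers", "owner_statements",
                  "owner_banking", "disbursements", "work_orders", "smart_lock_codes"},
}
# Job functions whose accounts must have MFA enabled on every system.
MFA_REQUIRED = {"accounting", "principal"}

# Constructed HR roster: employee -> (job function, departure date or None if current).
HR_ROSTER = {
    "alice": ("leasing", None),
    "bob": ("accounting", None),
    "carol": ("leasing", date(2024, 3, 15)),     # left on a Friday
    "dave": ("maintenance", date(2024, 3, 12)),  # left on a Tuesday
}

# Constructed account exports: system -> accounts as exported from that system.
ACCOUNT_EXPORTS = {
    "pms": [
        {"user": "alice", "active": True, "mfa": True,
         "screens": {"applicants", "screening_reports", "showings", "owner_banking"}},
        {"user": "bob", "active": True, "mfa": False,
         "screens": {"tenant_ledgers", "owner_statements", "owner_banking", "disbursements"}},
        {"user": "carol", "active": True, "mfa": True,
         "screens": {"applicants", "screening_reports", "showings"}},
        {"user": "erin", "active": True, "mfa": True, "screens": {"showings"}},
    ],
    "smart_locks": [
        {"user": "carol", "active": True, "mfa": True, "screens": set()},
        {"user": "dave", "active": False, "mfa": True, "screens": set()},
    ],
}

REVIEW_DATE = date(2024, 3, 19)


def revocation_deadline(departed: date) -> date:
    """Access must be gone by the end of the first business day after departure.
    Weekends are skipped; public holidays are ignored in this example."""
    deadline = departed + timedelta(days=1)
    while deadline.weekday() >= 5:  # 5 = Saturday, 6 = Sunday
        deadline += timedelta(days=1)
    return deadline


def review_access(roster, exports, as_of: date):
    """Return sorted (finding, system, user, detail) tuples for the review date."""
    findings = []
    for system, accounts in exports.items():
        for acct in accounts:
            user = acct["user"]
            if user not in roster:
                findings.append(("orphan_account", system, user, "no matching HR record"))
                continue
            job, departed = roster[user]
            if not acct["active"]:
                continue  # already disabled; nothing further to check
            if departed is not None and as_of > revocation_deadline(departed):
                findings.append(("stale_access", system, user,
                                 f"departed {departed}, deadline {revocation_deadline(departed)}"))
                continue  # the account should not exist; role and MFA are moot
            if job in MFA_REQUIRED and not acct["mfa"]:
                findings.append(("mfa_missing", system, user, f"{job} accounts require MFA"))
            for screen in sorted(acct["screens"] - JOB_BASELINE.get(job, set())):
                findings.append(("excess_permission", system, user, screen))
    return sorted(findings)


if __name__ == "__main__":
    for finding in review_access(HR_ROSTER, ACCOUNT_EXPORTS, REVIEW_DATE):
        print(*finding, sep="\t")
```

Run on the constructed data for 19 March it reports the Friday leaver still active in both the PMS and the lock system, the accounting user without MFA, the leasing agent who can see owner banking, and an account with no HR record at all. The orphan-account case is worth keeping: an account nobody can tie to a current employee is the one most likely to survive offboarding.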
Resident & Owner Data Protection
TransUnion SmartMove, Experian RentBureau, and RentPrep outputs are FCRA consumer reports. They live in encrypted storage in the tenant file — not in the leasing inbox, not on a desktop folder, not in shared Dropbox without per-folder access controls.
The FACTA Disposal Rule requires shredding paper consumer reports and securely wiping electronic copies once retention ends. Confirm with counsel how long your firm holds reports for denied applicants vs. signed leases — most firms land at 2-5 years post-decision.
AppFolio and Buildium back up the SaaS side. What you need to verify is the local export — rent roll, owner statements, tenant ledgers, vendor 1099 data — and that you can actually restore from it. Pull last month's backup and open it.
Incident Response Readiness
The plan must list state breach-notification timelines for every state where you operate (most are 30-60 days; some require AG notice above a threshold). Name who calls counsel, who calls the cyber insurance carrier, who notifies residents and owners.
Walk through a simulated PMS lockout with the operations lead, accounting, and IT. Rent collection halts, the tenant portal is offline, and an owner is asking why the disbursement didn't run. Document the gaps and update the plan.
If an incident occurred this quarter, determine whether SSN, DOB, financial account numbers, driver's license images, or screening reports were accessed. The answer drives state breach-notification obligations — answer conservatively with counsel.
Notification content, timing, and AG-copy thresholds vary by state. Coordinate with counsel before any letter goes out — premature or off-template notifications create their own liability. Capture proof of mailing for every affected resident and owner.
Staff Security Training
The standard scam is a fake owner email asking accounting to redirect the next disbursement to a new bank account. Train accounting that any banking-change request is verified by phone using the number on the W-9 in the file — never the number in the email signature.
Use KnowBe4, Hoxhunt, or your IT provider's tool. Capture the click rate per office and per role. Repeat clickers get a one-on-one debrief, not a punitive note — the goal is reporting behavior, not zero clicks.
A one-click Report Phish button in Outlook or Gmail routing to IT. Staff need to know reports go to IT (not their direct manager) and that false alarms carry zero penalty — under-reporting is the failure mode, not over-reporting.
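A scorecard for the simulation and reporting items above: click rate and report rate per office and per role, the repeat clickers who get a debrief, and the staff who have never used the Report Phish button, which is the under-reporting the last item warns about. Added example, not KnowBe4, Hoxhunt or any provider's reporting; the campaign rows are constructed, and a real run would load the provider's per-recipient export instead.

```python
"""Phishing-simulation scorecard: click and report rates per office and per
role, plus the two lists worth a one-on-one. Added example; not any
provider's code. Rows below are constructed."""
from collections import defaultdict

# Constructed export: one row per recipient per campaign. "reported" means the
# user pressed the Report Phish button, whether or not they clicked first.
RESULTS = [
    {"campaign": "2024-Q1", "user": "alice", "office": "north", "role": "leasing", "clicked": True, "reported": False},
    {"campaign": "2024-Q1", "user": "bob", "office": "north", "role": "accounting", "clicked": False, "reported": True},
    {"campaign": "2024-Q1", "user": "carol", "office": "south", "role": "leasing", "clicked": True, "reported": True},
    {"campaign": "2024-Q1", "user": "dave", "office": "south", "role": "maintenance", "clicked": False, "reported": False},
    {"campaign": "2024-Q2", "user": "alice", "office": "north", "role": "leasing", "clicked": True, "reported": False},
    {"campaign": "2024-Q2", "user": "bob", "office": "north", "role": "accounting", "clicked": False, "reported": True},
    {"campaign": "2024-Q2", "user": "carol", "office": "south", "role": "leasing", "clicked": False, "reported": True},
    {"campaign": "2024-Q2", "user": "dave", "office": "south", "role": "maintenance", "clicked": False, "reported": False},
]


def rates_by(rows, key):
    """Click rate and report rate grouped by `key` ("office" or "role")."""
    tally = defaultdict(lambda: {"sent": 0, "clicked": 0, "reported": 0})
    for r in rows:
        t = tally[r[key]]
        t["sent"] += 1
        t["clicked"] += int(r["clicked"])
        t["reported"] += int(r["reported"])
    return {
        k: {"sent": t["sent"],
            "click_rate": round(t["clicked"] / t["sent"], 2),
            "report_rate": round(t["reported"] / t["sent"], 2)}
        for k, t in sorted(tally.items())
    }


def repeat_clickers(rows, min_campaigns=2):
    """Users who clicked in at least `min_campaigns` distinct campaigns; they get a debrief."""
    clicked_in = defaultdict(set)
    for r in rows:
        if r["clicked"]:
            clicked_in[r["user"]].add(r["campaign"])
    return sorted(u for u, c in clicked_in.items() if len(c) >= min_campaigns)


def never_reported(rows):
    """Users who have not pressed Report Phish in any campaign, clicker or not."""
    users = {r["user"] for r in rows}
    reporters = {r["user"] for r in rows if r["reported"]}
    return sorted(users - reporters)


if __name__ == "__main__":
    for key in ("office", "role"):
        print(key, rates_by(RESULTS, key))
    print("repeat clickers:", repeat_clickers(RESULTS))
    print("never reported:", never_reported(RESULTS))
```

Note that the south office and the north office have the same report rate but different click rates, and that one user who clicked in the first campaign reported in the second: report rate is the number that tells you the training is working, so track it beside click rate rather than instead of it.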
Vendor & Software Risk
Tier 1 — handles SSN, financial accounts, or screening reports (PMS, screening provider, payment processor, e-sign). Tier 2 — handles names and contact only (listing syndication, marketing). Tier 3 — no resident data (office supplies, IT hardware). The tier sets the review depth for the rest of this section.
AppFolio, Buildium, Yardi, TransUnion SmartMove, and Stripe publish SOC 2 Type II reports under NDA. Request annually, scan for exceptions in the access-control and incident-response sections, and note any carve-outs that affect your data.
Any plumber, electrician, or make-ready vendor with a tenant-portal login or work-order-system access needs MFA enabled, a signed NDA covering resident data, and a current general liability and workers' comp COI naming the property as additional insured.
Pull the contract renewal calendar. For Tier 1 vendors, do not auto-renew without a refreshed security questionnaire and confirmation that the SOC 2 scope still covers your data flows.
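The tiering rule and the renewal gate from this section, as a script that assigns each vendor a tier from the data classes it handles and then lists every Tier 1 renewal inside the review window that is missing a current SOC 2 report or security questionnaire. Added example, not the page's or any vendor's tooling; the vendor records, dates and the assumed 12-month evidence age limit are constructed placeholders, and a real run would read the contract calendar and vendor register instead.

```python
"""Vendor tiering and renewal gate. Added example; not the page's or any
vendor's code. Vendor names, dates and data classes are constructed."""
from datetime import date, timedelta

# Data classes that put a vendor in Tier 1 (SSN, financial accounts, screening
# reports) and Tier 2 (names and contact details only). Anything else is Tier 3.
TIER1_DATA = {"ssn", "financial_account", "screening_report"}
TIER2_DATA = {"name", "email", "phone"}
# Assumed policy: SOC 2 report and security questionnaire refreshed at least annually.
MAX_EVIDENCE_AGE = timedelta(days=365)

# Constructed vendor register. Dates are the latest SOC 2 report received under
# NDA and the latest completed security questionnaire; None means never obtained.
VENDORS = [
    {"name": "pms", "data": {"ssn", "financial_account", "name"}, "renewal": date(2024, 6, 15),
     "soc2_report_date": date(2023, 3, 1), "questionnaire_date": date(2024, 1, 10)},
    {"name": "screening", "data": {"ssn", "screening_report"}, "renewal": date(2024, 5, 20),
     "soc2_report_date": date(2024, 2, 1), "questionnaire_date": date(2023, 2, 1)},
    {"name": "payments", "data": {"financial_account", "name"}, "renewal": date(2024, 12, 1),
     "soc2_report_date": date(2024, 2, 1), "questionnaire_date": date(2024, 2, 1)},
    {"name": "listing_syndication", "data": {"name", "email", "phone"}, "renewal": date(2024, 5, 10),
     "soc2_report_date": None, "questionnaire_date": None},
    {"name": "office_supplies", "data": set(), "renewal": date(2024, 7, 1),
     "soc2_report_date": None, "questionnaire_date": None},
]
AS_OF = date(2024, 5, 1)


def vendor_tier(data_classes):
    """Tier 1 if any sensitive class is handled, Tier 2 for contact data only, else Tier 3."""
    if data_classes & TIER1_DATA:
        return 1
    if data_classes & TIER2_DATA:
        return 2
    return 3


def tier_report(vendors):
    """Vendor name -> tier, for the register."""
    return {v["name"]: vendor_tier(v["data"]) for v in vendors}


def renewal_blockers(vendors, as_of, window_days=90):
    """Tier 1 renewals due within the window that must not auto-renew.
    Returns (vendor, evidence, age_in_days_or_None) for each missing or stale item."""
    blockers = []
    horizon = as_of + timedelta(days=window_days)
    for v in vendors:
        if vendor_tier(v["data"]) != 1 or not (as_of <= v["renewal"] <= horizon):
            continue
        for evidence in ("soc2_report_date", "questionnaire_date"):
            when = v[evidence]
            if when is None:
                blockers.append((v["name"], evidence, None))
            elif as_of - when > MAX_EVIDENCE_AGE:
                blockers.append((v["name"], evidence, (as_of - when).days))
    return blockers


if __name__ == "__main__":
    print(tier_report(VENDORS))
    for vendor, evidence, age in renewal_blockers(VENDORS, AS_OF):
        print(f"{vendor}: {evidence} is {'missing' if age is None else f'{age} days old'}")
```

Tier 2 and Tier 3 vendors pass through the gate untouched, which is the point of tiering: review depth follows the data the vendor can see, so the listing syndicator with no SOC 2 report is not a finding while the screening provider with a year-old questionnaire is.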
