Your records may mostly be electronic these days, but you still need to keep safe, comprehensive records for all of your rental units.
When applying to rent an apartment, potential tenants entrust landlords with a lot of personal information. They provide a social security number. They authorize you to perform a credit check and a background check. They offer proof of income in the form of paystubs, bank statements or benefits letters. It’s your job to ensure those records are handled properly, and stored or destroyed safely.
The state of Massachusetts agrees. State code 201 CMR 17, Standards for the Protection of Personal Information of Residents of the Commonwealth, details exactly how paper and electronic records containing personal information must be handled. These are “minimum standards,” and you may wish to do more.
These laws apply to anyone who handles a Massachusetts resident’s personal information. Even if your applicant is from out of state, once they rent your unit, they’re Massachusetts residents, so follow the law for all applicants.
What is Personal Information?
According to 201 CMR 17, personal information is a Massachusetts resident’s first and last name (or first initial and last name) in conjunction with any of the following pieces of data:
- Social Security number;
- driver’s license or state-issued identification card number; or
- a financial account or credit/debit card number, regardless of whether you have passwords or personal identification numbers (PINs) to access the account.
Personal information does not include anything you can legally obtain from publicly available information, including any federal, state or government records that are legally publicly available.
As a landlord, you will likely have all that information about your tenant, and then some.
What Does Safe and Comprehensive Recordkeeping Mean for Landlords?
Keeping tenant-related records secure is important, of course, but so is making sure that you have all the information you’re supposed to. In Massachusetts, you are required to keep the following records:
- rental agreement/lease;
- applicant qualifier for all applications (including rejected applications);
- rent roll (document that allows you to see what rents are due and what rents have been collected);
- prior statements reflecting security deposit withholdings;
- all correspondence, including dates and times of phone calls and records of texts and emails; and
- your written information security plan (see below).
This information is important to have for all tenants, even prospective ones. For instance, a potential renter is entitled to see the statement of withholding from the previous tenant’s security deposit upon request, so it’s important to have that on hand.
How Long Should I Store Information?
A common question is, how long do I need to keep tenant (and potential tenant) information? Some may say five or seven years. But the truth is, you need to hang onto those records for an indefinite period of time.
You never know when a potential, current or former tenant could come back to you with a dispute. For example, the statute of limitations for a tenant to bring a lawsuit against a landlord under the Consumer Protection Act is four years.
Then there are tax audits to consider. The IRS states they don’t “usually” go back more than six years if they audit you. You can see how quickly all that information can add up over the years, especially if you have many rental units. It’s a best practice to electronically store records indefinitely. Scan and electronically back up any paper records you may have and store them securely and indefinitely as well.
How Do I Keep Tenant Information Secure?
For the information you must retain, 201 CMR 17 requires you to develop and follow a written information security plan (WISP). This plan should detail exactly how you will safeguard your tenants’ records. We have an example of one of these WISP forms as part of our membership content; you may download it and tailor it to your needs.
What Should My Information Security Plan Include?
Some things to consider: who has access to these records? Paper records should be kept in locked cabinets in a secure location. However, you may find that very few of your records are physical anymore. Most of your data may be electronic.
Electronic records should not simply be stored on a laptop, which could be lost or stolen, compromising your tenants’ privacy. Instead, electronic data should be encrypted. Encryption essentially “codes” this information in such a way that it cannot be read without the correct decryption key or password.
Your security plan should also detail how you are keeping on top of changes in technology and recordkeeping laws; our form proposes one hour of review or training annually for you and anyone else who may be working with your landlord records. If you are storing records on a computer with internet access (almost a foregone conclusion these days), make sure you have firewall protection and that your security settings are current (don’t ignore system updates).
Finally, your computer that holds others’ personal information should always be password protected (and don’t write your password down and keep it by the computer).
If your properties are handled by a rental property manager or management company, make sure they have their own measures in place for keeping personal data secure.
Secure recordkeeping is serious business. Every year, companies are sued for preventable data breaches. In March, a Mansfield company that offers background checks had four class action lawsuits filed against it for alleged negligence surrounding private information. In 2011, someone stole an unencrypted laptop issued by the property management company Maloney Properties. The laptop, which had been left overnight in an employee’s car, contained personal information for hundreds of Massachusetts residents. Attorney General Martha Coakley fined Maloney Properties Inc. $15,000, even though the company said it had no evidence that the information was accessed or used. And, in 2017, Massachusetts was the first state to sue Equifax after a hacking incident exposed millions of people’s personal information.