Real estate information security is a big part of what I do for a living, consulting to MLSs around the country, so I'm sure I can provide some insight in this area. When it comes to real estate information, I divide the issue into three parts and use the analogy of a house to explain them.

First, there's the front door: login authentication - everyone knows where the front door is and how to go through it to get to the data. Two-factor authentication of some type - combined with robust reporting - is key. No security is perfect - it's always a balance of security and convenience; risk, cost, and effort.

Second, there's the back door: data distribution - if the front door is locked up tight but information is flying out the back door, out of control, that's a problem! Everyone knows about this door too, but it's very challenging to address the security of this door - it's not just a technical endeavor but involves policy and contracts as the starting point. I believe that the economic downturn and the resulting rush to syndicate listings has resulted in poor industry-wide strategy in this area. As a broker friend once said to me incredulously, "This is organized real estate?"

Third is the window: hacking - no one ever expects someone to break in through the window, but it happens in our industry - a lot. That keeps me on the road performing security assessments and otherwise helping organizations out - but it's always easier to deal with the issues before there has been an incident.  I wish more folks would call to get help with security before the animals were out of the barn...

Jim, the overall goal of strong authentication for real estate systems is to make it more difficult for people that are not supposed to have access to those system to get access to them. The MLS can not become a "public utility"! If your members don't understand the difference between the professional tools and professional-eyes-only information that is in the MLS system and an advertising site, you have your work cut out for you. I'm sure you realize that not only often sensitive commission and showing information is in the MLS, but increasingly also information about clients and, through integration with other systems such as transaction management systems and digital document management systems,  access to increasingly sensitive personal and  financial information - of the types covered by security breach  notification laws.

I can honestly talk for hours about security reporting ... I just don't think I can do it justice in this forum - but one thing is for sure, reporting alone doesn't get the security job done. Five years ago, intrusion detection systems (IDS) were all the rage, now everyone is talking about intrusion prevention systems (IPS).

I'm not against syndication, in terms of having efficient and accurate methods for putting listing data on the web, I just believe that our industry could be more strategic in where the information goes and under what conditions.

Evaluating the cost / risk / benefit of information security is something that every organization does, and will make business decisions about. It takes some doing - some real estate organizations have evaluated the problem for *years* before moving to secure their systems.

I know, you probably have many other questions and we could dive into any one aspect of what you have already asked much more extensively ... but this is a starting point.