Protecting tenant screening information requires a multi-layered approach that controls who can access the data, encrypts sensitive details, verifies all requests before sharing, and ensures proper disposal when the information is no longer needed. Tenant screening reports contain some of the most sensitive personal information available—social security numbers, credit scores, criminal history, and eviction records—making them high-value targets for identity thieves and fraudsters. In 2023, a property management company in Ohio mistakenly emailed tenant screening reports to the wrong recipient, exposing the personal information of over 300 tenants before the error was discovered. This incident, which is far from unique, illustrates how quickly sensitive screening data can be compromised through inadequate controls.
The stakes for inadequate protection are significant. Stolen tenant screening information can be used to commit identity fraud, obtain credit in someone else’s name, or simply sold on the dark web. Beyond the immediate harm to tenants, landlords and property managers who fail to protect this data face potential liability, regulatory fines, and reputational damage. The challenge is that tenant screening information must be accessible enough for legitimate business purposes—landlords need to review reports, share findings with co-owners, and respond to tenant inquiries—while remaining secure enough to prevent unauthorized access and theft.
Table of Contents
- WHAT TENANT SCREENING DATA IS AT RISK AND WHO NEEDS IT?
- ENCRYPTION AND DATA STORAGE VULNERABILITIES
- CONTROLLING ACCESS AND VERIFYING REQUESTS FOR INFORMATION
- SECURE TRANSMISSION AND HANDLING PRACTICES
- COMMON VULNERABILITIES IN TENANT SCREENING DATA HANDLING
- TENANT RIGHTS AND LEGAL OBLIGATIONS
- EMERGING THREATS AND THE SHIFT TOWARD PASSWORDLESS SECURITY
- Conclusion
WHAT TENANT SCREENING DATA IS AT RISK AND WHO NEEDS IT?
Tenant screening information encompasses far more than just a credit report. A complete screening package typically includes a credit report, criminal background check, eviction history, employment verification, and rental payment history from previous landlords. This data is gathered and compiled by tenant screening companies, which act as intermediaries between landlords and the various databases and repositories that contain tenant information. Once compiled, the report is sensitive enough that federal law regulates its handling under the Fair Credit Reporting Act (FCRA), which means landlords have specific legal obligations around how they use, share, and store this information.
The people who legitimately need access to tenant screening information are more limited than many assume. The landlord and property management company conducting the screening obviously need it, as do co-owners or partners in the rental property business. In some cases, a leasing agent or property manager handling tenant communications may need to reference specific details. However, accountants, maintenance staff, contractors, and administrative assistants typically do not need full access to screening reports, yet many organizations share this information too broadly. A common mistake is storing all tenant screening reports in a shared folder that everyone in the office can access, rather than restricting access to the specific individuals who actually review and make decisions based on the information.

ENCRYPTION AND DATA STORAGE VULNERABILITIES
The most common way tenant screening information is compromised is through poor storage practices. Many landlords and property managers still keep physical copies of screening reports in unlocked filing cabinets, leave printed reports visible on desks, or store digital copies in unencrypted folders on network drives or personal computers. If a tenant screening report is stored as an unencrypted PDF on a work laptop, anyone who gains access to that laptop—whether through theft, hacking, or physical access—can view all the personal information within it. Encryption scrambles the data so it’s unreadable without the correct password or decryption key, but encryption is only effective if applied consistently. The limitation of encryption is that it protects data when it’s stored or in transit, but not while it’s being actively used.
An unencrypted email containing a tenant screening report is theoretically encrypted in transit by the email provider’s servers, but the moment it’s downloaded and opened, it becomes vulnerable again. This is why many tenant screening companies recommend using secure file transfer systems rather than email for sharing sensitive reports. Additionally, encryption keys themselves must be managed carefully. If the encryption key is stored in the same location as the encrypted data, or if it’s written down on a sticky note, the encryption provides false security. Organizations that implement encryption without also implementing proper key management often discover they’ve created a false sense of security while making their data harder to access legitimately.
CONTROLLING ACCESS AND VERIFYING REQUESTS FOR INFORMATION
Limiting who can access tenant screening information is foundational to protecting it. This begins with a clear written policy that specifies exactly which roles and individuals within your organization have access to full screening reports. A property manager responsible for day-to-day operations might need access, while the bookkeeper calculating rental income does not. Once access is restricted, it should be logged—whenever someone accesses a file containing screening information, that access should be recorded so you can later identify if someone accessed information they shouldn’t have or if an unusual pattern of access suggests a breach. The second critical control is verifying all requests for information before sharing it.
Tenant screening reports should never be shared with third parties without first verifying who is requesting the information and confirming they have a legitimate need. A tenant requesting their own screening report is straightforward—they have the right to see it, though often they should be directed to request it from the screening company itself rather than you. But if a prospective landlord or employer requests a former tenant’s screening information, you need to verify that the request is legitimate and that the tenant has authorized it. Many scams begin with a phone call or email impersonating a legitimate business, asking for screening information. A simple verification step—calling the known phone number of the requesting business or asking for written authorization from the tenant—can prevent exposure of sensitive information to fraudsters.

SECURE TRANSMISSION AND HANDLING PRACTICES
When tenant screening information must be shared, the method of transmission matters significantly. Email is convenient but inherently insecure—once sent, you have no control over where that information goes or how long it remains accessible. Many email accounts have been hacked, compromised accounts can be accessed for years without the owner knowing, and accidental email recipients can easily forward sensitive information to others. Secure file transfer services, by contrast, allow you to control who can access a file, set expiration dates for access, track who has downloaded the file, and revoke access at any time. Some services require the recipient to authenticate with a password or two-factor code, adding another layer of security.
The tradeoff with secure file transfer is that it requires more setup and is less convenient than email. Recipients must navigate to a link, possibly create an account, and authenticate before accessing the information. This friction sometimes leads people to fall back on email as a workaround, defeating the security measures altogether. Some organizations solve this by making secure file transfer the default for initial requests and screening reports, while using email only for internal discussion of screening results that doesn’t include the full report itself. This approach balances security with practicality. Additionally, when handling physical copies of screening reports—the original documents received from the screening company or printouts—they should be stored in a locked cabinet, not left on desks or in common areas, and should be shredded rather than simply discarded when no longer needed.
COMMON VULNERABILITIES IN TENANT SCREENING DATA HANDLING
One of the most overlooked vulnerabilities is the retention and deletion of old screening reports. Many organizations keep tenant screening reports indefinitely, storing years of files on old computers, backup drives, or cloud services. Older systems are more likely to be breached, forgotten about until they’re already compromised, or accessed by new employees who don’t know the information is supposed to be confidential. A clear data retention policy—for example, storing screening reports for only two years after a tenant moves out—reduces the amount of vulnerable data in your possession and simplifies compliance with privacy regulations. The limitation here is that short retention periods can be inconvenient if you need to reference information from a tenant’s screening years later, such as to verify their rental history if they apply to rent again. You’ll need to weigh this convenience against the security benefit of keeping less sensitive data around.
Another common vulnerability is the use of weak or shared passwords to access systems containing screening information. If your tenant management software or cloud storage account is protected by a password that multiple staff members know and share, a compromise of that password means the system has been compromised to everyone who uses that password. Shared passwords also eliminate accountability—if information is misused, you can’t determine who did it. Modern practice calls for individual accounts for each staff member, with strong, unique passwords, and multi-factor authentication enabled so that even if a password is compromised, an attacker cannot access the system. Many smaller landlord operations resist this level of security as unnecessary complexity, but this is precisely the gap that makes them attractive targets. A breach affecting a small property management company affects far fewer people than a breach at a major corporation, so breach recovery is often faster, and attackers know that smaller organizations are less likely to have strong defenses or notice intrusions quickly.

TENANT RIGHTS AND LEGAL OBLIGATIONS
Tenants have specific rights regarding their own screening information under the Fair Credit Reporting Act. They have the right to request a copy of their screening report from the company that conducted it and from you as the landlord using it. They also have the right to dispute information in the report if they believe it’s inaccurate. As a landlord, you have an obligation to inform tenants that a screening report was used in the rental decision and to provide information about the company that conducted the screening. If a tenant is denied housing based on the screening, you must provide them with a copy of the report and a clear statement of the reason for denial.
Violating these FCRA requirements can result in both regulatory penalties and civil liability. More broadly, state and local data privacy laws increasingly require notification of breaches, and some jurisdictions have specific requirements for how rental screening information must be handled. For example, some states require that screening information be destroyed within a certain timeframe, while others allow longer retention. Ignorance of these requirements is not a legal defense. Landlords and property managers should review the specific requirements in their state and locality and ensure their data handling practices comply.
EMERGING THREATS AND THE SHIFT TOWARD PASSWORDLESS SECURITY
Tenant screening information is increasingly being targeted by sophisticated cybercriminals because it contains multiple data points that can be combined for identity theft—a name, address, social security number, employment history, and financial information. As the value of this data increases, the methods used to steal it grow more sophisticated. Phishing attacks targeting property managers and landlords are becoming more common, with scammers posing as vendors, co-owners, or screening companies to trick staff into sending sensitive files. Similarly, the growing sophistication of ransomware attacks—where criminals encrypt an organization’s files and demand payment for the decryption key—poses an increasing threat to anyone storing large collections of sensitive tenant data.
The direction of security best practices is moving toward passwordless authentication, biometric verification, and continuous monitoring to detect unusual access patterns. These advanced measures require investment and ongoing management but provide stronger protection than traditional password-based systems. For many small and mid-sized landlord operations, the practical starting point is addressing the most basic vulnerabilities—restricting access, enabling encryption, verifying requests, and implementing a clear data retention and deletion policy. These foundational measures address the majority of real-world breach scenarios without requiring extensive technical infrastructure.
Conclusion
Protecting tenant screening information is not a one-time fix but an ongoing commitment to limiting access, encrypting data, verifying requests, and maintaining clear policies around handling and disposal. The most effective approach combines technical controls—encryption, secure file transfer, access logging—with organizational practices and staff training. Tenant screening reports contain information sensitive enough that it’s a target for identity theft and fraud, yet common enough in property management that it’s easy to become complacent about protecting it. A single incident of exposed screening information can harm tenants, expose landlords to liability, and damage reputation in a competitive rental market.
The practical path forward is to start by auditing how screening information is currently stored and shared, identifying the largest vulnerabilities, and implementing controls to address them. This might begin with restricting access to necessary staff, moving away from email for sharing reports, and establishing a clear policy for how long screening information is retained. These steps don’t require expensive technology—they require clear thinking about the data you possess, why you possess it, and who genuinely needs to see it. Tenant screening information, handled carefully, is a legitimate business tool. Handled carelessly, it’s a liability waiting to be discovered.
