Published in MANN REPORT
President and CEO,
Matthew Adam Properties, Inc.
We read about it daily. Whether it’s a political campaign, bank, corporation, department store or municipal government, computer hacking is a major crime issue. To combat its growth and force corporations to take appropriate steps to protect their data and that of individuals, New York State passed the Stop Hacks and Improve Electronic Data Security (SHIELD) law, which went into effect March 1, 2020. With the laser-like focus on the outbreak and spread of Covid-19, attention to this law has been pushed down in our priorities, though it is in effect.
Included in the corporations covered are co-ops and condos, which are now subject to stricter penalties and fines. It is incumbent on every board and management company in the city to actively take steps to comply. This includes establishing procedures to protect the data, selecting an administrator to oversee and implement the program (whether it is the managing agent or an outside service), and reviewing insurance policies to be certain there is sufficient cybersecurity coverage. At Matthew Adam Properties, we work with third-party vendors to administer the cybersecurity of the buildings we manage.
As we have learned, even the most sophisticated computer systems are vulnerable to attacks. Having a basic security program and firewall doesn’t do the trick.
The law requires all businesses handling personally identifiable information to implement reasonable administrative, technical, and physical data safeguards. Failure to comply, if information is compromised, can lead to fines, investigations, and lawsuits. Previously, the maximum fine for failing to notify those affected by a data breach was $100,000; under the new law the number balloons to $250,000. And enforcement is expected to be more stringent.
Until now, real estate systems have not been prime targets of hackers. But the systems of co-ops and condos can be a rich lode for criminals, with detailed information including social security numbers and bank accounts as well as credit history and financial statements. Included in the information to be protected are security codes, access codes, usernames and passwords, and even biometric information such as fingerprints, voice prints or ocular images: in effect, any information that would permit criminals to gain access to individual accounts or information.
The first step to comply is to review what data is stored, what procedures are in place to safeguard it (are there hard copies that must be destroyed?) and what safeguards are needed.
The SHIELD law mandates the implementation of a data security program and requires the business (co-op or condo) to include measures such as risk assessments, workforce training and incident response planning and testing.
Steps should be taken to limit access to data to office computers and to keep information off laptops or tablets that can be taken offsite and used in public Wi-Fi areas.
Other areas in the security program include establishing technical safeguards to assess networks, software design, information processing, transmission and storage and measures to detect, prevent and respond to incursions. Businesses of fewer than 50 employees and less than $3 million in gross revenues in the last three fiscal years or less than $5 million in total assets may scale their program based on the size and complexity, the scope of activities and the nature of the information collected.
If the information is disclosed either intentionally or unintentionally, the organization must provide expeditious notices to any individuals affected. This can be done through written or electronic (such as email) notice, or via phone.
With the possibility of expensive litigation and costs if there is a breach, boards should explore adding cybersecurity insurance, which can drastically reduce exposure. Such insurance, which is not expensive, can cover hiring an attorney to defend against lawsuits as well as costs to notify potentially affected parties.
Other expenses that can be covered include crisis management to set up a call center to provide information on specific questions, paying the cost for credit monitoring for those affected, and public relations to assist the co-op, condo or management company to rebuild its reputation. The insurance will also help cover the cost of fines. Compliance with the law is essential; without it, insurance companies may not cover the losses.
As technology becomes increasingly complex and criminals more sophisticated in their ability to hack systems, it is essential that boards not only follow the dictates of the new law, but also explore what additional steps may be necessary to protect the valuable information the co-op or condo possesses.