Your co-op or condo unit houses more than your material possessions. The management office also typically contains detailed information about you—including your social security number, credit card number, emergency information, phone number and many other important documents relevant to your security.
And that information is worth a lot of money to hackers—or anyone interested in using the content of your private files to their advantage.
Locking it Down
With more and more information and day-to-day business functions being handled online, the safety and security of users' personal data and privacy has become a major concern for everyone—and that includes property managers and board members.
And while identity theft is a growing business, New York has enacted laws to make sure your information doesn’t leave the management company’s computers or offices. In September 2006, New York Governor George Pataki created the New York Social Security Number Protection Law, which places limits on the use of social security numbers—and imposes strict penalties on any company that doesn’t protect the social security numbers that they’re responsible for safeguarding.
Laws such as the New York Social Security Number Protection Law were enacted to protect you, and they’re applied to all non-governmental bodies—including individuals, corporations, and partnerships. Before you hire a management company for your co-op or condo, you should figure out a plan of action to protect your building’s personal information, and make sure you know the 411 on how and why this information can be stolen.
The New York Social Security Number Protection Law hasn’t completely wiped out identity theft, as criminals will always be out there.
“It’s my understanding that there are people who still sell Social Security numbers, credit card numbers and other personal information that they hack off the computer,” says Stephen Elbaz, president of Esquire Management Corporation in Brooklyn, a management company specializing in co-ops and condos in Brooklyn, Manhattan and Queens. “They can buy those numbers for 50 cents each, and the online theft of personal information is causing bank losses in the billions per year.”
In 2008, a whopping 134 million credit card numbers were stolen via Heartland Payment Systems, when hackers injected spyware onto their data systems to monitor their credit card transactions.
As recently as March 2011, 40 million employee records were stolen from RSA Security when an e-mail containing malware was sent to some employees. It installed a remote tool that gave the hacker access to the security company’s computers, and they got access to all the data.
And in April 2011, 77 million PlayStation Network accounts were hacked, giving unprecedented access to unencrypted credit card numbers, full names, passwords, addresses, e-mails and purchase history.
“It’s a huge problem,” says John O’Keefe, CEO of ITelagen, an information technology and security company based in Jersey City that helps management companies, buildings and other large corporations protect their data. “Back in 2002, before I started this company, I was CEO of a software company. Our internal website was hacked, and they put up a terrorism page. It was eye opening for me and the company back then.”
Protecting the Personal
While O’Keefe’s website was hacked due to anti-American sentiment, there could be a huge range of reasons why people attack companies’ computers, O’Keefe says.
Sometimes, it’s to get access to social security numbers, credit card numbers and other personal information. But more than 50 percent of the hackers are from China, the Middle East and other areas around the world, he says, and they use smaller companies’ computer systems as platforms to hack into bigger companies.
“A lot of times, they’re just trying to bring systems down,” O’Keefe says.
The big issue for property management companies and co-op and condo boards is to simply keep everyone’s information safe. But sometimes, it’s harder than it sounds. It requires passwords, locked safes and other measures to keep the rest of the world out.
Elbaz says his property management firm has password-protected computers to make it as difficult as possible for hackers to get in. In addition, all of their physical files are kept in locked cabinets, and only a few people have access to them.
“Not only does this prevent hackers and crooks, but it also prevents any person in the management company from getting the information as well,” says Elbaz, who isn’t willing to take any risks, even amongst his own employees.
He tries to limit the number of people who know the passwords and who have the keys to the physical material. For example, the only person who has access to the payroll records, complete with social security numbers and addresses, is the human resources person, Elbaz says.
Other building management companies try to protect themselves by refusing to hold onto any important information.
Martin Laderman, CEO of MEM Property Management Corporation in Jersey City, takes security one step further. He says he doesn’t store any of the owners’ social security numbers in his office or even on his computer. He passes it all over to the banks, and makes sure that no trace of it is left with his company.
“The only thing we have is the unit owner’s license plate numbers, copies of the leases and emergency contact numbers,” Laderman says. He keeps that information on the computers, which are protected by multiple firewalls.
For the vendors’ information, Laderman says, he only keeps tax ID numbers, and the only people who can access those numbers are one account head and himself.
When the owners have to register their cars with the building so they can park in the garage, he asks for a copy of their driver’s licenses, but he tells the owners that they can scratch out their driver’s license number.
“We just need proof that they live there,” he says. “If we take a phone bill from them, they can block out all their private information. We just need the bill to prove that they live there.”
Sometimes, however, a property management company needs to transfer all of the owners’ information between offices when a building switches to a new management company. Getting the information to the new office without an outside hacker tapping into the private info is key.
Elbaz says he safeguards the information by waiting for the new management firm to physically pick up the boxes of records instead of shipping them.
Since Laderman stores the direct debit and other information with the bank, he leaves it up to the bank to do the transferring if they need to switch banks at all. The rest of the information, such as the blocked-out phone bills, is useless to outsiders, he says.
Once the information gets to the new company, or even if it’s staying with the old management firm, it’s important to get qualified people to safeguard it, Laderman says. His company uses a professional information technology firm to protect his company. “It’s not cheap but it’s the cost of doing business, like a telephone,” he says. “That’s our infrastructure, so we don’t play games with that.”
He uses ITelagen, which offers different protection packages, depending on the size of the company and their needs.
Laderman says he uses ITelagen to set up multiple firewalls, and to monitor the infrastructure 24 hours a day, seven days a week. He also has on-site backups and off-site backups in case of a fire or other tragedy.
ITelagen’s O’Keefe says that a basic security device for a small company doesn’t have to be expensive. The first thing he does when he’s hired by a management firm or other company is to set up basic security to protect them, such as a strong firewall. A basic firewall to protect their computers from hackers and other issues costs between $400 and $500, he says.
Sometimes, however, regardless of the best security systems and the best information technology teams, private information does get stolen.
At that point, there are a few things that could happen.
This summer, the Dutch government was hacked despite being guarded by DigiNotar, a U.S.-owned, Netherlands-based company providing digital security. The Dutch government had to shut down its computers and temporarily return to using paper documents and fax machines.
In June, hackers managed to get access to 1.5 percent of 24 million American credit-card accounts, which led to about $2.7 million in losses for 3,400 people.
At that point, says Elbaz, it’s time to “Sue, sue, sue.”
And while suing has become a standard rule of thumb these days, Laderman says it’s easier to simply refuse any information so you can’t be held responsible.
“We know that accidents happen,” he says. “That’s why we don’t ask for that information, and we don’t want it. It doesn’t even come into play. We do have a concern about privacy, and you don’t want your neighbors to know about your information either. Even if a buyer calls, and asks what’s due for the sellers, we don’t give out that information. All the information that we have will go directly to the unit owner. And we don’t e-mail it to them either—you have to be careful about e-mailing.”
Danielle Braff is a freelance writer and a frequent contributor to The Cooperator.