Q. My co-op building’s property management company has an alarmingly bad habit of NOT taking all necessary precautions to protect highly sensitive and confidential shareholder information, like the information contained in sales closing documents, refinance applications, etc.—documents that clearly bear the shareholders’ or potential buyers’ proprietary, personal, identifying confidential information (DOB, SS#, driver’s license number, bank information, mortgage loan amount and loan number, etc.).
In most instances, these confidential documents were also not redacted before they were sent to public email addresses. This has been going on for two decades now!
I have brought this very serious privacy violation to the attention of my co-op board and the property management company as they have a fiduciary responsibility to protect shareholders from such risk exposure when handling sensitive and confidential information. I have also requested that a secure cyber portal be established and made accessible only to our property management company, and only via password, for the explicit delivery, exchange, review, and approval of confidential financial and sensitive information.
I have also requested that the management company remedy past and future cyber security confidentiality violations by providing shareholders with a lifetime identity theft package at their expense. However, the property management company is only willing to provide one year of identity theft coverage, citing that this is the “industry standard” in these situations. I strongly disagree, as I don’t think this offer is going to be sufficient to thoroughly protect a shareholder from identity theft risks for years to come.
I am seeking a legal expert opinion about this matter and feedback concerning if the provision of one year of identity-theft coverage is indeed the accepted and established “industry standard.” Finally, what should be the expectation of accountability on the part of both the co-op board and the property management company in this situation?
—Looking for Data Security
A. “There are two principal statutes in New York that establish data security obligations,” says Jay L. Hack, Esq., senior partner at the firm of Gallet, Dreyer & Berkey, LLP in Manhattan and head of the firm’s financial institutions practice. “First, there is the Security Breach Notification Act, adopted in 2005, which requires that companies that hold protected computerized data notify the subjects of the data if someone has improperly accessed the data. In 2019, in recognition of the limited protection offered by the 2005 statute, the legislature adopted the Stop Hacks and Improve Electronic Data Security (SHIELD) Act, which imposed an affirmative obligation to implement data security programs on companies that collect information on New York residents.
“Not all information is protected by these laws. The law only protects ‘private information,’ which generally includes (i) a number or code that can be used to access a financial account, (ii) biometric data that is used to ascertain the individual’s identity; or (iii) a username or email address plus a password or security question and answer that would permit access to an online account. The fact that John offered to buy Unit 5A for $950,000 is not, by itself, a fact that the law protects, even though it may be a secret. Trade secrets, annual income levels, mortgage loan amounts, and similar information are not protected, even though the subject of the information may want to keep it secret.
“Since the SHIELD Act became effective in 2020, any person or business that owns computerized data which includes private information of a resident of New York must have reasonable safeguards to protect the security, confidentiality, and integrity of the information. The safeguards should include administrative, technical, and physical safeguards to protect the information.
“However, the SHIELD Act does not create a ‘private right of action’ that allows private citizens to sue for a violation of the law. Although the New York Attorney General has the right to enforce the law and assert a claim against a company that does not maintain appropriate information security safeguards, private individuals do not have a claim under the SHIELD Act merely because safeguards are not maintained. A private individual may have a claim if he or she can prove actual damage, but even that is debatable. For example, a resident of a co-op or condominium cannot force a managing agent or the board to provide identity theft protection simply to remedy prior weak information security procedures.
“Even though there is no private right of action for violating the SHIELD Act, we strongly recommend that all companies that have private information implement a best practices program to maintain a good reputation, maintain customer relationships, preserve goodwill, and promote good relations. The wrongful release of protected information can easily destroy decades of goodwill. The recommendations we have provided include, among others:
• Consult with your information technology professionals to develop a risk-based assessment of what data you maintain and how it may be exposed to wrongful release.
• A company cannot be sued for the wrongful release of data that it did not have in the first place. Companies should only collect information that they really need. Does the company really need a complete tax return? If not, why ask for a tax return and keep it in a file just waiting to be stolen?
• Information should be available to, and distributed only to, people who need to know the information. Do co-op board members really need an unredacted application with the applicant’s social security number and credit card number? No. Distributing that information is a mistake.
• Should unencrypted personal data be distributed so that it is kept on unsecure cell phones or laptops? Of course not. Ten years ago, encryption and self-destruct software were not conveniently available, or were too slow. However, that is no longer the case. Secure portals are available that allow board members access to information when they need it, but that do not allow the information to be saved onto unsecure mobile devices. Managing agents should investigate the extent to which such systems can be implemented in a cost-effective manner to protect all clients.
• Companies should all adopt a formal document retention and destruction policy that requires the secure disposal of documents and electronic information once they are no longer legally required to be retained. Excess information and documents should be destroyed on a regular basis in accordance with that policy. The destruction policy should be content-neutral and should be implemented consistently so that no one can argue that it was a ruse to destroy compromising information.”
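As an added illustration of the redaction and need-to-know points above (this is example code, not the column's or the firm's), a small Python pre-distribution check that masks the identifier patterns the letter writer lists before a document is emailed. The patterns and the sample memo are constructed here and would need tuning to the documents a managing agent actually handles.

```python
import re

# Constructed, illustrative patterns for identifiers the letter lists
# (SSN, DOB, bank/loan numbers). Each has a named group "secret" holding
# the value to mask. Tune these to the documents you actually handle.
PATTERNS = {
    "SSN": re.compile(r"\b(?P<secret>\d{3}-\d{2}-\d{4})\b"),
    "DOB": re.compile(
        r"\b(?P<secret>(?:0[1-9]|1[0-2])/(?:0[1-9]|[12]\d|3[01])/(?:19|20)\d{2})\b"
    ),
    # account / loan numbers introduced by a keyword, so plain dollar figures
    # (which the column notes are not "private information") are left alone
    "ACCOUNT": re.compile(
        r"(?i)\b(?:acct|account|loan)\s*(?:no\.?|number|#)?\s*:?\s*(?P<secret>\d{6,17})\b"
    ),
}


def redact(text):
    """Return (redacted_text, findings); findings is a list of (label, value)."""
    findings = []
    out = text
    for label, pattern in PATTERNS.items():
        def mask(m, label=label):
            secret = m.group("secret")
            findings.append((label, secret))
            # keep the last four digits so the recipient can still match records
            return m.group(0).replace(secret, "[REDACTED %s ...%s]" % (label, secret[-4:]))
        out = pattern.sub(mask, out)
    return out, findings


def safe_to_send(text):
    """True only if no identifier pattern is found in the document."""
    return not redact(text)[1]


# Constructed sample closing memo of the kind the letter describes
SAMPLE = (
    "Purchase application for Unit 5A, offer $950,000\n"
    "Applicant: Jane Doe, DOB 04/12/1985\n"
    "SSN: 123-45-6789\n"
    "Mortgage loan number: 4401234567\n"
    "Wire to Acct No. 987654321012\n"
)

if __name__ == "__main__":
    cleaned, found = redact(SAMPLE)
    print("blocked: %d identifiers found" % len(found) if found else "ok to send")
    print(cleaned)
```

The offer price survives untouched, matching the column's point that such facts are not "private information" under the statute, while the SSN, DOB and account numbers are masked.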