The New York State SHIELD Act Becomes Effective March 21: Is Your Board in Compliance?

Cozen O'Connor
Contact

Cozen O'Connor

In the midst of the coronavirus pandemic when more condo and coop board business is being conducted electronically than ever before, the Stop Hacks and Improve Electronic Data Security Act (SHIELD Act) will go into effect on March 21, 2020.

The SHIELD Act mandates organizations and businesses implement and maintain an information security protocol to safeguard the security, confidentiality, and integrity of New York state residents’ private information. While there are more flexible standards for small businesses with fewer than 50 employees that generate less than $3 million per year in gross revenue, small businesses are still required to implement a reasonable security program appropriate for the size and complexity of their business that collects private information on New York state residents, which includes cooperatives, condominiums and managing agents.

The SHIELD Act expanded the definition of “personal information” to include not only identifying information such as an individual’s name and address but biometric information and an individual’s user name, email address, or identification number in combination with a password. If a data breach occurs, the SHIELD Act also requires a business to communicate directly with the people who have been affected by the breach and also to inform public authorities. The SHIELD Act has increased the the maximum fine for failing to notify those affected by a data breach from a maximum of $150,000 to $250,000.

Application packages related to the transfer, lease, or mortgage of a unit in a cooperative or condominium contain a significant amount of sensitive personal information such as credit reports, financial statements, tax returns, and driver’s licenses. Personal information about building employees must also be safeguarded. Such employee personal information includes, but is not limited to, an employee ID number, fingerprints, access codes, social security numbers, phone numbers, or a username or email address in combination with a password or security question and answer that would allow access to an online account information. Accordingly, boards and managing agents need to review what procedures they have in place to safeguard such information from a potential cybersecurity breach.

The best way to ensure compliance with the SHIELD Act is for boards to develop a written cybersecurity plan and breach notification process and follow it. Alternatively, boards should consult with counsel to determine whether they should engage a vendor specializing in cybersecurity solutions to divert their risks to a third-party. At a minimum, the following recommendations should be implemented into the cybersecurity plan:

  1. Managing agents should redact protected data before it is circulated to the board for review.
  2. Limit personal information that is circulated to the board for its review, if any.
  3. Private personal information viewed by a board member, superintendent, or other building employee on his or her private computer should be immediately deleted following review. No downloading of such information.
  4. Implement a web-based document and information management system, such as BuildingLink, that will store personal information about a building’s residents and employees without the need for management and the building’s employees to store such information locally on their computers.
  5. Develop strict guidelines restricting building employees, such as the superintendent, resident manager or concierge, from using the building’s computers for personal use including logging on to their personal email accounts.
  6. Add a provision to a building’s management agreement requiring the managing agent be compliant with the SHIELD Act and ensuring that a cybersecurity plan is in place for the condominium or cooperative.

The SHIELD Act does not create any private right of action for violations. However, it is expected that the attorney general’s enforcement is expected to be more rigorous following March 21, 2020.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Cozen O'Connor | Attorney Advertising

Written by:

Cozen O'Connor
Contact
more
less

Cozen O'Connor on:

Reporters on Deadline

"My best business intelligence, in one easy email…"

Your first step to building a free, personalized, morning email brief covering pertinent authors and topics on JD Supra:
*By using the service, you signify your acceptance of JD Supra's Privacy Policy.
Custom Email Digest
- hide
- hide

This website uses cookies to improve user experience, track anonymous site usage, store authorization tokens and permit sharing on social media networks. By continuing to browse this website you accept the use of cookies. Click here to read more about how we use cookies.