In the midst of the coronavirus pandemic when more condo and coop board business is being conducted electronically than ever before, the Stop Hacks and Improve Electronic Data Security Act (SHIELD Act) will go into effect on March 21, 2020.
The SHIELD Act mandates organizations and businesses implement and maintain an information security protocol to safeguard the security, confidentiality, and integrity of New York state residents’ private information. While there are more flexible standards for small businesses with fewer than 50 employees that generate less than $3 million per year in gross revenue, small businesses are still required to implement a reasonable security program appropriate for the size and complexity of their business that collects private information on New York state residents, which includes cooperatives, condominiums and managing agents.
The SHIELD Act expanded the definition of “personal information” to include not only identifying information such as an individual’s name and address but biometric information and an individual’s user name, email address, or identification number in combination with a password. If a data breach occurs, the SHIELD Act also requires a business to communicate directly with the people who have been affected by the breach and also to inform public authorities. The SHIELD Act has increased the the maximum fine for failing to notify those affected by a data breach from a maximum of $150,000 to $250,000.
Application packages related to the transfer, lease, or mortgage of a unit in a cooperative or condominium contain a significant amount of sensitive personal information such as credit reports, financial statements, tax returns, and driver’s licenses. Personal information about building employees must also be safeguarded. Such employee personal information includes, but is not limited to, an employee ID number, fingerprints, access codes, social security numbers, phone numbers, or a username or email address in combination with a password or security question and answer that would allow access to an online account information. Accordingly, boards and managing agents need to review what procedures they have in place to safeguard such information from a potential cybersecurity breach.
The best way to ensure compliance with the SHIELD Act is for boards to develop a written cybersecurity plan and breach notification process and follow it. Alternatively, boards should consult with counsel to determine whether they should engage a vendor specializing in cybersecurity solutions to divert their risks to a third-party. At a minimum, the following recommendations should be implemented into the cybersecurity plan:
- Managing agents should redact protected data before it is circulated to the board for review.
- Limit personal information that is circulated to the board for its review, if any.
- Private personal information viewed by a board member, superintendent, or other building employee on his or her private computer should be immediately deleted following review. No downloading of such information.
- Implement a web-based document and information management system, such as BuildingLink, that will store personal information about a building’s residents and employees without the need for management and the building’s employees to store such information locally on their computers.
- Develop strict guidelines restricting building employees, such as the superintendent, resident manager or concierge, from using the building’s computers for personal use including logging on to their personal email accounts.
- Add a provision to a building’s management agreement requiring the managing agent be compliant with the SHIELD Act and ensuring that a cybersecurity plan is in place for the condominium or cooperative.
The SHIELD Act does not create any private right of action for violations. However, it is expected that the attorney general’s enforcement is expected to be more rigorous following March 21, 2020.