The thieves managed to steal more than $2 million before they got caught. They did it through identity theft and financial fraud, with the help of insiders at a major New York City bank, a charity, a car dealership, and a property management company that services co-ops and condominiums. The 55 people who were eventually indicted ranged from bankers to Brooklyn street gang members to a compliance officer at the property management company. During the course of the investigation by the Manhattan district attorney’s office, two of the gang members were brutally murdered. Identity theft has begun to give Breaking Bad a run for its bloody money.
Surprisingly few co-op and condo boards or their property managers treat personally identifiable information (PII) with the care it deserves. Social Security, bank account, and credit card numbers, plus email addresses and passwords, are all things criminals can exploit.
“I can unequivocally say people don’t appreciate how significantly a security breach can affect property, residents, and the board,” says Sandy Jacolow, who oversees technology initiatives at a real estate brokerage and investment firm, the Meridian Capital Group.
For those who still fail to grasp the significance of a data breach, Jay Hack, a banking lawyer at Gallet, Dreyer & Berkey, has a blunt piece of advice: “Wake up.”
Another New Law Is Coming
The wake-up call will come in March 2020, when New York State’s Stop Hacks and Improve Electronic Data Security (SHIELD) law goes into effect. SHIELD requires all businesses handling personally identifiable information – including co-op and condo boards – to implement reasonable administrative, technical, and physical data safeguards. If they fail to comply and identities are compromised, they can face fines, investigations, and lawsuits. Under current laws, the maximum fine for failing to notify those affected by a data breach is $100,000; under SHIELD, the number will balloon to $250,000. And enforcement is expected to be more stringent.
“At a minimum, SHIELD makes data security a legal issue with liability and penalties for lack of protocol, non-compliance, and any breach,” says Jim Brune, chief executive at boardpackager.com, an internet-based provider of secure record-keeping.
“It is now a compliance issue – not just awareness,” says Zhixiong Chen, a professor of cybersecurity at Mercy College in Dobbs Ferry. “It means that co-op and condo boards have to work on best practices on data collection, storage, and retrieval. It is time to do reconnaissance on existing data storage, decide what kind of data are necessary for boards, and what kind of safeguards and auditing is needed. Boards can develop their own data protection and breach notification process, or they may seek solutions provided by various vendors using cloud to distribute or offload risks.”
Step by Step
The first step boards and their management companies should take is a top-to-bottom assessment. “You have to know what you’re protecting and where your protected data is stored,” says Alan Winchester, head of the cybersecurity practice group at the law firm of Harris Beach. “Boards have to know if their management company uses a processor, a third-party service that holds their information.”
Many management companies use such third-party vendors to store and protect personal data. The Ferrara Management Group, for instance, has used Yardi Systems since Ferrara was founded in 2013. “All paper purchase applications are automatically uploaded into the system, and then the paper is shredded,” says Robert Ferrara, president. Equal care is taken with vendors’ W-9 tax forms and residents’ Social Security and bank account numbers, and other personal data. “Yardi has a secure website,” Ferrara says. “We haven’t seen any breaches against them.”
Another property manager, speaking on condition of anonymity, uses B.J. Murray management software with stringent security measures, including dual authentication that allows employees to access personal data only on office computers, using a user name and password plus a physical access key. Employees cannot access data outside the office. “You don’t know what employees have on their laptops and iPads,” says the president of the company, “that can get into a secure system. And if an employee goes onto a public WiFi network, that can be hacked.”
Ben Kirschenbaum, vice president and general counsel at FirstService Residential, restricts all PII-viewing to “a secure website that doesn’t leave anything on the [user’s] device.” Files cannot be copied to printers, outside computers, or thumb drives. When physical application packages are used, they arrive bound in shrink-wrap and are collected and cross-cut shredded after the meeting.
The mandated safeguards come in three forms: administrative, technical, and physical. Once the board has determined where its data is stored, the next step is to have an administrator – most likely an employee of the management company or a third-party vendor – coordinate the security program. This administrator or security officer must select service providers capable of securing data and make sure those security measures are required under contract. “The administrator has to identify foreseeable risks,” says Winchester, the Harris Beach lawyer. “Management companies need to train their employees on the procedures that protect the data. They might need to hire a security provider. This is new. New York State is saying that if you’re going to collect information, you have to take reasonable steps to protect it.”
Technical safeguards require the administrator to assess risks in network and software design, as well as risks in the processing, transmission, and storage of data. The administrator must detect and respond to attacks or system failures, and regularly test and monitor the effectiveness of controls. Technical safeguards include encryption, two-factor authentication, firewalls, and locking an account after repeated use of an errant password. “This is over most people’s heads,” Winchester says, “and most boards will probably need someone to help them do it.”
And finally, physical safeguards include preventing unauthorized people from accessing data, then erasing electronic data within a reasonable amount of time after it is no longer needed so that it can’t be read or reconstructed. Even copying machines come into play here. Many of today’s copiers have hard drives that store every scanned image – which become accessible if the copier is traded for a newer model.
Realizing this risk, Dawn Lombardo, the controller at the Ferrara Management Group, took preemptive steps. “We changed our copier three months ago,” Lombardo says. “Joe Rodriguez, my assistant and our IT guru, worked with someone from the manufacturer, Toshiba, who had software that wiped the hard drive before the copier left the building.”
Once the safeguards are in place, though, the work is not done. Jacolow of the Meridian Group says boards should be prepared to ask – and keep asking – tough questions. Are computer patches installed regularly? Are “penetration” tests conducted to check for weaknesses? Have potential security holes been found and repaired? How often can the board expect updates about the system’s health? In short, what happens at every level to ensure safety?
As Winchester puts it: “The board is going to want to see evidence from the management company that they’re doing what they say they’re doing.”
After a Breach
As we learned long ago from the movies, no system is truly fail-safe. Breaches will continue to occur. When a co-op’s or condo’s personal data is compromised, the SHIELD law demands prompt action and, as noted earlier, imposes stiff penalties for failure to notify people affected by a breach. And cyberinsurance, increasingly common for co-op and condo boards and virtually universal in management companies, should not be regarded as a get-out-of-jail card. Compliance with the law is essential. “If you break the law,” says one property manager, “insurance companies won’t cover you.”
Adds Hack, the banking attorney: “If the management company has done what it’s supposed to do and is breached despite appropriate efforts, there’s not a lot of risk of liability. But if they were sloppy, the board could be liable for all damages ‘proximately caused’ by the attack, plus, of course, the cost of removing any virus that has infected the system.”
Following a suspected incursion, the security officer must first locate and contain the incident. “Offer corrective measures to secure the breach, which include running virus and malware scans on all potentially affected computers,” advises Jacolow.
Edward Mackoul, president of Mackoul Risk Solutions, says many buyers of cyberinsurance are now adding ransom coverage. As criminals become more sophisticated, they’re able to wipe out backed-up data before locking down a computer and making a ransom demand. Since a $1,000 policy will buy $1 million worth of coverage, Mackoul says, “there’s no reason why every board shouldn’t have a cyberinsurance policy.”
The faster the compromised device or program is pinpointed and disconnected from other devices and networks, the less costly the remedy. A single ransomware attack, still rare in real estate, can cost a business “$30,000 to investigate, another $30,000 to get help walking through the laws and rules, and tens of thousands more to notify everyone and correct the issues,” according to Stephen Bedosky, vice president of York International, an insurance brokerage.
Once an attack is confirmed, victims must be notified. The message should explain exactly what happened, which files were compromised, how soon systems will be operational, and what corrective steps victims can take – with the board’s help. Normally, they are given access to an identity protection provider, as well as ongoing coaching to help rebuild their compromised identities.
“The simple advice for boards,” says Kirschenbaum of FirstService, “is to recognize your security needs, understand the sensitivity of the information, and pretend it’s your own PII that you have to protect.”