Sue Treiman and Bill Morris in Board Operations on February 25, 2020
New York State’s Stop Hacks and Improve Electronic Data Security (SHIELD) law goes into effect in March. The law requires all businesses handling personally identifiable information (PII) – including co-op and condo boards – to implement reasonable administrative, technical, and physical data safeguards. If they fail to comply and identities are compromised, they can face fines, investigations and lawsuits. And enforcement is expected to be stringent.
The first step boards and their management companies should take is a top-to-bottom assessment. “You have to know what you’re protecting and where your protected data is stored,” says Alan Winchester, head of the cybersecurity practice group at the law firm Harris Beach. “Boards have to know if their management company uses a processor, a third-party service that holds their information.”
Many management companies use such third-party vendors to store and protect personal data. The Ferrara Management Group, for instance, has used Yardi Systems since Ferrara was founded in 2013. “All paper purchase applications are automatically uploaded into the system, and then the paper is shredded,” says Robert Ferrara, president. Equal care is taken with vendors’ W-9 tax forms and residents’ Social Security, bank account numbers and other personal data. “Yardi has a secure website,” Ferrara says. “We haven’t seen any breaches against them.”
Another property manager, speaking on condition of anonymity, uses B.J. Murray management software with stringent security measures, including dual authentication that allows employees to access personal data only on office computers, using a user name and password plus a physical access key. Employees cannot access data outside the office. “You don’t know what employees have on their laptops and iPads that can get into a secure system,” says the president of the management company. “And if an employee goes onto a public WiFi network, that can be hacked.”
Ben Kirschenbaum, vice president and general counsel at FirstService Residential, restricts all PII-viewing to “a secure website that doesn’t leave anything on the [user’s] device.” Files cannot be copied to printers, outside computers, or thumb drives. When physical application packages are used, they arrive bound in shrink-wrap and are collected and cross-cut shredded after the meeting.
The mandated safeguards come in three forms: administrative, technical, and physical. Once the board has determined where its data is stored, the next step is to have an administrator – most likely an employee of the management company or a third-party vendor – coordinate the security program. This administrator or security officer must select service providers capable of securing data and make sure those security measures are required under contract. “The administrator has to identify foreseeable risks,” says Winchester, the Harris Beach lawyer. “Management companies need to train their employees on the procedures that protect the data. They might need to hire a security provider. This is new. New York State is saying that if you’re going to collect information, you have to take reasonable steps to protect it.”
Technical safeguards require the administrator to assess risks in network and software design, as well as risks in the processing, transmission, and storage of data. The administrator must detect and respond to attacks or system failures, and regularly test and monitor the effectiveness of controls. Technical safeguards include encryption, two-factor authentication, firewalls, and locking an account after repeated use of an errant password. “This is over most people’s heads,” Winchester says, “and most boards will probably need someone to help them do it.”
And finally, physical safeguards include preventing unauthorized people from accessing data, then erasing electronic data within a reasonable amount of time after it is no longer needed so that it can’t be read or reconstructed. Even copying machines come into play here. Many of today’s copiers have hard drives that store every scanned image – which becomes accessible if the copier is traded for a newer model.