State's New SHIELD Law Tightens Security of Personal Data

New York State's new Stop Hacks and Improve Electronic Data Security (SHIELD) law goes into effect this month. If a co-op or condo's personally identifiable information – Social Security and bank account numbers, email addresses and passwords, and more – is compromised, the SHIELD law demands prompt action and imposes stiff penalties for failure to notify people affected by a breach. And cyberinsurance, increasingly common for co-op and condo boards and virtually universal in management companies, should not be regarded as a get-out-of-jail card. Compliance with the law is essential. “If you break the law,” says one property manager, “insurance companies won’t cover you.”

Adds Jay Hack, a banking attorney at Gallet Dreyer & Berkey: “If the management company has done what it’s supposed to do and is breached despite appropriate efforts, there’s not a lot of risk of liability. But if they were sloppy, the board could be liable for all damages ‘proximately caused’ by the attack – plus, of course, the cost of removing any virus that has infected the system.”

Following a suspected incursion, the security officer must first locate and contain the incident. “Offer corrective measures to secure the breach, which include running virus and malware scans on all potentially affected computers,” advises Sandy Jacolow, who oversees technology initiatives at the brokerage and investment firm, the Meridian Capital Group.

Edward Mackoul, president of Mackoul Risk Solutions, says many buyers of cyberinsurance are now adding ransom coverage. As criminals become more sophisticated, they’re able to wipe out backed-up data before locking down a computer and making a ransom demand. Since a $1,000 policy will buy $1 million worth of coverage, Mackoul says, “there’s no reason why every board shouldn’t have a cyberinsurance policy.”

The faster the compromised device or program is pinpointed and disconnected from other devices and networks, the less costly the remedy. A single ransomware attack, still rare in real estate, can cost a business “$30,000 to investigate, another $30,000 to get help walking through the laws and rules, and tens of thousands more to notify everyone and correct the issues,” according to Stephen Bedosky, vice president of York International, an insurance brokerage.

Once an attack is confirmed, victims must be notified. The message should explain exactly what happened, which files were compromised, how soon systems will be operational, and what corrective steps victims can take – with the board’s help. Normally, they are given access to an identity protection provider, as well as ongoing coaching to help rebuild their compromised identities.

“The simple advice for boards,” says Ben Kirschenbaum vice president and general counsel at FirstService Residential, “is to recognize your security needs, understand the sensitivity of the information, and pretend it’s your own personal data that you have to protect.”