Sue Treiman and Bill Morris in Board Operations on February 7, 2020
Cybersecurity experts agree that surprisingly few co-op and condo boards or their property managers treat personally identifiable information (PII) with the care it deserves. Social Security, bank account, and credit card numbers, plus email addresses and passwords, are all things criminals can exploit.
“I can unequivocally say people don’t appreciate how significantly a security breach can affect property, residents, and the board,” says Sandy Jacolow, who oversees technology initiatives at the Meridian Capital Group, a real estate brokerage and investment firm.
For those who still fail to grasp the significance of a data breach, Jay Hack, a banking lawyer at Gallet, Dreyer & Berkey, has a blunt piece of advice: “Wake up.”
The wake-up call will come in March 2020, when New York State’s Stop Hacks and Improve Electronic Data Security (SHIELD) law goes into effect. SHIELD requires all businesses handling personally identifiable information – including co-op and condo boards – to implement “reasonable” administrative, technical, and physical data safeguards. If they fail to comply and identities are compromised, they can face fines, investigations, and lawsuits. Under current laws, the maximum fine for failing to notify those affected by a data breach is $100,000; under SHIELD, the number will balloon to $250,000. And enforcement is expected to be more stringent.
“At a minimum, SHIELD makes data security a legal issue with liability and penalties for lack of protocol, non-compliance, and any breach,” says Jim Brune, chief executive at boardpackager.com, an internet-based provider of secure record-keeping.
“It is now a compliance issue – not just awareness,” says Zhixiong Chen, a professor of cybersecurity at Mercy College in Dobbs Ferry, New York. “It means that co-op and condo boards have to work on best practices on data collection, storage, and retrieval. It is time to do reconnaissance on existing data storage, decide what kind of data are necessary for boards, and what kind of safeguards and auditing is needed. Boards can develop their own data protection and breach notification process, or they may seek solutions provided by various vendors using cloud to distribute or offload risks.”
Whichever course boards decide to pursue, they need to remember that, as of next month, data security is no longer optional; it will be required by state law.