The SHIELD Act What Boards & Property Managers Need to Know

Last summer, Governor Cuomo signed into law the Stop Hacks and Improve Electronic Data Security (SHIELD) Act, which requires all businesses and organizations in possession of electronic personal information about any resident of New York State to safeguard that information by March 21, 2020; the Act also expands requirements for reporting data breaches. 

Attorney Jay L. Hack of the Manhattan law firm Gallet Dreyer & Berkey, LLP regularly advises clients facing these issues, and says that co-ops and certain incorporated condominiums qualify as ‘businesses’ covered by this law, as well as its predecessors, the General Business Law and the State Technology Law. (Hack says that it could be argued that unincorporated condominiums are not covered, but certainly their managing agents are—and as custodians of the condo’s data, they must comply.)

The existing provisions under these laws already require organizations to protect certain types of personal information, but the SHIELD Act expands on those to include not only identifying information like name and address, but also “private” information such as biometric data; health information protected by the Health Insurance Portability and Accountability Act (HIPAA); and any account number, email address, or identification number and associated password, access code, security question and answer, or other secured access information.   

The Act also expands on the definition of a “breach.” Whereas previous laws determined that the unauthorized acquisition of protected data is considered a breach, the new law defines a breach as unauthorized access to the data, regardless of whether any information was in fact acquired. In this new definition, computerized private information that is viewed by or communicated to an unauthorized person or system is considered a breach, and must be reported. This amendment went into effect in October of 2019.

Ensuring Compliance

Compliance with the SHIELD Act requires implementation of a data security program that includes administrative, technical, and physical safeguards that according to the Act, “[should be] appropriate for the size and complexity of the business, the nature and scope of the business’s activities, and the sensitivity of the personal information the business collects from or about consumers.”

Obviously, the application packages that co-ops (and to some degree, condos) require from prospective buyers include a great deal of private information, so boards and managing agents must take a critical look at how they collect, store, and purge that data. “I really think that everybody should do a risk assessment,” advises Hack. “Look at what you collect, look at the size of your business, look at the nature of your network. Look at who’s got access to your network.”

In fact, Hack goes so far as to suggest that co-ops stop collecting such sensitive information altogether. “Board packages should not have the credit report and tax returns in it,” he says. “Those are available from the managing agent. If someone really wants to go look at it...have a data room -- either physical or virtual. We do this in securities due diligence all the time; you can go look at the stuff, but you can’t copy or print it out.” But, he says, the fundamental question is, “Do you really need to ask for it in the first place?”

For example, “Why do you need a copy of their driver’s license?” Hack asks rhetorically. “Because you want to see how old they are and discriminate on the basis of age? Because you want to see their race and commit race discrimination?” He’s being facetious to make a point, but it’s a real problem he sees across industries. “Does big data exist because there’s a reason for it,” he asks, “or does big data exist because it’s just too easy to collect it?” 

Hack sums up his recommendations for residential boards as follows:

  1. Don’t collect protected data you don’t need. If you do not have it, it can’t be stolen from you.

  • Have a formal written policy on data disposal—and then follow it. Securely destroy or delete data you no longer need in conformance with the policy. (You don’t want to be in a situation in which someone argues that you went out of your way to destroy data as part of a cover-up.)

  • Distribute protected data ONLY on a need-to-know basis. Does every director really need to know the social security number of an applicant to buy a unit? Does every director need a copy of the tax return?

  • Conduct a risk assessment of your business and determine your cybersecurity risks based on the nature of what you do, the nature of the data you collect, and the nature of your computer systems. Once you know the risks, take appropriate action to mitigate those risks. 

  • Put it in writing—you should have a written cybersecurity plan.

  • Breach Notifications

    SHIELD specifically states that “Any person or business owning or licensing computerized data that includes private information shall disclose any breach of the security of the system following discovery or notification of the breach...to any resident of New York state whose private information was, or is reasonably believed to have been, accessed or acquired by a person without valid authorization. The disclosure shall be made in the most expedient time possible and without unreasonable delay, consistent with the legitimate needs of law enforcement … or any measures necessary to determine the scope of the breach and restore the integrity of the system.” 

    There is an exception if the exposure of private information happened because of “an inadvertent disclosure by persons authorized to access private information,” and it is reasonably determined that such exposure is not likely to result in misuse of the information, or in financial or emotional harm. However, such a determination must be documented in writing and retained for five years after the exposure. And if the exposure involves more than 500 people, the determination must be provided to the state attorney general within 10 days of its drafting. 

    The Consequences of Noncompliance

    Violations of the SHIELD Act are under the authority of the attorney general, and can incur civil penalties of $5,000 per violation. The New York Law Journal points out that “The Act specifically states that its data security requirements create no private right of action for any violations.”

    Failure to report a data breach under the previous laws was subject to penalties of $10 per instance of violation, up to a maximum of $150,000. The SHIELD Act doubles the penalty recoverable by the attorney general to $20 per instance of failed notification, and increases the maximum penalty recoverable to $250,000. The Act also increases the time within which the attorney general may bring an action from two years to three years.


    Related Articles

    The Pandemic, Personal Privacy & the Law

    The Legal Rights of Residents

    Disease & Disclosure

    Preserving Privacy in the Pandemic

    A Question of Privacy

    NY Law is Unclear When it Comes to Co-op/Condo Residents' Info, Attorneys Say

    Q&A: COVID-19

    Q&A: COVID-19

    Helping Out in the Age of Coronavirus

    Lending a Hand Without Overreaching

    Q&A: Taping a Board Meeting

    Q&A: Taping a Board Meeting

     

    Comments

    • My name is Joseph i serfed in my coop as member of its board many years ago.Confidentiality was part of the coop board but sometimes the board would hide many other common discussion to keep practically everything they do confidential and refused to be transparent as they spend our money ,that was 30 years ago. Today we have a member of my board doing and acting of the same manner as 30years ago .No vision , no advancement, its like we are back where i started 30 years ago.Couple of years i ended up in the Court with my Coop only for the judge to discover their misdeed while in the Court the Judge threw thevmember of the board out of her Court Room as they feel they had a right to be there and their case was thrown out without merit I had sent letter to the Governor of NY and dome member of the Legislature requiring management companybto be licensed to manage building in the State of NY to no avail as money talk in this town, yet the shareholder keep on getting screw by the building management and bad dishonest board members.Board member have a duty to be accountable during their time of service .My current Board is out of touch with reality as they are violating the bylaw and its Governance by refusing to hold Election under our coop establish system ,they have no respect for democracy now i received a letter today from the coop lawyer and the president seeking to remove from my apt for asking for accountability and asking for the board election.A president is not for life in our coop must be elected every year by its peer on the board after the annual board election to chose member to represent our interest not the interest of the contractor .We are giving bonuses to the staff every year without due regard to the shareholder consent is that also confidential since we are all paying the bills. Our coop needs major help with the government eye no shareholder elected board member to remove them from their home this is sickening after a coop president hijacked the board took over with no election ,no information we are there to guess no improvement and to top it all they are refraining upon our freedom of speech with their lawyer who is getting a monthly paycheck to secure their post on our board.It's seem to me that the bylaw of the coop only apply to others not them as they reached article after articles on what i have been doingbwrong yet they have been on my coop board with no election for the past 3 years with a system so screwed up now after 3 years and no election.Yes i am concern about money yhat previous managemnt company used without accountability since our Treasurer had no ideas of what was and is happening .The two people aware of the money are the coop lawyer and the illegal president.We need some legal help her in this coop who has been a kitty pot for our contractor.Few years ago a shareholder acting as a friend took 500dollars from me to seek legal advice ahe never told me and the other party what she did with our money and never gave us a report on what the advice was she has since died this is sherwood village.,mind you the current president of our coop had problems of her own wich will ne discussed before a judge after getting on our coop board her first action was to take charge of yhe parking which she messed up she a got a soace a former board memver was removed inder her lion paws the guy has since moved out because of her. She wanted a parking space since my wife was president and she said no because there were issues and my wife as coop president gave the full explanation to our corporate lawyer which now she cant temember ehat a world Its deceit all around as you turn around in this cooperative whic is a community.Any one willing to hrlp i need a good lawyer to suck it to them eith their 3 years no election and an illegal board making bad decision for our investment.