COOPERATORNEWS.COM  COOPERATORNEWS —  MAY 2022    7  QUESTIONS & ANSWERS  Legal  Q  A&  New York’s Property Management Leader   Let’s Talk   | 212.634.5410  Download our   Fire Safety Guide  and watch our   Webinar  today  The best defense   against tragedy is   PREPAREDNESS  See us at Booth 112, 213  Safeguarding Personal Information  Q  My co-op building’s property man-  agement company has an alarm-  ingly bad habit of NOT taking all   necessary precautions to protect highly sensi-  tive and confi dential shareholder information,   like the information contained in sales closing   documents, refi nance applications,  etc.—doc-  uments that clearly bear the shareholders’ or   potential buyers’ proprietary, personal, iden-  tifying confi dential information (DOB, SS#,   driver’s license  number, bank information,   mortgage loan amount and loan number, etc.).   In most instances, these confi dential docu-  ments were also not redacted before they were   sent to public email addresses. Th  is has been   going on for two decades now!   I have brought this very serious privacy   violation to the attention of my co-op board   and the property management company as   they have a fi duciary responsibility to protect   shareholders from such risk exposure when   handling sensitive and confi dential informa-  tion. I have also requested that a secure cyber   portal be established and made accessible only   to our property management company, and   only via password, for the explicit delivery,   exchange, review, and approval of confi dential   fi nancial and sensitive information.    I  have also  requested  that  the  manage-  ment company remedy past and future cyber   security confi dentiality violations by provid-  ing shareholders with a lifetime identity theft    package at their expense. However, the prop-  erty management company is only willing to   provide one  year  of identity theft   coverage,   citing this is the “industry standard” in these   situations. I strongly disagree, as I don’t think   this off er is going to be suffi  cient enough to   thoroughly protect a shareholder from iden-  tity theft  risks for years to come.   I am seeking a legal expert opinion about   this matter and feedback concerning if the   provision of one year of identity-theft  cover-  age is indeed the accepted and established “in-  dustry standard.” Finally, what should be the   expectation of accountability on the part of   both the co-op board and the property man-  agement company in this situation?                           —Looking for Data Security  A  “Th  ere are two principal stat-  utes in New York that establish   data security obligations,” says   Jay L. Hack, Esq., senior partner at the fi rm of  mation of a resident of New York must have   Gallet, Dreyer & Berkey, LLP in Manhattan  reasonable safeguards to protect the security,   and head of the fi rm’s fi nancial institutions  confi dentiality, and integrity of the informa-  practice. “First, there is the Security Breach  tion. Th  e safeguards should include adminis-  Notifi cation Act, adopted in 2005, which re-  quires that companies that hold protected  protect the information.   computerized data notify the subjects of the   data if someone has improperly accessed  a ‘private right of action’ that allows private cit-  the data. In 2019, in recognition of the lim-  ited protection off ered by the 2005 statute,  the New York Attorney General has the right   the legislature adopted the Stop Hacks and  to enforce the law and assert a claim against a   Improve Electronic Data Security (SHIELD)  company that does not maintain appropriate   Act, which imposed an affi  rmative obligation  information security safeguards, private indi-  to implement data security programs on com-  panies that collect information on New York  Act merely because safeguards are not main-  residents.   “Not all information is protected by these  if he or she can prove actual damage, but even   laws. Th  e law only protects ‘private informa-  tion,’ which generally includes (i) a number  co-op or condominium cannot force a manag-  or code that can be used to access a fi nancial  ing agent or the board to provide identity theft    account, (ii) biometric data that is used to  protection simply to remedy prior weak infor-  ascertain the individual’s identity; or (iii) a  mation security procedures.   username or email address plus a password or   security question and answer that would per-  mit access to an online account. Th  e fact that  strongly recommend that all companies that   John off ered to buy Unit 5A for $950,000 is  have private information implement a best   not, by itself, a fact that the law protects, even  practices program to maintain a good repu-  though it may be a secret. Trade secrets, an-  nual income levels, mortgage loan amounts,  serve goodwill, and promote good relations.   and  similar  information  are  not  protected,  Th  e wrongful release of protected information   even though the subject of the information  can easily destroy decades of goodwill. Th  e   may want to keep it secret.  “Since the SHIELD Act became eff ective in  among others:  2020, any person or business that owns com-  puterized data which includes private infor-  trative, technical, and physical safeguards to   “However, the SHIELD Act does not create   izens to sue for a violation of the law. Although   viduals do not have a claim under the SHIELD   tained. A private individual may have a claim   that is debatable. For example, a resident of a   “Even though there is no private right   of  action  for  violating  the  SHIELD  Act,  we   tation, maintain customer relationships, pre-  recommendations we have provided include,   • Consult with your information technol-  continued on page 26