Boards face hefty fines if they leak buyer identities.
A new law to protect buyers from identity theft is in effect. Read what this means for boards reviewing buyer applications and trying to comply with the law.
Heather Dunleavy wasn’t herself. Literally. But Chase Bank didn’t know that when it let “Heather Dunleavy” – an imposter – withdraw nearly $15,000 from her account. And that occurred not long after Dunleavy had given a co-op board copies of an application package, complete with her social security number (SSN), all her banking details, and much, much more.
There’s less chance of that happening as of January 1, 2008, when the New York Social Security Number Protection Law went into effect. Listed as General Business Law Section 399dd, it prohibits any nongovernmental “person, firm, partnership, association or corporation” from making an individual’s social security number available to the general public.
It’s certainly been a growing problem (see “Hotline: A Stolen Life,” September 2007), as many co-op purchasers have discovered. “I was buying an apartment last fall,” recalls Dunleavy, who works for a large Wall Street investment house. She’d been considering a co-op apartment at 165 Perry Street, in Manhattan’s West Village. A six-story, yellow-brick former commercial loft building, it saw a one-bedroom triplex recently sold for about $1.4 million. Two-bedroom apartments list at $2.4 million and up. It’s not the kind of place at which financially unsophisticated people either serve on the board or apply to buy a unit.
Dunleavy, after some back-and-forth with the board – first they rejected her, then they accepted her – eventually decided not to buy. On December 10, her 20 percent deposit was wired back to her checking account from the seller. Four days later, someone with knowledge of this fact “called my bank and changed the address and phone number on my account,” Dunleavy says. “That next Monday, the 17th, they went to two different Chase branches in Westchester. At 10:03 A.M., they walked into the first and took out $4,700. Ten minutes later, they took out $4,500 from the same teller. Then 15 minutes later, they went to a branch down the street and withdrew $4,700.”
“A couple of weeks after submitting an application package, Heather had her identity stolen,” says her broker, Christine Toes, a vice president of Citi Habitats. “It was a little coincidental that she had her social security number, bank statements, addresses, and everything else in one place, so it seemed a likely possibility that, in the process of applying, her personal information has been compromised.”
To date, there’s been no way to know for sure – the police investigation remains in progress. Josh Salon, vice president of Salon Realty, the building’s managing agent, says the leak “must have happened from the mortgage broker’s office or the bank. We were able to account for all of our copies” of the application package, which the board members told him they had shredded.
Whatever happened or how, there’ll be a whole lotta shreddin’ going on, thanks to the new law. Specifically, it forbids printing the SSN on a card or tag required for an individual to get products, services, or benefits; forbids requiring someone to transmit an unencrypted SSN over an unsecured internet connection; and forbids printing an individual’s SSN on any material mailed to the individual unless state or federal law requires it – which limits that last to, essentially, tax documents. There are loopholes for inadvertent disclosures and errors, but it wouldn’t be prudent to count on them. Fines for violation are $1,000 for the first instance and $5,000 for each subsequent instance, going up to $250,000 for multiple violations that may stem from a single act or incident.
“It clearly applies to co-ops,” says veteran cooperative attorney James Samson, a partner at Samson Fink & Dubow. Adds fellow longtime co-op.condo attorney Stuart Saft, a partner at Dewey & LeBoeuf, it also applies to condo associations, which fall under the law’s “person, firm, partnership, association, or corporation” list of applicable entities.
What does this mean for a diligent board? “They have to take reasonable measures to prevent the dissemination of social security numbers,” notes attorney John M. Monahan, a partner at Jaeckle Fleischmann & Mugel and a labor-law specialist long involved in records-privacy issues. “An organization has to have a policy and practices in place, addressing how social security numbers cannot be used and who has access to them, and putting security measures in place both for hard copies and for electronic systems.” For example: “Definitely do not e-mail social security numbers unless you have a means of encrypting. That same rule goes for fax and internet [transmissions].”
The first step in devising a policy is simply to realize that only your attorney and your managing agent actually needs your SSN in order to run credit checks. Except in the case of self-managed buildings – where the board members themselves are performing the backgrounders – a board doesn’t ever need to see SSNs at all.
In fact, redacting that detail from the board’s copies of an application package is the surest and safest way for a board to virtually eliminate the risk of a fine: if the board itself never gets the SSN, then it can’t leak the SSN. (What liability a board may have if its managing agent, attorney, or other representative leaks an SSN is unclear, since the law is so new.)
Ben Kirschenbaum, general counsel of managing agent Cooper Square Realty, touts a model policy used by his firm. “Our application packages are sent shrinkwrapped to boards. That way, a board member will know if it’s been tampered with. We had one instance in which a board member noted that the shrinkwrap had been removed, and so we notified the applicant of the possibility that someone had [his or her] SSN and offered to take precautions. In that instance, nothing apparently happened.”
Another step the company takes, he says, is asking board members to destroy each copy of the package after they’re done with it. If the board has no shredder, “we offer that if the packages are returned, we will destroy them.” Toes of Citi Habitats does likewise. “I include with each board package an envelope large enough to put the package into, and I ask the board members to mail it back, and I’ll reimburse them for postage.”
Once a transaction is complete, says Kirschenbaum, “we no longer retain a paper copy of the application. We make an electronic copy that is stored in a secured location where you have to have the proper security codes in order to get access. No applications are placed in a file in a general office environment.”
What of encryption? There’s no specific, legally mandated standard yet. As for properly disposing of electronic information, “New York State,” says Monahan, “is setting up a program of approved vendors of information services – IT professionals – who will be approved by the state government to go in and destroy personal information from databases.”
Dunleavy, who Chase reimbursed for her stolen funds, is a financial-industry professional with smart suggestions of her own. “Keep information separate,” she suggests. “Don’t have it all in one place. [An applicant’s] previous address can be kept separate from things that can be used as a security question, such as a mother’s maiden name. And you should know the names of whoever has your package of personal information – co-op boards generally don’t tell you who’s looking at it, and so I had to go to the managing agent in order to get the names so that I could give them to the investigators. It’s a little scary.”
The whole issue, of course, goes beyond simply setting board policy. It means rethinking a board’s mindset. “A friend of mine is shopping for a co-op,” says Dunleavy, “and people are calling her difficult because she’s not supplying her social security number everywhere they ask. People shouldn’t be made to feel bad about not making all this information available to everyone who asks – not everybody needs it. I think boards aren’t used to anything outside the norm, and so they think people with legitimate privacy concerns are being difficult.”
That will probably change. Notes Saft: “It really is about more than just the confidentiality of social security numbers. There’s [a related] law, General Business Law section 399h, which addresses disposal of records containing personal-identifying information,” such as mother’s maiden name, checking account number, etc. As identity-theft grows, personal data overall will increasingly be handled on a need-to-know basis.
That may puncture some boards’ egos. But when it comes to social security numbers, you can’t leak what you don’t know – and given the potential fines now in place, that’s less a matter of social security than it is of fiscal security.