Cameras, key fobs, and identity theft: securing your digital data is a must.
The ease of accessing digital security information and the sheer amount of that information make it imperative that boards create privacy policies for accessing that information.
Sure, your doorman probably isn’t gossiping about the people you’re dating. And sure, that fellow board member who wants you out isn’t looking through security-camera footage to show people you’re not cleaning up after your dog. And, surely, you as a parent aren’t going to ask your board or management to let you see electronic key-fob data and confirm what time your teenager came home.
Except … what’s to stop you?
There’s no law preventing gossip. There’s no statute forbidding someone to look through security footage for political dirt. There’s no case law saying a parent – or a suspicious wife, an aggrieved neighbor, or anyone else in your building – can’t ask a board member or a building manager for such data. And if all this is legal, then without a policy in place, it’s all open to abuse.
Unquestionably, buildings need security. Providing it, in the form of security guards, doormen, cameras, and electronic key fobs is an important function of any co-op or condo board. But as we move inexorably toward digital data – with digital video recorders (DVRs) able to store over 1,000 days of footage on something little bigger than a shoebox, and with internet-enabled cameras that can send security video to your smartphone – the ease of accessing information and the sheer amount of that information make it imperative that boards create policies defining who can access security data, and what privacy rights your residents can reasonably expect.
At least one condominium in the New York metropolitan area is concerned. Trump Tower in White Plains had its lawyer, James Glatthaar, a partner at Bleakley Platt & Schmidt, draft a privacy policy that deals with the security cameras. It restricts the viewing of images to the board of managers, to the resident manager and his assistant, and to the management company. It limits use to the condominium’s normal business practices, and prohibits its commercial use. That’s of particular concern in this case, since members of the New York Knicks have apartments there, close to the NBA team’s practice facility. But aren’t we all entitled to the same rights?
“You have to try and respect the privacy of occupants,” says Bruce Levinson, an attorney in his eponymous firm. “But,” he cautions, “that needs to be balanced against the obligation of a board to provide for the security of those occupants.”
Meanwhile, in Florida
Nonetheless, written privacy policies are rare in New York co-ops and condos – though that’s less true with Florida condominiums and homeowners’ associations. “Florida’s communities might be a lot more on top of this issue,” reports attorney Donna DiMaggio Berger, a founding partner of Katzman Garfinkel & Berger, which has six offices throughout Florida. “Some communities are already thinking about the issue of privacy concerns and have crafted policies.”
“Privacy and security of information has always been a responsibility that boards should take very seriously,” says Warren Schreiber, president of Bay Terrace Cooperative Section 1, a 200-unit garden-apartment complex in northeast Queens, and the co-president of the Presidents Co-op and Condo Council.
“On my board, one member is head of security. He is the only one authorized to view our security videos. Other board members cannot just go to him and say, ‘Let me see video surveillance.’ We’ve had instances where shareholders have wanted to see video surveillance when they’ve felt there was damage to their cars. There we’ve drawn the line: we look at the surveillance footage, and if we find evidence of damage we’ll turn it over to them.” Also, “if one of my board members wants to go to our property manager to look at his next-door neighbor’s personal files – our property manager would not allow that to happen.”
Such unwritten de facto policies seem to be the norm so far. Max G. Freedman, vice president of the management company Maxwell-Kates, says that, with buildings in its portfolio, the issue of access to security data “is discussed with the boards and it is restricted to the managing agent, superintendent, attorney, or building security firm and only when necessary. Our advice to boards has been that they allow management and other professionals to handle security issues, thereby removing themselves from any liability. Most often the data is only recovered and used when issues involving criminal or other legal matters, such as an insurance claim, arise.”
Just De Facto, Ma’am
Yet de facto policies, by their nature, are prone to misremembering, misinterpretation, and on-the-fly changes. Writing down unwritten rules helps avoid such issues and provides clarity and fairness. Why, then, does the Real Estate Board of New York trade group know of no buildings with written privacy policies?
“It’s an interesting privacy issue and something that’s gone under the radar,” observes David Jacobs, an attorney with the Electronic Privacy Information Center, a nonprofit organization in Washington, D.C., concerned with new-technology privacy and civil liberties issues. “There aren’t clear rules there,” he says. “You have a lot of states introducing various bills, most of which only apply to law enforcement but some also to private use.” In the co-op and condo realm, “having a policy and giving residents notice of it and explaining it clearly is definitely a good idea.”
“We’ve been doing a lot of camera systems lately,” says Matthew Arnold, president of the security-installation company, Academy Mailbox, “and the biggest blowback we get from boards is the privacy issue, where they feel Big Brother is watching. That is a concern for them.”
Protocol Me
You need to have protocols in place. According to privacy and security experts, a co-op/condo security policy has to take into consideration three issues: employee gossip, data security, and data access.
With buildings managed by Cooper Square, says company president Dan Wurtzel, “there’s a privacy policy that says doormen are not permitted to chat with residents about the comings and goings or anything involving another resident. That’s standard protocol. If a doorman says, ‘Hey, you should see the people who go in and out of Mr. Jones’s apartment in the evening,’ that’s grounds for disciplinary action, up to and including termination. If the doorman reports to the super or management that, ‘We think there’s suspicious activity based on the kind of visitors and when they’re arriving,’ that’s okay,” he notes.
The second issue is maintaining the security of your collected data. “Boards always have to adapt to changing technology, and changing methodology,” says Schreiber, the board president, who notes that with identify theft becoming a growing concern, “instead of people breaking into an office at night, you have people hacking into computers or surveillance systems.”
Steps to Securing Data
So what exactly does securing your data entail? For most buildings, it means protecting paper documents, security-camera footage, and electronic key-fob data.
Paper documents. Residents’ personal information, should be kept to a minimum, and Social Security numbers should be stripped from them. Files should be kept in a locked cabinet, preferably within a locked closet or room; many buildings keep them off-site, at the management company’s office.
Security-camera footage – as opposed to the real-time feed doormen typically monitor for emergency situations – is trickier since it can be stored in different ways. Some older systems may still use videotape, but today footage is mostly stored on a DVR or a remote communal server. None of this should be readily available, even to the board members. When a report is made, footage could be made available to a third party, like the management company, who could notify the board or the police. However, Levinson notes that security footage “is not something that should be the subject of due diligence by attorneys representing potential buyers: ‘Well, I want to look at the tapes to see if it’s a safe building and whether my client should buy.’ That is inappropriate.”
“It is a good idea if you limit times and conditions” under which data can be accessed, says Leslie Cole, head of the security-management firm Leslie Cole Associates, “so you know how and when it is used and who’s using it.”
In fact, “a lot of times [building staff doesn’t] even do that,” says Arnold. “Instead, they call us and we go and burn a CD or [put the footage on] a flash drive,” he says, referring to a portable data device, also called a thumb drive, which is the size of a small matchbox.
Key fobs. More prosaically, how do you physically secure a DVR or the computer that houses key-fob data? “You lock them off [in a box] in a basement room that’s locked,” says Arnold. While this need not literally be a basement room, such equipment should never be in an unlocked environment. Many buildings keep them in the super’s office, which may not be kept locked, creating a security risk. Regardless of who can access it, your data should be password-protected.
How often security-camera footage gets erased is another aspect of policy. Do you really need to keep over two years’ worth of footage, as some systems are capable of doing? Commonly, says Arnold, “it gets erased after 30, 60, or 90 days.”
Are there downsides to having a written policy? “Once you have a written policy,” Levinson says, “you have to substantially comply with it.”
But isn’t that the point? To prevent boards and others from behaving badly? If you break a policy to spy on your neighbor or do opposition research on a board candidate, shouldn’t that carry a consequence? And a policy applied evenly and without favoritism can help blunt lawsuits by shareholders/unit-owners claiming that the board or management is after them.
Ultimately, says Neil Davidowitz, president of the management company Orsid Realty, security and privacy can co-exist. “As long as you have systems protocols and you share those with your residents, there’s no reason that security and privacy have to be mutually exclusive.”