Only You Can Prevent Data Breaches

New York City

Feb. 1, 2018 — Boards need to take steps to protect electronically stored info

Does your co-op or condo electronically store personal data of residents, such as Social Security or driver’s license numbers? What about approval packages for new buyers? Do they contain Social Security numbers? 

If the answer is “yes,” then your board needs to take steps to guard against a data breach. And boards have an obligation under New York law to tell residents – and anyone else whose data they’ve collected – if a computer system is penetrated and data may have been compromised. If you distribute sensitive information to your directors, then you also have to worry about the directors’ laptops and smartphones. Here are some steps to protect against liability for a data breach:

• Adopt a security plan that limits the amount of sensitive information you maintain. Do you really need to keep an electronic copy of every resident’s driver’s license on your computer? If you do, think about blotting out the license number and the date of birth before you scan it. You can’t be sued for wrongfully releasing data you don’t have. 

• Perform an assessment of all possible intrusion risks. Some are obvious, such as outside hackers trying to break through a computer firewall. Others may be less so, such as computers in public areas that lack strong password protections.

• Review your risk assessment with an information technology expert. Ask them to add any items you may have missed, and then work with them to protect against all identified risks. 

• If you or your managing agent keep data on a computer or network that connects to the Internet, arrange for a penetration test of your system. This is not the same as hiring a hacker to break into your system; rather, it’s an attempt to identify Internet intrusion points that could be exploited by a hacker. In many cases, shutting down an intrusion point is a simple fix. 

• Train your directors, officers and employees to be cautious when using any electronic device. Make sure that everyone attends a training session and have them sign an attendance sheet. No one should be exempt. Training is not foolproof. Vigilance must continue after the training class is over.

• Consider instituting access limitations for electronic data. Does every director, officer or resident really need to have access to every document on your system for every resident or applicant? Can you limit access? If so, do so. 

• The National Institute of Standards and Technology (NIST) now recommends against periodic password changes. Nevertheless, you should consider which password protection policy best suits you. Make sure that yellow stickies with passwords on computer monitors are forbidden! 

• Establish policies and procedures for portable devices such as laptops, cell phones, and tablets, as well as home computers. If you send board packages to your directors with personal information about applicants for residence or employment, you must be especially careful with remote devices. Make sure that you can disable access for any remote device that is lost or stolen. 

• Review your employee termination procedures. Immediately cut off a terminated employee’s access to data and materials. Do the same for residents who move out. 

• Repeat your risk assessment every year and every time you have a significant change in technology. Train all new employees, directors and officers. Refresh the training annually. It would be a good idea to schedule a training session after every annual meeting to make sure that all officers and directors, new and old, are up to date. 

Jay L. Hack is a partner in the law firm of Gallet Dreyer & Berkey.
