New Legal Requirements for New York Real Estate Company Data Security and Privacy – Real Estate & Construction



Landlords are used to seeing themselves as owners of homes and businesses, but the law also considers them to house data. Just as they are expected to keep their premises safe and secure, they have a legal obligation to protect the information they collect, and they face limitations on how it can be used. With the advent of new requirements, lawyers for owners, managers and service providers should encourage their clients to update their practices and procedures.

It’s no surprise that real estate companies are subject to data theft attempts, experienced by more than 30% of businesses according to a 2018 KPMG study. The industry collects sensitive personal and financial data on tenants, as well as its own financial and other private data, but until recently without the oversight imposed on financial services. And, of course, real estate professionals are just as susceptible to brute force phishing attacks indiscriminately targeting emails, phones, websites, and social media as anyone else.

Large businesses as well as small organizations have been victims of data breaches, including Douglas Elliman Property Management in April 2021, Long & Foster in 2020 and First American Financial Corp in 2019. These data breaches, which involved millions of sensitive records, are made publicly known due to legal disclosure requirements. In these circumstances, businesses are vulnerable to the actions of regulators, lawsuits from those whose information has been compromised, and ransomware demands from hackers. They also run the risk of damaging their brand and credibility, not to mention their insurance coverage against data breaches, or of facing higher future premiums.

In addition to data security and privacy obligations, owners and managers face restrictions on the type of information they can collect about residential tenants from building security systems and utility systems, when those are provided, and on what they can do with that information.

The primary law, applicable to any business or organization that collects private information, including information that owners regularly collect, such as account numbers, credit card numbers, and email addresses, is the NY Stop Hackers and Improve Electronic Data Security Law, known as NY SHIELD Law, NY Gen Bus. Law § 899-bb. Passed by the state legislature in 2019 and supplementing federal credit information collection and privacy laws [see 16 CFR Part 314, the Fair Credit Reporting Act (15 US Code §1681), and the Gramm-Leach-Bliley Act (15 USC §6801)], NY SHIELD is best known for requiring companies to disclose to parties whose data has been unlawfully exposed, either inadvertently or as a result of criminal activity, that the exposure has taken place.

The law goes beyond that. It places a positive obligation on organizations that obtain such data to take reasonable steps to protect the information. This includes designating those responsible for implementing a data security program, identifying risks and developing procedures to deal with them, and ensuring that appropriate training is provided. A threat assessment involves more than the technology of the business. Information stored on the premises must be physically secure. Third-party vendors should be checked for their own security precautions. Periodic updates and enhancements, such as two-factor authentication requiring a code separate from passwords, are needed to keep up with evolving threats.

Another area where technology and regulations are evolving is the information collected about residential tenants by and for building security systems. Access to recordings should be protected by a password and, if possible, kept on a system that creates a log of who is accessing them. Recurrent training should remind employees with access to video recordings that they cannot be used for non-work purposes. Landlords and managers should also remind their employees that they can violate federal, state or municipal fair housing laws if tenants are targeted for surveillance based on certain discriminatory criteria, such as race, religion, or national origin.

Likewise, companies that have switched or are considering switching to “smart access” electronic key fobs and similar systems, instead of physical keys, should be aware that the information collected is regulated, as is the use that can be made of it.

Landlords and their agents cannot discriminate by requiring credentials or limiting the number of key fobs due to any status protected by fair housing laws.

Owners and managers may require “adequate proof of identity” before issuing a key fob, but not only an NYS driver’s license, and may not keep track of a license or passport number, where it was issued or the address indicated, even if it is different from the address of the building. Photos of tenants can be obtained, but cannot be displayed on the key fob itself. The key fob system can keep track of each time it is used to open the front door or other door, but cannot be used to record when a tenant leaves the building (DHCR Docket No. XK110024OD, 2010).

New York City recently took it a step further, with the City Council passing the Tenant Data Protection Act on May 28, 2021, Local Law 63 of 2021. Landlords are prohibited from using data to harass tenants and must delete, anonymize or destroy the information within 90 days and within 90 days of a tenant leaving, unless the information is needed to stop illegal activity.

Landlords are required by law to provide tenants with a “plain language” privacy policy. Security measures are necessary. The sale of the data collected is prohibited and tenants have a private right of action in the event of a violation.

Key fobs cannot be used to track the whereabouts of tenants. In addition, the law goes beyond information from the building access system. Unless otherwise required by law, a landlord cannot collect any information about a tenant’s use of gas, electricity, or other utilities, except for total monthly usage. If the owner is the building’s Internet service provider, only aggregate information or information necessary for billing can be collected. Commercial use of the individual use information is prohibited.

Although the law is currently in force, owners of smart access buildings are not liable for a violation until January 1, 2023, in order to allow owners to replace or upgrade their systems. Owners who have not established, and maintained, a data security program on the basis that this cannot happen to them are at risk and should be urged to comply, train their staff, and keep abreast of this rapidly changing technological environment.

Originally published by the Brooklyn Barrister, Fall 2021
