Given the large number of bricks-and-mortar issues which real estate companies must address daily, it’s unsurprising that issues associated with data privacy and cybersecurity often seem less urgent for many property owners. But recent changes in the law in California, Virginia, New York State and now New York City mean it no longer makes good business sense for real estate companies to delay becoming proactive in addressing privacy and cybersecurity issues.
The requirements are extensive: limits on the type of data that may be collected from a wide variety of building-wide computer systems; a requirement that occupants consent to permitted collections of data; and requirements to provide a privacy policy and specified types of computer security. The law also strictly limits the permissible uses of the data that may still legally be collected. And it provides occupants with a private right of action, including the right to recover damages and attorneys’ fees, for violations of its prohibition on the sale of data. Nearly all residential buildings must comply, or risk regulatory action or class action liability.