Incidents such as these precipitated the passage of the New York Social Security Number Protection Law. Taking effect January 1, 2008, as General Business Law Section 399dd, it prohibits any nongovernmental "person, firm, partnership, association" — including condo associations — or corporation" — including co-op corporations — from making an individual's Social Security number available to the general public.

It's been a growing problem, as many co-op purchasers have discovered. "I was buying an apartment last fall," recalls Dunleavy, who works for a large Wall Street investment house. She'd been considering a co-op apartment at 165 Perry Street, in Manhattan's West Village. With two-bedroom apartments listing at $2.4 million and up, it's not the kind of place at which financially unsophisticated people either serve on the board or buy units.

Dunleavy eventually decided not to buy, and on December 10, 2007, her 20 percent deposit was wired back to her checking account from the seller. Four days later, someone "called my bank and changed the address and phone number on my account," Dunleavy says. "That next Monday, the 17th, they went to two different Chase branches in Westchester. At 10:03 A.M., they walked into the first and took out $4,700. Ten minutes later, they took out $4,500 from the same teller. Then 15 minutes later, they went to a branch down the street and withdrew $4,700."

Whodunnit?

"A couple of weeks after submitting an application package, Heather had her identity stolen," says her broker, Christine Toes, a vice president of Citi Habitats. "It was a little coincidental that she had her social security number, bank statements, addresses, and everything else in one place, so it seemed a likely possibility that, in the process of applying, her personal information has been compromised."

To date, there's been no way to know for sure — the police investigation remains in progress. Josh Salon, vice president of Salon Realty, the building's managing agent, says the leak "must have happened from the mortgage broker's office or the bank. We were able to account for all of our copies" of the application package, which the board members told him they had shredded.

Whatever happened or how, there'll be a whole lotta shreddin' going on, thanks to the new law. Specifically, it forbids printing the SSN on a card or tag required for an individual to get products, services, or benefits; forbids requiring someone to transmit an unencrypted SSN over an unsecured internet connection; and forbids printing an individual's SSN on any material mailed to the individual unless state or federal law requires it – which limits that last to, essentially, tax documents. Fines for violation are $1,000 for the first instance and $5,000 for each subsequent instance.

What does this mean for a diligent board? "They have to take reasonable measures to prevent the dissemination of social security numbers," notes attorney John M. Monahan, a partner at Jaeckle Fleischmann & Mugel and a labor-law specialist long involved in records-privacy issues. "An organization has to have a policy and practices in place, addressing how Social Security numbers cannot be used and who has access to them, and putting security measures in place both for hard copies and for electronic systems." For example: "Definitely do not e-mail Social Security numbers unless you have a means of encrypting. That same rule goes for fax and internet [transmissions]."

Need to "No"

The first step in devising a policy is simply to realize that only your attorney and your managing agent actually needs your SSN in order to run credit checks. Except in the case of self-managed buildings – where the board members themselves are performing the backgrounders — a board doesn't need to see SSNs at all.

Ben Kirschenbaum, general counsel of managing agent Cooper Square Realty, touts a model policy used by his firm. "Our application packages are sent shrinkwrapped to boards. That way, a board member will know if it's been tampered with. We had one instance in which a board member noted that the shrinkwrap had been removed, and so we notified the applicant of the possibility that someone had [his or her] SSN and offered to take precautions. In that instance, nothing apparently happened." The company also instructs board members to destroy each copy of the package after they're done with it.