Homeowner associations, like most organizations, have adopted information technology for everything from accounting and bookkeeping to email and other forms of communication, such as preparing documents and presentations. However, HOA board members and their management staff must recognize and address the inherent risks in modern electronic technology, especially data breaches and server hacks that compromise information the HOA is responsible for keeping private.
Types/Levels of Data
Not all information is equal. An HOA basically has three levels of information:
- Information suitable for the public, such as the HOA’s founding documents (articles of incorporation, CC&Rs, Bylaws), possibly marketing and promotional materials and HOA-sponsored events open to the general public.
- Information limited to members, including a member directory, meeting agendas and minutes, financial reports required by the Bylaws or state law to be published to members, rules enforcement procedures and HOA-sponsored events open to members only.
- Information restricted to HOA board members and management; for example:
  - Minutes of executive session meetings
  - Board packets & management reports
  - Disciplinary & collection activities
  - Email between/among board members
  - Contracts & other legal matters/documents
  - HOA employee personnel records
Best Practices to Protect HOA Information
The technical tools – passwords, firewalls, data encryption – used to protect information stored electronically are beyond the scope of this article. Board members should consult with the HOA’s IT experts, whether they are in-house employees, management company employees or an outside IT contractor service. These specialists are best able to advise the board on what data security features the HOA should implement.
However, the HOA board and the management staff must go beyond mere technical solutions to:
- First, recognize the organization’s information is an asset of the HOA like physical assets, and they must protect that information.
- Second, review applicable federal, state and local laws and regulations to determine the scope of their obligation to protect HOA information.
- Third, develop and adopt an information security policy and associated procedures, to include:
  - What information is to be protected, at what level
  - What steps are to be taken if/when there is a data breach
  - What, when and how records will be disposed of when they are no longer needed
- Acquire the appropriate liability insurance in case the HOA is sued as a result of a data breach.
This may seem like overkill, especially for a small HOA with limited resources. However, having policies and procedures in place reduces the chances of the HOA, its board and its management being found negligent and therefore liable for damages resulting from the breach.
What to Do When Protection Fails
As soon as a data breach is detected, the board and management must consider it a significant event to be dealt with promptly, with a sense of urgency.
The board and management must immediately initiate the HOA’s data breach protocol to minimize the damage. Specific steps include:
- Assess the nature (deliberate, accidental) and scope of the breach damage.
- The relevant parties: board, management and law enforcement (when appropriate)
- Those members believed to have been affected
- The insurance carrier
- All HOA members
An official spokesperson should be designated and only they should speak publicly to provide factual information. Understandably, HOA members will be upset if their information is compromised. Giving them incorrect or misleading information that later must be retracted will turn them from being upset to being angry.
Once the immediate crisis has been resolved, the board and management should conduct a thorough “after action review” to determine what must be done to prevent such failures in the future and how to improve the breach protocol. Such a crisis is unpleasant but can be a great teacher.
Large or small, every HOA has some sort of online presence with financial and member information stored on a computer somewhere. Regardless of where the information is stored, the HOA board is responsible for protecting it. The board must keep faith with their members that information will be kept safe, and protect the HOA from serious, expensive legal risks.