By Donie Vanitzian
Question: Our HOA’s website, which was created and controlled by the management company, houses a treasure trove of documents and information pertaining to our association and its members.
The website has been hacked, causing embarrassing and confidential information to be leaked and destroying our attorney-client privilege in a legal case. It also caused a huge uproar by owners about the board’s cavalier attitude about cybersecurity.
The breach prompted owners to remove nearly the entire board. Only one director was even concerned enough to question what would happen to our website information when our management company is terminated, which should be soon.
But even the new board members are unprepared and do not want to hire a cybersecurity expert for advice, reasoning that there are more important things to spend our money on.
Directors don’t understand the risk they are subjecting owners to even after the prior hack. Are they right? Why couldn’t we be hacked again?
Answer: Your question raises a number of concerns, the greatest of which is the board members’ view that spending money on data security should not be a top priority.
Unless your community is on an island without electricity, they could not be more wrong. There are all sorts of estimates on the costs of cybercrime in the United States, including one by the for-profit Infosec Institute, which pegs it at $100 billion annually, about double the losses incurred from floods, hurricanes and other weather-related disasters.
Maybe your board thinks that your association won’t be hacked again because it is small. But the reality is that cybercriminals often target smaller enterprises precisely because they are lax on cybersecurity. In fact, 62% of data-breach victims are small-to-midsized enterprises that incur an average of $38,000 in related costs, according to the 2016 Internet Security Threat Report from Symantec, a provider of security software.
That risk is only going to increase with the advent of ransomware, which allows hackers to hold computer systems hostage until a ransom is paid. Security software provider Malwarebytes reports that the use of ransomware is exploding, comprising more than 60% of malware in the first quarter of 2017.
Nobody is immune as even police departments have been forced to pay. Average demands more than tripled to $1,077 in 2016, Symantec says.
In addition, under California Civil Code section 1798.82, a party that is victimized by a data breach must provide notice and offer mitigation services to those affected by the breach. To the extent that the breach involved data from residents outside of California, the association will need to make disclosures under data-breach notification laws in those other states too.
The management company’s control over the website and information flows is another concern.
What plans are in place for backing up the website and its data, and how will that data be transferred to the homeowner association at the end of the contract? To the extent the management company assumed control of the website, it may also have assumed liability for the breach, whether contractually or as a matter of negligence.
Both the management company and the homeowner association should submit the losses due to the data breach to their insurance carriers to see if existing insurance covers such breaches. If not, the board should look into buying a cyber-insurance policy and/or require its vendors to carry one. This requirement, of course, must be written in any new vendor contract.
Consulting with a cybersecurity professional also is an important investment both to determine the cause of the data breach and identify other potential vulnerabilities that can be addressed to prevent a future attack. This needs to include current assessments of the data stored on the association’s or management company’s website, and the extent to which such data retention is necessary.
An association cannot avoid the dangers of cybercrime by pretending that it does not exist. Failure to take steps to prevent and insure against it could make board members liable to homeowners for negligence and breach of fiduciary duty for any losses stemming from the breach. This is especially true at an association where there already has been an incident.