Privacy and Data Security for HOAs: What Your Community Association Needs to Know

Privacy and Data Security is the body of law that addresses how an organization can collect, handle, and use personally identifiable information and how that information needs to be protected.

Community Associations quite often have and maintain the names, addresses, and financial information of their residents and homeowners. Many criminal groups find this kind of information valuable for identity theft. Such groups also often encrypt the data so the Community Association cannot access it, using that leverage to force the organization to pay a “ransom” for its return. Because of this, and in reaction to how much sensitive information is held on everyday people in the broader economy, all fifty states have laws on the books that require most organizations to disclose when an unauthorized party has accessed the information. Community Associations—just like any other North Carolina organization—must always act reasonably when they make decisions about what to do with personal information, or risk negligence lawsuits and class actions.

Unfortunately, North Carolina does not provide statutory guidance on how Community Associations can act reasonably with respect to residents’ personal data, but the federal government has provided frameworks that it recommends. The National Institute of Standards and Technology has published a Privacy Framework and a Cybersecurity Framework that, when followed, allow organizations to identify the data they have, protect that information, control and manage the data, govern the data with set rules within the organization, communicate the roles of each member of the organization, detect malicious or unauthorized activity, respond when an incident occurs, and recover from the incident.

There are a number of practical steps that organizations can take that can avoid or reduce the severity of common compliance pitfalls. The first is to review vendor contracts regularly—at least once a year—to make sure that they reflect an organization’s risk tolerance. Often, a trusted service provider or another vendor can have a breach that impacts the privacy and security of the data entrusted to a Community Association. Without contractual protections, the organization might incur significant costs remediating the problem with little legal recourse to have those costs covered by the party at fault.

Additionally, encrypting data, a mathematical process that transforms readable text into nonsense and back again when a code (called a key) is used, can be an important tool in the compliance toolbox for Community Associations. Under North Carolina law—and the law of many other states—a breach only triggers reporting obligations when the information that was stolen was unencrypted or when the encryption key was stolen along with the data. This is not a silver bullet, but encryption is a practical technology that will be an important part of any compliance strategy.

Cyber insurance can also be an effective means of covering risk. However, insurance is not as simple as buying a policy and calling it a day. Insurers are increasingly raising premiums and lowering caps on organizations that do not take a proactive approach to mitigate privacy and security risks. So while insurance can act as a hedge against devastating effects, it should not be seen as a substitute for a compliance strategy.

We also recommend getting community input on the Community Association’s Privacy and Data Security efforts. Community Associations are necessarily accountable to their residents and homeowners, so understanding stakeholders’ risk tolerance can inform the leadership on how to move forward with a compliance strategy. The laws at issue obviously do not change based on the community’s sentiments, but discussing the matter at an annual meeting can be a good way to communicate what expectations the stakeholders in your community have of leadership.

Challenges and risks of liability and unmet stakeholder expectations are everywhere for Community Associations that do not take a proactive approach to the Privacy and Data Security of their residents’ and homeowners’ information. 

This entry was posted in CMCA by CMCA ~ The Essential Credential.

About CMCA ~ The Essential Credential

CAMICB is a more than 25-year-old independent professional certification body responsible for developing and delivering the Certified Manager of Community Associations® (CMCA) examination. CAMICB awards and maintains the CMCA credential, recognized worldwide as a benchmark of professionalism in the field of common interest community management. The CMCA examination tests the knowledge, skills, and abilities required to perform effectively as a professional community association manager. CMCA credential holders attest to full compliance with the CMCA Standards of Professional Conduct, committing to ethical and informed execution of the duties of a professional manager. The CMCA credentialing program carries dual accreditation. The National Commission for Certifying Agencies (NCCA) accredits the CMCA program for meeting its U.S.-based standards for credentialing bodies. The ANSI National Accreditation Board (ANAB) accredits the CMCA program for meeting the stringent requirements of the ISO/IEC 17024 Standard, the international standard for certification bodies. The program's dual accreditation represents compliance with rigorous standards for developing, delivering, and maintaining a professional credentialing program. It underscores the strength and integrity of the CMCA credential. Privacy Policy: https://www.camicb.org/privacy-policy
