By David T. Podein, Esq. / Published December 2017
Cyberattacks and data breaches can occur with any personal or business computer connected to the internet—and there is no reason for condominium and homeowner associations (“community associations”) to believe they will fly under the radar of potential hackers.
In fact, community associations often are in possession of a significant amount of personally identifiable information (“PII”) and other sensitive information pertaining to their residents. Just think of the types of information on a tenant/resident application and a purchaser/new owner application: prior addresses, email addresses, birthdates, information about family members (including children), employment information, credit reports, bank/check account information (check for the application fee), copies of drivers’ licenses, and sometimes much more!
The Florida Information Protection Act (“FIPA”), which is codified in Florida Statute Section 501.171, is broad enough to apply to community associations and businesses alike. FIPA addresses the following key topics that directors and management teams should be aware of:
Additionally, FIPA mandates strict reporting requirements in the event of a breach of security involving personal information. Depending on the nature and size of the breach of security, the party will have to report to the Florida Department of Legal Affairs, the individuals potentially affected, and/or credit reporting agencies.
A violation of FIPA shall be treated as an unfair or deceptive trade practice in any action brought by the Florida Department of Legal Affairs against the subject entity or third-party agent. There are also strict civil penalties for violations of FIPA: $1,000 for each day up to the first 30 days following certain violations, and thereafter, $50,000 for each subsequent 30-day period or portion thereof for up to 180 days. If the violation continues for more than 180 days, then the penalty may amount to but cannot exceed $500,000.
Many community associations outsource most of the management and recordkeeping functions to a licensed community association manager and/or professional management company. It is essential that the board of directors, with the assistance of legal counsel and an insurance consultant, review and negotiate any contracts (management company, vendors, information technology, etc.) that involve protection of the association’s official records (including residential information).
Have you and the association’s legal counsel confirmed the scope of your management company’s liability and indemnification duty to the association in the event the company’s network suffers a cyberattack/breach of security of personal information? These issues should be considered during the contract bidding and negotiation process. Clearly drafted clauses in the management contract (and also for third-party vendors of the association handling data/personal information) should spell out the specific duties and responsibilities of the parties.
Does the association and/or management company have insurance coverage for these potential events, and if so, what are the coverage amounts and the scope of the coverage? Insurance coverages and exclusions involve complex issues that could fill an entire article. The insurance industry has been relatively quick to provide new insurance products in this area. Associations/directors should consult with their legal counsel and insurance consultant regarding both first-party and third-party coverages for breach of security incidents.
Does the association and/or management company have written cybersecurity policies and—of equal importance—is there a written emergency plan with specific steps, points of contact, emergency personnel, etc. for addressing a cyberattack/breach of security?
Do not assume the management company or other third-party vendor has these procedures in place. Request copies of their respective cybersecurity policies and emergency plans. Associations should consult with their information technology professionals and legal counsel when reviewing these items.
Cybersecurity and the protection of personally identifiable information will only increase in importance as more and more of the interactions and business between residents/owners and community associations move into the digital realm. Diligent directors should seek out professional advice and consultation from information technology professionals, legal counsel, and insurance consultants to make informed decisions on these important issues.
David T. Podein
Partner at Haber Slade