Board Members Can Be Liable
Community associations and board members can land themselves in hot water and find themselves liable if a cyber attack occurs. In addition to the loss to the association if funds are stolen, there may be compensation to owners if thieves steal their funds or personal information. There is also the expense of defending a potential lawsuit and the resulting reputational damage to the association. Penalties may also be assessed if the targeted association failed to comply with state data-protection statutes. These statutes vary, which is why it’s important for an association to understand its obligations under the law.
The Importance of Cyber Security
To help mitigate risk, it’s important for the association to have a cyber security policy in place. Putting one in place includes the following:
- Review governing documents and local laws. These official documents will set up a foundation for adding a new cyber security policy.
- Determine which individuals will handle the data and which individuals will ultimately manage cyber security. Keep close tabs on who gets access to sensitive data and who gets administrative privileges.
- Outline a plan of action if security breaches or criminal hacking occur.
- Set up a list of rules for using association mobile devices or computers to ensure that unauthorized people will not be able to access confidential information.
- Establish a data breach plan. To prepare for a potential data breach, there are several resources from trusted authorities like the Federal Trade Commission (FTC). The Online Trust Alliance has an online guide about data breach preparation and the FTC offers resources that explain the process of securing association data and protecting customer data.
- Provide board members with a set of guidelines. These cyber security principles can help community associations better understand new policies and see how to respond to potential cyber attacks and data breaches. They are key to bringing everyone onto the same page regarding cyber security policies and procedures.
- Teach residents about cyber security. Educating residents about cyber security should be a priority for the association. This can be done via the community’s newsletter, emails or letters directly to residents, along with tips posted on the community website.
- Ensure that the association software is secure, with features that defend against malware and protect sensitive and confidential information. This includes creating strong passwords, updating software regularly, investing in an anti-virus solution, encrypting all data, and ensuring regular backups are being made, among other measures. Make sure the management company will not be sharing the association’s private data with third parties or storing data on servers that are shared with other businesses or clients of the data host.
Secure Cyber Liability Insurance
In addition to having a cyber security plan in place to help mitigate the risk of a breach, it’s also critical for an association to carry Cyber insurance. Note that General Liability insurance does not cover the impact of a data breach on the association. A Cyber policy includes first-party and third-party coverages. First-party coverage is for losses and damage to the business, while third-party coverage is for losses that an outside entity incurs due to a cyber event. A policy can be designed to pay for first-party expenses that include:
- Legal and forensic services to determine whether a breach occurred and assist with regulatory compliance if a breach is verified
- The costs involved to notify affected customers (homeowners, condo owners) and employees
- Customer credit monitoring
- Regulatory defense & penalties – coverage for defense costs and fines or penalties for violations of privacy regulations
- Crisis management and public relations to educate customers about the breach and rebuild a company’s reputation
- Business interruption expenses as a result of the breach
- Cyber extortion reimbursement for perils including credible threats to introduce malicious code; to pharm and phish customer systems; or to corrupt, damage, or destroy your computer system
A Cyber policy can also be designed to pay for the following third-party expenses:
- Judgments, civil awards, or settlements a client is legally obligated to pay after a data breach
- Electronic media liability, including infringement of copyright, domain name, trade name, service mark, or slogan on an intranet or Internet site
Policies, including the scope of coverage, terms, sub-limits, deductibles and other important factors, vary from one carrier to the next and it’s important to work with an experienced insurance professional in designing a Cyber insurance solution that meets the needs of the association.