First Step Toward Managing your Association’s Data Breach Liability Risks Is Recognizing Them
By Stephen Marcus
You are the president of a condominium board and you don’t appreciate getting a call from a fellow board-member Sunday at midnight. The reason for the call is even less welcome. The board member has lost a laptop containing every essential piece of association related information it would be possible for anyone to have. Names, addresses, account information and credit card numbers for association residents, passcodes for association bank accounts, budget details and financial reports all were stored on this laptop, which, the board member admits sheepishly, was not passcode protected.
This nightmare scenario is all-too-real, and it is by no means the only cyber-related risk associations face. Thieves can steal the information stored on laptops and desktops by penetrating the security defenses protecting them. They can use stolen passcodes to drain association bank accounts. They can trick unwitting board members or managers into sending to the thieves funds intended for someone else.In all of these cases, the targeted associations will have very large, very painful, and potentially very expensive headaches. How large, how painful and how expensive will depend on three factors:
- The policies and systems the association has in place for protecting data;
- The policies it has for dealing with security breaches; and
- The insurance coverage it has for the expenses and liabilities resulting from them.
For purposes of this discussion, I’m going to focus on data protection, because the need to protect association information may be less apparent to board members than the need to protect association funds.
Statutory Requirements
To start with the basics: Any community association that collects “personally identifiable information” about residents, is required by law to protect it. Massachusetts is one of 24 states that now have data security statutes in place, and the Massachusetts law is recognized as one of the toughest in the country. It requires, any entity that collects private consumer information (name, social security number, driver’s license, bank account numbers, or credit and debit card numbers) to take reasonable steps to protect that information; to detail those measures; and to create a “Written Information Security Program” (WISP) describing their security protocols.The penalties for violating these requirements are stiff – up to treble damages for failing to implement security measures and up to $50,000 for failing to report security breaches. A newly enacted “Data Beach Notification Law,” which took effect in April, expands the requirements for notifying consumers and state regulators of a breach.On the consumer side, the existing statute simply required notice to all consumers victimized by a beach; the new law specifies that “notice shall not be delayed on grounds that the total number of residents affected is not yet ascertained.” That means entities suffering a breach can’t wait until they have identified all potential victims; they must provide rolling notices to consumers as they are identified.
Notice to the attorney general, already required under the existing data protection law, must be more detailed, including information about the nature of the breach, the individuals affected by it, and the steps taken in response to it. The new law also requires breached entities to disclose whether they maintain the WISP (“Written Information Security Program”) required by law.I’m particularly concerned about that WISP requirement and I think condo associations should be, too. I haven’t had a client ask about WISPs since the law mandating them took effect seven years ago – and I don’t think that’s because everyone is doing what they should. I think it’s because many associations never drafted plans in the first place, or if they did, they didn’t implement the plans and/or haven’t reviewed or updated them to reflect changes in technology and in the risks they face.From the standpoint of a breached institution facing litigation from affected owners and scrutiny from the attorney general, I don’t know which would be worse ─ not having a WISP or failing to do what the plan requires. Either lapse will weaken the association’s legal defenses and increase its potential liability.
Recognizing the Risks
The biggest cyber risk for most condo associations is the failure to recognize just how vulnerable they are. Many assume that giant corporations would be the most likely targets. But those corporations also have the most sophisticated defenses in place. Although condo associations have less money and less data to steal, they also have weaker defenses that can be penetrated more easily.One survey found that nearly half of the cyber attacks launched in the past three years targeted small businesses – and condo associations are small businesses. If Target and American Express and TJ Max, with all of their resources and state-of-the-art data protection defenses, can be hacked by cyber-thieves, as they have been, how could any condo association reasonably expect to be immune from these attacks?When it comes to the cyber-risks condo associations face, ignorance is not bliss – it is frightening. The cost of a data breach can be staggering. Under the new Massachusetts Data Breach Notification law, in addition to notifying affected residents, an association would have to provide 18 months of free credit monitoring services if the stolen information includes a Social Security number – a minimum of 42 months if the information comes from consumer credit reports.
Calculating the Costs
For a relatively small community, or even for a sizable one, this may not sound overwhelming. But as Joel Meskin, vice president in charge of community association products for McGowan & Company, Inc., points out in a recent Condo Media article, unless an association regularly purges old files, the lost data could include information on past residents going back years of decades, in which case, Meskin notes, “you’re talking about a geometric increase in notification costs and credit reporting expenses.”
Breached institutions also face potential penalties if they haven’t complied with state data protection laws. In Massachusetts, the attorney general could assess treble damages for failing to implement data security measures and up to $50,000 for failing to report a security breach. A Rhode Island law assesses $100 per record if the violation is deemed “reckless” and $200 if it is willful. And those are just regulatory penalties. There are also the costs of defending the inevitable suits filed by affected consumers, the damages courts might award if associations lose those legal battles, and the invisible but no less significant reputation costs involved. The association may blame its management company for the breach and vice versa, but both will be damaged by the negative publicity resulting from it.Professionally managed associations assume that the management company handling data collection responsibilities would be on the hook if the data is compromised. But that’s not how it works. First, most management contracts require the association to indemnify the management company for any litigation resulting from the company’s execution of its duties. Absent evidence of ‘gross negligence’ by the company, the association would have to honor that obligation. Also, as a practical matter, the courts have generally found that even when a third party manages consumer data, its end users are at least partly responsible for protecting it. In other words, associations can outsource the data collection responsibility, but they can’t evade potential liability for a data breach.
Are You Covered?
What about insurance? That’s a reasonable question, but the answer is less than completely reassuring. If the association’s Directors’ and Officers’ (D&O) liability policy doesn’t expressly exclude coverage for cyber liability and data breach (and many are beginning to exclude that coverage) the policy will probably cover defense costs and damages up to the policy limits – typically $1 million. But the policy won’t cover all the ancillary costs – notice requirements and credit monitoring, for example, plus forensic analysis (to identify the cause of the breach) and remedial measures required to fix the problem; nor will it cover penalties or fines resulting from statutory violations.
That broad-spectrum coverage is available, but it comes in a separate cyber risk-data breach policy designed for that purpose. Many companies now offer these policies, but you want one that is written specifically for condominium associations. As with insurance of all kinds, the policies vary widely in scope, quality and cost. You should shop carefully, ideally with the help of an insurance advisor who works extensively with condominiums, to find the coverage you need.Another important point about cyber-risk/data breach insurance: Applications for the coverage will typically ask for details about the association’s data protection procedures. If you say you have a WISP but don’t, or if you have a WISP but aren’t doing what it says, the insurer could cite that misinformation as a basis for denying compensation for a covered data breach claim.This simply underscores the importance of having reasonable data protection policies and following them. The best insurance coverage available will never be a substitute for risk management policies and data protection measures that strengthen the association’s defenses and reduce its data breach risks.If you want more information about data security or have questions about that issue, email Stephen Marcus (smarcus@meeb.com.) or call him at 781-843-5000.