May 20, 2022

Volume XII, Number 140


Privacy and Data Security for HOAs: What Your Community Association Needs to Know

Privacy and Data Security is the body of law that addresses how an organization can collect, handle, and use personally identifiable information and how that information needs to be protected.

Community Associations quite often hold and maintain the names, addresses, and financial information of their residents and homeowners. Many criminal groups find this kind of information valuable for identity theft. Such groups also often encrypt the data so that the Community Association cannot access it, using that leverage to force the organization to pay a "ransom" for its return. Because of this, and in reaction to how much sensitive information about everyday people is held across the broader economy, all fifty states have laws on the books that require most organizations to disclose when an unauthorized party has accessed the information. Community Associations—just like any other North Carolina organization—must always act reasonably when deciding what to do with personal information, or risk negligence lawsuits and class actions.

Unfortunately, North Carolina does not provide statutory guidance on how Community Associations can act reasonably with respect to residents' personal data, but the federal government has provided frameworks that it recommends. The National Institute of Standards and Technology has published a Privacy Framework and a Cybersecurity Framework that, when followed, allow organizations to identify the data they have, protect that information, control and manage the data, govern the data with set rules within the organization, communicate the roles of each member of the organization, detect malicious or unauthorized activity, respond when an incident occurs, and recover from the incident.

There are a number of practical steps that organizations can take to avoid or reduce the severity of common compliance pitfalls. The first is to review vendor contracts regularly—at least once a year—to make sure that they reflect the organization's risk tolerance. Often, a trusted service provider or another vendor suffers a breach that impacts the privacy and security of the data entrusted to a Community Association. Without contractual protections, the organization might incur significant costs remediating the problem with little legal recourse to have those costs covered by the party at fault.

Additionally, encrypting data, which is a mathematical process that transforms readable text into unintelligible data and back again only when a secret code (called a key) is used, can be an important tool in the compliance toolbox for Community Associations. Under North Carolina law—and the law of many other states—a breach only triggers reporting obligations when the information that was stolen was unencrypted, or when the encryption key was stolen along with the data. This is not a silver bullet, but encryption is a practical technology that will be an important part of any compliance strategy.

Cyber insurance can also be an effective means of covering risk. However, insurance is not as simple as buying a policy and calling it a day. Insurers are increasingly raising premiums and lowering caps on organizations that do not take a proactive approach to mitigate privacy and security risks. So while insurance can act as a hedge against devastating effects, it should not be seen as a substitute for a compliance strategy.

We also recommend getting community input on the Community Association's Privacy and Data Security efforts. Community Associations are necessarily accountable to their residents and homeowners, so understanding stakeholders' risk tolerance can inform the leadership on how to move forward with a compliance strategy. The laws at issue obviously do not change based on the community's sentiments, but discussing the matter at an annual meeting can be a good way to communicate what expectations the stakeholders in your community have of leadership.

Challenges and risks of liability and unmet stakeholder expectations are everywhere for Community Associations that do not take a proactive approach to the Privacy and Data Security of their residents' and homeowners' information. 

© 2022 Ward and Smith, P.A. All Rights Reserved. National Law Review, Volume XI, Number 181

About this Author

Angela Doughty, Ward and Smith, IP Attorney
Trademark Specialist

Angela leads the firm's Intellectual Property practice and is a North Carolina State Bar Board Certified Specialist in Trademark Law.  She routinely counsels and assists clients with identifying, protecting, and enforcing their U.S. and international intellectual property rights; anti-counterfeiting and U.S. Customs matters; Internet and domain law issues, including proceedings before the National Arbitration Forum and World Intellectual Property Organization; website terms of use and privacy policies; branding and franchising agreements; software development and...

252-672-5471
Peter N. McClelland Cybersecurity Attorney Ward and Smith
Attorney

Peter is an attorney and a Certified Information Privacy Professional/US (CIPP/US) who assists clients in a range of privacy, data security, cyber supply chain and technology matters.

He regularly counsels on the legal requirements and risks associated with the collection, storage, transfer, use, protection, and disposal of data. Businesses and individuals rely on his privacy and data security expertise for structuring and operationalizing privacy compliance programs, data breach response and planning, contract and vendor management, and...

919-277-9157