Best Practices to Protect Your HOA Data

Homeowner associations (HOAs), like most organizations, have adopted information technology for everything from accounting and bookkeeping to email and other forms of communication to preparation of documents and presentations, etc.  However, HOA board members and their management staff must recognize and address the risks inherent in modern electronic technology, especially data breaches & server hacks that compromise information the HOA is responsible for keeping private.

Types/levels of Data

Not all information is equal.  An HOA basically has three levels of information:

1. Information suitable for the public, such as the HOA’s founding documents (articles of incorporation, CC&Rs, by-laws), possibly marketing and promotional materials and HOA-sponsored events open to the general public.
2. Information limited to members, including a members’ directory, meeting agendas and minutes, financial reports required by the by-laws or state law to be published to members, rules enforcement procedures and HOA-sponsored events open to HOA members only.
3. Information restricted to HOA board members and management; for example:
   1. Minutes of executive session meetings.
   2. Board packets & management reports.
   3. Disciplinary & collection activities.
   4. Email between/among board members.
   5. Contracts & other legal matters/documents.
   6. HOA employee personnel records.
      
      

Best Practices to Protect HOA Information

The technical tools – passwords, firewalls, data encryption – used to protect information stored electronically are beyond the scope of this article.  Board members should consult with the HOA’s IT experts, whether they are in-house employees, management company employees or an outside IT contractor service.  These specialists are best able to advise the board what data security features the HOA implement.

However, the HOA board and the management staff must go beyond mere technical solutions to:

1. First, recognize the organization’s information is an asset of the HOA like physical assets, and they must protect that information.
2. Second, review applicable federal, state and local laws and regulations to determine the scope of their obligation to protect HOA information.
3. Third, develop and adopt information security policy and associated procedures, to include:
   1. What information is to be protected, at what level (as discussed above).
   2. What steps are to be taken if/when there is a data breach.  (See below).
   3. What, when and how records will be disposed of (destroyed) when they are no longer needed.
   4. Acquire the appropriate liability insurance in case the HOA is sued as a result of a data breach.

This may seem overkill, especially for a small HOA with limited resources.  However, having a policy and procedures in place reduces the chances of the HOA, its board and its management being found negligent and therefore liable for damages resulting from the breach.

What to Do When Protection Fails

As soon as a data breach is detected, the board and management must consider it a significant event (that is, a crisis) to be dealt with promptly, with a sense of urgency.

The board and management must initiate immediately the HOA’s data breach protocol to minimize the damage. Specific steps include:

1. Assess the nature (deliberate, accidental) and scope of the breach damage.
2. Notify:
   • The relevant parties: board, management and law enforcement (when appropriate).
   • Those members believed to have been affected.
   • The insurance carrier.
   •  All HOA members.

An official spokesperson should be designated and only they should speak publicly to provide only that information (facts) that has been confirmed.  Understandably, HOA members will be upset if their information is compromised. Giving them incorrect or misleading information that later must be retracted will turn them from being upset to being angry.

Once the immediate crisis has been resolved, the board and management should conduct a thorough “after action review” or “lessons learned” review to determine what must be done to prevent such failures in the future and how to improve the breach protocol.  Such a crisis is unpleasant but can be a great teacher.

Conclusion

Large or small, every HOA has some sort of Internet presence and financial and member information stored on a computer somewhere.  Regardless of where the information is stored, the HOA board is responsible for protecting it.  The board must keep faith with their members that information will be kept safe, and protect the HOA from serious, expensive legal risks.

Additional Information

For more discussion concerning HOA information privacy, see:

http://blog.hignell.com/hoa-management/pros-and-cons-of-your-hoa-being-on-social-media.

https://www.echo-ca.org/article/hoa-records-security-protecting-homeowners-personal-information.

These two webpages describe what HOA information can be withheld and what must be made public.

https://www.davis-stirling.com/HOME/Records-Not-Subject-to-Inspection.

https://www.davis-stirling.com/HOME/Records-Subject-to-Inspection.

This webpage discusses the risks to HOAs posed by cybertheft.

https://www.hoaleader.com/public/Its-Not-Just-Homeowners-at-Risk-for-Cybertheft-Your-HOA-Is-Too.cfm.

The Hignell Companies have been providing HOA management services and advising HOA boards of directors for over 30 years. Our clients range from the small (25 units) to the large (2300 units) located throughout Northern California. Call us (530-894-0404) or visit our website.  Let us help you ensure your HOA’s information stays safe.