Year: 2018



Great news: the new “Tax Cut and Jobs Act” (“TCJA”) doubles the estate tax exemption amount from $5.49 million per individual (the 2017 exemption amount) to $11,180,000. (For convenience, this article uses the projected 2018 exemption amounts of $5.6 million before TCJA and $11.2 million after.) The new higher number will be adjusted for inflation. This means that, at least until 2026, married couples may have up to $22.4 million in assets and avoid the estate tax. Since very few individuals have assets in excess of the new exemption amount, this tax law change will further reduce the number of people exposed to the tax who are required to file an estate tax return. (It is estimated that fewer than 2,000 estates will be required to pay tax, compared to over 5,000 for 2017.)

This means that most of us can concentrate our estate plans on the “real issues,” the ones affecting our families and the proper and orderly disposition of our assets. We may no longer need the complexity of “ILITs” (irrevocable life insurance trusts) or “IDGTs” (intentionally defective grantor trusts). We will likely still need to consider the use of trusts to meet our lifetime and testamentary goals, such as avoiding probate or distributing our assets over time, to avoid waste or the unwise use of our savings by young or immature beneficiaries. Trusts provide for the orderly distribution of assets over time, in a protected fashion. Do you want significant assets (e.g. $100,000) being distributed to a young 18-year-old? Would the result be the prudent use of the funds for education? Or, perhaps, a new car and “a year off” enjoying the pleasant company of many new friends?

Who is adversely affected by the increase in the exemption?  One example is charities.  Do you still need a testamentary charitable gift or charitable remainder trust?  You do if you have a charitable intent and desire to benefit your favorite charity, church or alma mater.  However, it is likely some individuals will abandon their charitable goals with the new higher estate tax exemption, since they will no longer need to give away assets to avoid the estate tax.

IMPORTANT NOTE:  The new estate tax exemption amount is only effective until December 31, 2025.   Afterwards, unless there are more changes, the provisions will revert to the 2017 rules and the $5.49 million exemption amount. However, at least we should be able to benefit from the continued indexing of the credit amount.  The hope is that the estate tax will be eliminated in its entirety before the 2025 sunset.  However, as they say, “hope is not a plan.”  What do YOU do in the interim?  Assuming you own assets in excess of $5.6 million, can you prudently count on the ultimate repeal of the tax when hundreds of thousands of dollars may be at stake?  The estate tax has been in place since 1916.  Remember 2010, when the estate tax was eliminated, only to be brought back the same year?  Our thought is to plan your estates based on current law, rather than predict what the law may be when you die.

Estate tax planning during 2018-25 falls into four zones, depending on the level of your assets:


At this level you can focus on your lifetime and testamentary goals in carefully designing and reviewing your estate plan; however, you must be mindful of the appreciation of your wealth over time, especially if your assets exceed $4 million. As we know, we are living longer, and a plan for a “safe” $4 million estate may not last 10-15 years if your portfolio appreciates to $6 million or higher. Remember what the stock market did in 2017?


There are significant opportunities available in this zone to minimize risks of inadvertent taxation.  If the projected value of your assets in 2026 will be over the $5.6 million limit you may wish to take available actions to reduce your exposure, since under current law the new higher exemption amount will revert to the prior indexed limit.  To reduce your exposure, see the ideas under zone 3, below.  Also consider:

  • Significant gifts to family members of amounts in excess of $5.6 million, to “use” the new higher exemption amount before it goes away in 2025. Note: there is some risk of a “claw-back” of this amount when the exemption goes back to its pre-TCJA level, however at this time the consensus appears to be that will not occur.  Also, even if there is a claw-back, the gift will shift the post-gift appreciation to the family members. Another limitation to consider on these gifts is the loss of a step-up in basis.
  • Gifts of the extra exemption amount may be direct, or through trusts such as a “dynasty” trust for family members.
  • Use of “I love you” wills and trusts containing “disclaimers” makes it possible for a surviving spouse to minimize estate taxes at the first spouse’s death. A spouse may be given the amount in excess of $5.6 million but have the opportunity to disclaim it to younger family members when the exemption level decreases.
  • If you believe the $11.2 million limit will survive past 2025, you may wish to consider the opportunity to “reverse” some of your previous estate planning transfers to minimize expected future income taxes with a step-up in basis (which was retained under TCJA). (Note: don’t wait until the last minute to do this; there are special rules that can limit this opportunity.)
  • Another basis step-up opportunity exists with gifts to parents who are below the exemption limits. (Again, don’t wait until the last minute).
  • You may also wish to unwind certain arrangements, such as life insurance trusts, which may be no longer needed.

In this zone, we are thankful for the increase in the exemption, but we must also consider some of the options that were available before the increase, for example:

  • Annual gifts of up to $15,000 (for 2018) per individual;
  • Educational and medical gifts paid directly to institutions/providers;
  • Charitable Trusts;
  • Irrevocable Life Insurance Trusts;
  • Grantor Retained Annuity Trusts;
  • Qualified Personal Residence Trusts; and
  • Intra-family sales, for example to a “defective” grantor trust, and other “freeze” techniques such as low interest loans.

The use of these and similar options will help eliminate or minimize estate taxes attributable to assets in excess of the $11.2 million limit.


For married couples, the combined exemption of $22.4 million will exempt most estates from estate taxes. For those above this level, the higher exemption will save significant taxes; however, additional planning to minimize taxes above that level suggests that consideration be given to the use of the options described above.

Overall, the new tax law provides significant opportunities and requires new considerations.  A review and adjustment of your current estate plans and documents is in order.  For example, if you have an older “tax will” with a formula tax adjustment clause (for example a “marital trust” and “family” or “credit shelter” trust) your spouse may be significantly underfunded by reason of the new exemption amount.  The next step is to review your documents and consult with your advisors.  After properly conforming your documents to your wishes, watch for new laws or IRS Regulations that may affect your decisions.  Lastly, plan on repeating this process as we approach the “sunset” of this legislation in 2025.  Your family will benefit from your diligence.

About the Author:

Pat Herman is senior tax attorney at Vandeventer Black, having a tax degree and 35 years of experience. Pat’s practice is focused on estate planning, employee benefits and ERISA matters, general tax planning, and exempt organizations. For more information, contact Pat at


Final Crane Operator Certification Requirements

On November 9, 2018 OSHA issued a final rule revising the Crane Operator Certification Requirements. The final rule is effective on December 10, 2018, except for certain evaluation and documentation requirements that are effective February 7, 2019. Under the final rule, employers are required to train operators as needed to perform assigned crane activities, evaluate them, and document successful completion of the evaluations. Employers who have evaluated operators prior to December 9, 2018, will not have to conduct those evaluations again, but will only have to document when those evaluations were completed.

The final rule is a performance-based standard that does not establish the specific skills that must be assessed, but instead provides a list of performance-based criteria. The criteria include evaluation of the operator’s skills and knowledge with safety devices, operational aids, software and lifting capacity, boom length, attachments, and counterweight setup. While the evaluator does not need to be certified or have previous experience as an operator, the evaluator must have the knowledge, training and experience necessary to conduct the evaluation. The evaluation must be documented and maintained while the operator is employed.

The final rule eliminates the earlier proposed requirement for certification based on the lifting capacity of the crane. The final rule permits accredited testing organizations to certify operators based on the type of crane or based on the type and capacity of the crane, which ensures that more accredited testing organizations are eligible to meet OSHA’s certification program requirements. Compliant certifications that were already issued by type and capacity are still acceptable under the final rule.

For additional information refer to the final rule at


Before Entering Into A Contract With An Arbitration Provision, Consider What Time Period The Parties Will Have To Bring Claims

Statutes of limitations are statutory deadlines for filing legal actions. Limitation periods vary by the type of action. It is important to evaluate these limitation periods because if the deadline is missed, then the claim may be time-barred by the court.

Arbitration provisions are increasingly common. Only a few jurisdictions, however, explicitly address whether statute of limitations provisions apply to arbitration provisions. For example, the Code of Virginia addresses various matters concerning the validity and enforceability of arbitration agreements; but, it does not address the interplay of limitations periods.

Without a specific statutory provision governing the limitation on an arbitration proceeding, how may parties to an arbitration protect against a claim being brought too late? One way is contractually. Parties may expressly agree in their contract that a certain limitations period will apply to the arbitration proceeding. If, however, the parties do not designate an applicable limitations period, then depending on the specific arbitration language in the contract, timeliness becomes an issue for determination by either the arbitrator or a court.

Generally, that determination depends on the governing state’s law or other substantive law controlling the parties’ claims. The laws of two states, Georgia and New York, limit an arbitrator’s authority by specifically extending the application of statute of limitations periods to arbitrations. For other states, the answer is less clear. Most states, including Virginia, have limited the applicability of the statute of limitations to “actions.” Some states have determined that the term “actions” only applies to judicial proceedings and not arbitrations, meaning that in cases governed by those states’ laws, state statutes of limitations will not apply. Virginia, however, has not addressed that question.

Parties may avoid the issue by including a specific reasonable limitation period and by mandating determinations of arbitrability otherwise to the arbitrator. Keep in mind that unreasonable limitation periods may be subject to public policy enforcement considerations. Additionally, regardless of the parties’ agreement, all limitations defenses are subject to the specific circumstances of a case.

The limitations period, like other aspects of arbitration agreements, requires careful consideration and drafting.


SBA Rules On SDVOSB Ownership And Control

The Department of Veterans Affairs (VA) and the United States Small Business Administration (SBA) each has its own service-disabled veteran-owned small business (SDVOSB) contracting program. Until recently, the VA and SBA programs were subject to different sets of eligibility rules. Effective October 1, 2018, SBA revised its eligibility requirements for the SBA service-disabled veteran-owned small business concern (SDVO SBC) program. Due to the VA’s recent elimination of its own eligibility requirements and corresponding adoption of SBA’s rules on eligibility, the recent changes to the SBA rules impact eligibility determinations under both programs.

In a few respects, the recent rule changes eased SDVOSB eligibility requirements. For example:

  • Non-service-disabled veteran minority owners now have more rights to decide certain extraordinary company actions (this was discussed in a prior article).
  • In states with community property laws (note: Virginia is not a community property state), ownership is now determined without regard to community property;
  • In limited circumstances, upon the death of a service-disabled veteran owner, his or her surviving spouse can own the SDVOSB for a period of up to ten (10) years;
  • Company stock owned by an employee stock ownership plan (ESOP) is exempt from the ownership calculation.

However, in many other ways, SBA now more tightly restricts SDVOSB eligibility than it did previously. For example, there is a bright-line rule that service-disabled veteran owners must receive at least 51% of the annual distribution of the company’s profits and retained earnings, and 100% of the value of each share upon sale of stock or dissolution of the company. Additionally, in the following circumstances, there is a presumption that non-service-disabled veterans control the company (but the presumption is rebuttable):

  • A non-service disabled veteran who is involved in the management or ownership of the SDVOSB is a current or former employer (or principal of a current or former employer) of the service-disabled veteran;
  • A non-service disabled veteran receives compensation that exceeds compensation paid to the SDVOSB’s highest-ranking officer (usually CEO or President);
  • The SDVOSB shares an office, employees, equipment, resources, or services with another company in the same line of work and the other company or any of its owners, officers, directors, or their direct relatives owns an equity interest in the SDVOSB;
  • A non-service disabled veteran holds an equity interest in the SDVOSB and provides critical financial or bonding support;
  • A non-service disabled veteran holds a critical license required in the SDVOSB’s line of work;
  • The SDVOSB is dependent upon non-service disabled veteran individuals or entities such that the service-disabled veteran owner’s independent business judgment is compromised;
  • The service-disabled veteran owner is not able to work for the firm during “normal working hours”; and
  • The service-disabled veteran owner “is not located within a reasonable commute” to the SDVOSB’s “headquarters and/or job-sites locations, regardless of the firm’s industry.” Evidence that the service-disabled veteran owner is able to telecommute is insufficient to rebut the presumption.

Although they represent a departure from SBA’s old regime, the new rules are closely aligned with the eligibility criteria historically used by the VA. Importantly, the new regulations provide much-needed clarity on the eligibility requirements for SDVOSBs under both the SBA and VA programs, and hopefully will eliminate some of the inconsistencies previously experienced between the two programs.


Recent Change To Rights Of SDVOSB Minority Owners

The Department of Veterans Affairs (VA) and the United States Small Business Administration (SBA) each administers its own service-disabled veteran-owned small business (SDVOSB) contracting program. Until very recently, each program was subject to its own set of rules. Disparities between the eligibility requirements of the VA’s “Vets First” program and the SBA’s Service-Disabled Veteran Owned Small Business Concern (SDVO SBC) program led to inconsistent results: a SDVOSB might qualify under the Vets First program, but not SBA’s program, or vice versa. Recent regulatory changes helped resolve some of the inconsistencies between the two programs and the corresponding confusion that has plagued service-disabled veteran-owned contractors.

Via a final rule effective October 1, 2018, the VA eliminated its own criteria for SDVOSB eligibility and instead adopted SBA’s eligibility guidelines found in 13 C.F.R. Part 125 for applicants to the Vets First program. Then, SBA adopted revised guidelines—also effective October 1, 2018—on service-disabled veteran-owned business eligibility.

One important conflict resolved by SBA’s new rules concerns the rights of non-service-disabled veteran owners of an otherwise qualified SDVOSB. Historically, the VA program acknowledged the business reality that a non-service-disabled veteran owner deserved to have input on certain fundamental changes to the business. Giving the non-service-disabled veteran owner a say in “extraordinary” company actions was necessary for the non-service-disabled veteran owner to protect its investment in the business and benefitted the service-disabled veteran owner by making it easier to solicit potential investors. SBA, however, required the service-disabled veteran owner to exercise absolute control over the business, which SBA interpreted as prohibiting non-veteran owners from having rights over even extraordinary matters.

Effective October 1, 2018, SBA has changed its position on the rights of non-service-disabled veteran owners. 13 C.F.R. § 125.13(m) now specifies that in the following five “extraordinary circumstances,” a service-disabled veteran owner’s lack of unilateral and absolute authority does not make the business ineligible for SDVOSB status:

  1. Adding a new equity stakeholder;
  2. Dissolution of the company;
  3. Sale of the company;
  4. The merger of the company; and
  5. Company declaring bankruptcy.

In other words, a non-service-disabled veteran owner now can have a say in any of these five decisions (but only these five decisions) without destroying the service-disabled veteran owner’s full “control” over the business required for SDVOSB eligibility. In addition to enhancing the opportunities for non-veteran investment in SDVOSBs, the regulatory change in 13 C.F.R. § 125.13(m), as well as the VA’s adoption of SBA’s eligibility requirements, provides some much-needed consistency between the VA and SBA SDVOSB programs. For more information, please contact the authoring attorney.




As I reported earlier[1], the U.S. Supreme Court held in Epic Systems Corp. v. Lewis on May 21, 2018, that employers and employees can agree in arbitration agreements that claims be brought on an individual, rather than class or collective, basis. Now, the U.S. Court of Appeals for the Sixth Circuit has held that the Epic ruling extends to claims brought under the Fair Labor Standards Act (FLSA).

In Gaffers v. Kelly Services, Inc., the plaintiff worked in a “virtual call center” – essentially, a call center operation where the employees work from home – and claimed that the employer had underpaid him and his fellow “virtual” employees. The plaintiff brought suit against his employer under the FLSA on behalf of himself and his coworkers as an FLSA collective action. More than 1,600 employees joined him in the case. About half of those employees, however, had signed arbitration agreements with the employer in which they agreed that individual arbitration is the only forum for any employment claims, including wage claims. When the employer moved to compel individual arbitrations of those employees’ claims, the plaintiff argued that the National Labor Relations Act (NLRA) and the FLSA rendered those arbitration agreements unenforceable.

The Sixth Circuit shot down the plaintiff’s argument. Relying on the Supreme Court’s decision in Epic, the court explained that neither the NLRA nor the FLSA displaces the Federal Arbitration Act (FAA), which reflects a strong federal policy in favor of arbitration. Although the NLRA gives employees the right to concerted activity, and the FLSA gives employees the right to bring wage claims in collective actions, neither law shows a “clear and manifest” congressional intention to create exceptions to the FAA or to invalidate individual arbitration agreements. When employers and employees agree in an arbitration agreement to submit all claims to arbitration on an individual basis, therefore, the employee cannot bring an FLSA collective action.

The Sixth Circuit’s application of the Epic ruling to FLSA claims is another reminder to employers to review their arbitration agreements with their employees or, if they do not have arbitration agreements with their employees, to consider making such agreements. Arbitration of employment claims offers several advantages over litigation. If you have questions regarding your company’s arbitration agreements or would like to discuss whether arbitration agreements are the right fit for your company, the labor and employment attorneys at Vandeventer Black are available to assist you. For more information, please contact the authoring attorney.

  1. “U.S. Supreme Court Rules In Favor Of Employment Agreements Requiring Arbitration On An Individual Rather Than Class Or Collective Basis.”

Your Responsibility for Worker’s Compensation May Extend Further Than You Think

Workers’ compensation obligations may extend to cover individuals beyond those you consider to be your traditional employees. While this article considers such obligations under the Virginia Workers’ Compensation Act (VWCA), the consideration may be applicable in other states as well. Consult with an attorney licensed in your state to discuss the issue.

One of the aims of the VWCA is to prevent employers from avoiding responsibility for employee injuries by contracting work out to others. To accomplish this, the VWCA designates some employers as “statutory employers” in certain circumstances. Statutory employers are responsible for injuries under the VWCA just like traditional employers. The statutory employer doctrine is normally implicated where the injured worker is an employee of an uninsured subcontractor. Understanding whether you are considered a statutory employer on a particular project is an important part of ensuring you are prepared to accept that work. This is especially true in the construction context, where contracting and subcontracting is the norm.

Under the VWCA, a statutory employer is one who contracts for another party to do any work that is “part of his trade, business or occupation.” Va. Code § 65.2-302(A). Thus, the key is whether the injured worker was performing work that was part of the potential statutory employer’s “trade, business or occupation.” Courts in Virginia often rely on three different inquiries to aid in answering this question.

The first is often called the “normal work test.” This test asks whether the activity in that industry is normally conducted by employees of the project owner, rather than independent contractors. If it is, then the activity is considered part of the employer’s trade, business or occupation. This makes the employer a statutory employer and liable to the injured worker under the VWCA.

The second inquiry is the “subcontracted fraction test.” This test considers whether the work engaging the injured worker was a subcontracted fraction of a main contract. In this case, a general contractor, for example, can be the statutory employer of an injured subcontractor—even if the activity was not part of the trade, business or occupation of the project owner—if the subcontractor was doing work that was clearly part of the main contract.

The third inquiry is the “stranger to the work test.” This test applies when the injured worker is an employee of the project owner or general contractor, and a subcontractor was somehow responsible for the injury. The subcontractor is liable under the VWCA if it is not a “stranger” to the particular business of the owner. For example, the Virginia Supreme Court considered a subcontractor who installed an automatic door at an automobile manufacturing plant that injured an employee of the plant owner to be a stranger to the owner’s work of manufacturing and selling automobiles. In that case, the subcontractor was not covered under the VWCA.

Courts have noted that making these determinations is highly dependent on the facts and circumstances of each case. Accordingly, it is important to discuss the issue with an experienced attorney who is familiar with what sort of facts and circumstances should be considered, and who can help you determine what impact any statutory employer issues may have on your business or project.

General Contractors: Important Licensing Considerations

Businesses must become licensed before acting in a contractor’s capacity.  The ability to issue licenses serves an important function of protecting public safety by ensuring that contractors meet established minimum competency requirements.  When applying for licensure, important considerations include (a) where the work will be performed, (b) the type of work the contractor plans to do, (c) the size of its projects, and (d) the clients it plans to service.

Location.  Before acting as a contractor, a business must obtain a license in the location where the work is to be performed.  Each state has its own licensing requirements – most requiring state-wide licenses, some requiring municipality-specific licenses, and a few requiring both state and municipal licenses.

Type of Work.  A business desiring to become licensed must evaluate which trades it plans to perform or coordinate. Nearly every state issues both expansive general contractor’s licenses, which encompass a variety of trade areas, and specialized licenses. Licenses limited to specialties are typically easier and less expensive to obtain, requiring fewer reference letters and more limited examinations. The broader general contractor licenses allow room for growth and more flexibility as new job opportunities arise, but are more difficult and usually more expensive to obtain, with lengthy and comprehensive examinations and verifiable work experience requirements.

Size of Projects.  Most contractors’ licenses are divided into classes based on the contract price of the contractors’ projects. The selection of a classification dictates many of the prerequisites for licensure. For example, a state or locality typically requires information regarding the financial worth and working capital of a business before it will issue a license. Lower classifications may simply require signed/notarized financial statements, whereas upper classifications may require professionally prepared and audited financial statements. Furthermore, upper classifications require a demonstration of higher working capital than lower classifications and may also require a contractor to maintain large (and expensive) bonds.

Clients.  The clients that a contractor expects to service can also dictate the license(s) needed.  For example, some (but not all) states require specific licenses when performing public works contracts.

A contractor must be careful to ensure that it obtains the appropriate license(s) that encompass the type and size of its anticipated work and also the clients it intends to service.  Exceeding the scope or classification of a license can be both dangerous and costly – leading to expensive penalties and possible suspensions or terminations of licenses, not to mention damage to the reputation of the business.  Planning ahead will save time, expense, and face later.


Contractor Safety Continues to Improve, but Trends Continue

Various aspects of construction are inherently unsafe. The Federal Occupational Safety and Health Administration (OSHA) therefore continues to maintain focus on the construction industry in an ongoing effort to alleviate workplace incidents.

Part of that effort includes inspection and citation for workplace safety violations. For fiscal year 2017 (October 1, 2016 through September 30, 2017), Federal OSHA’s “Top 10” most frequently cited OSHA standards were as follows (with the regulatory reference and a link to further related information available from OSHA noted for each):

  1. Fall protection, construction (29 CFR 1926.501) [related OSHA Safety and Health Topics page]
  2. Hazard communication standard, general industry (29 CFR 1910.1200) [related OSHA Safety and Health Topics page]
  3. Scaffolding, general requirements, construction (29 CFR 1926.451) [related OSHA Safety and Health Topics page]
  4. Respiratory protection, general industry (29 CFR 1910.134) [related OSHA Safety and Health Topics page]
  5. Control of hazardous energy (lockout/tagout), general industry (29 CFR 1910.147) [related OSHA Safety and Health Topics page]
  6. Ladders, construction (29 CFR 1926.1053) [related OSHA Safety and Health Topics page]
  7. Powered industrial trucks, general industry (29 CFR 1910.178) [related OSHA Safety and Health Topics page]
  8. Machinery and Machine Guarding, general requirements (29 CFR 1910.212) [related OSHA Safety and Health Topics page]
  9. Fall Protection–Training Requirements (29 CFR 1926.503) [related OSHA Safety and Health Topics page]
  10. Electrical, wiring methods, components and equipment, general industry (29 CFR 1910.305) [related OSHA Safety and Health Topics page]

The Top 10 are all things that should already be addressed in contractor and project safety plans and training; but their identification by Federal OSHA as the most commonly cited violations gives further reason to emphasize these items in both plans and training.

Ideally, such violations will eventually be eliminated in the industry, but realistically accidents will continue to happen. Given that, prior consideration of them and incorporation into plans and training can effectively reduce their incidence and, when inspections occur, demonstrate the company’s proactive efforts to avoid such incidents.

Vandeventer Black’s Construction and Labor Practice Group attorneys are available to assist with construction site incidents and other work safety guidance matters.


Five Steps to Greater Cybersecurity Health for Community Associations

Media reports concerning cyber attacks continue to increase. Over the past few years, some of the largest and best-known companies have been affected by data breaches. These companies have experienced millions of dollars in losses as a result. Even a small data breach impacting only a few thousand records can expose a business to significant losses that may have a devastating impact, including causing a business to close.

Community associations may believe that because they are small, they are immune from attack. Statistics, however, tell a different story. Internet security firm Symantec’s 2018 Internet Security Threat Report revealed that in 2017, small businesses were affected as much as large enterprises by email-borne malware containing a malicious link.[1] Additionally, in its 2016 report on cyber attacks, Symantec reported that 43% of all spear-phishing attacks in 2015 were against small businesses with 1 to 250 employees.[2]

Many associations work with a management company to manage day-to-day operations, such as maintenance, resident communication, assessment collection and covenant enforcement. These companies may also provide dedicated information technology (IT) resources to help your association. Even so, protecting your association and its members by learning about data privacy and security and maintaining appropriate protections is an important responsibility for any association. Even if your association has dedicated IT resources at its disposal, there are steps your association can take to assess its cyber risk and defend against cyber threats.

Step 1: Perform A Data Inventory and Assessment

Before you can accurately assess your level of risk, you should understand the type of information you collect, how you collect it, how you maintain it, and who has access to it.  Depending on the size of your association, this may require meetings with multiple individuals or a single meeting with one individual.  Ultimately, your goal is to understand your information and what you do with it.

Types of Information

Your association may collect different types of sensitive information from members.  For example, your association may collect personally identifiable information (PII), such as first and last names, home or business addresses, email addresses, credit card and bank account numbers, dates of birth, social security numbers, city of birth or residence, driver’s license numbers and phone numbers.  You may also collect medical information, federal tax information (FTI) and other types of sensitive information.  Identifying the type of information your association collects is critical in determining its level of sensitivity.

How Is Sensitive Information Collected?

Your association should also determine how you collect sensitive information. Do you collect it electronically, in paper form, or a combination of both? Do you have a public-facing web page that members can use to input information? Do you accept credit card payments online?

Depending on how you collect information, there may be certain legal requirements attached to how it is collected. For example, if you collect protected health information (PHI), the Health Insurance Portability and Accountability Act (HIPAA) requires certain safeguards if PHI is collected or transmitted electronically. Additionally, if you accept credit card payments, either online or from a point-of-service device, the Payment Card Industry Data Security Standard (PCI-DSS) mandates certain cyber security requirements to protect cardholder information.

How Is Sensitive Information Maintained?

If the information is maintained in paper form, where are those files kept?  Are they in a secure locked area, accessible only to authorized individuals? Is your information maintained electronically? If so, where?  On the office desktop, a local dedicated server, a mobile device, or in the cloud?  It is important for your association to know where the information resides so that it can be properly secured.

Who Has Access To Sensitive Information?

Sensitive information should only be accessible by individuals on a “need to know” basis. Your association should determine who needs access to sensitive information and for what purpose. You should then permit access only to those individuals who need it and only for the purposes for which it is needed, and prohibit all other access. Your association should consider policies that specifically identify by name or position those who have access to sensitive information.

Do Not Collect Information You Do Not Need

While you may need to collect certain information from homeowners and residents, be careful about what you collect. Only collect the information you need and do not keep it longer than you need it, in accordance with your data retention policies.  If you do not have a record retention policy, consult your association attorney about drafting one.

Step 2: Understand the Laws that Apply to the Information Maintained by Your Association

Various state and federal laws govern the collection and protection of sensitive information and impose data breach reporting requirements. Legal requirements generally depend on the type of information collected and maintained, and multiple layers of laws apply to different types of information. Many of these laws come with breach notification requirements.

For example, Virginia’s breach of personal information notification law, codified at Va. Code § 18.2-186.6, requires individuals and entities who own, maintain, or license computerized data that contains personal information of Virginia residents, and who have a reasonable belief that such personal information was accessed or acquired by an unauthorized individual or entity, to report the breach without unreasonable delay to the Office of the Virginia Attorney General as well as to any affected resident of the Commonwealth.[i]

Va. Code § 18.2-186.6 defines “personal information” as the first name or first initial and last name in combination with any one or more of the following when not encrypted or redacted:

  • Social Security number;
  • Driver’s license number or state identification card number; or
  • Financial account number or credit card or debit card number in combination with any required security code, access code or password.[ii]
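The data inventory in Step 1 and the statutory definition above fit together naturally: once you know which fields each record holds, you can tell which records would fall within the definition if they were exposed. The following is an added example (not code from the article or from Vandeventer Black) that applies the § 18.2-186.6 elements to a constructed set of records. All field names, the "enc:" prefix used to mark encrypted values, and the sample records are assumptions made for the example; the redaction test treats a value as redacted when only masking characters and at most the last four digits remain.

```python
"""Inventory scan: flag records holding "personal information" as defined by
Va. Code § 18.2-186.6, i.e. a first name or initial plus last name combined
with an SSN, driver's license/state ID number, or a financial account number
together with a required security code, access code or password, where those
elements are not encrypted or redacted.

Added example; field names, the "enc:" marker and all records are constructed.
"""
import re

# Field names are assumptions for this example, not anything the statute uses.
IDENTIFYING_FIELDS = ("ssn", "drivers_license", "state_id")
ACCOUNT_FIELDS = ("account_number", "card_number")
CODE_FIELDS = ("security_code", "access_code", "password")

# A value counts as redacted when only masking characters (X, *, #) and at
# most the last four digits remain, e.g. "XXX-XX-6789" or "****1234".
_REDACTED = re.compile(r"[X*#\-\s]+\d{0,4}", re.IGNORECASE)


def is_usable(value):
    """True when the value is present and neither encrypted nor redacted.

    Encryption is represented by an "enc:" prefix (a constructed convention
    standing in for whatever the real storage layer would mark).
    """
    if value is None:
        return False
    v = str(value).strip()
    if not v or v.startswith("enc:"):
        return False
    return _REDACTED.fullmatch(v) is None


def has_name(record):
    """The statute requires first name or first initial plus last name."""
    first = record.get("first_name") or record.get("first_initial")
    return bool(first and record.get("last_name"))


def triggering_elements(record):
    """Return the data elements that bring this record within the definition."""
    if not has_name(record):
        return []  # no name, so no "personal information" under this statute
    elements = [f for f in IDENTIFYING_FIELDS if is_usable(record.get(f))]
    account = any(is_usable(record.get(f)) for f in ACCOUNT_FIELDS)
    code = any(is_usable(record.get(f)) for f in CODE_FIELDS)
    if account and code:  # account number alone is not enough; needs a code
        elements.append("financial_account_with_code")
    return elements


def inventory(records):
    """Summarize which record ids are in scope and which elements drove that."""
    report = {"in_scope": [], "out_of_scope": [], "element_counts": {}}
    for rec in records:
        elems = triggering_elements(rec)
        if elems:
            report["in_scope"].append(rec["id"])
            for e in elems:
                report["element_counts"][e] = report["element_counts"].get(e, 0) + 1
        else:
            report["out_of_scope"].append(rec["id"])
    return report


# Constructed sample records covering the edge cases in the definition.
SAMPLE_RECORDS = [
    {"id": 1, "first_name": "Ann", "last_name": "Smith", "ssn": "123-45-6789"},
    {"id": 2, "first_name": "Bob", "last_name": "Jones", "ssn": "XXX-XX-6789"},
    {"id": 3, "first_name": "Cy", "last_name": "Lee", "card_number": "4111111111111111"},
    {"id": 4, "first_name": "Di", "last_name": "Ng", "account_number": "987654321",
     "password": "hunter2"},
    {"id": 5, "first_name": "Ed", "ssn": "222-33-4444"},
    {"id": 6, "first_initial": "J", "last_name": "Doe", "drivers_license": "T12345678",
     "state_id": "enc:9f8e7d6c"},
    {"id": 7, "first_name": "Flo", "last_name": "Ray", "email": "flo@example.org"},
]

if __name__ == "__main__":
    result = inventory(SAMPLE_RECORDS)
    print("records in scope:", result["in_scope"])
    print("records out of scope:", result["out_of_scope"])
    print("driving elements:", result["element_counts"])
```

Records 2, 3, 5 and 7 fall outside the statutory definition for different reasons (redacted SSN, card number without a code, no last name, no enumerated element), which is the point of running the inventory rather than reasoning by intuition. Note that a card number without a security code is still cardholder data for PCI-DSS purposes and still worth protecting; the statute sets the notification floor, not the limit of what the inventory should track.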

Similarly, Virginia’s breach of medical information notification law requires individuals and entities who own, maintain, or license computerized data that contains medical information of Virginia residents, and who have a reasonable belief that such medical information was accessed or acquired by an unauthorized individual or entity, to report the breach without unreasonable delay to the Office of the Virginia Attorney General as well as to any affected resident of the Commonwealth.[iii]

Federal laws such as HIPAA have their own reporting requirements. It is important for your association to understand the type of data you collect and the legal requirements that apply to that data. Doing so now will save your association time and expense in the event a breach does occur.

Step 3: Develop and Enforce Appropriate Data Privacy and Security Policies/Guidelines

After reviewing your data and any applicable laws, review your association’s governing documents.  This will lay the foundation for the development and implementation of a comprehensive cyber security policy.  The policy should include the following[3]:

A. Data access governance/roles and responsibilities

Determine who in your association/management requires access to sensitive information and who will be responsible for its collection, storage and management. Allow access only to authorized members.  Monitor access to ensure unauthorized access does not occur.  Ensure that appropriate security standards are in place to protect sensitive data from unauthorized access, including if your association requires employees to have remote access to sensitive data.

Physical access to data is also an important consideration.  Your association should consider and implement physical security protocols to protect sensitive data. These may include monitoring access to facilities, ensuring visitors are escorted, and ensuring that employees who no longer work for the association no longer have access to facilities and systems.

B.  Password protection/password management

Require the use of strong passwords.  Require employees and users to change passwords on a regular basis and require employees to follow good password protection management practices.

C. Data destruction

As part of your association’s data retention policy, require sensitive data that is no longer needed or required by your association’s policies or applicable law to be destroyed in a secure manner.

D. Breach response plan

The worst time to develop a breach response plan is after a breach has already occurred.  Develop a plan that is consistent with the legal requirements applicable to the data you maintain. The plan should include not only the steps to take immediately after a breach is discovered, but how homeowners will be notified of the breach. Specific roles should be assigned to individuals in the association so that there is no confusion regarding who is responsible for what activities if a breach occurs.

You should also consider establishing relationships with third-party breach response organizations to assist you in the event of a breach. These organizations assist in investigating the causes of the breach, mitigating its effects, and providing legal advice and representation.  Once the plan is developed, it should be practiced on a regular basis so that each member of your association knows their role in the plan and how to respond in the event a breach occurs.

E. Social media/bring your own device (BYOD)

Define when and how employees may access social media and personal email while at work.  Also, institute rules for the use of mobile devices.  Ensure that unauthorized individuals will not be able to access sensitive information.

F. Training

While having a cyber security policy is important, it is also important that you have a regular training program to educate your employees on cyber risk. Awareness of cyber risks is part of a good defense and part of an overall risk mitigation strategy.  There are many training options available and some may be obtained for little to no cost, depending on the type and complexity of training.

G. Business continuity/disaster recovery

Any cyber security plan should include a continuity of operations and disaster recovery plan. If a breach or other event impacting the availability of information systems occurs, your association must still be able to access the information it needs to continue operating. Information systems should be backed up on a regular basis and a plan for operational continuity should be in place.

H. Continuous Review

Once developed, your policy should not sit on the shelf, collecting dust, never to be seen again.  It should be reviewed and updated at least annually, to ensure it is up to date and accurately reflects your association’s business model and technical environment.  It should also contain a plan of action for addressing and correcting any vulnerabilities in your association’s security.

Step 4: Understand Your Risk Profile and Consider Purchasing Cyber Liability Coverage

It is important for an association to understand its overall risk profile.  If your association utilizes a management company that provides dedicated IT resources, review your agreement to ensure the management company understands your association’s needs relative to your business model and your sensitive information.  Ensure that the IT resources provide adequate security to protect your information and that they are responsive to IT related issues.  These considerations are equally important if your association provides its own IT services in-house.

Your association may also decide to consider additional protection in the form of cyber liability insurance. During the past several years, insurance companies have started offering customers cyber liability policies specific to cyber risks, including those risks associated with data breaches. Since they are relatively new, and the extent of cyber risks is still being fully appreciated, these policies can vary between insurers in terms of their coverages and exclusions. In general, however, these policies typically offer both first-party and third-party coverages, and they may also include breach response services as part of coverage. Because policies and their levels of coverage vary by insurer, it is important to review any policy and its exclusions prior to purchase, to understand the potential limitations in coverage. Failure to do so can lead to uncertainty and can expose your association to coverage disputes at the worst time – after a breach has already occurred.

Step 5: Keep Up with Technology/Stay Informed

Whether your association provides its own IT services in-house, or utilizes services provided by a management company, it is important to stay informed about the latest issues in data privacy and security. This includes keeping up with technology, such as reinforcing networks against malicious attacks, installing software patches regularly, and updating operating systems and hardware, as well as reviewing and updating internal policies and procedures, keeping current with legal requirements, and increasing employee awareness through regular training.

If your association has not taken these steps to assess your cyber security health, now is a good time to get started.  Each day that passes without performing a risk assessment exposes your association to unnecessary risk. Cyber attacks are not going away; on the contrary, it is likely a matter of not “if” but “when.”

[3] This is not a complete list and your policy may contain additional topics.

[i] Va. Code § 18.2-186.6 (B).

[ii] Va. Code § 18.2-186.6 (A).

[iii] Va. Code § 18.2-186.6 (B).
