08/14/2018 by Jonathan V. Gallo
Media reports concerning cyber attacks continue to increase. Over the past few years, some of the largest and well-known companies have been affected by data breaches. These companies have experienced millions of dollars in losses as a result. Even a small data breach impacting only a few thousand records can expose a business to significant losses that may have a devastating impact including causing a business to close.
Community associations may believe that because they are small, they are immune from attack. Statistics, however, tell a different story. Internet security firm Symantec’s 2018 Internet Security Threat Report revealed that in 2017, small businesses were as equally affected as large enterprises by email-borne malware containing a malicious link. Additionally, in its 2016 report on cyber-attacks, Symantec reported that 43% of all spear-phishing attacks in 2015 were against small businesses with 1 to 250 employees.
Many associations work with a management company to manage day-to-day operations, such as maintenance, resident communication, assessment collection and covenant enforcement. These companies may also provide dedicated information technology (IT) resources to help your association. Therefore, protecting your association and its members by learning about data privacy and security and maintaining appropriate protections is an important responsibility for any association. Even if your association has dedicated IT resources at its disposal, there are steps your association can take to assess its cyber risk and defend against cyber threats.
Step 1: Perform A Data Inventory and Assessment
Before you can accurately assess your level of risk, you should understand the type of information you collect, how you collect it, how you maintain it, and who has access to it. Depending on the size of your association, this may require meetings with multiple individuals or a single meeting with one individual. Ultimately, your goal is to understand your information and what you do with it.
Types of Information
Your association may collect different types of sensitive information from members. For example, your association may collect personally identifiable information (PII), such as first and last names, home or business addresses, email addresses, credit card and bank account numbers, dates of birth, social security numbers, city of birth or residence, driver’s license numbers and phone numbers. You may also collect medical information, federal tax information (FTI) and other types of sensitive information. Identifying the type of information your association collects is critical in determining its level of sensitivity.
How Is Sensitive Information Collected?
Your association should also determine how you collect sensitive information. Do you collect it electronically, in paper form, or a combination of both? Do you have a public facing webpage that members can utilize to input information? Do you accept credit card payments online?
Depending on how you collect information, there may be certain legal requirements attached to how it is collected. For example, if you collect protected health information (PHI), the Health Insurance Portability and Accountability Act (HIPAA) requires certain safeguards if PHI is collected or transmitted electronically. Additionally, if you accept credit card payments, either online or from a point of service device, the Payment Card Industry Data Security Standard (PCI-DSS) mandates certain cyber security requirements to protect card holder information.
How Is Sensitive Information Maintained?
If the information is maintained in paper form, where are those files kept? Are they in a secure locked area, accessible only to authorized individuals? Is your information maintained electronically? If so, where? On the office desktop, a local dedicated server, a mobile device, or in the cloud? It is important for your association to know where the information resides so that it can be properly secured.
Who Has Access To Sensitive Information?
Sensitive information should only be accessible by individuals on a “need to know” basis. Your association should determine who needs access to sensitive information and for what purpose. You should then permit access only to those individuals who need it and only for the purposes for which it is needed and prohibit all other access. Your association should consider polices that specifically identify by name or position those who have access to sensitive information.
Do Not Collect Information You Do Not Need
While you may need to collect certain information from homeowners and residents, be careful about what you collect. Only collect the information you need and do not keep it longer than you need it, in accordance with your data retention policies. If you do not have a record retention policy, consult your association attorney about drafting one.
Step 2: Understand the Laws that Apply to the Information Maintained by Your Association
Various state and federal laws govern the collection, protection, and data breach reporting requirements of sensitive information. Legal requirements generally depend on the type of information collected and maintained. Multiple layers of laws apply to different types of information. Many of these laws come with breach notification requirements.
For example, Virginia’s breach of personal information notification law, codified at Va. Code § 18.2-186.6, requires individuals and entities who own, maintain, or license computerized data that contains personal information of Virginia residents, and who have a reasonable belief that such personal information was accessed or acquired by an unauthorized individual or entity, to report the breach without unreasonable delay to the Office of the Virginia Attorney General as well as to any affected resident of the Commonwealth.[i]
Va. Code § 18.2-186.6 defines “personal information” as the first name or first initial and last name in combination with any one or more of the following when not encrypted or redacted:
- Social Security number;
- Driver’s license number or state identification card number; or
- Financial account number or credit card or debit card number in combination with any required security code, access code or password.[ii]
Similarly, Virginia’s breach of medical information notification law requires individuals and entities who own, maintain, or license computerized data that contains medical information of Virginia residents, and who have a reasonable belief that such personal information was accessed or acquired by an unauthorized individual or entity, to report the breach without unreasonable delay to the Office of the Virginia Attorney General as well as to any affected resident of the Commonwealth.[iii]
Federal laws such has HIPAA have their own reporting requirements. It is important for your association to understand the type of data you collect and the legal requirements that apply to that data. Doing so now will save your association time and expense in the event a breach does occur.
Step 3: Develop and Enforce Appropriate Data Privacy and Security Policies/Guidelines
After reviewing your data and any applicable laws, review your association’s governing documents. This will lay the foundation for the development and implementation of a comprehensive cyber security policy. The policy should include the following:
A. Data access governance/roles and responsibilities
Determine who in your association/management requires access to sensitive information and who will be responsible for its collection, storage and management. Allow access only to authorized members. Monitor access to ensure unauthorized access does not occur. Ensure that appropriate security standards are in place to protect sensitive data from unauthorized access, including if your association requires employees to have remote access to sensitive data.
Physical access to data is also an important consideration. Your association should consider and implement physical security protocols to protect sensitive data. These may include monitoring access to facilities, ensuring visitors are escorted, and ensuring that employees who no longer work for the association no longer have access to facilities and systems.
B. Password protection/password management
Require the use of strong passwords. Require employees and users to change passwords on a regular basis and require employees to follow good password protection management practices.
C. Data destruction
As part of your association’s data retention policy, require sensitive data that is no longer needed or required by your association’s policies or applicable law to be destroyed in a secure manner.
D. Breach response plan
The worst time to develop a breach response plan is after a breach has already occurred. Develop a plan that is consistent with the legal requirements applicable to the data you maintain. The plan should include not only the steps to take immediately after a breach is discovered, but how homeowners will be notified of the breach. Specific roles should be assigned to individuals in the association so that there is no confusion regarding who is responsible for what activities if a breach occurs.
You should also consider establishing relationships with third-party breach response organizations to assist you in the event of a breach. These organizations assist in investigating the causes of the breach, mitigating its effects, and providing legal advice and representation. Once the plan is developed, it should be practiced on a regular basis so that each member of your association knows their role in the plan and how to respond in the event a breach occurs.
E. Social media/bring your own device (BYOD)
Define when and how employees may access social media and personal email while at work. Also, institute rules for the use of mobile devices. Ensure that unauthorized individuals will not be able to access sensitive information.
While having a cyber security policy is important, it is also important that you have a regular training program to educate your employees on cyber risk. Awareness of cyber risks is part of a good defense and part of an overall risk mitigation strategy. There are many training options available and some may be obtained for little to no cost, depending on the type and complexity of training.
G. Business continuity/disaster recovery
Any cyber security plan should include a continuity of operations and disaster recovery plan. If a breach or other event impacting the availability of information systems occurs, your association must have the ability to be able to have access to the information you need to continue operating. Information systems should be backed up on a regular basis and a plan for operational continuity should be in place.
H. Continuous Review
Once developed, your policy should not sit on the shelf, collecting dust, never to be seen again. It should be reviewed and updated at least annually, to ensure it is up to date and accurately reflects your association’s business model and technical environment. It should also contain a plan of action for addressing and correcting any vulnerabilities in your association’s security.
Step 4: Understand Your Risk Profile and Consider Purchasing Cyber Liability Coverage
It is important for an association to understand its overall risk profile. If your association utilizes a management company that provides dedicated IT resources, review your agreement to ensure the management company understands your association’s needs relative to your business model and your sensitive information. Ensure that the IT resources provide adequate security to protect your information and that they are responsive to IT related issues. These considerations are equally important if your association provides its own IT services in-house.
Your association may also decide to consider additional protection in in the form of cyber liability insurance. During the past several years, insurance companies have started offering customers cyber liability policies specific to cyber risks, including those risks associated with data breaches. Since they are relatively new, and the extent of cyber risks are still being fully appreciated, these polices can vary between insurers in terms of their coverages and exclusions. In general, however, these policies typically offer both first-party and third-party coverages. They may also include breach response services as part of coverage. These policies and their levels of coverage vary by insurer, so it is important to review any policy and its exclusions prior to purchase, to understand the potential limitations in coverage. Failure to do so can lead to uncertainty and can expose your association to coverage disputes at the worst time – after a breach has already occurred.
Step 5: Keep Up with Technology/Stay Informed
Whether your association provides its own IT services in-house, or utilizes services provided by a management company, it is important to stay informed about the latest issues in data privacy and security. This includes, keeping up with technology, such as reinforcing networks against malicious attacks, installing software patches regularly, updating operating systems and hardware as well as reviewing and updating internal policies and procedures, keeping current with legal requirements, and increasing employee awareness through regular training.
If your association has not taken these steps to assess your cyber security health, now is a good time to get started. Each day that passes without performing a risk assessment exposes your association to unnecessary risk. Cyber attacks are not going away; on the contrary, it is likely a matter of not “if” but “when.”
 This is not a complete list and your policy may contain additional topics.
[i] Va. Code § 18.2-186.6 (B).
[ii] Va. Code § 18.2-186.6 (A).
[iii] Va. Code § 18.2-186.6 (B).