Published on: August 1, 2016
By Stephen Marcus
Cyber-thefts are becoming more frequent, more sophisticated and more costly. This isn’t news to anyone who surfs the Internet, reads newspapers (I’m told I’m not the only one who still does that) and watches television news. But if you think only the largest financial institutions and giant corporations are at risk, you are badly and dangerously mistaken.
Symantec, a computer security company, reports that nearly half of the cyber-attacks launched last year targeted small businesses. A survey by CFO Magazine found that one in five small and midsized companies suffered cyber-attacks last year, compared with one in four larger financial firms.
Those statistics should set alarm bells jangling in condo association board rooms, because condominiums are small businesses and they have two commodities cyber-thieves want: money (all associations have bank accounts and many collect payments electronically from owners) and consumer information – bank account and bank routing numbers, credit card numbers, sometimes Social Security numbers and e-mail addresses – information thieves can use to snag more information, steal identities and drain bank accounts.
It’s true that most condos don’t control the billions of dollars or the millions of consumer files thieves may find in large banks. But condos are also less likely to have sophisticated cyber-defenses in place, which makes them easier targets; and most aren’t aware of the risks they face, which heightens their vulnerability.
A few examples illustrate the range of real world threats associations face:
- A board member or manager loses a laptop or an iPhone containing association bank account numbers or passcodes.
- An association employee leaves a file containing confidential owner information lying open on a desk, with predictable and unfortunate results.
- An email communication discussing a member’s medical condition is sent inadvertently to all owners rather than going to board members only.
- A cyber-thief hacks the association’s computer system, stealing confidential information about owners or gaining access to the association’s bank accounts.
The losses from any of these incidents can be enormous. In addition to the obvious loss to the association if its funds are stolen, there may be compensation to owners if thieves steal their funds or personal information, plus the cost of defending the lawsuits that will inevitably result, and the difficult-to-quantify but also enormous cost of the reputation damage the association and its management company will suffer. There may also be penalties assessed if the association has failed to comply with state data protection statutes.
Those statutory penalties can be steep. The Massachusetts statute, one of the toughest in the nation, imposes treble damages for failing to implement data security measures and up to $50,000 for failing to report security breaches. A newly enacted Rhode Island statute, which took effect in June of this year, assesses $100 per record for data security breaches if the violation is deemed “reckless” and $200 if it is “willful.” Both statutes generally require businesses (including condominium associations) to adopt and follow written procedures for protecting the personal information they collect.
With few exceptions, condominium boards don’t realize how vulnerable they are and how little protection they have for the losses they may incur. If a thief steals the association’s passcode by hacking its e-mail system and then uses the passcode to drain association bank accounts, board members would expect the bank to reimburse the association for the loss. That’s not how it will work. Association accounts are business accounts, and they don’t carry the fraud protections that consumer accounts do. The thief used a legitimate passcode to access the accounts and the bank did nothing wrong by accepting it. It was the association’s failure to protect its passcode, not the bank’s acceptance of it, that caused the loss. And neither the bank nor its insurer will be required to pay for it.
What about the association’s insurance? You won’t find any good news here. The association’s fidelity policy, which would cover thefts by a manager or an association employee, won’t cover thefts by third parties unrelated to the association. So unless your manager or an association employee stole your password or helped the hacker do so, your insurer isn’t going to pay this claim either.
Some associations are looking to control their risks by having their management company handle all the data management functions. But transferring responsibility for these tasks won’t eliminate the potential liability related to them. An owner whose personal information is stolen will almost certainly sue the association as well as the management company, and courts tend to view the end users of data collection services as at least partly responsible for the negligence of the companies they hire. Also, don’t forget: Most management contracts include an indemnification provision requiring associations to pay the defense costs and any damages awarded for claims against the management company resulting from work done on the association’s behalf.
While the association’s Directors and Officers (D&O) liability policy might cover defense costs and owners’ damages from a data breach, Joel Meskin, vice president in charge of community association products for McGowan & Company, Inc., points out that insurers are increasingly excluding cyber coverage from the new policies they write. And any coverage you currently have for cyber losses won’t cover forensic costs (for analyzing the cause of a data breach) or remediation costs (to fix the problem); nor will it cover the notice to owners and credit monitoring services that state data protection laws typically require. And “no standard condominium industry policy” will cover penalties assessed for failing to comply with those statutes, Meskin says. To get that protection, you need a cyber-insurance policy.
Some insurers are offering limited cyber-coverage as an add-on to their general liability policies, but the operative word is “limited.” Industry experts say that only a stand-alone cyber-insurance policy issued by a specialty insurer offering the product can provide the comprehensive coverage you need.
These policies are more widely available now than they were even a few years ago, but the coverage is still new and it’s complicated. So boards should have their insurance agent or another expert help them analyze and compare different policies to make sure they get the coverage they need and the protection they expect. You want to watch out particularly for exclusions and sublimits that can bring unexpected and unwelcome surprises when you file a claim. You also want to make sure your management company has cyber-coverage of its own and insist that they name the association as an additional insured on that policy.
Common Sense Security
Insurance coverage for cyber-risks is essential, but taking steps to reduce those risks is equally important. Most of the measures insurance experts and technology specialists recommend fall into the common sense category. One example: many condo associations offer free wireless internet access (Wi-Fi) for owners. At a minimum, protect that network with WPA2 and a strong passphrase, so it isn’t an open door for the people who hunt for unsecured networks (and trust me, they’re out there). Because a shared Wi-Fi passphrase ends up in the hands of every owner, tenant and guest who has ever asked for it, change it on a schedule (every 90 days at a minimum, or every 30 days if you want to be more aggressive) and whenever a unit changes hands. Below I’ve compiled a few of the most important measures, the ones you will find on just about every list of cyber-security tips. This isn’t a complete list, but it’s a starting point for assessing your security needs:
- Review your security measures periodically; change passcodes regularly and keep virus protection and software updates current.
- Follow statutory requirements for collecting, storing and destroying personal information. Security specialists recommend that boards approve a formal, written document retention and disposal policy, specifying how long information will be held and how it will be destroyed. I recommend that you also have your attorney review it.
- Collect only the data you need and store it only for as long as necessary. If you don’t collect and store information, no one can steal it.
- Limit access to personal information to board members, association representatives and employees who have a business-related “need to know.”
- Make sure that anyone who has access to the information understands the privacy regulations and the importance of complying with them.
- Encrypt e-mail communications containing confidential or personal information. Better still, keep confidential details out of e-mail altogether and use the telephone: an encrypted message still sits in every recipient’s mailbox indefinitely, and, as the medical-condition example above shows, encryption does nothing when the message goes to the wrong list.
- If you offer free Wi-Fi (wireless internet access) in common areas, protect it with WPA2 and a strong passphrase that you change periodically and whenever a unit changes hands, and keep it separate from any network the association office uses for its own business.
- If your association processes owners’ payments or does its banking on-line, do so from a dedicated computer that is used for nothing else (no e-mail, no general web browsing) and isn’t linked to your central server or office network. If thieves penetrate the rest of your computer system, they still won’t get to your bank.
- Don’t overlook the basics: don’t leave confidential information exposed and unprotected; if you have an office, lock the door when no one is in it; and establish protocols to protect laptops, iPhones and other mobile devices used by board members or others with access to confidential information (screen locks, device encryption and the ability to wipe a lost device remotely, so that the lost laptop in the first example above is an inconvenience rather than a breach).
- Take security risks seriously – don’t underestimate the threats and don’t assume your community is immune from them.
- Educate yourself about cyber-threats. Knowledge is power. It is the best defense against cyber-security risks and the strongest weapon with which to combat them.