All of these new and not-so-new innovations offer an array of benefits – cost-savings, operating efficiencies and improved communication among them. But they also create a panoply of risks that association boards need to recognize, manage and often insure against.
“The business world does not fully appreciate how interconnected the Internet has made us, which translates into unseen liabilities and financial blind spots for companies that do not adequately plan for the potential of catastrophic internet attacks, failures, abuses, outages….cyber risk is irreversible and geometrically expanding.”
Although that warning, from a June, 2010 report by Betterley Risk Consultants, is aimed at corporations, it applies equally to the risks confronting community associations, as they expand their usage of and reliance on Internet-based tools. Those risks fall roughly into two major categories: Data management and communications.
Data Security: A Growing Concern
Of the two, data management risks are probably better-known, because, at least until recently, they have gotten more attention. Widely reported incidents of computer hacking, computer fraud and security breaches have heightened awareness of the need to protect personal information and to strengthen the defenses against cyber-crimes and the increasingly creative criminals who perpetrate them.
In Massachusetts, computer security breaches at TJX and the Hannaford Bros. Supermarket chain produced what are said to be among the broadest data security regulations in the country. Although not aimed specifically at community associations, the regulations, issued by the state Office of Consumer Affairs and Business Regulations, catch association boards, along with businesses of all types and sizes, in a far-reaching compliance net.
The regulations apply to any entity that collects private consumer information, defined as the first and last name or first initial and last name of a Massachusetts resident, in combination with any one of the following:
• Social Security number;
• Driver’s license number or state-issued identification card number;
• Financial account number; or
• Credit or debit card number.
The rules generally require entities to protect the personal information they collect, specify the steps they will take in the event of a security breach, and create a “written information security program” (WISP) describing their security protocols. The law anticipates that the security measures will match the nature of the information collected and the risks incurred, and community associations will typically rank low on that risk scale, Moira Casey, director of human resources at the Massachusetts law firm Marcus, Errico, Emmer & Brooks, observes. “But everyone has to do something [to comply],” she emphasizes, because the penalties for non-compliance are stiff – starting at $5,000 and including the possibility of treble damages for failing to implement security measures and up to $50,000 for failing to report security breaches.
“Common Sense” Requirements
Although the regulations may seem “overwhelming,” Casey says, in fact, “compliance for community associations is not as daunting as it may appear. It’s really just a combination of common sense and good business practices,” she says. Associations do have to create written security plans, but their plans don’t have to be particularly detailed or comprehensive. Casey’s suggestions:
• Limit access to personal information to board members, association representatives and employees who have a business-related “need to know.”
• Make sure that anyone who has access to the information understands the privacy regulations and the importance of compliance.
• Collect only the information the association needs, don’t hold it for any longer than necessary, and dispose of it properly. Security specialists recommend that boards approve a formal, written document retention and disposal policy, specifying how long information will be held and how it will be destroyed.
• Store personal information the association collects safely. “You can’t leave it lying around,” Casey says. Keep paper copies under lock and key, have appropriate password protections, firewalls and anti-virus protections to safeguard computer files, and review and update those protections periodically.
• If you transmit personal information electronically, make sure it is encrypted. Better still, Casey advises, “just telephone, if you can. It is easier than encrypting” and avoids the liability risks of electronic communication.
Boards should also be aware of two Federal Trade Commission (FTC) regulations: The “Red Flag” Rule and the Data Disposal Rule. Like the Massachusetts WISP regulations, the FTC rules mandate data security measures, but the requirements are much less extensive and less far-reaching; in fact, they don’t appear to touch community associations at all. Nonetheless, the Community Associations Institute (CAI) suggests, “While the risks of FTC enforcement might be somewhat low for community associations, adopting a Red Flag policy will ensure compliance as well as implement best practices for resident financial data.”
Red Flag compliance doesn’t require much – basically, just adopting protocols for identifying and responding to security breaches and periodically updating data security measures. The FTC Disposal Rule, similarly, requires safe disposal of protected financial information – hardly complicated and far from onerous. The “common sense and good business practices” Casey advises for WISP compliance apply equally here.
Adopting “common sense” data protection measures will also help associations preserve their rights should they have to file an insurance claim to cover losses resulting from a security breach. The obvious concern would be a breach of the association’s computer files, resulting in litigation and possibly damages awarded to consumers whose personal information is stolen. But associations themselves might also be victimized by a breach at a financial institution at which community funds are deposited.
Nancy Cannan, CIRMS, executive vice president of marketing at Community Association Underwriters of America (CAU), dealt with two situations last year in which association bank accounts were among those hacked by outside parties.
“The first thing you consider in these cases is, what’s the bank’s culpability,” Cannan says. “But with the electronic transfer of funds, bankers will say it’s possible that board members or managers could be responsible for the theft. So the association will have to show that all the accounts were password protected and that they had appropriate safeguards in place.”
Another possible concern for community associations: Their insurance policies may not cover, or fully cover, these losses. A fidelity bond covers only theft or dishonesty by association officials or employees, Cannan points out; it won’t apply to theft committed by a third party who gains access to the association’s account. For protection against that risk, associations would need coverage specifically for computer fraud, which is included in some policies (but not all of them), and often subject to limits too low to cover a sizable loss. Boards should review their policies to see what kind of coverage they have, Cannan advises, and they should consider adding a computer fraud endorsement, if necessary, to provide the protection they need.
The two bank account hacking incidents she handled last year were the first Cannan had seen in nearly two decades with CAU. “But in this world,” she predicts, “these losses could become a lot more common.”
Everyone Is a Publisher
Insurance questions also arise, in big ways, in the communications arena, where associations are encountering liability risks most never envisioned. Boards probably don’t think of themselves as publishers when they post information on their Web sites, host on-line chat rooms or exchange e-mails with owners or other trustees. But an April report by Betterley Insurance Consultants notes, in the Internet communications world, “media liability is no longer the concern of just traditional media companies. With the spread of the Web, social networking and the need to stand out in a crowded and noisy economy, we are all media companies, engaging in activities once thought to be the exclusive presence of the traditional media,” and incurring the same liability risks of any other print publisher or media organization.
That list of potential risks is long and intimidating. Associations that publish, post, or tweet anything electronically might be sued for: Libel, copyright infringement (reproducing content without permission), plagiarism, interference with contractual relations, harassment, emotional distress, and invasion of privacy. And this is a short list.
“You only have to pick up a newspaper to see examples of ways in which associations could get themselves into hot water in a hurry,” Cannan says. Of all the possible exposures, libel is probably the biggest concern for community associations. The risk of saying something that infuriates or offends someone else (and triggers a libel suit) certainly exists with conventional communications platforms, such as Web sites and e-mail, Stephen Marcus, a partner with Marcus, Errico, Emmer & Brooks, observes. But those risks are magnified on social networking sites, such as Facebook, he says, because these platforms typically encourage broad participation and open communication, and the information posted on them “can be catapulted instantly into Cyber Space, increasing both the audience and the association’s potential liability.”
Highlighting that concern, a California appeals court ruled recently that comments made in a blog were not subject to privacy protections and could be reprinted elsewhere without the blogger’s permission. In this case, a college student wrote at length and in disparaging terms in her MySpace blog about her home town. A reader (the principal of the high school the student had attended) sent the comments to the local newspaper, which published them as a letter to the editor.
The student sued, claiming that her blog was a private forum. The court disagreed, ruling (in Moreno v. Hanford Sentinel Inc.) that posting the comments on her blog “made [them] available to any person with a computer, and thus opened [them] to the public eye…No reasonable person would have had an expectation of privacy regarding the published material,” the court added, noting that “the potential audience was vast.”
Although relatively few associations have ventured into the social networking arena, that is likely to change, some industry executives believe. Melissa Garcia, an attorney in the Denver, CO law firm HindmanSanchez, says many communities are finding that Facebook, in particular, allows them to convey information, encourage owner involvement and build community far more effectively than Web sites, newsletters or e-mail. Garcia, who is pioneering the use of Twitter in her law firm, predicts that social media communications will eventually replace other communications tools.
“Younger residents, in particular, spend far less time today surfing the Web or reading their e-mail. But they live on Facebook and Twitter,” Garcia notes, and increasingly, “this will be the only way to reach them.”
A Brave, New, Scary World
That prospect excites social media enthusiasts like Garcia, but it makes insurance industry executives like Joel Meskin, vice president in charge of community association product for McGowan & Company, Inc., more than a little nervous. Of all the Internet-based communications technologies, he says, “social media scares me the most. I understand the ideological value of social media,” he adds. “But I haven’t been convinced of its practical value to community associations. It’s a wonderful concept in a perfect world. But as an association board member, your duty is to manage the corporation. There is absolutely no up side that outweighs the potential down side of having an association-sponsored Facebook page or Twitter account.”
The “down side,” Meskin believes, is the out-sized liability risks social media sites create. “Board members don’t always have the most perfect judgment in the world,” he notes. “They don’t always think before they speak – or write.”
Meskin notes one recent incident in which an association board president, “who usually had the patience of Job,” finally had all he could take from a resident, who appeared at every board meeting and criticized everything the board did. After one particularly contentious session, the president googled the gadfly and found that his CPA license had been revoked and that he had several ethical investigations pending against him – information the board member shared via e-mail with all 240 association residents. The gadfly, predictably, has filed a libel suit.
It isn’t the possibility of a large award, should the association lose this suit, that most concerns insurers, Meskin says; it’s the cost of defending these actions, however they are resolved. In this case, “we can debate whether the allegations are true, but we’ll still have to pay the litigation costs.
“People will always sue the deep pockets,” he points out. So when one owner sues another for something said on a social media platform (or an interactive Web site), even if the association has all the appropriate disclaimers and regulations governing content, Meskin says, “they will almost certainly sue the association as well.”
Are You Covered?
This raises the obvious question about whether association insurance policies will cover these actions. The answer is – perhaps, but not necessarily. And if existing policies do provide coverage now, Meskin predicts, they probably won’t for much longer.
Association policies do not specifically target social media risks, but advertising coverage – “the equivalent of personal injury in written form,” Cannan explains – is standard in many general liability policies. The standard limits may not be high enough for media-related risks, however, and the policies often strictly limit the individuals covered, Meskin notes. Although the directors and officers liability policies that protect board members and association employees typically exclude defamation, Meskin says it is possible to find some policies without those exclusions.
Outside of the community association realm, general liability policies are now excluding coverage for claims arising from electronic chat rooms or bulletin boards hosted by the insured. Meskin says he has seen one association umbrella policy providing defamation coverage that specifically excluded social media and he predicts that these exclusions will become common in association policies as litigation in this area multiplies and defense costs and damage awards begin to pile up.
For the moment, a policy that provides “advertising coverage” for defamation and does not specifically exclude social media, bulletin boards, blogs and the like, would kick in if an association is sued for comments posted on an association-sponsored social media platform.
But Meskin thinks the better course is for associations to avoid these platforms and the risks related to them. “If board members tell me their association has [social media involvement],” he says, “I will have a come-to-Jesus meeting with them, tell them it’s not a good idea, and suggest strongly that they talk to an attorney before proceeding.” And if the board insists on going forward? Meskin replies: “I wouldn’t be the one who would write that policy for them.”