Data privacy and security is the set of laws that deal with how an organization can collect, process and use personally identifiable information and how that information should be protected.
Community associations quite often have and maintain the names, addresses and financial information of their residents and owners. Many criminal groups find this type of information useful for identity theft. These groups often encrypt the data so that the community association cannot access it, gaining leverage to force the organization to pay a “ransom” for its return. For this reason, and in response to the amount of sensitive information held about ordinary people in the wider economy, all fifty states have laws in place that require most organizations to disclose when an unauthorized party has gained access to information. Community associations, like any other organization in North Carolina, should always act reasonably when deciding to do something with personal information, or they risk negligence lawsuits and class actions.
Unfortunately, North Carolina does not provide legal guidelines on how community associations can act reasonably with respect to residents’ personal data, but the federal government has provided frameworks that it recommends. The National Institute of Standards and Technology has published a privacy and cybersecurity framework that, when followed, enables organizations to identify what data they have, protect that information, control and manage data, govern data with rules defined within the organization, communicate the roles of each member of the organization, detect malicious or unauthorized activity, react when an incident occurs and recover from the incident.
There are a number of practical steps organizations can take to avoid or reduce the severity of common compliance traps. The first is to regularly review supplier contracts, at least once a year, to ensure they reflect the organization’s risk tolerance. Oftentimes, a trusted service provider or other provider may have a breach that affects the privacy and security of data entrusted to a community association. Without contractual protections, the organization could incur significant costs to remedy the problem with little legal recourse to have these costs covered by the offending party.
Additionally, data encryption, which is a mathematical process of turning data from readable text into nonsense and vice versa when a code (called a key) is used, can be an important tool in the compliance toolkit for community associations. Under North Carolina law and the law of many other states, a breach only triggers reporting obligations when the stolen information was not encrypted or when the encryption key was stolen with the data. It’s not a quick fix, but encryption is a practical technology that will be an important part of any compliance strategy.
Cyber insurance can also be an effective way to cover risks. However, insurance isn’t as simple as buying a policy and calling it a day. Insurers are increasingly raising premiums and lowering caps for organizations that do not take a proactive approach to mitigate privacy and security risks. Thus, while insurance can serve as a hedge against devastating effects, it should not be viewed as a substitute for a compliance strategy.
We also recommend that you obtain community feedback on the community association’s data privacy and security efforts. Community associations are necessarily accountable to their residents and owners, so understanding stakeholder risk tolerance can inform leaders how to move forward with a compliance strategy. The laws involved obviously don’t change based on the feelings of the community, but discussing the issue at an annual meeting can be a good way to communicate to leadership the expectations of stakeholders in your community.
Liability challenges and risks and unmet stakeholder expectations are pervasive for community associations that do not take a proactive approach to the privacy and data security of their residents’ and owners’ information.
© 2021 Ward and Smith, Pennsylvania. All rights reserved. National Law Review, volume XI, number 181