How to Protect Your HOA from a Data Breach

Does your association think it has a good handle on potential risks the association might face? Concerns such as injuries from accidents, disputes among neighbors, and potential lawsuits against board members may top that list. But there's a risk too many people overlook: data security. 

Personal Identifiable Information 

Associations handle personally identifiable information daily, including homeowner names, addresses, bank account information, credit card numbers, credit histories, and Social Security numbers. Unfortunately, these items are attractive to cybercriminals, and as data thieves grow more sophisticated in their tactics, the potential risks of a data breach increase for an association.

The Most Common Forms of Data Breaches

The Foundation for Community Association Research reports that more than half of homeowners associations have policies and procedures to collect, store, and protect homeowners' data. 

According to the Foundation's report, Wired: 2018 Survey of Cybersecurity in Community Associations, ransomware and phishing are the most common forms of attack on community associations. More than half of the communities surveyed reported that fraud and theft are their top concerns. 

More than half (52%) of all data breaches result from hacking, which occurs when an unauthorized user accesses a computer network for illicit purposes, according to Verizon's 2019 Data Breach Investigations Report. This breach can happen externally (by a cybercriminal from an outside entity) or internally (by an association board member).

Thirty-two percent of breaches occur due to phishing, where a cybercriminal sends an email designed to mimic a financial institution or otherwise trusted resource. If a board member believes the email is authentic and provides login credentials as requested, the data thief has all the information they need to access association accounts. Unfortunately, phishing schemes have become more effective as fraudsters refine their strategy.

A New Data Breach: Social Engineering

An emerging type of data breach is called social engineering. Here, a cybercriminal sends an email that evokes fear or urgency in a board member, essentially conning them into divulging personally identifiable information. Unfortunately, that email is often one of many steps in a more complex fraud scheme.

In every piece of sensitive data, cyber thieves see dollar signs. According to Verizon, 71% of breaches are financially motivated.

How To Protect Your Association

No matter how well-intentioned board members might be, they could be one wrong email away from falling for a phishing scheme and causing a data breach. That's why protecting your association and its board is paramount. Thankfully, you can take steps to protect your liability and that of the association in the event of a breach.

Start by reviewing your association's insurance coverage. For example, board members may think their association's directors and officers (D&O) policy offers protection. However, while these policies provide liability coverage for claims when individual members (or the entire board) fail to act or act wrongfully on the association's behalf, they do not cover cyber liability unless it's specifically listed within the policy.

The association's crime and fidelity policy, which protects the money in the association's accounts, may provide some coverage depending on the endorsements included in each association's plan. Ensure your association's crime policy consists of the following:

• Computer fraud. Covers loss of money, securities, and property due to using a computer to fraudulently transfer funds from inside the association or banking premises to outside the premises.

• Funds transfer fraud. Covers losses resulting from theft of association funds utilizing fraudulent communication, such as a phishing email.

• Fraudulently induced transfers. Covers losses due to any act that influences a person to take actions that may or may not be in their best interest, such as replying to social engineering threats.

What Is Cyber Liability Coverage?

Associations should consider cyber liability coverage. Look for policies that provide first-party (losses and damages to the association) and third-party (losses and damage to outside entities) coverage. These will cover many of the expenses of data breaches, including legal and forensic services, regulatory fees, notification costs, crisis management, and credit monitoring for all affected parties.

Most cyber liability policies will include a retroactive date; be sure to be covered because if a claim happens before that date, you won't be covered. Getting coverage is a crucial stipulation, especially since 56% of all breaches take months to discover, Verizon notes.

Steps on How to Improve Data Security

In addition to reviewing the association's insurance coverage, board members can take multiple steps to improve data security.

• Make sure all personally identifiable information is encrypted and stored in a secure server.

• Talk with your manager about the data security requirements that are in place.

• Use complex passwords with lowercase letters, uppercase letters, numbers, and special characters.

• Implement two-factor authentication that requires users to log in twice from two different devices.

• Give administrative privileges or personally identifiable information access only to board members whose specific roles require it.

• Engage an outside cybersecurity firm that can monitor association data and alert the board of any concerns if funds allow.

Contact Condominium Associates 

The risk of data breaches grows every year, and homeowners trust a community association's board to keep their information safe. Don't break that trust. Taking steps to prevent cyberattacks will save board members and residents from agonizing and expensive headaches down the road. Contact Condominium Associations with any questions or concerns.