If you think your building’s security is top-notch because everyone locks their doors and there are state-of-the-art video cameras monitored by building staff, think again.
Consider what is found in an association’s computer files and desk drawers: a gold mine for criminals. And in many cases, there’s very little to prevent the crooks from getting their hands on the goods.
Has your board taken steps to protect the personal information of every unit owner, shareholder or resident from falling into the wrong hands? Is the property protected by having a cyber liability insurance policy in place if a hacker steals the names and Social Security numbers of your residents from your computers?
Cyber liability insurance, also known as privacy/data liability insurance, is the fastest growing insurance product today. Its purpose is to mitigate the costs associated with a computer breach such as fines, penalties, legal fees, credit monitoring, notification of victims and crisis management, to name just a few.
Does your board or property management company need cyber liability insurance? Yes.
More than half of today’s cyber-attack targets are small and medium-sized businesses, according to Symantec, a leading player in the computer security industry. Associations offer just what a cybercrook wants: bank accounts and consumer data that can be used to steal identities.
The common general liability and Directors and Officers (D&O) liability insurance policies carried by boards and associations, and professional liability policies carried by managing agents, will not fully cover claims related to identity theft or unauthorized disclosure of personal information.
Without a cyber liability insurance policy, the association, board and/or agent would foot the bill to defend itself against lawsuits brought by residents, government fines, cost of notifying owners of the theft, and of repairing damage to your property’s reputation and much more. Board members and property managers know that the physical security of residents is of paramount importance.
Just as concerning an issue is the sharp rise in computer breaches by third-parties seeking personal information and financial data. Each condo and co-op board must have an effective plan to safeguard this critical data. A strong cyber liability insurance policy is an important part of that plan and is something that every association and board needs.
What do you have to lose?
All over the world, criminals are using brain over brawn to make their living, and computer hackers and data thieves have become experts in gaining access to even the most secure systems. The problem has become so pervasive that legislatures are getting involved. On March 1, 2017, New York became the first state in the nation to require strict mandatory cyber security standards for financial institutions.
All boards have bank accounts that can be drained with a little illegally obtained information. Today’s applications to purchase or lease a condo or co-op require the applicant’s name, date of birth and Social Security number. With that priceless information, a person’s identity can be replicated illegally, and quite easily. Anyone who has ever had their identity stolen will wholeheartedly agree that their Social Security number is priceless information.
The Ponemon Institute, a research center based in Michigan, reported in 2014 that a cyber-breach costs an average of $200 per compromised record. Simple math shows that a 100-unit co-op would pay a minimum of $20,000 in fees and fines.
What do associations have that criminals want?
Social Security numbers
Dates of birth
Credit card information
Bank account and routing numbers
Hackers don’t just steal information. They’re infamous for committing a host of serious cybercrimes, any of which could be aimed at disrupting business-as-usual within a condo or co-op association.
For example, hackers can transmit computer viruses to attack an association or management company’s computers. These “Trojan Horses” can then unknowingly be passed along to your residents, applicants and vendors, thus crippling their computers and causing lost business and income (all while continuing to spread the virus).
And in a worst-case scenario, a hacker can cause a complete shutdown of a company’s computers and the catastrophic loss of all data.
Who is liable in the event of a cyberattack and theft of personal data?
Those responsible for securely maintaining personal information of applicants and residents, usually the management company and/or the association’s board, are liable in the event personal data is stolen, regardless of the circumstances. It’s always best to consult with your association’s attorney for legal advice and answers to specific questions, but here are some common examples of cybercrimes involving boards and management companies:
A board member or managing agent’s laptop containing Social Security numbers and names of building residents is stolen from their car
A fired employee gives the association’s bank account information and password to someone else, who then withdraws money from the account
Paper applications containing personal data are not shredded by the management company or board, but instead are discarded in open trash cans, where they are found by cleaning staff and used to create fraudulent identities
When there’s a cyberattack where personal information is stolen, lawsuits and fines often follow, and the victims’ attorneys often cast a wide net.
“Remember that managing agents are safeguarding sensitive information for the association on its behalf,” says Kenny Boddye, senior marketing specialist for Kevin Davis Insurance Services. “Even if the managing agent stores all of the resident data on its own servers, residents may still file suit against the association and board in the event of a breach. There may be no language in the management contract about who is liable/responsible for the data. This ambiguity is another major reason why the association should have its own cyber liability insurance policy, in addition to the managing agent and their company.”
What does a good security program look like?
Always check with your association’s attorney and your insurance agent for advice. The foundation of a good cyber security program for boards and management companies calls for following a few basic rules:
Have a written cyber security plan and train employees in its use
Install the best antivirus software possible, and update it frequently
Change passwords often, and keep them random and complicated
Seek out advice from a security expert
What will happen to a board or management company that is found liable?
Even with a solid security plan and procedures in place, the unthinkable can occur. The costs of being found liable in the case of a cyberbreach and loss of personal data can be extremely expensive, and without cyber liability insurance, the defendant is on the hook for all expenses, from legal fees to fines.
Here are just a few of the consequences of being found liable:
Lawsuits brought by persons whose personal information was lost, duplicated or stolen, regardless of whether or not it was used for any purpose
Local and/or federal government fines
Paying for the cost of notifying every individual who was a victim to apologize and offer any information possible (via letters, postcards, website, call centers, etc.)
Paying for the cost of credit monitoring services for any victims
Paying for the cost of a crisis management or public relations firm to combat negative publicity
Installation of software and other cyber security programs to ensure this same thing doesn’t re-occur
Mandatory compliance with any other court-ordered directives
No cyber security program is 100 percent guaranteed. But cyber liability insurance will help protect your board and your association from the financial penalties that can result from a cyberattack.
For more information about how working with a professional property management company can help your association lower its risk and protect your assets, including digital assets, contact FirstService Residential, New York’s condo and co-op management leader.