Data breaches and cyber attacks are routinely in the news and most of us understand that they pose a persistent threat. As is often the case with bad incidents, however, people tend to think that it will not happen to them. As a result, they may not take sufficient steps to protect themselves. That is a dangerous approach, and community associations need to recognize that they could be easy targets for cyber criminals and are also subject to unintentional breaches.
Cyber crime is one of the fastest growing areas of economic crime, and there is no reason to believe that it will slow anytime soon. Community associations and management companies are logical targets in that they maintain sizeable bank accounts (funded by member assessments!) as well as databases containing detailed information on their members, which often includes banking, credit card, or other financial information that is attractive to crooks. In addition, many people have access to the association’s sensitive information, including a rotating roster of volunteer homeowners who serve on the board of directors. It is easy to imagine a scenario in which a board member’s or manager’s laptop or portable device containing the association’s financial information as well as member information gets lost or stolen, resulting in the emptying of the association’s accounts and/or efforts by bad actors to compromise association members’ identities. Equally plausible is a hack into the association’s (probably not well-secured) systems, providing the hacker with all the information he needs to inflict significant harm on the association and its members. It is imperative for association leaders and the professionals who provide guidance and support to associations to recognize the potential for data breaches and cyber attacks, take steps to minimize the likelihood of such breaches and attacks being successful, and be able to swiftly and adequately respond if a breach or attack occurs.
Financial gain is the biggest driver behind cyber attacks. It is important to keep in mind that even if the association does not possess direct financial information regarding its members, that does not reduce an association’s attractiveness as a target. Cyber criminals do not just mine for data that is directly linked to financial access; they also mine for gateway data that can be helpful in their efforts to ultimately gain such access. People often use the same or similar passwords to access a variety of their accounts, such as social media, email accounts, and even access to the association’s website. If a cyber criminal gains access to the association’s member database, that can provide the criminal with names, email addresses, birthdays, phone numbers, association passwords, and other information that the criminal can then use in his efforts to ultimately achieve a financial gain. Accordingly, even non-financial data must be protected.
Association leaders should evaluate their digital infrastructure in much the same way that they evaluate the physical facilities for which the association is responsible. The manner in which sensitive data is stored and shared should be reviewed, and short-term and long-term planning should take place to ensure that cybersecurity becomes a regular part of the association’s operational considerations. The association should evaluate the desirability of obtaining cybersecurity insurance and should consult with its vendors to ensure that any such vendors who have access to or control of any of the association’s sensitive data have taken reasonable steps to protect that data. Most important, associations should be aware that cyber attacks and data breaches are not just things that happen to big corporations; they can and do happen in our industry as well.
By Michael C. Gartner, ESQ.
Michael is a partner with Whiteford, Taylor and Preston, LLP, and represents common-interest communities in general business affairs and litigation. He previously served on the Quorum Editorial Committee, including as the committee’s Co-chairman and Communications Council Chair. He currently serves on the WMCCAI’s Board of Directors.