Condo Associations Responsible for Disclosing Owner Data

An LA Times article cites a growing concern for all businesses, loss of personally identifiable information. The article brings up a scenario where copies of condo owners check and bank records are freely copied and distributed. An organization disclosing personally identifiable information is likely breaking ever increase web of state laws protecting consumers from hacks and other data loss.

In California the law allows each individual to recover up to $3,000 if the disclosure was willful, intentional or reckless and $500 if accidental. Illinois generally caps damages at $100 per individual but requires the person who disclosed the information and requires the victims to be notified and provided credit monitoring.

Because of the rise of hacks and leaks the government has been quick to enforce these laws to protect harmed consumers. With the cost of responding to this web of regulations increasing many insurance companies exclude coverage for loss of personally identifiable information. Stand alone policies, requiring separate underwriting and premium, are readily available.

A condo association has three choices – ignore their exposure, purchase insurance or eliminate the risk. The easiest and cheapest option is to not store (physically or electronically) any personally identifiable information. This includes bank account numbers, social security, drivers license and date of birth information. There should be no reason for an association to have these. Any copies of checks or computer scans should be deleted once they are no longer needed.

The second option is to purchase insurance. Many insurers will add the coverage to a condo package or directors & officers policy for several hundred dollars. A few are adding it for free. However, associations should be careful about relying on this as reporting a small claim can cause the premiums for all related coverages to skyrocket.

The third option is to do nothing. The number of residents is generally small and the chance of data loss is remote. However, the association should be prepared for the legal bills required to comply with the notification requirements in Illinois and other states.

The most important step is for an association to understand it’s risks and have a plan to manage them. Loss of data, whether electronically or in hard copy, has become a daily headline. No board member can claim they did not understand their responsibilities in protecting the unit owners information, whether it’s held personally or by a trusted third party management company. Contact our expert cyber liability brokers today.