By Aaron Goodlock, Orten Cavanagh & Holmes, LLC
As banks, credit card companies, and financial service providers grapple with identity theft, so too must HOAs. Over the last several years, there has been a substantial increase in cyber-related crime, resulting in more identity theft and financial fraud. In response, federal and state governments have been working to enact laws to reduce such crime and protect constituents, primarily through statutes addressing consumer protection, data security and cybersecurity requirements, and criminal sanctions.
In 2018, the Colorado legislature approved House Bill 18-1128, which was enacted and became effective September 1, 2018 to address privacy and cybersecurity protections. The new law applies to many entities in Colorado, including most HOAs and community association management companies.
HB 18-1128 has two primary components: (1) requirements for storing and protecting “personal identifying information” (as defined in the statute) and (2) changes to Colorado’s breach notification law.
Managing and Protecting “Personal Identifying Information”
HB 18-1128 applies to all “Covered Entities.” Covered entities include any individual or entity that maintains, owns, or licenses “personal identifying information” (PII). The statute defines PII to include social security numbers; personal identification numbers; passwords; passcodes; official state or government-issued driver’s licenses or identification card numbers; passport numbers; biometric data (such as fingerprints); employer, student, or military identification numbers; or financial transaction devices (such as credit or debit card numbers or bank account information).
Under the newly enacted laws, HOAs and management companies that store or maintain PII are required to implement and maintain reasonable security procedures and practices that are “appropriate to the nature of the personal identifying information and the nature and size of the business and its operations.” The statute also requires HOAs and management companies with access to PII to adopt written policies addressing the destruction of records containing PII when they are no longer needed.
A third requirement under the new statute is that HOAs that maintain PII must take measures to preserve the confidentiality of PII when transferring such data to third parties (such as the association’s manager or management company or another service provider). The statute provides that covered entities “shall require” third party service providers to implement and maintain reasonable security procedures and practices which are reasonably designed and tailored to protect against unauthorized access, use, modification, disclosure, or destruction of PII. One method to address this requirement is for associations to carefully review their management agreements and ensure that adequate protections are in place, including appropriate indemnification provisions. Associations are also encouraged to consult their attorneys when reviewing association contracts whenever the disclosure or transfer of PII is involved.
Compliance with Colorado’s Breach Notification Statute
The second primary component of HB 18-1128 deals with notification requirements in the event of a data or security breach that results in, or is likely to result in, the misuse of “personal information.”
For purposes of Colorado’s breach notification statute, “personal information” means a Colorado resident’s first name or first initial and last name in combination with any of the following data: social security number; driver’s license number or identification card number; student, military, or passport identification number; medical information; health insurance identification number; or biometric data. “Personal information” also includes a Colorado resident’s username or email address in combination with a password or security questions and answers that would permit access to an online account, and a Colorado resident’s account number or credit or debit card number in combination with any required security code, access code, or password that would permit access to that account.
If a breach occurs, the covered entity (e.g., the association or the management company) must notify the affected individuals within 30 days of determining that the breach occurred. The statute also specifies certain information that must be included in the notice to the affected individuals.
If a breach compromises the personal information of 500 or more Colorado residents, the association or management company must also notify the Colorado Attorney General’s office. If the breach affects more than 1,000 Colorado residents, notice must also be provided to the consumer credit reporting agencies. Accordingly, boards of directors and managers of larger communities (those with roughly 500 or more homes, where a single breach could reach these thresholds) should be cognizant of these duties and would be wise to address them in the association’s written policies.
Good risk management practice for associations and management companies includes adopting and implementing appropriate written policies (as the statute requires), including policies for maintaining and disposing of PII and other personal information, and developing an incident response plan to follow in the event of a breach. By doing so, boards of directors and management companies can limit their exposure to liability if and when a breach occurs.
Another method to limit risks involving data and security breaches is through obtaining and maintaining appropriate insurance including, without limitation, cyber liability insurance (cyber risk insurance), computer crime insurance, D&O insurance, and fidelity insurance. Associations should consult their insurance agents and advisors to determine the appropriate coverage based on the particular community’s needs.