Managing Risks Associated with Data Security, Cyber Space, Technology, and the Internet of Things
By W. Meskin, Esq., CIRMS, MLIS, CCAL Fellow
A few things that everyone can agree on are that the Internet of Things ("IoT"), cyber liability, data breach, cybercrime, and technology are touching everyone’s life, both positively and negatively. Most people agree that all their devices and systems, including the required software and hardware, are expanding, changing, and growing faster than any of us can keep up with or understand. Most everyone communicates using smart phones and/or other smart devices. More and more, new homes are built as smart homes or existing homes are transitioned into smart homes. Many of us yearn for times gone by.
Community associations are not immune to the intended and unintended consequences of this brave new world. Some community association boards, community association managers, and business partners acknowledge the changing world, while many others come from the position of why fix something that they do not perceive as broken. At the same time, a vast majority of the community association industry is ready to pursue the necessary elements of the requisite risk management of these new technologies. (See Wired, 2018 Survey of Cybersecurity in Community associations.)
Community associations, whether condo, co-op, single family HOA, or other common interest development (hereafter referred to collectively as "associations"), are managed by boards elected by the unit owners. The key obligation of the board is to protect, preserve, and enhance its community association. To comply with their obligation, boards must put the interest of the association ahead of their own and those of the unit owner members. The board’s duty is to the "entity."
The issues addressed here involve risk management, both insurance and non-insurance resources: (1) proactive non-insurance risk management tools to eliminate or minimize consequential damage from a cyber event, a data breach event, on-line theft, phishing, social engineering, hacking, ransomware and extortion, among others; and, (2) what insurance products are available and what should the policy include to proactively minimize insurance claims and covered losses and perils.
The goal of this article is to convince community association boards, community association managers, and business partners to put the risk management and insurance for these exposures toward the top of the board’s agenda. These issues of this "brave new world" are different from prior board issues. In the past, boards had more breathing room to see how claims play out to determine their cost benefit level of risk. Boards, association managers, and business partners hear about, read about, and experience potential cyber, data, technology, and the IoT.
As most of us know, it is far cheaper to address and fix issues sooner than later. The board and unit owners of Champlain Towers South in Surfside, Florida, received an engineering report in 2018 clearly identifying the significant infrastructure issues that were critical and needed to be addressed. The unit owners voted to not pursue any of the necessary work (approximately $9 million) per unit. Many of the board members at the time resigned due to the vote. Approximately two years later, unit owners voted to pursue the changes, which were now estimated at $16 million. Unfortunately, had they been proactive and not chosen to defer maintenance in 2018, there may be 98 individuals still living in a beautiful building overlooking the ocean. (I speculate that if the fixes and improvements had been completed, the unit values would have dwarfed the cost.) Admonition: It is imperative that you have your insurance professional meet with your board to evaluate this issue for your association to help identify the issues and to explain the potential insurance solutions. In addition, have a similar meeting with your association manager(s) to discuss a strategy for non-insurance protected matters.
Associations hear about all the cyber, data, IoT, and technology issues every day, but do not see them occurring in community associations. Earlier this year there was a ransomware attack in a high-rise Boston association. While I can’t disclose that insured, I bet they were happy to obtain the cyber liability/data breach insurance coverage. Associations are living with a false sense of security. Hackers and cyber criminals no longer only look to large targets; they are looking at small and soft targets that may not result in a large hit, but are simple and quick hits. At the end of the day, the issue is not if a hack or event will occur, but when it will occur.
When I speak to boards and association professionals on this topic, I am often asked, "What can we do?" Although it is a bit tongue-in-cheek, I advise them to remove all technology in the management of the association.
The first thing you need to do is an audit of your association’s use of any of the following, including what exposures board members and association managers may have on their personal or business devices. For example, do your association board members, employees, property managers, or other business partners use any of the following in the management of the association? Any positive answers to the following warrant cyber liability/data breach coverage.
Admonition: It is important for board members to understand that there is no board member privilege. Therefore, their personal e-mails are not protected from discovery in litigation. Do you want to have your personal devices and/or your business/work data requested in litigation? The only possible protection for this is to either eliminate all email between and among board members or to create an intranet-type email where the board of directors must log in to the website board of directors section and the email is shared and goes to all board members.
Do you know who to call if any of the scenarios listed above occur? Do you have someone to call if the computer has been compromised? Time is critical. Do you have access to education, webinars, and proactive risk management services available for the board of directors? Do you have someone to defend the association against claims by governmental agencies or civil lawsuits (at someone else’s expense)?
Tip: There is one coverage under the cyber liability/data breach policy that in and of itself is worth its weight in gold and a sufficient reason to purchase the coverage. The data breach response services materials include a number to call if any of the scenarios mentioned here occur. What is provided is a coach or claim coordinator to assist you with the claim. Most policies provide a booklet outlining the services approved and listing approved computer forensic experts, forensic accountants, attorneys, and other principals to assist with various claim issues within their expertise.
Community association insurance professionals (brokers) have been proposing cyber liability and data breach coverage for many years. Under a cost benefit analysis, this is no longer an optional coverage for the board of director fiduciaries. It should be part of every association’s insurance portfolio. Board members must understand that their primary obligation is to protect the association’s assets, tangible and intangible, and heed professional advice regarding the proposed insurance. Failure to obtain this coverage can result in draconian costs. Just Google cyber liability and data breach claim costs.
A cyber liability/data breach response policy is relatively inexpensive to obtain and provides a great deal of both protection and access to extensive risk management information, data breach coaches, forensic computer experts, and training videos.
Still, the first excuse from boards and community association managers is cost. Cost is actually the main concern of the majority of boards everywhere for all insurance. The typical policy is roughly between $500 and $2,500 annually. Four policies in Massachusetts, for example, are: $809 for a $100K limit, $902 for a $250K limit, $2,139 for a $500K limit, and $2,669 for a $1M limit. The key underwriting rating factors are: (a) location; (b) limit of liability requested; and (c) the association’s annual revenue (which, for the purpose of underwriting, would be the total of all assessments and special assessments in the upcoming budget year, not capital or improvement or reserve funds). The second excuse is, "Why do we need these coverages in the first place?" Boards say, "We have not seen any claims for cyber liability or data breach in associations," or "Associations are small fish, why would the hacker or cybercriminal spend his or her time on associations?" What is happening is that the large targets are getting smart, upgrading security measures, and doing significant training for all their employees. Hackers and cybercriminals are lazy and go for the easy score.
The underwriting of these policies is not very rigorous. Sometimes the key is learning the basic sections of the policy to determine what is covered. Most boards of directors understand that they are insured for any type of risk, injury, or damage. However, the question is, are they self-insured or insured by an insurance policy? If it is the former, the insured will have to pay any attorney fees, settlements or judgments out of its own assets. In most states, fines and penalties are not covered.
In the normal course, the insurance coverage purchased by associations includes two categories of benefits: "defense" of claims, governmental proceedings, and civil lawsuits; and "indemnity" for settlements and judgments that the insured becomes liable for. In addition, there is generally no coverage for fees, penalties ordered by regulatory entities, or remedial measures. However, fines, penalties, and remedial measures are covered to one degree or another in the cyber liability/data breach response services policies.
The insurers that provide this coverage have videos, articles, and training – generally at no additional cost. This does not need to be an all or nothing strategy; it could be simple things, such as putting limitations on websites, requiring dual authorization for most IoT devices, and being a minimalist with respect to what you maintain.
In addition, insurance should be obtained. See the chart of insurance solutions for various risks that associations may in fact experience and the various insurance policies that may respond. The challenge is that contrary to many other types of policies, the insurers have not developed standard terminology or standard coverages. Additionally, policies providing cyber liability/data breach response services are not bundled in the same way with the same coverage.
Joel W. Meskin, Esq., is managing director of Community Association Products at McGowan Program Administrators. He became an insurance professional in 1981 and spent 15 years specializing in insurance coverage litigation. Meskin has the CIRMS and MLIS designations and is a CCAL Fellow. He is a member of the FCAR Research Committee and a founding member of the FCAR Think Tank and just began his third term on the CAI National Board of Trustees.