HOA Records Security: Protecting Homeowners' Personal Information

Protecting personal information

How prepared is your HOA or management company in today’s high technology world of information? Have you taken the time to evaluate if association data are in compliance with the latest privacy laws in regards to homeowner personal information? More and more personal data is being stolen from “secured” files, by individuals who are experienced in breaking through firewalls, security login, and password protected files. If a homeowner’s personal information were lost or stolen from the association database, how will the HOA handle the situation? Your first step will probably be to notify the affected homeowners, but even this comes with a set of uncertainties:

  • How will the homeowners be contacted?
  • When will they be reached (right after the digital burglary or after the HOA has fixed the problem)?
  • How will it this security breach affect your HOA's or management company's reputation?

As the risks of data theft increase with technological advancements and our reliance on digital services and products, these questions need to be asked, and your association or management company should have the answer. 

How to Protect an HOA's Private Information

Your association has spent thousands of dollars on preventive maintenance for association assets. They’ve retained a reserve study specialist to assist in evaluating future monetary needs for those assets. The banking selection is set to protect the long-term funds that have accumulated. But how much time has been spent on protecting those “paper” and/or “electronic” records from being stolen? Without preventative measures, your association and its members may be at risk.

First, take a good look at federal, state, or local laws to determine what homeowner personal records should be protected. “Personal information” does not include publicly available information. Rather, personal information will usually mean an individual's name, social security number, driver's license number, account number, credit or debit card number, in combination with any required security code, access code, or passwords, medical information and family information. An HOA should then take all reasonable steps to destroy (or arrange for the destruction of) a homeowner’s records within your custody or control that contain personal information which no longer needs to be retained. Methods for destroying these records include:

  1. Shredding all paper copies of the records
  2. Erasing the information from computer managed documents
  3. Modifying the unnecessary personal information within records to make it unreadable or undecipherable (redaction)

Personal Information Security Policy

Establishing an information policy is an HOA's next step to achieving information security. The policy can exist either on the association's or the management company's side, and should provide a detailed description on what is considered confidential information. The policy should be communicated to board members and employees alike. Board members and employees should also know how to properly disclose information to members. 

Preparing for the Worst

While these steps can help prevent personal information theft, they are not a guarantee. Your HOA or management company should be prepared to manage a security breach by...

  • Making sure the association has the most current contact information for homeowners so that notices can be delivered (should they be needed).
  • Purchasing liability insurance, just in case records are stolen or become compromised.

Managing the Crisis of Failed Data Protection

The risk of comprising data is huge for any HOA or management company. But even with all the preventative measures in place, this crisis could still happen. Without proper management of the situation, your HOA or management company could suffer from a number of negative consequences, including:

  • Lawsuits, either from an association client or from a homeowner.
  • Major loss of confidence by the client in a management company’s ability to protect association records.
  • Tarnished reputation in the marketplace that could lead to loss of buyers or a loss of current or future clients.
  • Depending on federal, state, and/or local regulations, the association and the management company may be in violation of laws that carry strict fines and penalties.
  • Vulnerability to increases in association or management company insurance premiums if your claims are excessive.

With so much at stake, take time to ask yourself a couple of questions. Does the HOA or management company allow employees or board members to remove hard copy association records or electronic data from the office? Are board members or employees working from home and storing homeowner personal information on home computers or in non-secured file cabinets?

If homeowner personal information is stolen, despite your best efforts, these steps can help your HOA recover with as little damage as possible.

How to Manage Information Theft

Implement steps to determine the scope of the breach of information and what measures are in place to restore the integrity of the system.

Provide quick response to the compromised homeowners with information on what is being done to help protect them from identity theft.
Know what your obligation is for notifying the homeowners in a timely manner, including what, if any, state laws are in place that outline specific deadlines.
Safeguard your organization and your owners and residents from negative publicity by immediately releasing pertinent information. Be helpful, not a hindrance.
Contact your insurance agent immediately to determine if there are things that should be done to reduce further losses.
Review the required laws and regulations to comply with the crisis management.

If your association or management company has not taken the time to review your vulnerability in protecting individual privacy for your homeowners, today is a good time to get started. Each day that passes is a gamble that you are taking with these records. There are many consulting services and technology vendors that can provide assistance in developing a comprehensive plan for protecting homeowner personal information.


Adapted from an article by Patti Jo Lewis, that was originally published by Association Times, a web resource sponsored by Associa. Image courtesy of Stuart Miles at FreeDigitalPhotos.net