Cybersecurity and PII in POAs

The advance of technology has had a great impact on the way businesses perform their day-to-day functions. Emerging software and other technology enhancements have increased efficiency and performance across a multitude of industries, but it has opened up new vulnerabilities to cyberattacks. Property owners associations (POAs) and management companies are particularly vulnerable due to their lack of a strong IT structure and the amount of sensitive homeowner Personal Identifying Information (PII) held throughout their systems. POAs should be preparing for the eventuality of a cyberattack by understanding what defines PII, the laws Texas has relating to cyberattacks and the potential ramifications for the organizations attacked, as well as steps that can be taken to protect PII and prevent cyberattacks.

What is PII?

Personal identifying information are the identifiers associated with individuals that governments assign and organizations collect to help separate records. In Texas, PII is defined by Sec. 521.002 of the Business and Commerce Code to include:

  • A person’s name, social security number, date of birth, or government-issued identification number;
  • mother’s maiden name;
  • unique biometric data, including the individual’s fingerprint, voice print, and retina or iris image;
  • unique electronic identification number, address, or routing code; and
  • telecommunication access device as defined by Section 32.51, Penal Code.
  • An individual’s first name or first initial and last name in combination with any one or more of the following items, if the name and the items are not encrypted:
    • Social security number;
    • Driver’s license number or government-issued identification number; or
    • Account number or credit or debit card number in combination with any required security code, access code, or password that would permit access to an individual’s financial account; or
  • Information that identifies an individual and relates to:
    • The physical or mental health or condition of the individual;
    • The provision of health care to the individual; or
    • Payment for the provision of health care to the individual

Texas Laws for PII

Should a breach of PII occur, Texas has outlined notice requirements in Sec. 521.053 of the Business and Commerce Code for organizations to give to the person(s) whose data was compromised. The notice must be given no later than 60 days after the data breach, and the notice is defined as: written notice to person’s last known address, electronic notice, i.e., email address, or notice as provided by Subsection (f) of 521.053. 

Sec. 521.002(f) would most likely not apply to individual POAs, but it could apply to larger management companies should a major cybersecurity attack occur. Subsection (f) states if the person required to give notice under Subsection (b) or (c) demonstrates that the cost of providing notice would exceed $250,000, the number of affected persons exceeds 500,000, or the person does not have sufficient contact information, the notice may be given by:

(1)  electronic mail, if the person has electronic mail addresses for the affected persons;

(2)  conspicuous posting of the notice on the person’s website; or

(3)  notice published in or broadcast on major statewide media.

Notice may be delayed at the request of law enforcement to not compromise an ongoing investigation.

Along with detailing how the notice should be sent to the person(s) affected by the cybersecurity breach, 521.053(i) also details how the Texas Attorney General is required to be notified as soon as practically possible, but no later than 30 days if more than 250 Texas residents are affected. The notice must be submitted using an online form, which can be found at this website, and the notice must include the following:

(1)  a detailed description of the nature and circumstances of the breach or the use of sensitive personal information acquired as a result of the breach;

(2)  the number of residents of this state affected by the breach at the time of notification;

(3)  the number of affected residents that have been sent a disclosure of the breach by mail or other direct method of communication at the time of notification;

(4)  the measures taken by the person regarding the breach;

(5)  any measures the person intends to take regarding the breach after the notification under this subsection; and

(6)  information regarding whether law enforcement is engaged in investigating the breach.

Failure to abide by the notice requirements can result in extensive financial penalties. The state may issue civil penalties up to $100 per record for each consecutive day effective notice, as outlined by Sec. 521.053(b) is not completed. Total penalties may not exceed $250,000 for all individuals in a single breach.

Cybersecurity for POAs

If the risk of sizeable civil penalties is not enough to persuade readers to update their cybersecurity plan, how about the cost of the data breach alone? On average, an organization affected by a cybersecurity attack where PII was stolen will pay an average of $150 PER RECORD. With individual POAs holding thousands of records, and management companies holding hundreds of thousands, the potential costs for a significant cyber security data breach of PII could be into the millions of dollars. This type of cost could be crippling for both the POA and management company. That is why having an effective cybersecurity plan with policies and procedures in place for those handling sensitive PII is crucial.

These plans can vary from POA to POA and management company to management company, but including training that teaches the user how to recognize the difference between spam, phishing and social engineering attacks can be effective because it reinforces best practices, highlights cybersecurity risks and users learn how to recognize threats and stop the threat from becoming a data breach.

In addition, having policies in place that require routine password changes and/or two factor authentication on software holding PII can help reduce the threat of a cybersecurity breach.

As technology and the use of technology evolves in the coming years, cybersecurity attacks and threats to PII are becoming more sophisticated. POAs and management companies will need to prepare for the inevitability that an attempted data breach will occur. By putting plans into place and working with your insurance brokers to ensure the appropriate levels of cybersecurity coverage are in place, you can ensure that the PII is secure and the POA is protected.

©2024 RMWBH Law


Eric Tonsul is a Shareholder in the firm’s Real Estate section as a leader of the Community Association Team. His practice includes representation of land developers, community associations, condominium associations and other common interest communities. Eric is Board Certified in Property Owners Association Law by the Texas Board of Legal Specialization. Eric graduated from South Texas College of Law in 2000.