Privacy Rights, Confidentiality, and Data Security for Homeowners’ Associations
HOAs have a responsibility to take reasonable precautions to protect members’ confidential information.
With the current prevalence of identity theft, it’s not surprising that data protection has become a significant concern of homeowners when entrusting their information to a Homeowners’ Association (HOA). And privacy should likewise be a chief concern of HOA boards. Associations, and particularly their board members, are regularly entrusted with homeowners’ sensitive, confidential materials, often including personally identifiable information like social security numbers and financial information like credit card and bank account numbers.
Many state statutes impose legal obligations for the protection of this kind of sensitive information. Even more, HOA officers and board members owe heightened legal duties to members and to the association itself, including a duty of confidentiality. A breach of those laws or duties can expose an association—and sometimes an individual board member or officer—to serious liability.
Most associations recognize the need to respect members’ privacy and avoid unauthorized disclosures to third parties. An association selling its members’ confidential information to a third party without the member’s knowledge and consent would be a fairly rare situation. Things become trickier for an association when it is forced to reconcile homeowners’ right to privacy with other owners’ right to review association records.
In most states, members of an association have a statutory right to request and review the association’s business records. And, because they are usually organized as non-profit corporations, associations are often also subject to disclosure requirements under state corporate laws. These inspection requests—which a board cannot simply ignore or refuse—could potentially result in disclosure of one member’s private information to another.
Some states have statutes dealing with precisely this scenario. See, e.g., Fla. Stat. §720.303(5)(c)(5); Tex. Prop. Code § 209.005(k). But even when a specific statute is not in play, an association needs to act with care and develop a policy (ideally drafted with the assistance of experienced counsel and embedded within the association’s governing documents) allowing for compliance with records requests without violating other homeowners’ privacy rights.
Of course, “privacy rights” are not always cut-and-dried and can vary between states. There are two broad categories of member privacy that community associations need to be cognizant of: physical privacy and data privacy. The former deals with a homeowner’s right not to be intruded upon while on his or her own private property, especially at home. Although this article will touch on physical privacy, the focus will lean more toward data privacy—the right not to have confidential personal information publicized or disclosed to third parties.
Homeowner’s Expectation of Privacy
A person intruded upon in a time and place where he or she has a reasonable expectation of privacy can potentially pursue a civil claim for invasion of privacy against the offender. See, Restatement (Second) of Torts, § 652B. In some states, intentionally observing someone who is at home with a reasonable expectation of privacy can even result in criminal liability. See, e.g., Code of Va., § 18.2 – 130; Cal. Penal Code §647. The question then becomes—when exactly does a person have a “reasonable expectation of privacy?”
According to the United States Supreme Court, an individual has a “reasonable expectation of privacy” when he or she subjectively expects something to remain private and has not knowingly exposed it to the public. Katz v. United States, 389 U.S. 347, 88 S.Ct. 507, 19 L.Ed.2d 576 (1967). In other words, if you think that something is private and don’t disclose or publicize it yourself, you have a reasonable expectation of privacy.
Now, anytime a standard involves someone’s thoughts or “subjective” expectations, there’s a lot of room for interpretation. And, indeed, courts examining the question in greater detail have held that an expectation of privacy is largely dependent on the time, place, and relationship between the parties. See, Wolfson v. Lewis, 924 F. Supp. 1413, 1417–18 (E.D. Pa. 1996). Where the line is drawn varies between states. A plaintiff whose seclusion is interrupted while in his or her own home almost always has a reasonable expectation of privacy, but that expectation is reduced outdoors and especially when in a public place. Nader v. Gen. Motors Corp., 255 N.E.2d 765, 771 (N.Y. 1970).
On the other hand, courts have held that, when you purchase a home subject to a community association, you “give up a certain degree of freedom of choice which [you] might otherwise enjoy in separate, privately owned property.” Hidden Harbour Estates, Inc. v. Norman, 309 So. 2d 180 (Fla. Dist. Ct. App. 1975). In condos especially, the association typically has a right to access private property for maintenance of commons areas, subject in most cases to a requirement of providing reasonable notice to the owner. See, e.g., Fla. Stat. §718.111(5). California even allows video surveillance within homeowners’ associations and condominium associations. Cal. Penal Code §647(j). However, the cameras can’t be directed to an area where homeowners have a “reasonable expectation of privacy” (there’s that term again).
That’s not to say that members of an HOA or condo association have no expectation of privacy—it just might be a little less in relation to the association than what might otherwise be the case. As a general matter, if you’re in your home taking a shower, you have a reasonable expectation of privacy with regard to your HOA. If you’re sunbathing on your front lawn, you might not.
The “reasonable expectation of privacy” standard is usually applied in cases involving a physical invasion of privacy. Someone is peeping in someone else’s window or taking pictures from the sidewalk—that sort of thing. That standard comes up less often in cases involving informational privacy and disclosure of confidential information. In a noteworthy case, though, the U.S. Supreme Court held that an individual did not have an expectation of privacy with regard to financial records provided to a bank. United States v. Miller, 425 U.S. 435 (1976).
Of vital importance, though, the Miller case involved the Fourth Amendment and searches and seizures by the government—not disclosure of personal information by an HOA. And, perhaps even more importantly, disclosure of confidential private information by HOAs is more commonly governed by state statutes applying to data protection generally and homeowners’ associations specifically.
Confidentiality and State HOA Laws
Surprisingly few state HOA statutes include express prohibitions on disclosure of homeowner information to third parties. Nevada is a state that does; it explicitly forbids a board from disclosing members’ private information. Nev. Admin. Code § 116.405 (4). Likewise, Nevada expressly prohibits disclosure of confidential member information by property management companies, absent a court order. Nev. Rev. Stat. §116A.640.
More commonly, though, protections are either implied in HOA statutes governing what cannot be disclosed to other members or found in laws of more general application.
HOA laws throughout the country nearly universally include transparency protections allowing members to inspect association records upon request. See, e.g., Fla. Code §720.303(4), Cal. Civ. Code §5205(a). The records subject to inspection are usually defined broadly, including everything from the association’s financial records and tax returns to its governing documents, member lists, meeting minutes, and plans for commons areas improvements. Absent exclusions to the contrary, these inspection statutes are often written so as to potentially require an association to disclose homeowners’ confidential information to a member who submits a request for inspection. HOA boards would then be forced to choose between refusing to comply with the inspection statute or violating members’ privacy rights.
Recognizing this Catch-22, most states’ disclosure statutes include carve-outs precluding disclosure of members’ private information. See, e.g., Fla. Stat. §720.303(5)(c)(5); Tex. Prop. Code § 209.005(k). In Texas, for instance, private information relating to a member or HOA employee is not subject to member inspection. Tex. Prop. Code § 209.005(d), (k). Similarly, California authorizes HOAs to withhold or redact information that is sensitive, confidential, privileged, or that could lead to fraud, identity theft, or violation of a member’s privacy rights. Cal. Civ. Code §5205.
Simple lists of members—typically including names and addresses—are usually within the scope of production requirements. However, some states allow HOA boards to refuse to produce member lists when the motivation of the member making the request is suspect. See A.R.S. 33-1805(B)(3) (allowing refusal if a member list is requested for a commercial purpose); Cal. Civ. Code §5225 (allowing refusal if requester’s purpose is “improper”).
Unfortunately, state homeowners’ association statutes often leave some ambiguity with regard to disclosure of member information to third parties. However, data protection laws of more general application (i.e., laws that apply to most individuals or entities, not just HOAs) offer members greater protection than what is explicitly provided by most HOA statutes alone.
State Data Protection Laws
Because identity theft has become such a wide-reaching problem, most states have enacted laws protecting confidential personal information and establishing standards for data security. These data-protection laws are often (but not always) included within an article or chapter of the state code dealing with consumer protection.
Florida’s Information Protection Act (Fla. Stat. §501.171, et seq.) is representative of the confidentiality provisions established in many states. The law has a wide application, covering essentially any entity that obtains, keeps, or uses personal information—along with agents handling personal information on a covered entity’s behalf. HOAs and property management companies will usually fall within the scope of this definition if they maintain any of the data covered by the law.
Protected data is referred to by the Florida statute (and statutes in many other states) as “personally identifiable information” (“PII”). PII is defined to include (among other things) Social Security and driver’s license numbers or other identifiers relating to government-issued identification; financial information like bank account and credit card numbers; and information relating to an individual’s medical, healthcare, or health insurance records.
Covered entities must exercise reasonable precautions to ensure PII is protected, and, in the event of a breach, the entity must provide timely notice to any affected individuals and to the state—in Florida, the Department of Legal Affairs.
Florida’s Information Protection Act differs from data-security laws in some states in that the Florida law does not authorize a private cause of action—which means that private individuals may not pursue a lawsuit based solely on a violation of the statute. However, while it is generally the State of Florida’s responsibility to enforce the law, certain violations are considered “unfair or deceptive trade practices,” potentially allowing for redress under the Florida Deceptive and Unfair Trade Practices Act. Fla. Stat. §501.201, et seq.
Many states, including California, do allow private causes of action under data-protection statutes. Under California’s Consumer Privacy Act (CCPA), a successful litigant can recover the actual damages he or she sustains as a result of an unlawful disclosure, attorney’s fees, and a civil penalty of up to $3,000 for intentional or reckless breaches, or $500 if the disclosure is inadvertent. Cal. Civ. Code §1798.84.
Privacy Under Debt Collection Laws
The federal Fair Debt Collections Practices Act (“FDCPA”) forbids disclosures to third parties of information relating to a debt (which can include HOA assessments). 15 U.S.C. §1692c(b). The FDCPA, though, applies to “debt collectors” collecting consumer debts on behalf of another person or entity. So, in most cases, HOAs are not directly covered by the FDCPA.
Where the law becomes relevant is when an HOA places unpaid assessments with an attorney’s office or collections agency. Collections agencies are almost by definition “debt collectors.” And, if a law firm attempts to collect debts as a regular part of its practice, the firm is a “debt collector” under the FDCPA. See Fuller v. Becker and Poliakoff, 192 F. Supp. 2d 1361 (M.D. Fla. 2002).
A property management company can sometimes qualify as a “debt collector,” depending on the nature of its operations. If the management company’s activities largely revolve around collecting assessments from members, it is likely a “debt collector” under the FDCPA. But if it spends a lot more of its time and effort on managing association facilities—and collecting delinquent assessments is only an incidental part of what the company does—then it is probably not governed by the FDCPA. See e.g., Alexander v. Omega Management, Inc., 67 F. Supp. 2d 1052 (D.Minn 1999); Franceschi v. Mautner-Glick Corp., 22 F. Supp. 2d 250 (S.D.N.Y. 1998).
Most states have some sort of analogous debt-collection statute, and some of those define “debt collector” to include any entity collecting debts from consumers, even if the entity is attempting to collect debts that are owed to itself. Using this more expansive definition, HOAs and condo associations can qualify as “debt collectors,” and may therefore be barred from disclosing information to a third party related to a debt (i.e., unpaid assessments) or debtor (i.e., a homeowner who owes assessments).
Under North Carolina’s Debt Collection Act, for instance, an HOA qualifying as a “debt collector” may not unreasonably publicize information relating to a debt. N.C.G.S. §75-53. Prohibited publication includes any debt-related disclosure to a third party, any communication about a debt that is reasonably likely to be overheard by a third party, and dissemination of any list that includes debt-related information. Id. Thus, an HOA that discloses information about a member’s assessments to a third party (including another member) potentially violates the North Carolina law.
The FDCPA and most state debt collections laws allow private causes of action to recover damages arising from statutory violations. Typically, a successful plaintiff can recover any damages caused by the violation, attorney’s fees, and a civil penalty. The FDCPA’s civil penalty is $1,000 per violation. State laws often use a sliding scale. In North Carolina, the penalty ranges from $500 to $4,000 per violation, depending on the nature and severity. N.C.G.S., §75-56.
Common Law Causes of Action
Improper disclosure or publication of confidential information by an HOA can sometimes give rise to claims under one or more common law theories, including (1) breach of fiduciary duty, (2) invasion of privacy, and (3) negligence.
1. Breach of Fiduciary Duty
A fiduciary relationship often arises in the HOA context under state HOA and nonprofit corporation statutes, or under the common law. In most states, officers and directors of an association owe fiduciary duties to the HOA and its members. See, e.g., Fla. Stat. §720.303(1); Tex. Prop. Code § 209.0052.
When a fiduciary relationship is present, “one person is under a duty to act for the benefit of the other on matters within the scope of the relationship.” Black’s Law Dictionary, 7th Ed. (1999). That is, as a fiduciary, an HOA officer or board member is charged with a standard of care higher than in most other relationships and must act reasonably within the association’s and members’ best interests, avoiding self-dealing and conflicts of interest. See, e.g., Tex. Prop. Code § 209.0052; Fla. Stat. §718.111(1)(d).
Officers’ and board members’ fiduciary duties encompass an obligation to act prudently, loyally, and in good faith. Implicit in the duty of loyalty is the responsibility to avoid divulging private information and to exercise reasonable precautions necessary to ensure confidential information is not disclosed without authorization.
Depending on the circumstances, an association, board member, or officer who makes an unauthorized disclosure of a homeowner’s confidential information can be liable for breach of fiduciary duty. While a board’s paramount duty is to the community as a whole (as opposed to individual homeowners), a breach of confidentiality or failure to safeguard confidential information could potentially implicate both the fiduciary duty owed to any affected homeowners and the duty owed to the association itself. See, Nahrstedt v. Lakeside Village Condo. Ass’n., 8 Cal. 4th 361, 386 (1994). Along with any actual damages sustained as a result of the breach, claims for breach of fiduciary duty can also sometimes support an award of punitive damages if the breach is egregious. See, e.g., Manges v. Guerra, 673 S.W.2d 180, 184 (Tex. 1984); Woods v. Mendez, 265 Va. 68, 76 (2003).
2. Invasion of Privacy
The tort of invasion of privacy includes four different recognized sub-categories: intrusion on seclusion, appropriation of name or likeness, placing a person in a false light before the public, and public disclosure of private facts. Restatement (2nd) of Torts, §652. Disclosure of sufficiently sensitive member information by an HOA could potentially create a claim for public disclosure of private facts. However, not all jurisdictions recognize that particular form of invasion of privacy. New York law, for instance, does not recognize the cause of action.
In general, a claim of public disclosure of private facts requires wide-ranging publication of facts that are not known by the general public and not of public interest. Further, the disclosure must be offensive to a reasonable person. Restatement (2nd) of Torts, §652D. There isn’t a bright-line rule as to how many persons must receive the information, though courts have found one or two people to be insufficient, and around twenty to be sufficient. Robert C. Ozer, P.C. v. Borquez, 940 P.2d 371 (Colo. 1997); Kinsey v. Macur, 107 Cal.App.3d 265, 165 Cal. Rptr. 608, 611 (1980).
Similarly, what qualifies as “highly offensive” is also subjective and needs to be determined on a case-by-case basis. A California court ruled that disclosure of a plaintiff’s HIV diagnosis was sufficiently offensive. Urbaniak v. Newton, 226 Cal.App.3d 1128, 277 Cal.Rptr. 354, 360 (1991). Simple disclosure by an HOA of a member’s SSN or birthdate is probably insufficient, but extensive dissemination of embarrassing financial information could potentially support a cause of action, depending on the law of the applicable state.
3. Negligence
Negligence is the cause of action most commonly asserted in tort cases. A negligence case arises when a defendant fails to meet the standard of care expected of a reasonable person under the circumstances, and, as a result of the failure, the plaintiff sustains injuries. See, e.g., Pearson v. Norman, 106 P.2d 361 (Colo. 1940); Terry v. Linscott Hotel Corp., 126 Ariz. 548, 617 P.2d 56 (App. 1980). Damage awards in negligence cases are measured so as to compensate the plaintiff for the actual injuries sustained and to return the plaintiff to his or her pre-injury status. U.S. Fid. & Guar. Co. v. Davis, 3 Ariz. App. 259, 413 P.2d 590 (1966).
In the HOA context, a negligence action might be available if an association was careless in failing to protect confidential member information, and, as a result of that carelessness, a member incurred actual damages. So, for instance, if an HOA negligently allowed public access to a member’s identifying information and financial account numbers, and the member became a victim of identity theft as a result, the member could potentially assert a negligence claim against the association.
Significantly, a property management company acting on behalf of an HOA will often qualify as an “agent” of the HOA. As an agent, duties of care owed by the HOA can sometimes extend to the property manager. See, e.g., Castillo v. Case Farms of Ohio, 96 F. Supp. 2d 578 (W.D. Tex. 1999). However, principal / agent relationships are a complex area of the law, and whether the relationship is present, and whether vicarious duties and liabilities arise in a given scenario, must be determined on a case-by-case basis.
HOA’s Duty to Protect Confidential Information
Whether it’s the “reasonable person” standard applicable to negligence cases, the heightened obligations of a fiduciary, or a duty established by statute, HOAs have a responsibility to take reasonable precautions to protect members’ confidential information. Precisely what that entails could depend on a host of factors, including the information involved, the format in which it is maintained, and the association’s operations.
Protection of information kept in hard-copy format could be as simple as locking HOA office doors to prevent physical theft of records. When documents containing private information are no longer needed, they should be properly disposed of. California law recommends shredding physical documents, erasing electronic data, or otherwise modifying personal information so that it is no longer accessible. Cal. Civ. Code § 1798.81. The Federal Trade Commission suggests “burning, pulverizing, or shredding of papers containing consumer information so that the information cannot practicably be read or reconstructed.” Or, if confidential information is stored electronically, “destruction or erasure…so that the information cannot practicably be read or reconstructed.”
An HOA should have formal, written security policies laying out clear rules and procedures for maintaining data security. Rules could include limiting access of board members to private information to a “need-to-know” basis. For instance, if an association has members’ credit card or bank account numbers, limiting access to the treasurer or similar officer can protect the association from inadvertent disclosure, improper use of the information, and liability.
Policies for email use and reviewing confidential information on mobile devices are also a good idea. HOA computer systems with sensitive information should have adequate protection against unauthorized access, including password protection and encryption. And any third-party vendors with access to protected information should be required to maintain security protocols at least as rigorous as the association’s own.
Even with solid protocols in place, it’s nearly impossible to completely eliminate the risk of disclosure. With that in mind, it’s wise for HOA boards to ensure that the association’s liability insurance policy (if it has one) covers injuries sustained by members or third parties in the event of a data breach. For the most part, liability insurance is voluntary for HOAs, though it is often mandatory for condo associations. See, e.g., Fla. Stat. §718.111; A.R.S. §33-1253.
In the event an association incurs liability arising from a data breach, an insurance policy covering cyber liability will help defray the costs of compensating injured parties or—if the association’s liability isn’t clear—the cost of defending against disputed claims. By covering these costs, liability insurance allows the HOA to continue functioning financially and protects other members from being hit with a special assessment needed to make up for the costs of settling claims and paying attorneys’ fees.