Cybersecurity Now: Boards Have a Digital Duty of Care

Securing residents’ property and personal safety has always been of primary concern for shared interest communities, be they high-rises, townhomes, or suburban HOAs. A generation ago, security technology was pretty much limited to human guards and closed-circuit cameras—but in today’s world, any discussion of security must also include the handling and protection of digital information and personal data. Hacking events affecting banks, credit card companies, and government agencies are highly publicized, but any organization possessing closely held personal information must be aware of the growing threat of data theft and take all appropriate steps to protect themselves and their constituents. 

Condo and co-op administrators are routinely entrusted with sensitive information, including banking details, owner contact information, assessment records and legal documents. A single breach or mishandling of such data can have significant legal, financial, and reputational consequences for both boards and managers.

The Bigger Picture

In today’s digital landscape, safeguarding resident and financial data is not only a fiduciary responsibility but a fundamental component of maintaining community trust and operational integrity. 

Bruno Bartoli, senior director of management services at Evergreen Management, located in Bedford, New Hampshire, stresses that “we recognize that data security must be proactive, not reactive. This involves continuously assessing risks, investing in secure technology platforms, and maintaining stringent protocols to protect both electronic and physical records. Our role extends beyond compliance; we must lead by example in setting high standards for confidentiality and data protection across all levels of HOA governance.”

“Bad actors are launching cyberattacks frequently,” says Carl Mazzanti, president of eMazzanti Technologies, a national and international supplier of cyber-related technology based in Hoboken, New Jersey. “And, they’re using artificial intelligence to enhance their attacks. Co-op and condo management companies in particular collect a great deal of sensitive information about residents, so they’re a rich target.”

The threat of data theft comes from the most innocent-appearing places, explains Nir Hemed, CTO of Daisy, a real estate management firm with clients in New York and New Jersey. “Boards, residents, everyone, are using hackable systems all the time,” he says. “Attacks can be direct or indirect. A direct attack might be on your managing agent. An attack through a vendor would be an example of an indirect attack. Someone may impersonate [a legitimate vendor or service provider] online, asking for rerouting of bank accounts, for instance. The attack becomes active when payment comes due.”

Strategies for Security

Effective data protection begins with robust infrastructure and secure, industry-specific platforms designed for community association management. According to cybersecurity and management pros, these systems should feature multi-factor authentication, role-based access controls, and encrypted data transmission—all of which are essential in minimizing vulnerability to unauthorized access.

“Password policies must be rigorously enforced,” says Bartoli, “and require complexity standards and routine updates. Management staff and residents, as well as board members, should receive ongoing training on phishing prevention, software use, and cyber hygiene. Most importantly, access to sensitive data should be limited strictly to those whose roles necessitate it. Board members, for example, may have portal access tailored to their responsibilities, without granting visibility of broader internal systems. Implementation must be consistent and well-documented. Work closely with IT professionals and software providers to ensure all updates, patches, and backups are timely and secure.”

According to Hemed, there are three primary questions boards should ask about their management company’s commitment to data protection: “Does your management company have a dedicated security team? Does the company have a phishing filtering system? Is the technology your management company uses for payments, notifications and other communications compliant with the New York City Data Shield Act, and/or similar compliance requirements in other locales?”

Mazzanti adds that it’s also vitally important to monitor and limit who has access to software and proprietary information—both with the management firm, and within client associations. “Work with your providers to apply strict access controls based on the principle of least privilege, where only authorized personnel have access,” he says. “That access is limited to job-related responsibilities. For example, accounts payable personnel should not have access to salary data. Permissions should also be periodically reviewed. The last thing you want is for a former employee to retain access to your systems. Software manufacturers and vendors periodically issue patches or updates that target vulnerabilities and other conditions. Your management or security provider can help you implement automated solutions that will download patches as soon as they are available.”

Data Storage

Not so long ago, management companies kept physical paper files on their client communities. These days, sensitive records, including things like financial statements, governing documents, or owner information, must be stored in secure, access-controlled digital environments with reliable backup systems.

“In the event of a suspected or confirmed data breach,” says Bartoli, “we follow a strict incident response protocol. This includes immediate isolation of affected systems, internal investigation, notification of association leadership, and engagement with cybersecurity IT experts if needed. Transparency with our client communities is paramount, and we ensure any communication is factual, timely, and instructive.”

Mazzanti says, “Sensitive digital data should be encrypted both at rest and in transit, using strong cryptographic standards (like AES, RSA) and robust key management practices. You should regularly back up sensitive data, encrypt the backups, and store them in a secure, off-site location. Backups can be automated to reduce human error and ensure recoverability. Sensitive physical records should be kept in locked, access-controlled rooms or cabinets, and critical documents should be stored in fireproof containers. For higher security and compliance, you might consider placing sensitive and critical records with off-site storage maintained by professional information management partners.” 

If There’s a Breach

If your association or management firm is the victim of a data breach, as in any crisis situation, the first step is to keep calm. Then, turn it over to the professionals. “Whether you have a dedicated team or a provider, there is a structured way to handle a breach,” says Hemed. “This includes bringing in an investigation team, who will make sure at that point that all records are logged and locked to contain the situation. It’s really important to understand how it happened. This is work for professionals. Often the origin is a simple phishing attack. The question is how to prevent attackers from accessing the system going forward. Once they have the access, it’s basically over and you have to take new measures to secure the system. Sadly, the human element is the weakest link here. Anyone, be it an owner, or a board member or a manager, even a vendor can be the crack that lets [a data thief] in.”

Education is a key element in keeping systems safe. Board members and residents, even those renting units, should have a basic knowledge of how to avoid scams, phishing, and the like. “Education is an essential defense against cyber threats,” says Bartoli. “Many of the communities we serve include older adults who may be particularly vulnerable to phishing, spoofing, or identity fraud. If this is the case in your community, we suggest you regularly distribute plain-language bulletins on topics such as recognizing fraudulent emails, securing personal devices, and avoiding unsolicited information requests. When appropriate, tailor materials to accommodate varying levels of digital literacy, using examples that are relatable and emphasizing the importance of caution when handling emails, texts, or online requests for personal information. Managers should be trained to recognize signs that a resident may have been targeted or compromised and be prepared to refer them to appropriate support resources.”

There are many ways to keep residents in the loop. “Share information and tips through newsletters and bulletin boards, and host in-person or virtual workshops at community spaces,” says Mazzanti. “One method to garner resident attention is to gamify the information by incorporating interactive activities such as ‘Fraud Bingo’ or scam detection challenges, which improves scam recognition among older adults. Highlight common scams, such as phishing emails, grandparent scams, and romance scams, and explain how to verify identities and avoid acting hastily on unsolicited offers.”

In the end, it boils down to education. Everyone today interfaces with many systems and needs to be aware of the risks, so keep it simple, and be very transparent. While your management company may not be directly responsible for educating your members, it should at minimum notify residents of risks as they arise, such as warning them not to open a specific email the company has determined is dangerous.

Along that line, Mazzanti says, “Cybersecurity professionals can help you to design and offer interactive training modules that cover topics such as recognizing phishing emails, avoiding dangerous attachments and links, and understanding social engineering tactics. These models can and should be regularly updated and tailored to the needs of the community and its many components.”

Costs

Data storage can become expensive. A lower-cost answer may be to use ‘the Cloud.’ Cloud-based platforms allow your organization to scale resources up or down instantly, adapting to changing business needs without heavy investments in physical infrastructure. Cloud-based platforms also enable your teams to collaborate in real time from any location, which improves productivity and supports remote work, document sharing, and project management. But a cloud platform is only as secure as its weakest link. Cybersecurity professionals can help you choose providers that offer multi-factor authentication, encryption at rest and in transit, and firewalls. Also, look for compliance with standards like GDPR, HIPAA and others.

Cybersecurity is no longer a luxury, any more than functional door locks and working cameras are. There are a lot of bad actors out there looking for ways to get into your proprietary data. Don’t let them.

A.J. Sidransky is a staff writer/reporter for CooperatorNews, and a published novelist. He may be reached at alan@yrinc.com. 
