House Bill 18-1128, effective on September 1, 2018, requires certain businesses to come into compliance with consumer data privacy protections. Does this law apply to associations and management companies? If so, how do you achieve compliance?
To whom does the law apply?
The new law applies to any entity/person that “maintains, owns or licenses personal identifying information in the court of the person’s business, vocation or occupation”. Most management companies and common interest communities either maintain some of these documents or could potentially come into possession of this information.
What sort of information is protected?
Social security numbers, personal identification numbers, passwords, pass codes, driver’s licenses or other government issued identifications, biometric data or employer student or military identification number. While an association or management company may not be in possession of most of this information, a ‘personal identification number’ is typically tied into most homeowner accounts. Further, an association and/or management company may be in possession of social security information relating to association employees or even copies of driver licenses if it keeps copies when notarizing documents.
What needs to be done to protect the information?
It is recommended that a policy be adopted that provides for reasonable security procedures and practices for protected information. Also, the policy needs to define what occurs in the event of a security breach including proper disclosure procedures.
Is each managed association required to maintain a policy or can the management company maintain one policy for each client?
While the law is not clear on this point, I recommend that both management companies and each, individual association maintain a separate policy. This ensures that the policy is part of the association’s official records and further guarantees continued compliance in the event of a management company change.
Given the potential liability for not complying with the new law, associations and management companies should act quickly to adopt the requisite policy. The Dupont Law Firm is here to help prepare the policy at a reasonable cost.