Q&A

HOA board could be liable for disclosure of owners' personal data

Lax handling of HOA members' personal data puts board at risk for damages

Question: A past manager used to print dozens of nonsensical pages from numerous websites, pile them all together to make it look like she was actually doing something for a paycheck, then title it "Board Packet" and present it to directors before the meeting. This useless information was a waste of association resources. No one asked her for this and it was not part of her job description. We told her to stop doing it. When she would not stop, we fired her.

Then we hired a management company that did the same thing, only this time it included banking information, copies of owners' personal checks, letters, and invoices, racking up hundreds of pages in what it, too, called a "Board Packet."

I realized we could not prevent all directors from sharing this confidential information. When these board packets were transmitted via email, the custody issue was uncontrollable. The board packet information got out, and suddenly no one knew anything, but excuses poured in.

Owners were furious their private information was shared with people they didn't know. Information was indiscriminately shared with third parties and other personnel who freely disparaged certain owners and retaliated using this newfound tool of intimidation. Banking and bank account numbers were used, as well as personal checking information, letters, owner signatures, and more. We DO NOT want board packets; we can accomplish what we need in less intrusive ways. Where's the law saying homeowner association boards require board packets?

Answer: There is no California law that says homeowner association boards require board packets. The term "board packet" does not exist in the common interest development act. There is no statutory definition for a so-called board packet, therefore a "board packet" is not statutorily mandated. As it pertains to homeowner associations under California Nonprofit Mutual Benefit Corporations laws, "board packets" do not exist.

If the term "board packet" exists in association governing documents, they will describe the term and provide directions for packet contents, methods of delivery and safeguard procedures.

Nothing prevents directors from staying informed while performing fiduciary duties, but all this can be accomplished without cumbersome, often costly "packets" that disclose sensitive and unnecessary information. Because owners are in a statutorily vulnerable position, directors as fiduciaries are held to a higher standard of care with regard to breaches of trust. Distributing such information creates a serious liability for directors.

As boards are vested with the duty of possession, custody and control of such information, directors should be cautious when creating unnecessary procedures that accumulate owners' private information without legal disclosures, disclaimers and consent. Once such information is released, even by accident, the onus is on the board. Associations must have security and custody procedures in place so records and documents can be tracked. Many association problems leading to litigation occur because there is no accountability, no viable tracking system and no consistent center of control for documents.

Often associations are too lax in scrutinizing management contracts, supervising personnel/vendors and protecting owners'/residents' personal information. The duty to maintain confidentiality is nondelegable, and vendor disclosures are still actionable against directors and the association.

Directors who work with third-party vendors, including management companies, should request written assurances regarding safeguarding association documents, board correspondence, its titleholder information and all privacy matters.

Businesses, including associations, that improperly distribute personal information, or that experience a breach of security, are required to disclose the breach, according to Civil Code section 1798.82. The right to receive notice of a breach cannot be waived, and an individual may recover $3,000 per violation for willful, intentional or reckless violation of the requirements pertaining to personal information, or $500 per inadvertent violation and disclosure. Additionally, an individual enforcing his or her rights regarding personal information may recover reasonable attorney's fees and costs. See Civil Code section 1798.84.

Homeowner associations, their directors and third-party vendors are subject to statutory requirements governing personal information disclosures, including Civil Code sections 1798.15 to 1798.84. Associations that encourage broad distribution of information to managers, agents, even board directors, run the risk of serious violations and civil penalties.

Even if directed by the board, titleholders should NOT voluntarily provide any entity — agent or otherwise — personal information without written assurances of a chain of custody for confidentiality and use of their information.

Zachary Levine, partner at Wolk & Levine, a business and intellectual property law firm, co-wrote this column. Vanitzian is an arbitrator and mediator. Send questions to Donie Vanitzian JD, P.O. Box 10490, Marina del Rey, CA 90295 or noexit@mindspring.com.

Copyright © 2016, Los Angeles Times