Homeowners Association Privacy and Data Security
Many homeowners associations collect license plate and vehicle information. Some may even use a license plate reader to record license plates to control access and track vehicles within the neighborhood or on the property. Clients may not realize that data protection standards and data disposal laws apply to the aggregation of such driver’s license data and vehicle license plate information in a database. Lack of compliance with these laws and standards may result in investigations, fines or civil actions. The risks are the same even if an association were to provide driver’s license and vehicle plate information to a third-party service provider. The association is responsible for ensuring third parties maintain the data in compliance with applicable law.
This alert outlines (i) basic information that every homeowners association collecting this kind of data should know and (ii) actions that each association should take to comply with state laws and standards. The Privacy and Data Security Practice Group can provide further assistance with identifying the laws relevant to each client and implementing the action steps detailed below.
Driver's License Data
State security breach laws, data disposal and data protection standard regulations set out specific requirements concerning the storage and retention of driver’s license data.
- Security breach laws: In the event that personally identifiable information, including a driver’s license number in combination with a first name or first initial and last name, is at risk of exposure to an unauthorized person in a data security incident, an association may be obligated to report the incident to (i) the individual whose information is at risk of exposure and (ii) a state attorney general, other state agency, or the consumer reporting agencies. Examples of suspected “unauthorized access” include a lost laptop containing names and corresponding driver’s license data, or a paper print-out in the hands of a person not authorized to handle the driver’s license or vehicle plate information.
- Data disposal: At least 31 states and Puerto Rico require entities to destroy, dispose of, or otherwise make personal information unreadable or undecipherable. Most state disposal requirements are similar in nature and generally apply to entities that conduct business within the state.
- Data protection standards: Massachusetts’ regulation is widely considered the most comprehensive data protection regulation in the United States. The regulation establishes minimum standards to be met in connection with the safeguarding of personal information in both paper and electronic records. If an association were to possess the personal information, including name and driver’s license number, of a Massachusetts resident, it would be subject to this regulation.
Vehicle License Plate Data
The collection of vehicle license plate data is regulated by individual states through automated license plate reader (ALPR) laws. Only Utah specifically regulates the collection of ALPR data by private entities; it is not clear whether laws in the states of Arkansas, Colorado, or Minnesota apply to homeowners associations and other private entities, or only to law enforcement. Regardless, these laws likely only apply to entities operating within the state. Maine, however, has a blanket prohibition on the use of ALPR, and it is unclear whether that law applies only to entities operating within the state of Maine or whether it also applies to entities collecting Maine residents' information by using ALPR elsewhere.
What actions should a homeowners association take to comply with state laws and regulations?
- Prepare a written incident response plan defining when a data security incident occurs and outlining action steps for the association to follow to meet any regulatory reporting obligations.
- Comply with the disposal laws of a comparatively restrictive state.
- Implement a written information security program (“WISP”) as set out in 201 Mass. Code Regs. 17.03(2). Such a program will likely comply with similar standards under other states’ laws.
- Restrict access to driver’s license and vehicle plate information only to those employees who require such access to perform their job responsibilities. Develop well-documented training for the association's employees or vendors who handle driver’s license information, tailored to the purpose for which the association collects driver’s license and vehicle plate information. Periodically review employee access credentials to the database containing this information to ensure access is appropriate to the employees’ job responsibilities.
- Set out in policies and vendor contracts specific data retention and disposal guidelines consistent with ALPR laws and laws governing collection of driver’s license number information. Require notification to the association of any data security incident within 24 hours of the incident.
The articles published in this newsletter are intended only to provide general information on the subjects covered. The contents should not be construed as legal advice or a legal opinion. Readers should consult with legal counsel to obtain specific legal advice based on particular situations.