During the course
of their tenure on an association’s governing board, board members will come
into possession of a seemingly endless amount of information. While owners are
entitled to access
Among those
categories of information, are information and materials that are protected by
attorney-client privilege, which was previously addressed in depth in a recent
alert. Other categories of sensitive
information that a board may come into possession of, include:
·
Delinquency
reports;
·
Reasonable
accommodation requests;
·
Employee
records; and
·
Personal
owner information.
In all of the
above-referenced categories, boards must balance their obligations to keep
owners informed of association business and safeguarding information which
could potentially expose the association to liability if improperly
disseminated.
DELINQUENCIES
The association’s
financial health depends on the proper assessment and collection of common area
fees. While owners may be informed about
the total amount of common area fees collected and outstanding, board members
should not disclose specific unit owner assessments or delinquencies, nor
should board members disclose details about negotiations with these owners,
including payment plans. Moreover, even when a lien enforcement action
to recover common area fees is pending before a court, board members are still
discouraged from discussing the same with anyone outside of the litigation.
Association
managers typically produce monthly information packages for board members
containing invoices, records of bills paid, collection totals and other
financial details. Much of this
information can be shared with owners upon request, but not all of it. To that end, board members should refrain
from disseminating and disclosing detailed information about individual
accounts (aside from that belonging to the specific owner so requesting),
including their payment histories and delinquency status. All of this owner-specific information should
be redacted before the reports are circulated to owners, inserted in the
minutes, posted on the association’s web site, or otherwise distributed outside
of the board.
REASONABLE ACCOMMODATION REQUESTS
Generally
speaking, a person is handicapped or disabled if: 1) they have a physical or
mental impairment that substantially limits one or more major life activities
(i.e. the condition limits their ability to walk, speak, hear, breath, learn or
work); 2) the person has a record of such a physical or mental condition; or
3) the person is regarded as having such a condition (meaning that the person
is viewed and/or as suffering from physical or mental disability, even if not
formally diagnosed).
The most common
types of requests made to a board for a reasonable accommodation are to keep an
emotional support or service animal in an association where animals for
prohibited, but requests for reasonable accommodations are not limited to any
specific type of accommodation or modification if the same is related to a
resident’s disability and necessary for that individual to have an equal
opportunity to enjoy and use the association. When presented with a request for
a reasonable accommodation or modification, boards must evaluate each request
fairly, uniformly, and on a case-by-case basis. While boards are entitled to
ask for certain information to verify the legitimacy of the request, there is a
limitation on the information that boards may request, and boards should not
disclose the information received to anyone outside of the board, under any
circumstances. Often times, board members are asked why another resident is
permitted to avoid strict compliance with the association’s governing
documents, i.e., in the case of a resident having an animal in a no-pet
community, and in such case, the board should simply state that a request for a
reasonable accommodation was made, and granted, without disclosing any details
about the resident’s handicap or disability or the information provided in
support thereof.
EMPLOYEE RECORDS
Employee personnel
records contain private and sensitive information, including performance
reviews, medical reports, and disciplinary actions, which should not be
disclosed to owners or anyone who does not have a legitimate need for such
information. For that reason, the
personnel file should be kept separate from payroll information (job
description, salary, promotions, etc.), which can be shared with owners.
Employees also
have general privacy rights that boards are required to protect. Like reasonable accommodations granted in the
context of housing, employee requests for reasonable accommodations in the workplace
should be treated as confidential, such as sensitive personal information such
as Social Security Numbers, bank accounts, etc. Underscoring that point, is a
recent case involving the breach of a computer system, wherein the Pennsylvania
Supreme Court ruled that “an employer has a legal duty to exercise reasonable
care to safeguard its employees’ sensitive personal information….”
Credit checks and
criminal background also checks create additional concerns. The results of these investigations should be
stored in confidential files, access to which should be strictly limited. Some
state laws also limit the extent to which employers can use information gleaned
from criminal background checks in their hiring decisions, and associations and
board members may be exposed to serious criminal and civil sanctions for
violations of the applicable laws and regulations pertaining to the same.
Owners may be entitled
to know how much employees are being paid, if the employee is being paid
directly by the association, and what duties they are expected to perform. But disclosing performance reviews,
reprimands, disciplinary actions and similar information would expose the board
to potential legal liability, because evaluations may be contested and revised
and disciplinary actions may be reversed.
Employees who are criticized unfairly or wrongly accused of infractions might
sue for defamation if those complaints are made public, published or otherwise
disclosed.
Moreover,
personnel files should remain confidential after an employee’s departure, in
order to limit an employer’s exposure to a claim for defamation by the former
employee. Conditional privilege may be
available to board employer to disclose negative information concerning an
employee when such disclosure is reasonably necessary to serve the employer’s
legitimate interests, i.e., whether an employee can actually perform the duties
of the position. However, conditional privilege does not apply (and will not be
a viable defense to a claim for defamation) if the negative statement is made
recklessly (i.e., with no effort to determine whether a statement is even true)
or if the statement is made with actual malice. Conditional privilege also does
not apply if the board employer makes the statement to people who have no
legitimate interest in the information (i.e., the discharge of a manager is
communicated to the company’s office supply vendor).
When contacted for
employment references of past employees, board employers are encouraged to err
on the side of caution and only provide neutral references (i.e., dates of
employment and positions without commentary). If an employee asks for a
substantive reference letter (and the board employer does not have an express
policy prohibiting the same), the reference letter should only be sent upon the
employee’s execution of a written reference authorization and waiver of
liability in advance of producing the same.
PERSONAL OWNER INFORMATION
Laws in most
states, including Massachusetts, require that any person whom receives, stores,
maintains, processes or otherwise has access to personal information acquired
in connection with employment or with the provision of goods or services has a
duty to protect that information. Personal information includes a surname,
together with a first name or initial, in combination with one or more of the
following three data elements pertaining to that person: Social Security
Number, driver’s license or state-issued identification card number or
financial account or credit or debit card number, with or without any other
data element, such as a code, password, or PIN, that would permit access to the
person’s financial account. The term
“personal information” does not includes information that is lawfully obtained
from publicly available information, or from federal, state or local government
records lawfully made available to the general public.
Among the
safeguards to be considered are:
- Designation
of the individuals who will oversee and maintain the information;
- Analysis of
the reasonably foreseeable risks to the security, confidentiality and
integrity of records, in any form, that contain personal information, of
the effectiveness of any current safeguards for limiting those risks, and
of the need to develop improved safeguards;
- For paper
records, adoption of policy provisions for secure storage or materials
containing personal information, including restrictions on physical access
to such records and, for electronic records, control measures that
restrict access and include secure user authentication protocols;
- Encryption of
personal information that is stored on computers, laptops or other
portable devices or is transmitted across public networks or transmitted wirelessly;
- Adoption of
policy provisions to ensure that any electronic records system that is
connected to the internet includes firewall protection and operating
system security patches, that security software includes malware
protections and virus definitions, and that all these programs are
reasonably current and updated as needed;
- Oversight of
third-party service providers who have access to personal information,
including a process to select and retain service providers that are able
to maintain appropriate security measures;
- Regular
monitoring to detect any unauthorized use of or access to personal
information, and to identify any areas where upgraded safeguards are
needed;
- Protocol is
updated whenever there is a material change in business practices that may
reasonably implicate the protection of personal information; and
- Responses to
any breach of security is document, together with all actions taken
thereafter to change practices relating to the protection of personal
information.
A partner in the litigation department of Marcus,
Errico, Emmer, Brooks, PC, Jennifer
concentrates her practice in the areas of civil and appellate litigation,
condominium law and real estate law. She can be contacted by email at jbarnett@meeb.com.
