Community schemes insurance and information risks

6 August 2021 | Mike Addison

It is fair to say that POPIA (“Protection of Personal Information Act”) and PAIA (“Promotion of Access to information Act”) are the two Information Laws, and which the writer sees as the “information spectrum” with PAIA dealing with the access of information, and POPIA dealing with the privacy aspect, or protection of information.

In other words, PAIA is there to ensure that a person has the right to information which may be needed in order to protect their rights, and POPIA deals with the protection of personal information i.e. privacy to avoid harm, damages or losses, which might occur if such information was not protected. In essence, the information officer will oversee both aspects. In the community scheme space, this will pertain to the information of the managing agency itself (the managing agent will have their own information officer) as well as the scheme i.e. Body Corporate, Homeowners Association or Share-Block Company will need to appoint their specific information officer.

The information officer will need to be aware of a few risks regarding PAIA while providing information requested, such as:

1. Not to provide somebody’s personal information i.e., information about a third party.

2. Not to divulge any trade secrets or confidential commercial information which could compromise a third party or business.

3. Should not provide information which could lead to the harm of a third party.

4. Should not provide information which could cause a breach of an agreement.

5. Should not breach client-attorney privilege.

Of most concern, are POPIA breaches i.e. where information is shared either voluntarily, ignorantly, by coercion, and/or by being tricked into providing such information, and/or having confidential, and/or sensitive data lost, and/or stolen, where such personal information lands up in the wrong hands.

One can lose data in many ways such as, hard drive failure, accidentally deleting information, viruses and malware, power failure, water damage, fire, theft and/or loss.

In this computer age, we refer to loss of data primarily in respect of computer data losses.

The primary causes of data loss are human failure, human error, software corruption, hardware breakdown or destruction, theft and computer viruses. Phishing and data breaches are commonplace and a real cause for concern. Email hacking by sophisticated perpetrators resulting in losses is now on the rise as we have seen this happen to community scheme clients.

Much of the body corporate’s data is stored on personal computers, laptops, hard drives, flash drives or cloud software. Trustees, directors and portfolio managers usually have such information on these devices, one way or another and in some cases, very sensitive information. Email submission of invoices, electronic fund transfers, beneficiary information are particularly, high risk areas.

The liability attached to such data breaches or losses can be devasting for a managing agency or community schemes – commonly referred to by insurers as cyber liability.

Cyber liability and cybercrime usually occur through the same or similar means, the former pertaining to economic losses flowing from the breach and the latter resulting in direct losses such as the criminal transfer of funds.

Commercial Crime, Computer Crime, Cybercrime – direct losses through trickery, fraudulent transfer, theft of funds – direct losses.

Cyber Crime, Cyber Liability and Data Loss usually being losses from claims being made following a breach (liability for someone else’s loss), reinstatement and management of the crisis costs.

How Does a Community Scheme Transfer this risk to an insurer?

There is presently no requirement in the Sectional Titles Scheme Management Act (“STSMA”), Community Schemes Ombud Services Act (“CSOSA”), nor their regulations which compels a scheme to hold such cover.

More recently, specialist insurers have added Loss of Data and Computer Crime to their previously termed Fidelity Policies, now often called Commercial Crime Policies with Data Protection included.

The schemes insurance advisor, in recognising the scheme’s risk, should advise the scheme to have a level of Commercial Crime and Loss of Data cover.

Larger schemes, managing a higher volume of data, can also consider buying a particular policy for this purpose rather than just a section of a policy with limited benefits and conditions.

How does a Managing Agent protect themselves by way of insurance?

The challenge is that many insurers (underwriters) do not yet fully understand the dynamics of community scheme handling of funds i.e. the trust account system, releasing of such payments and, the collection of levies. Some underwriters still expect a premium from individual schemes where managing agents essentially control the receipts, and payments of scheme money. This leads to duplication in certain areas. Others have onerous conditions and high excesses.

We do expect a few new products to emerge shortly which will be more all encompassing for the managing agent in terms of the risks they face in this regard. Meanwhile, it is important for the managing agent’s own commercial broker to look at a suite of products including Professional Indemnity, Fidelity/Commercial Crime, Cyber Liability, Public Liability and other risks that may be applicable, such as business interruption and loss of income.

Mitigation

Most of the risk reduction is “mitigation” or prevention by taking precautions. There is much information, and many articles available on prevention strategies such as educating one’s staff, being aware of the “tricks”, taking care with logging in, encryption of data, changing and use of passwords, storage devices, locking and securing computers, using safe connectivity, and so on.

Being aware of phishing, particularly spear phishing is where particular precautions, mainly via education and awareness, can be taken.

Awareness is key as it is normally via staff, or oneself, that a perpetrator has managed to “get through”.

Reducing published information is a good start. For example, the practice of including policy schedules with policy numbers, building addresses, names of owners and section numbers, bondholder details etc. and then including in AGM packs immediately opens the door to fraud and phishing. Minimalise information.

Publishing the name of your financial director on your webpage can easily attract phishing. This is where social engineering starts.

As technology has developed, so have the risks associated with cybercrime and cyber liability. POPIA and PAIA formalises the “law of information” and thus businesses, entities and community schemes need to formalise mitigation against these very real risks, and where possible, transfer these risks by way of appropriate insurance products

Should you wish to find out more about a specific point made and/or require our assistance, please contact us on 061 536 3138 or email info@tvdmconsultants.com.

About the Author: Mike Addison owns Addsure (FSP 15269), a specialist sectional title insurance and financial advice service provider.