After another client contacted us inquiring about the Corporate Transparency Act (CTA), we thought it was time to write a brief summary on this law and what it means to community associations.
The CTA was enacted by the United States Congress on January 1, 2021. The stated purpose of the law is to generally address “the disclosure of corporate ownership and the prevention of money laundering and the financing of terrorism”. I know, you’re asking – how in the world does this apply to community associations? The simple answer is, it wasn’t really intended to, and community associations appear to be “stuck in the middle” of it (as is often the case). A *very* brief summary and discussion about the CTA is below.
It appears that associations are “Reporting Companies”, for the most part.
The exemptions listed in the CTA do not appear to apply.
It appears that as of now, Board members would qualify as “Beneficial Owners” under the CTA because in their capacity as Board members (or the governing body as a whole), they exercise “substantial control” over the association as a Reporting Company.
Reporting Companies must provide general information (name, address, tax ID, formation info, etc.) as well as specific information on each Beneficial Owner (i.e., Board member) – name, DL or passport, DOB, etc.
A failure to report may result in civil fines and/or criminal fines for fraudulent reporting or a purposeful failure to report.
Based upon our review of the current iteration of the CTA and agency Rule(s) related to same, we believe that the vast majority of Pennsylvania community associations (especially those registered as a non-profit corporation with the PA Department of State) will likely be subject to the law, as it currently stands. But don’t panic, we still have some time to figure this out – the filing requirement becomes effective on January 1, 2024 (and the report must be filed by 1/1/25 for existing Reporting Companies).
We will continue to monitor the CTA and will update the Hoffman Law Blog as soon as we learn any new information.
Those of you who follow Hoffman Law LLC may remember our post from a few years back reminding you to get your Decennial (i.e., 10 year) Reports filed with the PA Department of State to save your name:
NEWS ALERT – THIS HAS ALL CHANGED – EFFECTIVE BEGINNING IN 2025 AN ANNUAL REPORT IS REQUIRED! What does this mean to your Community Association? The Pennsylvania Department of State has provided the following guidance (in pertinent part(s)):
On November 3, 2022, Governor Wolf signed into law Act 122 of 2022, and the law became effective on January 2, 2023. Among the many changes made by this legislation, Act 122 created an annual report requirement (like that imposed by most states) for domestic and foreign filing associations. The long-time decennial report requirement for these associations has been repealed. The new annual report filing is required for many types of entities, including domestic nonprofit corporations (which includes many Community Associations).
Here is the good news – we have some time. The annual report requirement begins in calendar year 2025. Similar again to other states, failure to file the annual report will subject a nonprofit corporation Community Association to administrative dissolution/termination/cancellation and loss of the protection of its name.
The annual report will include the following:
Community Association Name
Jurisdiction of formation
Registered office address
Name of at least one director, board member, etc., depending on type of Ass’n
Names and titles of the principal officers, if any
Address of the principal office
Entity number issued by the Pennsylvania Department of State
The fee for the new annual report is $0 for nonprofit corporations (which includes many Community Associations) and the deadline for filing the annual report is June 30 of each year.
The Department of State will mail notice to the registered office address of each nonprofit corporation Community Association required to make an annual report at least two months prior to the respective deadline, reminding it of the need to make an annual report. It is critical that affected nonprofit corporation Community Associations keep all information on file with the Department up-to-date, particularly registered office address, to ensure that they receive notice of how and when to make annual reports. Nonprofit corporation Community Associations also have the ability to provide emails for additional notifications. However, failure by the Department to deliver notice to any party, or failure by any party to receive notice, of an annual report filing requirement does not relieve the nonprofit corporation Community Association of the obligation to make the annual report filing.
The new annual report requirement is a significant change for Pennsylvania. Therefore, Act 122 requires that the Department provide nonprofit corporation Community Associations with a transition period before imposing any dissolution/termination/cancellation for failure to file annual reports. Beginning with annual reports due in 2027, nonprofit corporation Community Associations that fail to file annual reports in the 2027 calendar year will be subject to administrative dissolution/termination/cancellation six months after the due date of the annual report.
Should a nonprofit corporation Community Association discover that it has failed to make a required annual report and has been dissolved or terminated, it has the opportunity for reinstatement, with no limitation on the period of time for such reinstatement. Such reinstatement must be accompanied by the application for reinstatement fee and a fee for each delinquent annual report that was not previously paid (if a fee is then applicable, as it is currently listed to be $0).
During the time of administrative dissolution/termination/cancellation, the nonprofit corporation Community Association’s name is made available to any other entities. If another entity has taken the name of the existing (senior/original) nonprofit corporation Community Association seeking reinstatement, the other nonprofit corporation Community Association that has appropriated the name may keep the name and the existing (senior/original) nonprofit corporation Community Association seeking reinstatement must choose a new name.
IT IS THEREFORE CRITICAL TO FILE AN ANNUAL REPORT BEGINNING IN 2025 TO CONTINUE TO PREVENT DISSOLUTION/TERMINATION/CANCELLATION OF YOUR COMMUNITY ASSOCIATION … AND TO CONTINUE TO SAVE YOUR NAME!
Source for this Blog Post: https://www.dos.pa.gov/BusinessCharities/Business/Resources/Pages/Annual-Reports.aspx
Many clients of Hoffman Law LLC are aware that Ed Hoffman serves as the current Chair of the Community Associations Institute (CAI) Pennsylvania Legislative Action Committee (PA LAC) and have increasingly been inquiring about PA House Bill 1795 which was signed into law on November 3, 2022 and becomes effective on May 2, 2023. The Amendments, now known as Act No. 115 of 2022, made various changes and additions to the three Pennsylvania common interest community statutes: the Uniform Condominium Act (UCA), the Uniform Planned Community Act (UPCA) and the Real Estate Cooperative Act (RECA) (we will discuss the changes to the UCA and the UPCA below). While it’s not on the level of Peter Frampton, House Bill 1795 has indeed come alive!
Independent Reviewer
To begin, for condominium associations and master associations that have over 500 units, votes in an election of the association must be submitted to an “independent reviewer” pursuant to amendments to Sections 3303(e)(3) of the UCA and 5222(e.1) of the UPCA. (It is noted that §5222 of the UPCA specifically applies to “master” associations, so if the intent was to have it to apply to all planned communities, the UPCA will presumably need to be amended once again).
What is an independent reviewer? An independent reviewer is defined in §3103 of the UCA and §5103 of the UPCA as a person who is selected by the Executive Board of a condominium and/or planned community and satisfies all of the following:
(1) Holds a certificate as a certified public accountant issued by the Commonwealth, is
licensed to practice law in this Commonwealth, or is a “vote management system”. (A “vote management system” is defined in §3103 of the UCA and §5103 of the UPCA as “a third-party vendor who operates a digital or subscription service that securely manages the conduct of elections and voting procedures” – in other words, a commercial, association voting management solutions provider).
(2) Is not a unit owner of the condominium or planned community, directly or indirectly.
(3) Has no immediate family relationship (i.e., parent, child, spouse, brother or sister) with a unit owner of the planned community or the condominium or planned community manager.
(4) Has no financial interest shared with a unit owner of the condominium or planned community manager.
(5) If compensated by the declarant, a director, the association or the condominium or planned community manager, has disclosed the terms of the compensation to all unit owners of the condominium or planned community at a scheduled meeting.
While the above provisions related to an independent reviewer apply to all condominium associations and master associations that have over 500 units, Sections 3303(e)(3) of the UCA and 5222(e.1) of the UPCA also allow condominium associations and master associations that are under 500 units to essentially “opt in” to utilize an independent reviewer, when approved by a vote of at least 51% of the unit owners.
Finally, Sections 3303(e)(3) of the UCA and 5222(e.1) of the UPCA provide that the board shall (i.e., must) present the official election results based on the certified election report from the independent reviewer at a meeting of the unit owners and shall (i.e., must) enter the results in the meeting records.
Removal of Board Members in Condominium Associations
Section 3303(g) was added to the UCA to clarify how board members can be removed with 2/3 of vote of the unit owners:
Removal of member of executive board.–Notwithstanding any provision of the declaration or bylaws to the contrary, the unit owners, by a two-thirds vote of all persons present and entitled to vote at any meeting of the unit owners at which a quorum is present, may remove any member of the executive board with or without cause, other than a member appointed by the declarant, provided notice of the intention to remove a member of the executive board is given with the notice of the meeting at which such removal is considered, as provided under section 4303(g) (NOTE: TYPO IN AMENDMENT? – the referenced section is from a different statute) (relating to executive board members and officers).
(It is noted that the UPCA already had a similar parallel provision at Section 5303(f)), therefore a new section was not required to be added to the UPCA).
Removal of Board Members and Officers – Required Bylaw Language
Section 3306(a)(3) of the UCA and Section 5306(a)(3) of the UPCA both provide that the Bylaws for an association must provide for the qualifications, powers and duties, terms of office and manner of electing executive board members and officers and removing executive board members and officers under section 3303(g) and 5303(f) (relating to executive board members and officers) and filling vacancies.
Good Standing
As it applies to condominiums and master associations, Sections 3303(e)(3) of UCA and Section 5222(e.1) of the UPCA now provide that “in order to be eligible to vote in the election, a unit owner shall be in good standing with the association.” (It is noted that a “unit owner in good standing” is already defined in §3103 of the UCA and §5103 of the UPCA as a unit owner who is current in payment of assessments and fines, unless the assessments or fines are directly related to a complaint filed with the Bureau of Consumer Protection in the Office of Attorney General regarding §3308 of the UCA or §5308 of the UPCA (relating to meetings); §3309 of the UCA or §5309 of the UPCA (relating to quorums); §3310 of the UCA or §5310 of the UPCA (relating to voting; proxies); and §3316 of the UCA or §5316 of the UPCA (relating to association records)).
Electronic Meeting Notices
A unit owner can now receive meeting notices for a condominium or planned community by electronic means if the unit owner has agreed in writing (opts in) to accept the notice by electronic means or where the bylaws permit electronic notices. See §3308(a) of the UCA and §5308(a) of the UPCA.
Electronic Meetings
Board and association meetings in condominiums and planned communities can be now be held using remote technology, i.e., virtually or by telephone conference, unless the bylaws provide otherwise. See §3308(c) of the UCA and §5308(c) of the UPCA.
While the bylaws must still require that a meeting of the association occur at least once each year, the requirement that the yearly meeting be held in person was eliminated. See §3308(a) of the UCA and §5308(a) of the UPCA.
Participation in Board or Association Meetings By Remote Technology
Unless the bylaws provide otherwise, an individual may now participate in a meeting of the board or association by means of a conference telephone or other remote electronic technology, including the internet, which allows participants in the meeting to hear each other. Participation in such a meeting shall be deemed in-person attendance at the meeting. See §3308(c) of the UCA and §5308(c) of the UPCA.
Bylaw Requirements for Delivery of Notice of Virtual Meetings
Pursuant to Sections 3308(b) of the UCA and Section 5308(b) of the UPCA, Bylaws in condominium associations and planned communities must [now] require that notice of virtual meetings of the association be given by:
(1) First class or express mail, postage prepaid, or courier service, charges prepaid, to the
mailing address of each unit or to any other mailing address designated in writing by the unit owner. Notice shall be deemed to have been given to a unit owner when deposited in the United States mail or with a courier service for delivery to the unit owner.
(2) Facsimile transmission, e-mail or other electronic communication to the unit owner’s facsimile number or address for e-mail or other electronic communications supplied by the unit owner, provided that the unit owner has agreed in writing to accept the notice by electronic means or where the bylaws expressly permit means of delivering electronic notice. Notice shall be deemed to have been given to the unit owner when sent.
Approved Methods of Voting – Now Includes Electronic Voting
Sections 3310(e) of the UCA and 5310(e) were added to the UPCA related to approved methods of voting, and provide as follows:
(1) Except to the extent expressly prohibited in an association’s declaration or bylaws, the voting rights of a unit owner may be cast or given in the following ways:
(i) in person or by proxy at a meeting of the association;
(ii) by absentee or electronic ballot; or
(iii) by another method of voting expressly provided in the association’s declaration or bylaws.
(2) An absentee or electronic ballot may:
(i) Be counted as a unit owner present and voting for the purpose of establishing a quorum, and otherwise, only for agenda items appearing on the ballot.
(ii) Not be counted even if properly delivered, if the unit owner attends the meeting to vote in person. A vote cast at a meeting by a unit owner supersedes a vote submitted by absentee or electronic ballot previously submitted for that agenda item.
(3) The term “electronic ballot” means a ballot cast or given by electronic transmission
over the internet, vote management system or the association’s community network, whether by direct connection, intranet, telecopier, electronic mail or other technological means, if the identity of the unit owner submitting the ballot can be confirmed and a receipt of the electronic transmission and ballot can be made available to the unit owner.
Acclamation (for an uncontested election)
Section 3310(f) was added to the UCA and Section 5310(f) was added to the UPCA with respect to acclamation for uncontested elections. Unless the bylaws of the association provide otherwise, these new statutory provisions provide that in the event that an election for a position on the board is uncontested, the officer or chair presiding at the election meeting may declare the nominee(s) elected by acclamation after determining there are no further nominations.
Pre-Election Sessions (Meet the Candidates) for Contested Elections
Pursuant to Sections 3308(d) of the UCA and Section 5308(d) of the UPCA, Bylaws in condominium associations and planned communities must require that in the event that there are more candidates than open positions on the executive board (i.e., a contested election), then, upon request of one or more of the candidates, the association shall hold a special session at least seven days before the election of a board member to allow the unit owners to meet each candidate for an executive board position. Each candidate for an executive board position shall have equal time to address the unit owners during a special session.
Recorded Meetings
Pursuant to Sections 3308(e) of the UCA and Section 5308(e) of the UPCA, unless the bylaws provide otherwise, meetings of the association may be recorded by the board via audio or video technology, provided that an announcement is made by the presiding officer at the commencement of the meeting that the meeting will be recorded. A recorded meeting shall be maintained and available to unit owners for a period of no less than six (6) months after the date of the meeting.
Quorum for Association Meetings After Multiple Attempts
Pursuant to Sections 3309(a)(2) of the UCA and Section 5309(a)(2) of the UPCA, except as otherwise provided in the declaration or bylaws of the association, if the association can’t obtain a quorum for any meeting of the association and fails to meet a quorum at two subsequent meetings, the association may utilize the following provisions contained in Section 5756(b) of the PA Non-Profit Corporation Law (relating to quorum) to meet quorum requirements:
(b) Exceptions.–Notwithstanding any contrary provision in the articles or bylaws, those members entitled to vote who attend a meeting of members:
(1) At which directors are to be elected that has been previously adjourned for lack of a quorum, although less than a quorum as fixed in this section or in the bylaws, shall nevertheless constitute a quorum for the purpose of electing directors.
(2) That has been previously adjourned for one or more periods aggregating at least 15 days because of an absence of a quorum, although less than a quorum as fixed in this section or in the bylaws, shall nevertheless constitute a quorum for the purpose of acting upon any matter set forth in the notice of the meeting if the notice states that those members who attend the adjourned meeting shall nevertheless constitute a quorum for the purpose of acting upon the matter.
Amendments of Bylaws
Sections 3306(a)(6) of the UCA and Section 5306(a)(6) of the UPCA were amended to clarify how bylaws may be amended, as follows:
(i) The bylaws may be amended only by vote or agreement of unit owners of units to which at least:
(A) fifty-one percent of the votes in the association are allocated;
(B) any larger majority as specified in the bylaws; or
(C) a smaller majority as specified in the bylaws if all of the units are restricted
exclusively to nonresidential use.
(ii) The vote may be taken only at a scheduled meeting and following notice to the unit owners as provided under sections 3308 of the UCA or 5308 of the UPCA (each relating to meetings) that was advertised 14 days in advance to the unit owners. Absentee voting shall be permitted to unit owners provided that the ballots must be submitted to an independent reviewer by the commencement of the scheduled meeting.
Retroactivity
At this stage it is not entirely clear what the desired intent was with respect to retroactivity of the amendments to communities that precede the enactment of the UCA and/or the UPCA, or with respect to general principles of statutory retroactivity in general. It is expected this may become an issue that will arise during the 2023-2024 legislative session, especially if challenges to the applicability of any of the amendments begin to be raised by communities.
Parting Words
This discussion of PA House Bill 1795, now known as Act No. 115 of 2022, and specifically, the various changes to the UCA and the UPCA, is intended to provide a summary of the current state of the statutory amendments as of the posting date of this Hoffman Law LLC Blog post on January 30, 2023. (The amendments, as passed, can be found here). It is expected that certain provisions may change or be further amended during the 2023-2024 legislative session – in other words, House Bill 1795 will continue to stay alive! Stay tuned.
The first question that Board members usually ask is – what is fiduciary duty?
The Merriam-Webster Dictionary defines fiduciary duty as follows:
“A duty obligating a fiduciary (as an agent or trustee) to act with loyalty and honesty and in a manner consistent with the best interests of the beneficiary of the fiduciary relationship (as a principal or trust beneficiary).”
There are various duties associated with fiduciary duty, and depending on the jurisdiction these duties may include:
Duty of Care;
Duty of Loyalty;
Duty of Confidentiality;
Duty to Act Within Scope of Authority;
Duty of Good Faith;
Duty of Prudence; and
Duty of Disclosure.
How does fiduciary duty apply to community associations?
In the context of a community association, a fiduciary duty entails the duty that a Board of Directors (and/or a member thereof) owes the Association (which is typically a non-profit corporation). The Board has a fiduciary duty to act in the best interests of the Association with every decision that it makes.
What standard of review do the courts utilize as it relates to fiduciary duty?
Courts in most jurisdictions utilize some form of the “business judgment rule” (BJR) as it relates to fiduciary duty issues. Under the BJR, board members must make decisions within the scope of their given authority, in good faith, using ordinary care and in the best interest of the Association.
Under the BJR, courts do not substitute their judgment for that of the board of directors and will not interfere with the internal management of the Association unless the acts complained of constitute fraud, bad faith or gross mismanagement, or are unlawful. Kelso Woods v. Swanson, 692 A.2d 1132 (Pa. Cmwlth. 1997), Mulrine v. Pocono Highland Community Association, 616 A.2d 188 (Pa. Cmwlth. 1992).
In order to establish a cause of action for breach of fiduciary duty against an association for actions taken by its board members under the BJR, the party complaining must allege facts which would establish that the actions of the board members were unauthorized, or that the actions had been taken fraudulently, in bad faith, or constituted self-dealing. Lyman v. Boonin, 635 A.2d 1029 (Pa. 1993).
In Pennsylvania, the Non-Profit Corporation Law of 1988, 15 Pa.C.S. § 5101 et seq. (NPCL), addresses the standard of care related to board members of non-profit corporations, which include Associations:
§ 5712. Standard of care and justifiable reliance.
(a) Directors. — A director of a nonprofit corporation shall stand in a fiduciary relation to the corporation and shall perform his duties as a director, including his duties as a member of any committee of the board upon which he may serve, in good faith, in a manner he reasonably believes to be in the best interests of the corporation and with such care, including reasonable inquiry, skill and diligence, as a person of ordinary prudence would use under similar circumstances. In performing his duties, a director shall be entitled to rely in good faith on information, opinions, reports or statements, including financial statements and other financial data, in each case prepared or presented by any of the following:
One or more officers or employees of the corporation whom the director reasonably believes to be reliable and competent in the matters presented.
Counsel, public accountants or other persons as to matters which the director reasonably believes to be within the professional or expert competence of such person.
A committee of the board upon which he does not serve, duly designated in accordance with law, as to matters within its designated authority, which committee the director reasonably believes to merit confidence.
(b) Effect of actual knowledge.–A director shall not be considered to be acting in good faith if he has knowledge concerning the matter in question that would cause his reliance to be unwarranted.
(c) Officers.–Except as otherwise provided in the bylaws, an officer shall perform his duties as an officer in good faith, in a manner he reasonably believes to be in the best interests of the corporation and with such care, including reasonable inquiry, skill and diligence, as a person of ordinary prudence would use under similar circumstances. A person who so performs his duties shall not be liable by reason of having been an officer of the corporation.
15 Pa.C.S. § 5712.
The NPCL also speaks to the personal liability of directors:
§ 5713. Personal liability of directors.
General rule.–If a bylaw adopted by the members of a nonprofit corporation so provides, a director shall not be personally liable, as such, for monetary damages for any action taken unless:
The director has breached or failed to perform the duties of his office under this subchapter; and
The breach or failure to perform constitutes self-dealing, willful misconduct or recklessness.
Common Interest Community Statutes — In Pennsylvania, pursuant to both the Uniform Condominium Act, 68 Pa. C.S. § 3101 et seq. and the Uniform Planned Community Act, 68 Pa.C.S. § 5101 et seq., board members stand in a fiduciary relation to the association and shall perform their duties, including duties as members of any committee of the board upon which they may serve, in good faith in a manner they reasonably believe to be in the best interests of the association. See 68 Pa.C.S. § 3303(a) and § 5303(a). Under the Pennsylvania Uniform Acts, Judicial review of board decisions is available even when a condominium or HOA was organized prior to the adoption of the Uniform Condominium Act, 68 Pa. C.S. § 3101 et seq. and/or the Uniform Planned Community Act, 68 Pa.C.S. § 5101 et seq.
Finally, a large percentage of community association Bylaws also speak to board members’ responsibilities and duties, and what standard is utilized to determine if a board member has acted appropriately. To wit, many Bylaws provide for indemnification for actions filed against the board and/or its members and specify when indemnity would apply given how a board member is to act on behalf the association (and at times, Bylaws will specify what actions would lead to no indemnification occurring, i.e., self-dealing, failure to act in the best interest of the association, etc.).
Insurance and claims.
Obtaining appropriate insurance to cover potential breach of fiduciary duty claims is critical for every association. Associations should work with insurance professionals that specialize in association matters in order to ensure that the association is receiving the best possible insurance product and coverage available.
As it relates to fiduciary duty claims, these claims can be brought under many legal theories (and for which it appears that the list of such potential legal theories is constantly growing), including:
Use of association property;
Buying/selling property;
Expenditure of association funds;
Hiring/firing;
Vendor and bidding issues;
Staff issues;
Election issues;
Member issues;
Collections disputes;
Operation of the association;
Self-dealing;
“Out of Control” board or board member(s) and Declaratory action(s) to remove;
Maintenance issues;
Design/Architectural issues;
Defamation;
Premises liability issues for an alleged failure to maintain;
Discrimination;
Failure to hold Annual Meeting;
Business decisions – insurance, reserve issues, FHA mortgage approvals; and
Enforcement of covenants/selective enforcement.
Fiduciary duty claims should be submitted to the association’s carrier for review under the association’s Officers (D&O) Liability Coverage. The D&O coverage part is generally drafted to include a myriad of potential claims, coverage for many of which may include a “wrongful act”. Board members must be considered an “insured” under the policy and required that the “insured” be acting in the scope of their capacity as a board member. There are also exclusions, defense cost issues and other issues pertinent to insurance that must be reviewed. The moral of the story is that D&O policies vary tremendously, so it is crucial that the association review their specific policy with its insurance professional in order to clearly understand their policy terms, conditions and exclusions.
Defense of fiduciary duty claims.
Typically, the threshold issue with the defense of breach of fiduciary duty claims is whether the BJR applies. The BJR is applied, in some form, whether through common law or statute, in the vast majority of jurisdictions. Standing to sue will be analyzed, as will the duties owed (i.e., is the duty owed to the association or is it also owed to individual members/owners?), conflicts/potential conflicts of interest, privilege and immunities and other issues like offers of judgment should be considered.
Claims, threats and suits should be submitted to the association’s D&O carrier so the carrier can make a coverage determination. It is important to notify the carrier as soon as possible so a defense can be provided, if applicable. Carriers will often open a file to “monitor” a fiduciary duty claim in the event the claim escalates and so defense to the claim may be provided to the association by the carrier.
Best practices.
How can associations attempt to avoid claims based upon an alleged breach of fiduciary duty? In a nutshell, board members should: (a) act within the scope of their given authority; (b) act in good faith; (c) use ordinary care; (d) act in the best interest of the association; (e) act reasonably with respect to enforcement of covenants and rules and regulations; and (f) act reasonably when making management and business decisions. Of course, each situation a board will face may be different, but at the day, acting reasonably will go a long way to overcome an allegation of a breach of fiduciary duty.
– Edward Hoffman, Jr., Esq., CCAL
* A version of this Blog post was drafted by Edward Hoffman, Jr., Esq., CCAL and originally included in his portion of the written materials for his presentation at CAI’s 2018 Community Association Law Seminar in Palm Springs, CA.
Time flies. Since about 2010, I have been counseling community associations on risks involving potential breaches of personal information and the fact that Pennsylvania has a specific statute related to such breaches, literally called the “Breach of Personal Information Notification Act” (“BPINA”). BPINA was recently amended and signed into law by Governor Wolf on November 3, 2022 (and effective in 180 days).
As a general BPINA primer, community associations qualify as “businesses” under BPINA and are covered “entities” which do business in the Commonwealth of Pennsylvania. BPINA defines “Personal information” as follows:
(1) An individual’s first name or first initial and last name in combination with and linked to any one or more of the following data elements when the data elements are not encrypted or redacted:
(i) Social Security number.
(ii) Driver’s license number or a State identification card number issued in lieu of a driver’s license.
(iii) Financial account number, credit or debit card number, in combination with any required security code, access code or password that would permit access to an individual’s financial account.
(iv) Medical information. (Added as amended on 11/3/22)
(v) Health insurance information. (Added as amended on 11/3/22)
(vi) A user name or e-mail address, in combination with a password or security question and answer that would permit access to an online account. (Added as amended on 11/3/22)
Most community associations do not keep social security numbers, medical information and/or health insurance information (and likely should not be if they are), but many have access to and keep records of driver’s licenses, financial accounts and credit/debit cards. Many also have portals which contain a user name or e-mail address, in combination with a password or security question and answer that would permit access to an online account (usually an association account of some kind). (Note: the last section re: email addresses and login information was added as amended on 11/3/22 so community associations should use due diligence to protect the information and comply with BPINA as amended, even if they were properly handling records of driver’s licenses, financial accounts and credit/debit cards prior to the recent BPINA amendments).
Hopefully any and all of this personal information is being properly handled and kept (maintained) offsite on properly encrypted systems run by third-party providers and/or contactors to attempt to offset and/or limit liability (I note that managing agents also keep this information as well, and there should be similar considerations/protections for maintaining such data).
BPINA has always required notification of the breach of the security of the system, but the November 3, 2022 BPINA amendments added additional notification requirements, including the following new Section 3(a.3):
(a.3) Electronic notification.–In the case of a breach of the security of the system involving personal information for a user name or e-mail address in combination with a password or security question and answer that would permit access to an online account, the entity, to the extent that it has sufficient contact information for the person, may comply with this section by providing the breach of the security of the system notification in electronic or other form that directs the person whose personal information has been materially compromised by the breach of the security of the system to promptly change the person’s password and security question or answer, as applicable or to take other steps appropriate to protect the online account with the entity and other online accounts for which the person whose personal information has been materially compromised by the breach of the security of the system uses the same user name or e-mail address and password or security question or answer.
Accordingly, community associations should be aware of not just the general (preexisting) notification requirements pertinent to a breach of personal information, but associations should also understand how to handle notification involving the breach of the security of the system involving personal information for a user name or e-mail address in combination with a password or security question and answer that would permit access to an online account in accord with BPINA as amended.
Finally, this post was not intended to serve as a discussion of how to properly handle a breach of personal information nor was it intended to be an exhaustive review of BPINA in general and/or as amended; rather, the intent was to notify our community association clients and industry colleagues of changes in the law, so proper due diligence can be undertaken. For some reason lawyers [still] love to use a dead language – Latin – to make their points. Our question is therefore: parati estis? … or, are you ready?
To get ready, we recommend that community associations review BPINA as amended, which can be found here, discuss with their counsel, managing agents, any service providers that handle personal information (especially association software providers), and confirm proper insurance coverage with association insurance professionals. As it relates to insurance, community associations should obtain adequate cyber-liability insurance to offset risk and cover a breach incident (it is noted that the cost of proper notification is tremendous, especially if the breach involves notification to over 1,000 persons at one time (because all consumer credit reporting agencies must also be notified)).
![The [Federal] Corporate Transparency Act is Here… and it Looks Like it’s Coming to Community Associations](https://i0.wp.com/hoffmanhoalaw.com/wp-content/uploads/US-Capitol-Official-Photo.jpg?resize=1072%2C675&ssl=1)
