It’s 2012, and chances are, your community association has a virtual presence on the Internet. Whether your association runs its own website, has a site run by a management company or some other third-party vendor, or is active on a social media site, association leaders and Managers should take some steps in order to protect the community association from potential legal problems.
Step one: Have a plan.
All too often, communities go “online” without really having a plan. The end result is usually a disorganized free-flow of ideas and information that serves no real purpose aside from being able to say that the community is online. Instead of simply throwing content on a website, the community’s leaders should determine exactly why they want the community to be online. Determining why the community is going to be online will then automatically serve to determine what gets put online. For example, if the community’s main purpose in going online is to disseminate information relevant to the community to its member-owners, then the content that is posted should be specifically tailored to that audience. Posting content about topics unrelated to information about the community will only distract from the purpose of the association’s website and may lead to unexpected problems down the road.
Step two: Limit content.
From a liability perspective, the Achilles heel for most association websites is the failure to limit content. Content should be limited, by the association, to matters that benefit the community. A community should never allow unrestricted content to be posted to its website, whether it comes from members or non-members. In other words, the official association website is not the place to allow people to post their gripes about the association, its leadership, other owner-members, the municipality, the landscaper, the Manager or a host of other unsuspecting victims. The association website should therefore not contain an “open-posting” forum, bulletin board or other area where people can freely post anything they want to the website. Remember, this content gets posted to the association website, which means that the association can be held responsible for its content. If owner-members want the community to have an online “bulletin-board” to post garage sales, items for sale, recipes, a community calendar and other events, the community should encourage members to submit this information to the designated contact person for the community website, either by email, mail or in person. This person can then compile the information, edit if necessary, and post it to the website.
• Public v. Private Content
With respect to any content that is posted by the association to its website, the difference between public and private content must be examined very carefully by the association. In a nutshell, public content is content that the whole world can see, for example, the association name, the location of the community, amenities and photographs of common areas. Public content is generally included in an association website to show people why that community is, in fact, a great place to live. Some associations post association documents, like committee forms, budgets, meeting minutes and other items as public content. Generally, associations should post these items to a designated “owners-only” area that requires a username/login and a password for access. While people who do not live in the community might, for some odd reason, want to read the association’s budget or check out last month’s meeting minutes or a blank architectural review committee application, they are not entitled to have access to these documents. These types of documents are relevant to those who live in the community and access to them should therefore be limited to residents.
An association’s controlling documents might provide the association with the ability to post information on a community bulletin board, electronic or otherwise, including the names of owners that are more than 90 days delinquent on their assessments. This information should not be posted to the “public” portion of the website because of privacy concerns and fair credit issues. For instance, if Mrs. Jones in unit 2B is 120 days in arrears on her assessments, a quick Internet search of “Mrs. Jones, unit 2B, town of XYZ” might provide this information to a potential employer, creditor or other person that might wrongly or illegally hold it against Mrs. Jones. Sometimes sharing information becomes a problem not only for those whom are the subject of the information, but also for those who are innocently providing the information for some good-faith purpose. Remember, the general rule is that once information is out in cyberspace, it can’t be taken back or permanently deleted. Therefore, it is better to ensure that the content that is posted on the association website is really content that is safe for public consumption.
Dealing with private content is a bit trickier since there are two levels: (1) private content which all members of the community have access to; and (2) private content specific to each individual owner. All members might have access to association forms and documents. If an association wants to post its various community documents online for the benefit of its owner-members, the association can easily set up a designated area that requires a login and password to gain access to this downloadable information. The designated website administrator should be the only person able to upload documents to the website, so that the association can control which documents are posted.
Associations should also include the community’s online bulletin board, calendar and contact information for the Manager in the private members-only area rather than on the public portion of the website. While this is “private” content which only members of the community can view, associations should limit the content that goes in this area just as they limit the content that goes in the public area of the website. For example, while the association might be allowed to post the names of owners that are more than 90 days delinquent on their assessments, it doesn’t mean that the association should do it— even on the “private” portion of the website. Common sense should come into play and an evaluation of why the association is posting this information should be undertaken. Moreover, if it decided that this arrearage information will be posted to the private portion of the website, the association must uniformly apply this standard to all members of the community on a consistent basis, and not just a handful of people in a piecemeal fashion. Otherwise, the association might find themselves defending an “unequal enforcement” or defamation to reputation lawsuit brought by the owner that feels like they were singled out by the association.
The second level of private content, content that is specific to each individual owner, is an area that is ripe for potential legal problems if the information were to get into the wrong hands. This content includes, but is not limited to, banking and account information for electronic assessment payments by owners, the owner’s account history and other Personally Identifiable Information (PII) like Social Security numbers, vehicle license plate numbers, birthdays, private telephone numbers and an owner’s age. Therefore, if an association chooses to post this content on the Internet, it must do so with the understanding that this information is confidential in nature and every possible precaution must be undertaken to protect this information. Aside from the normal login & password requirements, the portion of the site should also utilize a secure connection (usually Transport Layer Security, or TLS, in the form of an “https” page over the Internet) to protect the information. Associations should use a qualified, professional management company to provide such a service or a third-party vendor that specializes in this area of information technology. Retaining a third party to handle managing and protecting the private content is a good idea, but this may not completely absolve an association from liability should there be a breach of information. However, every association should strive to be proactive when it comes to protecting private content. A failure to be proactive can lead to potentially devastating consequences for an affected owner and a strong likelihood that the association will face some sort of legal liability for the breach.
Step three: Monitor, monitor and monitor some more.
If an association decides that it wants to allow some level of interactivity or unrestricted posting on its website, then it is imperative that the association monitor what is being posted on the site. Monitoring the content that is posted to the site should be done on a consistent, timely basis by a designated moderator. The moderator should enforce the ground rules that must be listed on the site as it pertains to posting. Ideally, the association should have a policy for posting that the site visitor must agree to prior to being able to post any content to the website. Any violation of the policy can be grounds for removal of the post and a ban on all future posts on the association’s website. This type of content monitoring and moderation can also be performed on social media websites like Facebook, so long as the association sets up and runs the social media page on behalf of and in the name of the association. Never allow an owner or some other person to set up a social media page on behalf of or in the name of the association, because (a) others may think it is the official association page and (b) the association won’t be able to manage/restrict the content on the page. The future trend is for the association to create an acceptable use policy for members who want to post to an “open” association website as well as a social media policy identifying the association’s social media pages as the official page.
Finally, while implementing acceptable use and social media policies and monitoring posted site content is surely proactive behavior, these actions can’t completely relieve an association of potential liability for improper, damaging, false, inflammatory or defamatory content that is posted to the association’s website or social media page. The key is to never acquiesce, either by way of action or by a failure to act, to potentially harmful postings on the association site.
Step four: Be on the lookout for the association in cyberspace.
Cyberspace, like outer space, is a seemingly endless place. Just as exploration of outer space is possible, so is exploration of the Internet. However, rather than using spacecraft, all we must do to explore the Internet is log a few keystrokes. In other words, we can utilize the myriad of search tools available on the World Wide Web to pinpoint the exact information we need. Using sites like Google and Yahoo!, for example, we can search most of the information that is publicly available on the Internet for free and with very little effort.
Thus, my advice is to perform a search, every so often, on the association’s name. This is due to the prevalence of copycat websites which purport to be the official association site, as well as an increasing number of “anti-association” sites created by disgruntled owners, former owners, non-community member neighbors or others that have an axe to grind with the association. An association should act quickly to remove a website which purports to be the official site. This is no easy task, and it usually involves litigation against the copycat site operator.
Similarly, should an “anti-association” website be located which contains negative, inflammatory, defamatory, false, confidential or damaging information on the website, the association must take affirmative steps to try and have this website taken down or at least have the harmful information removed from the site.
On social media sites, associations may discover unofficial pages run by owners, former owners and others, related to the association. If run by current owners, the association should ask the owner to remove the non-official page and ask all owners to join, “like,” or follow the official page for the community.
The situation is a bit more problematic when groups of owners maintain their own page. These members of the community may use the social media page, which is sometimes public in nature due to a lack of privacy restrictions set up by the page administrator, to vent about issues of concern to the community. Association leaders or Managers should try to monitor these pages, if at all possible, and do the best they can to have the social media users limit their comments about the community or other owners. Of course it’s not always possible find every page that is somehow related to the community, but if one is found efforts should be made to try and protect the interests of the community.
Finally, community leaders, Board Members and Managers should avoid connecting with association members on social media sites. By limiting their virtual relationships, they can avoid issues surrounding favoritism and ever-present fiduciary duty issues. If not “friending” others in the community is simply not possible, then the community leaders and Manager must refrain from posting comments about the community or community issues on any website that is not designated as an official community site. Similarly, even if the community leaders and Manager are not posting comments about the community or community issues on their own or their friends’ social media walls, they have an obligation to look out for the best interests of the association when reading comments that are made by others about the association.
Associations must be proactive in cyberspace, in order to preserve the “virtual brand” of the association and protect the best interests of the association. When there is doubt as to what to do, association leaders and Managers should seek the advice of qualified legal counsel so the association can stay in control and stay out of court.
By Edward Hoffman, Jr., Esq.*
Originally published in the November/December 2011 issue of Community Assets.