Stepping Up Your Building’s Data Security 5 Tips to Level Up Your Practice

Stepping Up Your Building’s Data Security

A decade ago, I was elected onto the board of a condo of a fairly young building that was plagued with assessments, lawsuits, and other issues.

A previous board member—happy to pass on the troubled torch—came over to hand me a binder as part of the transition. Within this binder were printouts of emails with the sponsor about early issues, emails with an attorney about a sponsor lawsuit, copies of invoices from vendors we still needed to chase down to get work finished, and some of the key sections of the condo offering plan. I was ready to go to work, but our data governance made it essentially impossible to be successful. (More on that later.)

As a technology professional, I thought, ‘This cannot be how institutional knowledge is passed down when managing real estate assets’. I quickly set us up with a building email address and cloud storage account to capture all communications moving forward–something that wasn’t common practice at the time.

Over 10 years later, and now in my work supporting thousands of properties, I’ve come to learn that that binder was more than many other building management teams get during a transition. Institutional knowledge and data retention practices are still very much in personal email inboxes, or in a property manager’s personal file cabinet. Outside of an ‘email log,’ data practices are often an afterthought for boards, and even for managers. 

But just because this is how it’s always been done doesn’t make it acceptable. Especially as more data shifts to the cloud, management teams and owners need to take a serious stance on their data storage practices.

Why do your data practices matter?

Securing Sensitive Data

Building operations contain sensitive data. From applications containing social security numbers and resident contact information to meeting minutes and governance documentation, consider the information you would not want to get leaked or lost. Along these lines, board members and management teams should be mindful of where communications happen in the case those communications (e.g. your entire email inbox) are subpoenaed in litigation.

Another way to look at it: buildings often spend up to tens of thousands of dollars annually on securing the physical building itself: fobs, locks, building access, security cameras, and so forth. But fall far short when it comes to investing equally in the less visible ‘back door’ that is their data.

Passing Along Institutional Knowledge

Turnover is inevitable, whether with your community manager or board members. Whenever that happens, does it feel like you’re starting from scratch? Good knowledge management means retaining important historical data—getting it out of someone’s head, and into a knowledge center that can then be accessed and made use of by subsequent administrators.

Organizing Your Data

Sure, by now you may have a lot of information tracked in the cloud—via emails, text messages, or cloud storage—but when you need to track that information down, is it easy to find? Try tracking down what happened on a single issue that happened last year... I’ll wait. 

All jokes aside, when you systematically centralize all of your board/management team’s communications, files, and documentation, this will become a much easier exercise.

So how do you get started? Here are 4 tips for establishing strong data practices:

Establish Your Protocols

Managing data is a team effort. Align on how all participants—management, board, staff, and even residents—will play a role in securing, maintaining, and organizing your data. This includes documenting where your data will be housed, what data goes where, and identifying methods for centralizing communication channels.

Vet Your Vendors

As part of your protocols, understand which vendors have access to or will store data, such as resident contact information or payment details. If they can obtain or are responsible for any sensitive data, it’s critical to know their data security practices.

Some things to look for? First and foremost, confirm that your data is not being resold or used for other purposes than supplying the service. Read their policies and ask for what security measures they put in place, any past data breaches, and what their response protocols are. When it comes to data security, services with access to important data must be proactive—simply saying “it hasn’t happened before” is not good enough. 

Be Wary of How Your Data is Being Used

Free and off-the-shelf tools also count as vendors. As the prevalence of open source tools like ChatGPT rises, and as alluring as it is to save a few dollars here and there, remember that ‘free’ is never truly free. Be aware of the trade off, and educate your entire team. 

When it comes to tools to which you provide data (think email, messaging, content) if you’re not paying for a license, most likely you are the product—meaning that any data you are providing can be either used for resale, advertising, or, in this new AI-world, large language model training. For instance, ChatGPT’s free platform uses inputs from users to train the model further, which means those inputs enter their knowledge library. 

These tools can be huge time savers. So instead of simply barring access to them, it may be worth identifying what people are using and setting a budget accordingly.

Look for System and Organization Controls (SOC)

A good shortcut is to look for System and Organization Controls (SOC) certification. The gold standard of SOC compliance with the highest measures of controls is SOC 2 Type 2.

Developed by the American Institute of CPAs (AICPA), organizations that care deeply about their data security practices can voluntarily engage an independent third-party auditor to evaluate their approach to security, availability, processing integrity, confidentiality, and privacy. 

It’s an extensive, ongoing effort—the company I started after my previous board experiences, Super, has chosen to put ourselves under this microscope. Each evaluation cycle covers 12 months of extensive checks on all aspects of the business, from our hiring practices to detailed engineering logs.

More Reasons to Take Control of Your Data

There is a saying: ‘A chain is only as strong as the weakest link.’ That certainly applies to data security and access control. But taking control of your data isn’t just about mitigating risk. There are real and lasting operating efficiency benefits to doing so as well.

For instance, you will gain access to insights that previously would never have been available, such as data points on volume of issues, systemic problems vs the squeaky wheels, and history with your vendors. No more finger pointing or guessing; the audit trail will be there.

The day-to-day will also become more efficient as teams have fewer bottlenecks on obtaining context, and as a result decision-making will not just be faster but more informed.

And of course, transitions will become easier. It will make it more appealing for new team members to join, and offboarding and onboarding will no longer become a barrier to entry. All of that should help you sleep a little better at night. 

While property managers and boards may not need to undergo such a rigorous certification as SOC 2, I can’t stress enough the importance of having your own protocols in place, and to select vendors that will uphold—or even elevate—your data practices.

To bring it all full circle, I learned all of this the hard way so you hopefully don’t have to. That building I mentioned at the start? We spent thousands of dollars on attorney fees–only to realize too late that one specific piece of paperwork hadn’t been filed in time to make a warranty claim by the previous board. It was all a waste of time and money we didn’t have to spare. With better data practices, we can make these types of fumbles a problem of the past.

Lindsay Liu is the co-founder and CEO of Super, an AI communications and workflow hub for property management. She may be reached at lindsay@hiresuper.com

Related Articles

Woman lips with hand whispering in mans ear with speech bubble. Pop Art style, comic book illustration. Secrets and gossip concept. Vector.

Q&A: Improper Disclosure?

Q&A: Improper Disclosure?

Q&A: Privy to Policies

Q&A: Privy to Policies

Q&A: Privy to Policies

Woman lips whispering in mans ear with speech bubble. Pop Art style, comic book illustration. Secrets and gossip concept. Vector.

Q&A: Private Number?

Q&A: Private Number?

Condos and private docs on a waterway in New Jersey

The Case of the Unwillingly Shared Walkway

NJ Condo Association Argues Against Public Access

Co-op/Condo/HOA  Instructions Included

Co-op/Condo/HOA Instructions Included

The Importance of Governing-Document Literacy

A person is using a leaf blower to clean up a sidewalk in the city. Colorful leaves are swirling around.

Q&A: Contract Transparency

Q&A: Contract Transparency