How cyber-secure are our vertical villages?

Technology has changed the landscape of when, where and how crimes are committed – and our vertical villages have already been breached!

While central to the way we live our lives, our increased use of technology has also seen dramatic increases in the frequency and reach of many crimes. According to the World Economic Forum, cyberattacks, together with data fraud or theft, make up two of the top 10 global risks facing the world today.

Generically referred to as cyber-crimes, Victoria Police uses this term to describe a broad range of offences against both “the person” (such as stalking and extortion) and against property (such as hacking and online scams).

And our residential strata sector has already been targeted. 

Take the instance of SSKB (a Queensland-based body corporate and community management firm). On October 27, 2022, SSKB reported that a third party had accessed its IT network, downloaded data and demanded a ransom. 

A statement from SSKB said, “as soon as we became aware of the unauthorised access, we deactivated the systems involved and secured our IT environment.” 

“We are working as swiftly as possible to determine what, if any, personal or sensitive information may be contained in the dataset that was downloaded.”

While the unauthorised access of any organisational data is disturbing, recent incidents have shone a light on the range of personal information that organisations are collecting and keeping – even long after you part ways.  

As for us vertical villagers, we ask the question “what personal information about us is being captured and kept – and by whom?” 

Unsurprisingly, our starting point is the Owners Corporation Act 2006. As clearly stated by Consumer Affairs Victoria, an owners’ corporation (OC) is required by law to keep certain records. They must, for example, ensure they have “records from the developer” (such as the plan of subdivision). They must also establish, maintain and have “easily accessible and available in English” an OC register. This is a summary of an OC’s activities, undertakings and membership (including the full name and address of each lot owner). And this register must be made available for inspection upon request to authorised parties (with specific exclusions made regarding commercial use). 

The Act also stipulates how long OCs must keep specific records, for example voting papers and ballots must be kept for at least 12 months. And there is also a general stipulation regarding protecting privacy wherein OC may only collect and use personal information in a fair and lawful way and that the personal information it holds must be accurate, up-to-date and secure.

Two questions now come to mind. 

First;  “what other data is being collected?” For instance, our management systems record such information as our payment history (including arrears), breach notifications, grievances and related legal correspondence. Added to this, our building management systems typically record delivery notifications, resident access activity and information regarding requested mobility assistance (eg for emergency evacuation). And there is also our growing CCTV network.  

Added to this, there may be a number of “informal databases” (likely set up with the best intentions). Here are bits of information relating to, for instance, pet ownership (name and breed), your birth date (so staff can wish you a happy day) and in-house surveys (which seek to help planning). And this information may reside, unprotected, on multiple personal computers. 

This now leads to the second question, which is how well managed and secure are these various systems that contain our personal information – keeping in mind that a system is only as secure as its weakest link – and this includes staff’s home computers (how up to-date is their anti-virus software?). Additionally, we need to know whether our vertical village, and our management companies, have policies and procedures ready to enact in the event of a cybercrime – will you / they pay a ransom demand? 

The key point is that vertical villages must now take a more proactive approach towards managing and securing information. Rather than relying on assurances from our various service providers that their respective systems are “secure”, we must each develop strategies – govern, protect, detect and respond – which strike a balance between ensuring the capture and leveraging of needed data (to best manage our villages and comply legally) and minimising the risks associated with being the custodian of this critical asset. •