Online Section 8 Application Software Provider Not Responsible for Damages in Case of Data Breach

We reached out to HAPPY yesterday via email with the following questions:

1.  When will the waiting list portal be back up?

2.  We know that Stamford, CT (Charter Oak Communities) has extended their closing due to the outage.  Rockford, Illinois will be opening on Monday, April 6.  It is expected that the portal will be back online by then?

3.  If someone applied immediately prior to the outage, will they need to reapply once it’s back up?

4.  On waitlistcheck.com, on 3/30/15 you reported that there was recently a large number of attempts to “probe” your system and go on to say you “hired a security consulting firm to conduct an in-depth scan of our systems so we can identify and address any issues”.

Given recent data breaches like Target, Home Depot and others, and the fact that every applicant that uses your system submits their Social Security number and those of their family, our users are very concerned about identity theft and privacy.

Were any of these “probes” successful?  Why did you decide to hire an outside consulting firm instead of using in-house data security staff?  Has the consulting firm found any thing to be concerned about?  Has the consulting firm said you are in the clear?  Will you be contacting individual users regarding any possible risks to their privacy?  If it is confirmed that a breach did take place, due you have a plan on how to handle applicant privacy and data security?

HAPPY responded to our email saying:

The legal language removing any liability from HAPPY is contained in 2 sections: 7. Limitation of Liability and 9. Security.

In Section 7, it says:

Under no circumstances shall HAPPY Software, Inc. be liable for any damages suffered by you, including any incidental, special or consequential damages (such as lost funds, damages for business interruption, or loss of information, programs or other data) that result from the use of this Web site, breach of security associated with the transmission of information through the Internet or inability to access this Web site.

Additionally, in Section 9 it reads:

Data transmitted to and from client Web sites is encrypted for the user’s protection. However, the security of information transmitted through the Internet can never be guaranteed. HAPPY Software, Inc. is not responsible for any interception or interruption of any communications through the Internet or for changes to or losses of data.

The most concerning legal language in the Terms of Use is “Under no circumstances shall HAPPY Software, Inc. be liable for any damages suffered by you…that result from the use of this Web site.”  That is very broad language that seems to imply that HAPPY is not responsible for damages suffered by a housing assistance applicant, even if the loss was due to HAPPY’s action or inaction.

Since Affordable Housing Online started tracking Section 8 Housing Choice Voucher waiting list openings in May of 2014, thirty one (31) housing authorities that opened their Section 8 waiting lists have used, or currently use the HAPPY Software’s WaitListCheck service.

An unknown number of housing authorities use the software to manage Project-Based Section 8, Public Housing and other housing program waiting lists as well. All applicants to all of these programs are subject to the same Terms of Use document. It is unclear if housing authorities who have contracted with HAPPY Software to manage their housing waiting lists are aware of the limitation of liability in the case of a security breach.  We are reaching out to a number of these housing authorities for comment.

One thing is clear.  In most cases, WaitListCheck is the only way to apply for this Federal housing assistance program in many major cities.  Given these housing programs are Federal programs being administered on behalf of HUD, it is unclear if any specific Federal privacy or data security laws are relevant or would require liability to be placed on a contractor providing an end to end software solution for managing that Federal assistance.  We have reached out to HUD’s Section 8 Housing Choice Voucher office in Washington, DC for more information on what if any protections Federal regulations (either general privacy/data security or specific HUD Section 8) provide to low income housing assistance applicants in the case of a data breach.

In full disclosure, we operate an online business and serve over 1 million users each month on our websites and Facebook page.  We take privacy and data security very seriously. If a breach were to occur (as Sony, Target and Home Depot have demonstrated recently, it can to any company) we would make sure that our users were protected and properly compensated for any losses they incurred as a result of a weakness in our systems or practices, as any company should.

We are big supporters of online housing assistance applications.  It streamlines the process for everyone and we wish every housing authority used online applications.  We do, however, believe that any party charged with collecting and maintaining applicants personal data should not only take extreme actions to protect that data but be willing to properly compensate persons in the case that personal information is compromised and the person suffers financial consequences.What do you think? Are you willing to provide your family’s personal information including Social Security numbers knowing that the party collecting it has already told you they won’t accept responsibility if their system’s security protocols are inadequate to stop a hack attack?