Between data breaches at LinkedIn, Verizon, the Internal Revenue Service and, of course, the Democratic National Committee (to name just a few), cyberattacks held a prominent place in the news this past year. And 2016 was by no means the first time that big hacks made headlines. For the past several years a different group of household/brand-name companies, as well as federal agencies, have had their information security vulnerabilities exposed, making it clear that no one is immune to this danger.
The construction industry is no exception. It was part of the narrative back in 2013 with the infamous Target breach, when it was determined the initial intrusion into the big box store’s network was achieved by stealing the login credentials of an HVAC contractor who was granted access for billing purposes. The massive intrusion resulted in the theft of over 40 million customer credit and debit cards and hundreds of millions of dollars in litigation and settlements.
Breaches such as this one showcase some of the main reasons why the construction industry, while perhaps not as rich in personal or financial data as industries like banking or healthcare (which have specific privacy-related laws and regulations with which they must comply), still makes for an attractive target for cyber criminals.
First, like all companies, construction companies maintain a certain amount of personal information about its employees. Depending on how the company manages its health insurance program, this could also include more sensitive health-related information.
Second, the construction industry is a service industry, and as a result it generates and maintains information either about or belonging to its clients, many of whom may be publicly traded. Depending on the client and the project, this type of information could include proprietary information, cost and other financial data, and a variety of different types of intellectual property, such as design drawings, shop drawings, material and product data that the client may want protected. Sufficiently safeguarding this data is important not only in minimizing risk of a lawsuit, but also in avoiding the substantial reputational damage that can accompany a data breach. In the context of critical infrastructure construction, the risk may go beyond a potential dispute with the client or bad public relations, to a potential risk to national security.
For big and small construction companies alike, how to manage this risk can be overwhelming. Below are three tips to consider when securing your information and mitigating cybersecurity issues.
KNOW YOUR OBLIGATIONS REGARDING USE, DISCLOSURE AND PROTECTION OF THE DATA
Data privacy and security laws in the U.S. focus on various forms of personal information that identify an individual, such as name, social security or driver’s license number, date of birth, biometric data like fingerprint or retina image, or health and banking information. The U.S. does not currently have one over-arching law defining personal information or governing its protection that applies to all industries. Nor is there any federal law that imposes minimum information security standards across all industries. Instead, at the federal level, the collection, use, disclosure and protection of certain types of personal information is regulated through a patchwork of laws directed specifically at certain industries, such as banking, healthcare and telecommunications. Some of these laws include a security component that identifies certain minimum security requirements for the entities to which these laws apply. In addition, most states now also have laws on information privacy and security, some of which are broader and more strict than federal laws. For example, California Assembly Bill 1950, requires that a business that owns or licenses personal information about a California resident must "implement and maintain reasonable security procedures and practices appropriate to the nature of the information to protect the personal information from unauthorized access, destruction, use, modification, or disclosure."
For construction companies, these laws are probably most likely to apply, if at all, in the employment context. However, it is prudent to assess the different types of data your company maintains (including any data belonging to clients) and familiarize yourself with any federal or state privacy or security laws that may govern your business.
IDENTIFY PRIVACY AND SECURITY CLAUSES IN CONTRACTS
Given the increased utilization of BIM in the design and construction process, of the cloud for project management, of ‘smart’ devices in power and security systems, and of mobile devices both during construction and after as part of the ‘smart’ systems installed, it is highly likely data security insurance and other contractual requirements will appear more frequently in construction contracts. Keep an eye out for data privacy and security obligations and make sure you can comply with them prior to executing a contract. Data privacy and security are not extensively fleshed out in some of the more popular form construction contracts, but these types of obligations may be included by owners, along with obligations regarding use and disclosure of proprietary or confidential project documents, either in their own forms or by modifying the standard forms to include them.
Where particular standards are not identified, consider raising the issue with your client. Of course, for the reasons previously discussed, implementing data security best practices and obtaining cyber liability insurance to help manage these risks is a good idea even if it is not contractually required by your clients.
BE AWARE OF BREACH OBLIGATIONS
There is a similar patchwork of federal and state laws regulating a company’s obligations in the event of a data breach. Most are triggered by the breach of some form of personal information but some have a different and potentially broader scope. Indeed, in October of last year the Department of Defense published a final rule outlining "cyber incident" reporting requirements for defense contractors. A "cyber incident" must be reported when it results in an actual or potentially adverse effect on unclassified information (breach and reporting related to classified information is governed by other rules) relating to the contractor’s performance under the contract and the system that processes, stores or transmits such information. The obligations in these breach notification laws, including who must be notified and the time frame for doing so, vary so developing a data breach protocol to ensure the laws are timely complied with could go a long way to mitigate exposure in the event of a breach.
The ubiquitousness of data breaches in the country’s mainstream consciousness has resulted in a growing expectation for companies to address vulnerabilities, develop robust cybersecurity and prepare for the worst case scenario. As the awareness of threats continues to grow, so do the laws governing it. Knowing what your obligations are under the law, and establishing a program that implements best practices for cybersecurity and breach response will only become more important as technology continues to further integrate itself into the construction process.
Jessica Neufeld is a member of the Litigation Section of Munsch Hardt Kopf & Harr, a Houston Chapter member, and a Certified Information Privacy Professional for U.S. privacy law (CIPP/US). She advises companies and organizations on legal compliance, negotiates contracts and helps clients prevent, prepare for and minimize the impacts of security breaches and cyberattacks. Neufeld also maintains an active construction practice through which she represents owner, developer, contractor, subcontractor and supplier clients in the transactional and dispute resolution aspects of the law for that industry. She may be reached at firstname.lastname@example.org. Visit www.munsch.com.