Data breaches and the resulting havoc for companies that must deal with them are all over the news. While most construction industry businesses do not handle large amounts of consumer data, you cannot simply ignore cybersecurity or the possibility of cybersecurity breaches. Employee data and confidential information shared by parties with whom you have a contract must be protected. Confidential project data can also be vulnerable. In short, you should be paying attention to cybersecurity.
Factors to consider in analyzing whether your company is properly protected against the risk of data breaches and other cyberattacks include:
1. You possess private and confidential information.
Even if you do not deal in sensitive consumer transactions on a day-to-day basis, your company still has confidential employee information that could be the subject of a cyberattack. When employees’ personally-identifiable information is exposed, employers must comply with state and federal regulations and the financial consequences can be severe.
2. Confidential information is vulnerable and you should consider developing plans to minimize and manage cyber exposure.
As more information and equipment become remotely accessible and controllable, a cyberattack could severely disrupt day-to-day progress on a construction project. Moreover, in the course of a construction project, you may have access to confidential information. Attackers have been known to breach security by stealing network credentials from a corporation’s contractors, leading to data breaches within the corporation. A 2014 cyber-claims study by NetDiligence estimates the average cost to a company suffering a cyber-event at more than $700,000. Depending upon the nature of the project and the contractor’s responsibilities, an updated cybersecurity policy may be essential to manage cyber risk. The policy should include a plan to avoid or minimize data breaches, as well as a plan to manage a breach. Keep in mind that cyberattacks can originate both within and outside an organization.
3. Government projects are likely to have more specific cyber protection requirements.
Government projects often involve issues of national security and require an extra layer of protection for confidential information. Per Executive Order 1336, issued by President Obama in 2013, the National Institute of Science and Technology recently released a framework for governmental agencies to establish guidelines for managing cybersecurity risks. Although the framework does not yet include mandatory requirements, at least some governmental agencies will likely use it to establish contractual standards for cybersecurity or as a basis to determine a standard of care in future cybersecurity cases.
4. Standard contract forms do not address cybersecurity issues.
Standard construction contract forms do not directly address cybersecurity issues. Accordingly, in the event of a data breach or other cybersecurity attack, the parties’ roles and responsibilities may not be clear. If you require specific protection of your electronic information or want to contractually allocate risks related to cybersecurity, you should amend the standard contract forms to address those issues.
5. Insurance for cyber losses.
If your business is at risk of cyber losses — and most businesses have some measurable degree of exposure to cyber losses — consider purchasing cyber insurance. The market for cyber coverage is relatively new and fluid. You or your broker should carefully review your needs and whether a specific policy meets them. Currently, cyber coverage is not particularly expensive, but coverage varies widely between companies. Remember that cyber losses involve more than payouts to third parties injured by wrongful disclosure of personal information. Legally required notices and other regulatory obligations are also costly. For a significant data breach, notice and credit-monitoring obligations can cost millions of dollars.
Cyber policies often require lengthy and detailed disclosures by the insured — be sure to provide accurate and complete information. Cyber policies also may contain an exclusion for failing to follow minimum required practices. One such minimum practice might be the encryption of confidential data.
If you do not have a cyber-specific insurance policy and you experience a cyber loss, review your general liability and excess policies, property coverage and, if you have one, your crime policy. Coverage for cyber losses under traditional insurance policies depends on policy language and the specific facts of the loss. For example, in a matter involving the loss of computer tapes containing personal information for some 500,000 of a company’s past and present employees, a Connecticut court ruled that because the tapes were encrypted and there was no indication that personal information on the tapes had been improperly accessed, the loss was not covered under a commercial general liability (CGL) policy.
Despite that decision (and others), CGL coverage for cyber losses may exist under Coverage A, which responds to certain losses of tangible property, or Coverage B, which responds to certain personal injuries such as invasion of privacy. However, coverage under the CGL policy is becoming less likely because the insurance industry is adding exclusions or restrictive endorsements that eliminate or narrow coverage for cyber losses. Nevertheless, the CGL policy should be closely examined in the event of a cyber loss. If you are covered by a crime policy, you may find coverage for some computer-related losses. Again, the policy needs to be carefully examined from the perspective of the loss in question. Finally, an all-risk property policy, although not typically crafted to respond to cyber losses, may provide some coverage depending on specifics of the loss.
6. The good news.
While cyber exposures are growing in frequency and severity, the good news is that cyber risk can be managed. Properly assessing your risk, developing appropriate cybersecurity measures and acquiring appropriate insurance will be helpful in managing cyber risk.