There has been an increase in the frequency of reported cyberattacks against companies in the United States. In February 2016, Hollywood Presbyterian Medical Center, a hospital in Los Angeles, paid hackers $17,000 to regain control of its computer system, which had been locked by ransomware. A month later, MedStar Health Inc. suffered a cyberattack which shut down the records systems of 10 hospitals in Maryland and Washington, D.C.
Given that any company with access to the internet is at risk of a cyberattack, contractors and others in the construction industry should be aware of the attendant risks and take steps to mitigate those risks.
A cyberattack and/or data breach could result in significant internal costs, including costs associated with hardware and electronically stored information (for example, IT expenses; data loss and restoration expenses; and extortion costs); costs associated with regulatory compliance (including fines and penalties); and costs arising from third-party claims for privacy breaches (including contract and tort liability).
Businesses of all sizes are collecting increasing amounts of personal, confidential, and proprietary information which is accessible via the internet or the cloud. The construction industry is no different.
Given the increasing popularity of practices such as Building Information Modeling, Integrated Project Delivery, and file sharing between participants in a construction project, contractors may be at increased risk of liability in the event of a data breach. A hacker may be able to access architectural designs, including the designs of security systems and features; financial information; confidential project-specific information; and personal information of employees.
This holds true for both ongoing and completed projects. History indicates that hackers may target critical infrastructure facilities such as hospitals and energy facilities, as well as secure government systems. Existing, ongoing, or planned construction projects in Florida fall into these categories, including the expansion of Baptist Health System South Florida, planned expansion at Turkey Point in Homestead, and new energy facilities in Osceola and Citrus counties.
In November 2013, hackers gained access to credit and debit card information for tens of millions of Target customers in the U.S. The source of the data breach was a small HVAC contractor that provided services to Target. The HVAC contractor had suffered a data breach from which the hackers were able to obtain the network credentials that the contractor used to remotely access Target’s network.
A construction company can take several steps to mitigate the risk of a cyberattack and/or data breach.
Internally, the contractor should develop and enforce a Written Information Security Program (WISP), which sets forth a protocol for protecting personal and other sensitive information and complying with regulatory requirements. The Florida Information Protection Act of 2014, Section 501.171 of the Florida Statutes, governs how covered entities (i.e., any commercial entity that acquires, maintains, stores or uses personal information) must prepare for and respond to data breaches.
The contractor should also prepare a preemptive Incident Response Plan in order to maximize the efficiency and effectiveness of the contractor’s response in the event of a cyberattack. These proactive measures could result in cost savings and reduced exposure to liability.
A contractor may consider purchasing cyber insurance to cover the costs of data restoration, business interruption, extortion and other associated losses. Given that data breaches may remain undiscovered for some time, the contractor may want to consider retroactive coverage for unknown losses that occurred prior to the policy period.
Effective contract management is another key component in risk mitigation. A contractor may be required by contract to implement specific data security measures, carry cyber insurance and/or indemnify the owner for costs arising from a data breach. A careful review of the operative contract is critical.
Optimally, cyber insurance should be coordinated in order to cover any potential liability the contractor assumes under the contract. Downstream, the contractor should include hold harmless and indemnity clauses in contracts with subcontractors and third-party vendors who have access to confidential, proprietary and/or sensitive data.
Given the increasing frequency of cyberattacks and resulting data breaches, contractors and others in the construction industry should be proactive in order to mitigate the attendant risks. A coordinated effort between IT, management, and in-house and outside counsel is key to an effective cyber-defense strategy.