0
Data Security and Privacy Due DiligenceData Security and Privacy Must Play a Part in M&A Due Diligence

Data Security and Privacy Must Play a Part in M&A Due Diligence

In the past, acquiring companies engaged in M&A activity paid little attention to a target company’s data security & privacy (DSP) posture during due diligence. The acquiring companies learned that their failure to fully evaluate the target company’s DSP posture led to the target company inheriting more work than ever anticipated. These risks manifested in two costly areas: undisclosed cybersecurity incidents (which could lead to costly litigation and negative publicity), and poor cybersecurity and privacy infrastructure (which would delay integration).

These negatives are well documented. A 2019 Forescout report found that, “[j]ust under half (49%)” of the transactions analyzed “encountered unknown or undisclosed cybersecurity incidents, issues, or risks when integrating the acquired company’s information and technology that delayed the integration timeline.” Another well-known example was Verizon’s $350 million purchase price reduction of Yahoo!’s to cover costs of ongoing government investigations and private litigation for historic cybersecurity incidents that were not fully disclosed or evaluated in the due diligence phase.

Things have changed. Gartner reported that by 2022 sixty percent of organizations will consider a target company’s cybersecurity posture as a critical factor in their due diligence process. Acquiring companies have made DSP due diligence a priority because they understand the costly risks of inheriting a target company’s DSP liabilities.

Target companies must proactively address and disclose DSP risks to avoid renegotiation of the purchase price, delay the closing date, or at worst, the acquiring company backing out of the deal. M&A parties often retain sophisticated DSP attorneys to assist in all phases of the deal, including conducting DSP posture analyses, evaluating DSP-specific risks, and guiding the company through the diligence process.

This article addresses some of the key privacy and security issues, and strategies target companies should undertake to prepare for privacy reviews in due diligence.

 

Understand Data Privacy and Cybersecurity Obligations

The acquiring company’s goal during diligence is to understand whether the target company: (a) is in compliance with all applicable privacy and cybersecurity obligations, (b) has controls in place to avoid future regulatory or litigation exposure, and (c) has no undisclosed cybersecurity incidents that could lead to future exposure. Thus, the target company should be prepared to respond to diligence requests that focus on these key areas.

Context Matters. Cyber and privacy due diligence are heavily dependent on the target company’s profit model and industry because those factors heavily drive the evaluation of the transaction’s risk stemming from the target company’s cybersecurity posture. A purely regional business-to-business (B2B) company will generally have lower obligations than a company that handles personal health information (PHI), does significant business in California, or has international operations. A seller should focus on the following core area and consider whether it is in compliance with all standards-based on its position in that core area:

  • Profit-Model. Understand how the target company’s profit model subjects it to privacy and cybersecurity obligations. Consumer-facing companies are likely to have higher privacy obligations than those with an exclusively B2B model.  Additionally, companies who collect or trade consumer information will have higher privacy obligations, particularly when that information includes financial or health information.
  • Location. Understand the obligations imposed on the target company based on where it conducts business. Businesses in Europe or California may subject the business to specific obligations under the General Data Privacy Regulation (GRPR) or California Consumer Privacy Act (CCPA). Each has a specific requirement and harsh penalties for non-compliance. It is equally important to know if the target company is not subject to the CCPA and GRPR so that the target company does not unnecessarily expend resources to comply with those laws, and to adequately respond to misdirected diligence inquiries about GRPR and CCPA compliance.
    Cybersecurity incident notification laws also vary by state, so the company should understand could create obligations for historic cybersecurity incidents.
  • Industry. Understand whether the target company’s industry creates unique security obligations. Broadly, a company that operates in: (a) financial services, (b) healthcare, (c) government contracting, (c) consumer data collection, and (d) consumer credit card transactions. State laws may also impose industry-specific obligations.

Understand the impact of historic cybersecurity incidents. Any historic cybersecurity incidents will very likely be the subject of the acquiring company’s diligence inquiry. The target company should consider the root cause of the incident (i.e. system vulnerabilities or policy gaps).

 

Strategies to Maximize Price and Avoid Concerns During Diligence

Again, acquiring companies are evaluating potential transaction risk based on the target companies’ compliance obligations and cybersecurity risks. Strong documentation reflecting a target company’s understanding of its obligations and implementation of necessary policies and programs is a target company’s strongest asset in alleviating an acquiring company’s concerns (and in turn maximizing the purchase price).

Implement Privacy Policies. Implement compliance privacy policies to the extent necessary based on the target business’ profit model, location, and industry (as discussed above). If the target company determines its business does not require implementation of a specific policy, demand the rationale for that decision, and maintain a policy that requires a review of the target company’s privacy compliance requirements: (a) periodically, (b) based on material changes in the company’s business, and (c) based on material changes in the law.

Implement Data Governance Programs. Even if the target company has determined that specific privacy laws do not apply to the company, many acquiring companies will require that the target company understands the data it collects. Understanding the collected data allows the target company to show that: (a) it has analyzed potential risks of a cybersecurity incident, and (b) is well-positioned to comply with future privacy requirements following the acquisition (or based on future changes in the laws).

Implement Cybersecurity Policies. Maintain a cybersecurity and compliance infrastructure that require conducting penetration testing, vulnerability assessments, and corrective follow-up. An acquiring company is likely to be skeptical about a target company’s representations about a lack of prior incidents because a company that does not conduct regular testing and assessments may not even be aware of prior intrusions.

Analyze Contracts and Maintain Insurance. The target company should analyze vendor and customer contracts relating to indemnification for cyber or privacy incidents.  As the acquiring company may be inheriting these contracts, they will want to ensure that these contracts don’t create unnecessary risk. Maintaining cybersecurity insurance covering past incidents will further alleviate concerns.

Analyze Past Incidents. Analyze past incidents to determine what system vulnerabilities, policy or training gaps led to the incident, and document the steps taken to correct those issues.

Partner with Technologists Who Understand the Legal Requirements. There is no need to reinvent the wheel.  Work with experienced partners who can help assess the need for privacy and cybersecurity programs, and help you navigate due diligence requests from an acquiring company.  Beckage retains privacy attorneys and security professionals with a deep understanding of the technology in the law.

For more information on this topic, contact Beckage attorney Chirag H. Patel.

Subscribe to our newsletter.

*Attorney Advertising.  Prior results do not guarantee future outcomes.

0
CaliforniaCalifornia Privacy Protection Agency: Updates on Rulemaking Timeline, Agency Staffing, and What Privacy Practitioners Can Expect in the Months to Come

California Privacy Protection Agency: Updates on Rulemaking Timeline, Agency Staffing, and What Privacy Practitioners Can Expect in the Months to Come

On Tuesday, October 5th, Jennifer M. Urban, Board Chair of the newly formed California Privacy Protection Agency (CPPA), joined the Privacy Law Section of the California Lawyers Association for a fireside chat about CPRA rulemaking, agency staffing, and what privacy practitioners can expect in the months to come.

 

Approved through ballot proposition back in November 2020, the California Privacy Rights Act (CPRA) created the CPPA, which is the first state-level agency dedicated to consumer privacy regulation. With the CPPA having full administrative power, authority, and jurisdiction to implement and enforce the CCPA and CPRA, privacy practitioners and businesses are keeping a close eye on the new agency’s rulemaking timeline as the July 1st deadline to adopt final regulations quickly approaches.

 

The CPPA had its first public board meeting on June 14th (agenda and meeting materials available here). The agency then followed up with a two-day, public virtual meeting on September 7th and September 8th (agenda and meeting materials available here) as well as a closed session regarding hiring matters on September 24th (agenda available here).

 

Some of the topics discussed by the CPPA Board during its September 7th and 8th public meetings include: (1) the Bagley-Keene Open Meeting Act; (2) the Administrative Procedures Act; (3) other administrative updates; (4) initial hiring strategy, timelines, and duties; (5) delegations of authority for limited administrative functions; (6) the agency’s conflict of interest code; (7) member handbook drafts; (8) subcommittee assignments; (9) board office location; (10) notice to the Attorney General to assume rulemaking authority; (11) future meeting schedule; and (12) public comments.

 

In continuing with some of the above-mentioned topics, the fireside chat primarily covered the agency’s proposed rulemaking timeline, agency staffing needs, and subcommittee assignments.

 

With preliminary public comments on proposed rulemaking due by November 8th, the CPPA is looking to publish notice of proposed rulemaking, an initial statement of reasons, and text of regulations sometime in Winter 2021-2022 (aiming potentially for January 2022). In Winter/Spring 2021-2022, the CPPA is planning to hold public hearings. Furthermore, the CPPA is planning to submit draft regulations to the Office of Administrative Law by May 2022.

 

The CPPA proposes to form three new subcommittees to divide up the work: (1) New CPRA Rules Subcommittee; (2) Update of CCPA Rules Subcommittee, and (3) Rulemaking Process Subcommittee.

 

The New CPRA Rules Subcommittee will cover topics such as cybersecurity audits, risk assessments, automated decision-making, and agency audit authority. The suggested members for this subcommittee are Vinhcent Le and Lydia de la Torre.

 

The Update CCPA Rules Subcommittee will cover opt-out requests (including preference signals), accessibility, rights to erase/correct/know (look-back period, definition of “specific pieces of information obtained from the consumer, etc.), and use of PI by contractors/service providers. The suggested members for this subcommittee are Jennifer Urban and Angela Sierra.

 

The Rulemaking Process Subcommittee will coordinate pre-rulemaking and rulemaking activities (e.g., informational hearings, collection of comments, etc.), make recommendations as to whether rules are needed for certain topics, coordinate reports on the scope of privacy rules that currently apply to insurance corporations, and suggest additional topics for rulemaking and secure resources. The suggested members for this subcommittee are John Christopher Thompson and Lydia de la Torre.

 

Please see additional information regarding the agency’s proposed course of action here.

 

Economic considerations regarding the operational cost of compliance are also likely to be considered during the rulemaking process.

 

What’s next? The deadline for the adoption of final regulations is July 1, 2022. The CPRA becomes effective on January 1, 2023. The CPPA will also continue to hold meetings as the rulemaking process continues.

 

Beckage’s California Privacy Team continues to actively monitor updates to the privacy landscape as well as the impacts that new CPRA regulations will have on businesses. To learn more about the impact the CCPA and the CPRA may have on your business, reach out to our team of highly skilled attorneys.

 

*Attorney advertising: prior results do not guarantee similar outcomes.

Subscribe to our newsletter.

 

0
Cybersecurity AwarenessCybersecurity Awareness Month – 10 Tips for Improving Your Organization’s Cyber Hygiene

Cybersecurity Awareness Month – 10 Tips for Improving Your Organization’s Cyber Hygiene

October is Cybersecurity Awareness Month – a month-long event with the goal of raising awareness of good cybersecurity practices.

As a law firm focused only on technology, data security, and privacy, Beckage is dedicated to helping organizations create robust cybersecurity programs that help prevent or lessen the impact of potential cyber attacks. This starts with helping organizations, and their employees understand the important role they play in protecting their systems and safeguarding data.

In recognition of this important educational opportunity, we have compiled some of our top cybersecurity tips to help your organization improve your cyber hygiene. Do your part, #BeCyberSmart!

1. Use Multi-Factor Identification  

Add multi-factor authentication to your accounts. These tools require you to grant access to your accounts every time someone tries to log in.   

 

2. Update your Systems  

Updates may be a pain, but they are important. Updates often include patches for recently identified security issues. Neglecting updates may leave you vulnerable to threat actors exploiting these vulnerabilities.  

 

3. Emphasize Employee Education  

Human error is one of the most commonly cited causes of cyber incidents. Conduct regular cybersecurity trainings, including tabletop exercises testing your incident response plan, to help employees understand their role in incident response and prevention.  

 

4. Use Strong Passwords  

Choose unique passphrases as an alternative to passwords (ie. Myd0g1sth3b3st! vs. Fido123). Use a different password for each account. To help keep your credentials straight, consider using a password manager.   

 

5. Examine Emails Carefully  

Scammers often mimic a legitimate site or email address by using a slight variation in spelling. Pay attention to email and website addresses and independently verify links and attachments before clicking. Know where/how to report any suspect emails because you may not be the only one who received it.  Sharing is caring! 

 

6. Avoid Public or Unsecure Wi-Fi Networks  

Do not connect to a public or unsecure Wi-Fi network, such as at a coffee shop or hotel. Any sensitive information transmitted over these unsecure connections can be accessed by other users on the network. When a secure network is not available, opt to use your mobile hotspot.  

 

7. Create Email Forwarding Alerts  

Set up alerts when forwarding rules are added to your e-mail account and routinely check email forwarding rules. If threat actors gain access to an email account, they may create account rules to hide their activity.      

 

8. Do Not Use Personal Devices to Access Sensitive Data  

Personal devices, such as your phone or personal computer, are often not as secure as devices in the workplace. Downloading or accessing sensitive information on those devices could lead to the information being compromised. Unless your Security Officer says otherwise, never access sensitive information from personal devices.    

 

9. Keep Track of your Backups  

Make sure to have backups of important backups in place and these backups are stored separate from your normal environment. Check the integrity of your backups regularly. 

 

10. Find A Data Security Team  

Creating data security policies, procedures, and plans be daunting. Partnering with a team that understands the legal and threat landscape surrounding data security is a great first step towards improving your cyber preparedness. 

 

 

*Attorney advertising – prior results do not guarantee future outcomes.

Subscribe to our newsletter.

BiometricsIllinois Appellate Court Finds that Statute of Limitations for BIPA Claims Could be as Much as Five Years, Adding to Already Considerable Class Action Exposure

Illinois Appellate Court Finds that Statute of Limitations for BIPA Claims Could be as Much as Five Years, Adding to Already Considerable Class Action Exposure

On September 17, 2021, the First District of the Illinois Appellate Court issued the first appellate opinion regarding the applicable statute of limitations for claims arising under Illinois’ Biometric Information Privacy Act (“BIPA”).  In a mixed decision, the First District found that the limitations period could range from 1 year to as much as 5 years depending on the nature of the alleged violation at issue.

 

The implications of the First District’s decision are momentous, because many BIPA lawsuits are class actions.  In addition to expanding the pool of potential plaintiffs, a five-year limitations period greatly increases the potential class size and, consequently, defendants’ potential damages exposure.

 

Background

By way of background, Illinois enacted BIPA in 2008 after a company called Pay-by-Touch started a pilot program at Chicago-area retail stores to enable customers to pay for purchases using fingerprint scans linked to their credit cards. When Pay-by-Touch subsequently filed for bankruptcy after collecting customers’ biometric and financial account information, the bankruptcy trustee listed the customers’ biometric information as an asset and sought to sell it to pay off creditors.  This motivated the Illinois legislature to enact BIPA.

 

BIPA’s Requirements

BIPA contains five different subsections regulating the use of biometric information.  The differences between the following five subsections were critical to the First District’s decision:

  • First, anyone in possession of biometric information must develop a publicly-available retention policy.

 

  • Second, prior to collecting any biometric information, the collecting party must disclose the purpose and length of time for which the information will be used, and obtain a release from the subject of the information.

 

  • Third, biometric information cannot be disclosed without the authorization of the subject.

 

  • Fourth, a party cannot profit from the sale of biometric information under any circumstances.

 

  • Finally, a party must protect biometric information using the standard of care in the industry, and at least the same protection measures that the party uses for other personal and confidential information.

 

Debate Over Limitations Period

BIPA itself does not specify the applicable statute of limitations, and the plaintiff and defense bars have disagreed on the applicable limitations period.  Prior to the First District’s decision, the litigation in the trial courts has centered around three potential limitations periods, including the following:

  • One-year period for actions based on “publication of matter violating the right of privacy.” 735 ILCS 5/13-201;

 

  • Two-year period for personal injuries or “statutory penalties.” 735 ILCS 5/13-202; or

 

  • Five-year period for “all civil actions not otherwise provided for.” 735 ILCS 5/13-205.

 

The Subject Lawsuit

An employee sued his former employer alleging that his employer required him to clock-in for work using a biometric time clock, and that his employer violated BIPA by failing to obtain his informed consent, failing to have a retention policy, and disclosing his information to third parties such as the time clock vendor.

 

The plaintiff stopped working for the defendant in January 2018, and he filed suit in March 2019.  The employer moved to dismiss the lawsuit, arguing that the suit was time-barred because the one-year limitations period for “publication of matter violating the right of privacy” applied.  The plaintiff of course disagreed and argued that the five-year period for “civil actions not otherwise provided for” applied.  The trial court agreed with the plaintiff but certified the question for interlocutory appeal.

 

The Appellate Court’s Decision

On appeal, the First District found that the applicable limitations period depends on which of the five BIPA subsections is at issue.  More specifically, the First District found that the one-year limitations period is limited to matters involving “publication.”  Using this framework, the First District found that only two of BIPA’s subsections involve publication: the prohibition of unauthorized disclosure and the prohibition of the sale of biometric information.  On the other hand, the First District found that the other three requirements (the retention policy requirement, informed consent requirement, and standard of care requirement) can be violated without any publication, and therefore are subject to the five-year limitations period.

 

For the case at hand then, applying the First District’s decision means that the plaintiff’s allegations regarding his employer’s failure to obtain his informed consent and failure to have a retention policy were subject to the five-year limitations period and therefore timely.  In contrast, the plaintiff’s allegations of unauthorized disclosure were subject to the one-year limitations period and therefore barred.

 

Not the Last Word

The First District’s decision likely will not be the last word on the limitations period for BIPA claims.  A separate appeal regarding the limitations period for BIPA claims – Marion v. Ring Container Technologies – is pending in Illinois’ Third District. (The First District covers Chicago, and the Third District covers North-Central Illinois and Chicago’s southern suburbs). The parties to both cases are likely to seek further appeal to the Illinois Supreme Court, and the Supreme Court will have a good reason to weigh in on the novel issue, especially if the Third District reaches a contradictory decision.

 

It is also noteworthy that the First District’s decision did not address the potentially applicable two-year limitations period for “statutory penalties.”

 

Potential Legislative Reform

In addition to these appellate decisions, the Illinois legislature could also take action.  In its spring term, the legislature advanced a bill out of committee that would dramatically reform BIPA.  The legislature did not hold a final vote on that bill before the conclusion of its spring term, but new appellate decisions could motivate the legislature to renew the reform effort.

 

Beckage will continue to monitor any developments regarding BIPA and will update its guidance accordingly.  Our team of experienced attorneys, who are also devoted technologists, are especially equipped with the skills and experience necessary to not only develop a comprehensive and scalable biometric privacy compliance program but also handle any resulting litigation.

Subscribe to our newsletter.

*Attorney Advertising.  Prior results do not guarantee future outcomes.

0
Construction Industry and Cyber AttacksWhy the Construction Industry Is Being Impacted By Cyber-Attacks, and What To Do About It

Why the Construction Industry Is Being Impacted By Cyber-Attacks, and What To Do About It

By Jennifer A. Beckage, Esq., CIPP/US, CIPP/E
and Daniel Parziale, Esq., CIPP/US

Introduction

For many years, the construction industry has appeared almost immune from cyber events because of the limited personal information it keeps. However, the last 12 months directly negate this view, reminding the industry that this perspective no longer carries weight. The construction industry is one of the leading industries impacted by data security incidents. This begs the question: why? And what can the industry do to address this rise in cyber threats?

Threat actors know that the construction industry is, in some areas, behind in data security and privacy initiatives. This is in large part because this industry, to date, avoided heavy regulation in data security and privacy laws. The limited regulation and guidance in the construction industry may have contributed to less focus on cybersecurity than in other industries.

Additionally, many in the construction industry are leveraging artificial intelligence technologies (AI) such as machine learning (ML) and robotics, among others. These new technologies still require data security and privacy risk assessments and proper controls in place, something that may be a second thought for those in the construction industry that, historically may not have had cybersecurity top of mind.

Lastly, the threat actors seek to extort money, and the construction industry presents a big, lucrative target. The exposure of cyber-attacks in construction, in part, is amplified by the amount of confidential and proprietary information digitally stored and shared across projects and their long information technology (IT) chains. Infrastructure, financial accounts, as well as the data of employees, projects, and business- sensitive information may be at risk. Accordingly, the number of cyber-attacks in the construction industry are growing exponentially.

The legal and threat landscapes are constantly changing, requiring those in the construction industry to be familiar or associate themselves with experienced tech and legal providers who can assist in navigating these rushing river waters.

 

Some of the Largest Cyber Risks Facing the Construction Industry

While the risks of cyber-attacks are not unique to the construction industry, their impact on the industry is distinctive.

For example, on January 30, 2020, French construction behemoth, Bouygues, announced that threat actors were holding 200GB of data ransom. See Naveen Gourd, Maze Ransomware hits Bird Construction and Bouygues Construction, https://www.cybersecurity-insiders.com/maze-ransomware-hits-bird-constriction-and-bouygues-construction/. Ultimately, the ransomware event caused a delay to various projects as Bouygues shut down various operating systems to prevent the propagation of the attack. See Bouygues, Press Release – Information on a Cyber-Attack, https://www.bouygues.com/wp-content/uploads/2020/01/prbouyguesconstructioncyberattack01-31-2020-pdf.pdf.

Unfortunately, Bouygues is not alone in their suffering. Bird Construction, a large Canadian construction company, suffered a similar ransomware attack in December 2019, where the threat actors were demanding $9,000,000 CAD in exchange for decrypting the 60GB of data they were holding for ransom. See Naveen Gourd, Maze Ransomware hits Bird Construction and Bouygues Construction, https://www.cybersecurity-insiders.com/maze-ransomware-hits-bird-constriction-and-bouygues-construction/.

These events are, unfortunately, very common in the construction industry.

There are five main cyber-attacks that could impact a construction company: i) ransomware; ii) fraudulent wire transfer; iii) downtime or business interruption; iv) breach of intellectual property; and v) breach of bid data. Each presents its impact and harm.

  • Ransomware: Ransomware, when a threat actor holds a computer system hostage for payment, can limit a construction company’s access to critical systems and potentially delay work at a project. Moreover, a construction company may be left with little choice but to incur the financial responsibility of paying the ransom. However, damage from a ransomware event is not simply limited to the payment of the ransom but may also include reputational damage.

 

  • Fraudulent Wire Transfers: Fraudulent wire transfers, often the result of social engineering, present a substantial risk to the construction industry, which is often moving large sums of capital around. Falling victim to fraudulent wire transfer not only presents dire fiscal issues for a construction company but can also lead to severe reputational harm.

 

  • Downtime or Business Interruption: The construction industry is heavily reliant on the ability to deliver projects on a deadline. A cyber-attack on a construction company’s software or equipment could potentially cause a delay in the project while the cyber-attack is properly addressed.

 

  • Breach of Intellectual Property: If a construction company is holding highly sensitive blueprints or schematics in its computer system, breach of these computer systems could result in major reputational damage and potential lawsuits.

 

  • Breach of Bid Data: If a construction company holds information regarding its bidding strategies on a computer system, access and acquisition of these files could lead to a loss of a competitive edge.

 

What Happens In A Data Breach

The fast-moving cyber threat landscape above is juxtaposed with emerging data security and privacy laws. In the United States, there is no overarching data security and privacy law(s). Instead, we have a patchwork of federal and state laws that may apply to an organization.

For example, let’s pretend that Company XZY suffers a data breach that not only seizes access to systems, but one such system is a human resources program that contains all of the employee’s personal information (whether hosted internally or with a third-party provider). Perhaps another system is a client management program that has a sensitive design or tenant plans or city or government projects with confidentiality treatment requirements. Assuming in this scenario that the threat actor accessed and then exfiltrated the human resource system and client management program data, then Company XZY would have to provide notice to all potentially impacted persons (the employees in our scenario) under a myriad of state and perhaps federal laws, but also under contract to the third parties whose confidential business information was impacted.

As it relates to the employees, it is important for the legal counsel for Company XZY to review where each employee resides to determine applicable laws that will direct notification requirements for employees. As one can imagine, in a data breach with hundreds or thousands or more employees who are impacted, this could become complicated, but there are seasoned professionals who can help the organization prepare and respond. Unfortunately, most organizations are not prepared.

Besides operational setbacks from a data security incident and notifications to potentially impacted persons, there could also be revenue loss, reputational harm, legal fees, technical costs, call center expenses, credit monitoring costs, regulatory reporting, third-party claims, and more.

There are, however, ways that this risk can be shifted.

 

Actionable Steps the Construction Industry Can Take to Mitigate Cyber Risk

There are several methods your organization can leverage to limit its exposure to cyber risks. These include but are not limited to: 1) building a team of trusted advisors; 2) picking the plan that is right for you; 3) evaluating risk so it is properly allocated through contract; 4) evaluating whether your organization has a strong cyber liability insurance policy; and 5) implementing good cyber hygiene and best practices.

1. Build A Team of Trusted Advisors

Cybersecurity preparedness will require knowledge and awareness across many roles within the organization. The leaders of the organization, information technology, legal, and most likely also marketing, sales, customer service, accounting, finance, human resources, and other groups to the extent they exist at the organization.

Third parties will likely need to be engaged as the legal and technical areas are emerging at rapid speeds. Further, the market is oversaturated with vendors, providers, partners of all types and sizes. Organizations should take time to validate credentials, years of experience, contractual terms, insurance carried, and more before engaging third-party partners to assist with cybersecurity program development.

2. You Pick the Plan

The organization’s team should, through a risk assessment, determine its cybersecurity program goals. Too often organizations are “sold” by a vendor as to a plan, but if a breach occurred such a plan would do very little to prevent legal and technical risk.

Some in the construction industry have robust experience with information technologies and others rely heavily on third parties. If the latter, find a trusted partner to help you manage your third-party providers if your organization does not fully understand technically what they are doing. Just like an employee, those third parties should be reviewed regularly (more on that soon).

3. Contract with Strong Data Security & Privacy Provisions

Another method of mitigating cyber risk is through contract. When reviewing your company’s agreements with third-party vendors and subcontractors, it should pay close attention to indemnification and insurance procurement provisions for how they might allocate cyber risk between the parties. A data security incident at one of your company’s vendors may have serious consequences when it exposes your business’ information. To that end, your company may want to consider including language in its third-party contracts which require vendors and subcontractors to indemnify your company in the event the third-party vendor or subcontractor suffers a data breach. Similarly, your company might want to consider requiring a third-party vendor or subcontractor to name your company as an additional insured on its cyber liability insurance policy. Both of these steps help in the event your third-party vendor suffers a data security incident, as the financial impact on your business would be minimal.

4. Cyber Liability Insurance

If the third parties the organization is using do not want to (or they should not) carry certain risk, one potential method of mitigating risk associated with cyber-attacks are a cyber liability insurance policy. These policies generally provide coverage for the following types of attacks:

  • Data Breach Expenses: When a threat actor accesses or acquires Personal Identifiable Information as defined by applicable law, your company has suffered a data security incident. Cyber liability insurance policies typically cover the costs of hiring lawyers, forensic IT security vendors, public relations, or crisis communication costs to assist you in handling your response. Moreover, cyber liability insurance policies cover the cost associated with notifying individuals and state regulators, providing identity and/or credit monitoring services to affected individuals, and running a call center.

 

  • Cyber Extortion or Ransomware: When a threat actor acquires access to your company’s systems and encrypts or otherwise locks you out of the network, demanding the payment of a ransom to unlock the system. Cyber liability insurance policies typically cover the cost of negotiating with the threat actor as well as potentially paying part of the ransom.

 

  • Fraudulent Wire Transfer: When a threat actor misdirects a wire transfer from your company to a vendor, your company is a victim of a fraudulent wire transfer. Cyber liability insurance policies will normally cover such fraudulent wire transfers if your company took certain steps to prevent them. Coverage for fraudulent wire transfers is generally limited to the amount of the wire transfer itself.

 

  • Business Interruption: When a threat actor executes a cyber-attack, some cyber liability insurance policies provide coverage for the loss of business income as a result of being locked out or shut down as part of the cyber-attack.

As provided above, cyber liability insurance policies generally cover the major types of cyber-attacks a construction company may face; however, cyber liability insurance is not the only means of mitigating the risk of a cyber-attack.

Cybersecurity insurance can provide first-party and third-party damages. Other insurance such as Tech Errors & Omissions may be options for some organizations to consider as well.

5. “What’s Good for the Goose is Good For The Gander” Policies and Practices

a.) Policies & SOPs

Applicable here is the old proverb “what’s good for the goose is good for the gander.”

If an organization is going to require that its vendors and third-party partners have certain controls and practices, then that organization should perhaps think about its practices. In fact, its insurance carrier may require it. Also, the organization may have requirements under laws and regulations, under contract, or other duties owed.

This is where most organizations are paralyzed – it sounds overwhelming. Or they find some stock policies, modify them slightly, and place the policies on a virtual shelf.

In creating policies, the team charged with building a construction cybersecurity program will identify first the laws that apply to the organization, IT standards it wishes to follow, along with other guiding principles – organization mission, vision, codes of conduct, or company ethics policies, and more.

Policies and standard operating procedures can come in a myriad of shapes and sizes, which makes creating them sometimes difficult for organizations – too many choices – so they pick and choose from numerous templates and the result is, frankly, often a mess.

Organizations should plan to take time to put together written policies and procedures that reflect the organization’s goals, vision, standards, controls, and more – not some other organization’s that is in a template found online.

What are some good cybersecurity controls and practices? The National Institute of Standards and Technology’s (“NIST”) Cybersecurity Framework Version 1.1 offers for some a good place to start looking at what a cybersecurity program may look like on the technical side for your organization. See NIST, Framework for Improving Critical Infrastructure Cybersecurity, Version 1.1 (available at https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf).

b.) Controls

The organization will need a variety of physical, administrative, and technical controls.

Physical controls include safeguarding server rooms to video monitoring of secure areas (*be careful if you are collecting biometric information, this is also a fast-moving area).

Administrative controls include the policies and SOPs discussed earlier, but also that there are folks responsible for these duties, there is training, review, auditing, discipline, and more.

Technical controls can take many forms but include changing passwords regularly, implementing two-factor authentication where possible, and regularly informing employees of the dangers of social engineering. Good cyber hygiene can prevent a cyber-attack from occurring in the first place, and in that regard is one of the most effective means of mitigating cyber risk.

6. Construction Cyber Culture

One final method of mitigating cyber risk is through fostering good cyberculture across the organization.

An organization is on its way to great construction cyber culture through the actionable items above: 1) team of trusted advisors, 2) selecting a plan, 3) third-party contracting and auditing, 4) cybersecurity insurance, and 5) policies and procedures.

Great construction cyberculture begins with a buy in at the top and demonstrating by example (so no exceptions!).

 

Conclusion

Unfortunately, organizations in almost every industry are navigating cyber threats and the construction industry is no exception. There are, however, a number of risk mitigation strategies that can be reviewed for applicability to an organization. As discussed, the first step is to find those experienced trusted advisors to help navigate this complex and sophisticated legal and technical terrain.

Subscribe to our newsletter.

*Attorney advertising. Prior results do not guarantee similar outcomes.

 

1 2 3 25