0
Construction Industry and Cyber AttacksWhy the Construction Industry Is Being Impacted By Cyber-Attacks, and What To Do About It

Why the Construction Industry Is Being Impacted By Cyber-Attacks, and What To Do About It

By Jennifer A. Beckage, Esq., CIPP/US, CIPP/E
and Daniel Parziale, Esq., CIPP/US

Introduction

For many years, the construction industry has appeared almost immune from cyber events because of the limited personal information it keeps. However, the last 12 months directly negate this view, reminding the industry that this perspective no longer carries weight. The construction industry is one of the leading industries impacted by data security incidents. This begs the question: why? And what can the industry do to address this rise in cyber threats?

Threat actors know that the construction industry is, in some areas, behind in data security and privacy initiatives. This is in large part because this industry, to date, avoided heavy regulation in data security and privacy laws. The limited regulation and guidance in the construction industry may have contributed to less focus on cybersecurity than in other industries.

Additionally, many in the construction industry are leveraging artificial intelligence technologies (AI) such as machine learning (ML) and robotics, among others. These new technologies still require data security and privacy risk assessments and proper controls in place, something that may be a second thought for those in the construction industry that, historically may not have had cybersecurity top of mind.

Lastly, the threat actors seek to extort money, and the construction industry presents a big, lucrative target. The exposure of cyber-attacks in construction, in part, is amplified by the amount of confidential and proprietary information digitally stored and shared across projects and their long information technology (IT) chains. Infrastructure, financial accounts, as well as the data of employees, projects, and business- sensitive information may be at risk. Accordingly, the number of cyber-attacks in the construction industry are growing exponentially.

The legal and threat landscapes are constantly changing, requiring those in the construction industry to be familiar or associate themselves with experienced tech and legal providers who can assist in navigating these rushing river waters.

 

Some of the Largest Cyber Risks Facing the Construction Industry

While the risks of cyber-attacks are not unique to the construction industry, their impact on the industry is distinctive.

For example, on January 30, 2020, French construction behemoth, Bouygues, announced that threat actors were holding 200GB of data ransom. See Naveen Gourd, Maze Ransomware hits Bird Construction and Bouygues Construction, https://www.cybersecurity-insiders.com/maze-ransomware-hits-bird-constriction-and-bouygues-construction/. Ultimately, the ransomware event caused a delay to various projects as Bouygues shut down various operating systems to prevent the propagation of the attack. See Bouygues, Press Release – Information on a Cyber-Attack, https://www.bouygues.com/wp-content/uploads/2020/01/prbouyguesconstructioncyberattack01-31-2020-pdf.pdf.

Unfortunately, Bouygues is not alone in their suffering. Bird Construction, a large Canadian construction company, suffered a similar ransomware attack in December 2019, where the threat actors were demanding $9,000,000 CAD in exchange for decrypting the 60GB of data they were holding for ransom. See Naveen Gourd, Maze Ransomware hits Bird Construction and Bouygues Construction, https://www.cybersecurity-insiders.com/maze-ransomware-hits-bird-constriction-and-bouygues-construction/.

These events are, unfortunately, very common in the construction industry.

There are five main cyber-attacks that could impact a construction company: i) ransomware; ii) fraudulent wire transfer; iii) downtime or business interruption; iv) breach of intellectual property; and v) breach of bid data. Each presents its impact and harm.

  • Ransomware: Ransomware, when a threat actor holds a computer system hostage for payment, can limit a construction company’s access to critical systems and potentially delay work at a project. Moreover, a construction company may be left with little choice but to incur the financial responsibility of paying the ransom. However, damage from a ransomware event is not simply limited to the payment of the ransom but may also include reputational damage.

 

  • Fraudulent Wire Transfers: Fraudulent wire transfers, often the result of social engineering, present a substantial risk to the construction industry, which is often moving large sums of capital around. Falling victim to fraudulent wire transfer not only presents dire fiscal issues for a construction company but can also lead to severe reputational harm.

 

  • Downtime or Business Interruption: The construction industry is heavily reliant on the ability to deliver projects on a deadline. A cyber-attack on a construction company’s software or equipment could potentially cause a delay in the project while the cyber-attack is properly addressed.

 

  • Breach of Intellectual Property: If a construction company is holding highly sensitive blueprints or schematics in its computer system, breach of these computer systems could result in major reputational damage and potential lawsuits.

 

  • Breach of Bid Data: If a construction company holds information regarding its bidding strategies on a computer system, access and acquisition of these files could lead to a loss of a competitive edge.

 

What Happens In A Data Breach

The fast-moving cyber threat landscape above is juxtaposed with emerging data security and privacy laws. In the United States, there is no overarching data security and privacy law(s). Instead, we have a patchwork of federal and state laws that may apply to an organization.

For example, let’s pretend that Company XZY suffers a data breach that not only seizes access to systems, but one such system is a human resources program that contains all of the employee’s personal information (whether hosted internally or with a third-party provider). Perhaps another system is a client management program that has a sensitive design or tenant plans or city or government projects with confidentiality treatment requirements. Assuming in this scenario that the threat actor accessed and then exfiltrated the human resource system and client management program data, then Company XZY would have to provide notice to all potentially impacted persons (the employees in our scenario) under a myriad of state and perhaps federal laws, but also under contract to the third parties whose confidential business information was impacted.

As it relates to the employees, it is important for the legal counsel for Company XZY to review where each employee resides to determine applicable laws that will direct notification requirements for employees. As one can imagine, in a data breach with hundreds or thousands or more employees who are impacted, this could become complicated, but there are seasoned professionals who can help the organization prepare and respond. Unfortunately, most organizations are not prepared.

Besides operational setbacks from a data security incident and notifications to potentially impacted persons, there could also be revenue loss, reputational harm, legal fees, technical costs, call center expenses, credit monitoring costs, regulatory reporting, third-party claims, and more.

There are, however, ways that this risk can be shifted.

 

Actionable Steps the Construction Industry Can Take to Mitigate Cyber Risk

There are several methods your organization can leverage to limit its exposure to cyber risks. These include but are not limited to: 1) building a team of trusted advisors; 2) picking the plan that is right for you; 3) evaluating risk so it is properly allocated through contract; 4) evaluating whether your organization has a strong cyber liability insurance policy; and 5) implementing good cyber hygiene and best practices.

1. Build A Team of Trusted Advisors

Cybersecurity preparedness will require knowledge and awareness across many roles within the organization. The leaders of the organization, information technology, legal, and most likely also marketing, sales, customer service, accounting, finance, human resources, and other groups to the extent they exist at the organization.

Third parties will likely need to be engaged as the legal and technical areas are emerging at rapid speeds. Further, the market is oversaturated with vendors, providers, partners of all types and sizes. Organizations should take time to validate credentials, years of experience, contractual terms, insurance carried, and more before engaging third-party partners to assist with cybersecurity program development.

2. You Pick the Plan

The organization’s team should, through a risk assessment, determine its cybersecurity program goals. Too often organizations are “sold” by a vendor as to a plan, but if a breach occurred such a plan would do very little to prevent legal and technical risk.

Some in the construction industry have robust experience with information technologies and others rely heavily on third parties. If the latter, find a trusted partner to help you manage your third-party providers if your organization does not fully understand technically what they are doing. Just like an employee, those third parties should be reviewed regularly (more on that soon).

3. Contract with Strong Data Security & Privacy Provisions

Another method of mitigating cyber risk is through contract. When reviewing your company’s agreements with third-party vendors and subcontractors, it should pay close attention to indemnification and insurance procurement provisions for how they might allocate cyber risk between the parties. A data security incident at one of your company’s vendors may have serious consequences when it exposes your business’ information. To that end, your company may want to consider including language in its third-party contracts which require vendors and subcontractors to indemnify your company in the event the third-party vendor or subcontractor suffers a data breach. Similarly, your company might want to consider requiring a third-party vendor or subcontractor to name your company as an additional insured on its cyber liability insurance policy. Both of these steps help in the event your third-party vendor suffers a data security incident, as the financial impact on your business would be minimal.

4. Cyber Liability Insurance

If the third parties the organization is using do not want to (or they should not) carry certain risk, one potential method of mitigating risk associated with cyber-attacks are a cyber liability insurance policy. These policies generally provide coverage for the following types of attacks:

  • Data Breach Expenses: When a threat actor accesses or acquires Personal Identifiable Information as defined by applicable law, your company has suffered a data security incident. Cyber liability insurance policies typically cover the costs of hiring lawyers, forensic IT security vendors, public relations, or crisis communication costs to assist you in handling your response. Moreover, cyber liability insurance policies cover the cost associated with notifying individuals and state regulators, providing identity and/or credit monitoring services to affected individuals, and running a call center.

 

  • Cyber Extortion or Ransomware: When a threat actor acquires access to your company’s systems and encrypts or otherwise locks you out of the network, demanding the payment of a ransom to unlock the system. Cyber liability insurance policies typically cover the cost of negotiating with the threat actor as well as potentially paying part of the ransom.

 

  • Fraudulent Wire Transfer: When a threat actor misdirects a wire transfer from your company to a vendor, your company is a victim of a fraudulent wire transfer. Cyber liability insurance policies will normally cover such fraudulent wire transfers if your company took certain steps to prevent them. Coverage for fraudulent wire transfers is generally limited to the amount of the wire transfer itself.

 

  • Business Interruption: When a threat actor executes a cyber-attack, some cyber liability insurance policies provide coverage for the loss of business income as a result of being locked out or shut down as part of the cyber-attack.

As provided above, cyber liability insurance policies generally cover the major types of cyber-attacks a construction company may face; however, cyber liability insurance is not the only means of mitigating the risk of a cyber-attack.

Cybersecurity insurance can provide first-party and third-party damages. Other insurance such as Tech Errors & Omissions may be options for some organizations to consider as well.

5. “What’s Good for the Goose is Good For The Gander” Policies and Practices

a.) Policies & SOPs

Applicable here is the old proverb “what’s good for the goose is good for the gander.”

If an organization is going to require that its vendors and third-party partners have certain controls and practices, then that organization should perhaps think about its practices. In fact, its insurance carrier may require it. Also, the organization may have requirements under laws and regulations, under contract, or other duties owed.

This is where most organizations are paralyzed – it sounds overwhelming. Or they find some stock policies, modify them slightly, and place the policies on a virtual shelf.

In creating policies, the team charged with building a construction cybersecurity program will identify first the laws that apply to the organization, IT standards it wishes to follow, along with other guiding principles – organization mission, vision, codes of conduct, or company ethics policies, and more.

Policies and standard operating procedures can come in a myriad of shapes and sizes, which makes creating them sometimes difficult for organizations – too many choices – so they pick and choose from numerous templates and the result is, frankly, often a mess.

Organizations should plan to take time to put together written policies and procedures that reflect the organization’s goals, vision, standards, controls, and more – not some other organization’s that is in a template found online.

What are some good cybersecurity controls and practices? The National Institute of Standards and Technology’s (“NIST”) Cybersecurity Framework Version 1.1 offers for some a good place to start looking at what a cybersecurity program may look like on the technical side for your organization. See NIST, Framework for Improving Critical Infrastructure Cybersecurity, Version 1.1 (available at https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf).

b.) Controls

The organization will need a variety of physical, administrative, and technical controls.

Physical controls include safeguarding server rooms to video monitoring of secure areas (*be careful if you are collecting biometric information, this is also a fast-moving area).

Administrative controls include the policies and SOPs discussed earlier, but also that there are folks responsible for these duties, there is training, review, auditing, discipline, and more.

Technical controls can take many forms but include changing passwords regularly, implementing two-factor authentication where possible, and regularly informing employees of the dangers of social engineering. Good cyber hygiene can prevent a cyber-attack from occurring in the first place, and in that regard is one of the most effective means of mitigating cyber risk.

6. Construction Cyber Culture

One final method of mitigating cyber risk is through fostering good cyberculture across the organization.

An organization is on its way to great construction cyber culture through the actionable items above: 1) team of trusted advisors, 2) selecting a plan, 3) third-party contracting and auditing, 4) cybersecurity insurance, and 5) policies and procedures.

Great construction cyberculture begins with a buy in at the top and demonstrating by example (so no exceptions!).

 

Conclusion

Unfortunately, organizations in almost every industry are navigating cyber threats and the construction industry is no exception. There are, however, a number of risk mitigation strategies that can be reviewed for applicability to an organization. As discussed, the first step is to find those experienced trusted advisors to help navigate this complex and sophisticated legal and technical terrain.

Subscribe to our newsletter.

*Attorney advertising. Prior results do not guarantee similar outcomes.

 

Force Majeure Contract Provisions Amid the COVID-19 Pandemic

Force Majeure Contract Provisions Amid the COVID-19 Pandemic

As COVID-19 puts pressure on companies trying to comply with their contractual obligations, it is time to take a look at the provision that might excuse performance: the Force Majeure provision.  This provision works to excuse parties from performing their obligations when an unforeseen event occurs.  COVID-19 may fall right into the description of that unforeseen event, but whether a party can take advantage of performance excusal depends on the Force Majeure provision itself.  Given the ever-changing landscape around COVID-19,organizations may want to consider the following to understand what terms come into play for a Force Majeure event:

1.     Review Your Force Majeure Provision

What events are covered?

Look at the events listed in the Force Majeure provision.  Most Force Majeure provisions state that Force Majeure events occur when the event is “beyond the party’s control.”  If an organization is claiming Force Majeure, it should be prepared to make the argument that federal and state mandates pursuant to COVID-19 are beyond its control.  If specific events are listed in the provision, organizations should review whether the event aligns with COVID-19.  For example, “acts of God,” public health emergencies, epidemics, or pandemics maybe listed. It is worth noting in light of the COVID-19 pandemic that a virus/bacteria may be excluded if it is a contract for health-related services.

Are any events carved out?

Review whether any specific events are carved out of the provision.  Savvy contract drafters will carve out certain events that are more likely to impact performance for the specific services being provided to ensure the performance is not excused.

How is the event triggered?

The occurrence of Force Majeure events does not necessarily trigger the provision.  Some provisions may require formal declarations from federal or state entities declaring emergencies.  Organizations should evaluate whether the Force Majeure provision has any such prerequisites for excusing performance.

It is also possible that reactions to COVID-19 will greatly frustrate an organization’s performance,rather than making it so impossible that the performance is excused under a Force Majeure provision.  In these cases, there is no clear-cut answer of how to handle, so the parties will need to work together to come up with solutions that make complying with contractual obligations easier.

2.     Review Requirements for Claiming Force Majeure

The contract may include specific deadlines and notice requirements for claiming Force Majeure. Organizations should review the requirements for making such a claim to avoid missing the relevant window of time.

3.     Consider Contracts Being Currently Negotiated

If an organization is in the middle of negotiations for an agreement, it should review the Force Majeure provision and consider adjusting to contemplate complications arising from COVID-19.  The organization can also consider adding additional termination rights or longer periods for cure to combat further fallout from the virus.

Our Beckage Team continues to closely monitor the legal and business implications associated with the COVID-19 pandemic.  It is critical that companies align with experienced counsel to proactively assess their existing contractual obligations and the obligations of their counterparts.  The Beckage Team can help assess liability coverage, using their expertise to help map out a nuanced cyber liability insurance plan for your business in the event coverage is needed.  

*Attorney Advertising: Prior Results Do Not Guarantee a Similar Outcome

Subscribe to our newsletter.

Important Privacy Developments in New York State

Important Privacy Developments in New York State

**Alert Update: The SHIELD Act has been signed into law, and is effective in New York State on March 22, 2020.

As always, Beckage lawyers are available to assist in addressing any questions you may have regarding data security developments. Please feel free to contact us.

There are two important privacy developments in New York State that companies should take note of: the Stop Hacks and Improve Electronic Data Security (SHIELD) Act and the New York Privacy Act (NYS5642).  If passed, these pieces of legislation will impose more stringent data security requirements on companies that collect information from New York residents.

1.       THE SHIELD ACT

Passed by the State’s legislature, the SHIELD Act updates New York’s general business law (GBL 899-aa) governing notification requirements, consumer data protection obligations, and broadens the Attorney General’s oversight regarding data breaches impacting New Yorkers.

Specifically, the Act purports to:

  • Expand the scope of information subject to the current data breach notification law to include biometric information, email addresses, and corresponding passwords or security questions and answers;  
  • Broaden the definition of a data breach to include unauthorized “access” to private information from the current “acquired” standard;
  • Apply the notification requirement to any person or entity with private information of a New York resident, not just to those that conduct business in New York State;  
  • Update the notification procedures companies and state entities must follow when there has been a breach of private information; and
  • Create reasonable data security requirements tailored to the size of a business.

STATUS

Passed by the legislature, awaiting signature by the Governor. Additionally, amendments to the Act are currently pending. 

**Alert Update: The SHIELD Act has been signed into law, and is effective in New York State on March 22, 2020.

2.       THE NEW YORK PRIVACY ACT (NYS5642)

This bill, which has passed the Senate, was proposed by State Senator Thomas and is currently pending before the Senate Consumer Protection Committee. It has been compared to the General Data Protection Regulation and California Consumer Protection Act but differs in certain respects. Among other things, it purports to apply to most entities doing business in New York State, and includes those businesses outside the state that produce products or services targeted to NYS residents. Unlike the CCPA, there is no monetary or revenue threshold that must first be met to be included in the Act’s jurisdictional scope. 

This Act governs (and in some instances, limits) the collection and use of personal data by those entities. It requires consent, provides for certain data subject rights (correction, deletion), and includes a private right of action against companies processing jurisdictional PD. The bill does purport to exempt from its reach data sets governed by HIPPA/HITECH.

STATUS

Pending in Senate Consumer Protection Committee.  

PREDICTION

This bill is likely to pass the Senate.  However, as there is no same-as bill in the Assembly, the bill likely will not be passed this session. That said, it is a priority bill for Sen. Thomas and we expect more pressure next year to pass it.

Beckage PLLC continues to monitor privacy bills and regulations pending in New York State, including:

  • Proposed NYS Biometric Privacy Act;
  • Department of Financial Services regulations impacting credit reporting agencies;
  • New York Department of State Emergency Regulations on Identify Theft prevention and mitigation;
  • Proposed legislation relating to the New York State Cyber Security Advisory Board, a Cyber Security Action Plan for the State, and Periodic Cyber Security Reports.

Have questions? Our team at Beckage is uniquely positioned to advise on emerging privacy laws at both the state and national level. Contact us today for a consultation.

*Attorney Advertising: Prior results do not guarantee a similar outcome.

Wooden mazeEvolving Privacy Paradigms

Evolving Privacy Paradigms

Privacy paradigms all over the world are quickly evolving, starting with the European Union’s adoption of the General Data Protection Regulation (GDPR), Brazil’s General Data Protection Law, India’s pending Personal Data Protection Bill, and California’s just-passed Consumer Privacy Act. While the specifics vary, the international trend in adopting a comprehensive privacy law to govern all sectors, industries and emerging technologies remains. What’s more, the international paradigm is shifting away from a US-backed view of personal data as a commodity, and towards the EU’s view of personal data as an extension of self, with a range of human rights implications for data subjects. From the right to notice, access and correction to the right to portability and even erasure, companies subject to international privacy laws must have processes in place to identify personally identifiable information and respond expeditiously to the requests of individuals.

Depending on past data practices, businesses may also be faced with legacy archives of personal data now subject to international regulation. Inventorying your company’s data archives, classifying that data based on its content and sensitivity, and processing or destroying it appropriately are all necessary steps that businesses will need to take in the near term. Businesses should also consider whether de-identification and anonymization of personally identifiable information provides an avenue to avoid the strictures of some of these international privacy regimes.

To successfully operate in a multi-jurisdictional world businesses must appreciate the evolving privacy paradigms currently in play and adapt to them within the requisite time frames. With penalties nearing 4% of annual worldwide revenues for the GDPR, compliance is key. Beckage attorneys know the difference between being in compliance with privacy laws, and being able to demonstrate that compliance to the satisfaction of a national or international regulator. Call experienced counsel on whether and how your company can comply with the GDPR or national and international privacy laws.

DISCLAIMER: This client advisory is for general information purposes only. It does not constitute legal advice, and may not be used and relied upon as a substitute for legal advice regarding a specific issue or problem. Advice should be obtained from a qualified attorney or practitioner licensed to practice in the jurisdiction where that advice is sought.