The true meaning of malicious
by Adam Cottini and Brian Cooper
December 19, 2018

As businesses become increasingly reliant on technology, they are exposed to cyberrisk, regulatory oversight and, potentially, liability for their employees’, clients’ and business partners’ data violations. New tools and technologies help contractors manage data, control systems and deliver services, while improving collaboration and efficiency between engineers, architects, building owners and contractors.

However, that data and the systems that run it are vulnerable to human error and malicious attack, and the contractor can be liable for the consequences—even if the data is held by a third party, such as a subcontractor, information technology (IT) vendor or cloud provider.

Construction companies are responsible for the safekeeping of data entrusted to them. That data could be employee information, including personally identifiable information (PII), such as names, addresses, Social Security numbers, credit card information, etc. It also includes intellectual property, contracts, project data, bids, plans, specifications, business information modeling (BIM) systems, and equipment controlled by supervisory control and data acquisition (SCADA). 

Potential for a Breach

Employee negligence or malicious acts, or the failure of internal processes, can lead to a breach of private information or unauthorized access to systems and data. Employees must be trained regularly to spot and report phishing attempts. They must also be reminded not to access unauthorized third-party applications, social media accounts, etc.

Construction businesses not only have potential liability to others whose data they hold, but they are also exposed to their own loss due to failure of computer security or a breach of privacy. Of course, contractors also face threats from outside the organization—from criminals: hackers, corporate espionages and nation states. Motives for malicious acts vary, but the damage caused can be severe.

For example, while the aim of many ransomware attacks is to look for easy money, some disguise attempts to take intellectual property that will shortcut their own development, and others attempt to disrupt our whole society. This year, the United States government has blamed North Korea for the WannaCry ransomware attacks and Russia for the cyberattacks that targeted American and European nuclear power plants, water and electric systems.

Contractors should make sure that their vendors (for which they are likely responsible, contractually or otherwise) manage their own security and privacy risk. Construction companies can be particularly exposed in this area through their reliance on IT consultants, cloud providers and other business partners—all of which have the potential to lead to the interruption of projects and the introduction of liability to contractors.

Increasingly, principals and owners require their vendors to match the privacy/security obligations that apply to them. This imposes good security/privacy practices on the vendor and passes responsibility and liability down the contractual chain.

Privacy Regulations

Construction businesses are similar to those in other sectors in that they are entrusted with data that belongs to their employees and business partners—PII like health and financial information. However, engineering and construction organizations face additional cyberrisk through their use of specialized technologies and applications in the management and delivery of projects and services.

Those tools and applications include the use of cloud providers to store data and run software; mobile devices to facilitate on-site tracking, reports, logistics and analytics; 3D and 5D BIM; Intelligence Community Standards (ICS); SCADA; drones and other autonomous machinery; robotics and biometrics. These tools and applications help with productivity, collaboration and margin, but they bring risk that impacts projects, relationships and completion schedules.

Construction businesses are particularly vulnerable to claims alleging breach of confidential business information (bid and project data/specifications, owner processes and project management); unauthorized access and interference with project plant, data and specifications in SCADA and BIM; bodily injury and property damage through failure of devices; robotics, and remote control of processes and physical security; and liability for delay and business interruption caused by unauthorized access to project data and systems.

Additionally, organizations are exposed to their own costs of responding to a breach in terms of notification to affected individuals; the cost of forensic investigation to establish the cause and extent of the incident; data restoration; and business interruption.

In the U.S., the construction industry overlaps with nearly every other sector of the economy, and all states now have privacy regulations that require notification of breaches of personal information. Clients include regulated entities, such as financial institutions and healthcare entities, that are subject to strict cybersecurity and privacy regulations.

Even some government agencies have been hacked in recent years, including the 2015 and 2016 hacks of the U.S. Office of Personnel Management (OPM), Federal Bureau of Investigation (FBI), Department of Homeland Security (DHS) and Internal Revenue Service (IRS). The now take an increasing interest in enforcing data and privacy requirements on contractors.

In a 2017 amendment, the Federal Acquisitions Regulations (FAR), defined PII and required that a contractor train their employees on maintaining proper records and ensuring that subcontractors comply similarly before giving employees access to sensitive information.

In addition to the state breach-notification and data-security laws, construction companies are further subject to numerous state and federal laws and regulations. Examples include DHS, Homeland Security Acquisition Regulation (HSAR) and, as business associates, the Health Insurance Portability and Accountability Act (HIPAA).

Combatting the Risk

Cyber insurance is one part of a planned risk management program and assists not only with risk transfer, but with loss of income, breach response and post-breach services as well. Traditional insurances, such as property or general liability, were not designed to address cyberrisk, so a specific cyber policy is needed to address the unique risks surrounding data privacy and computer security.

The construction industry’s use of and reliance upon new technologies brings cyberrisk that must be actively managed though policies and procedures, contractual terms and risk transfer. Regulations increasingly overlay contractual responsibilities in this area, and principals (including government agencies) are rapidly imposing requirements on contractors that are becoming new industry standards. 

It is incumbent upon construction businesses to take steps to manage and mitigate their cyberrisk. Set the tone from the top by establishing policies, procedures and standards for ethics and integrity; data encryption; employee training and awareness; segregation of data; proper funding for systems and their maintenance; contract negotiation with subcontractors and vendors; and incident response plans.