Data Security and Privacy

By Jessica C. Engler

Canada’s mandatory data breach reporting requirements under the Personal Information Protection and Electronic Documents Act (“PIPEDA”) became effective on November 1, 2018. The Office of the Privacy Commissioner of Canada released new guidance explaining the breach reporting requirements for private-sector businesses that operate in Canada or do business with Canadian customers. The new requirements, particularly the breach notification requirements, should be on the radar of any United States-based business that also does business in Canada.

Under PIPEDA, organizations must report breaches of security safeguards to the Office of the Privacy Commissioner of Canada if the breach creates “a real risk of significant harm” to an individual.[1] Regardless of the size of the breach or the number of affected persons, the breach must be reported if the organization determines that it creates a real risk of significant harm. The Privacy Commissioner’s guidance clarifies that the organization in control of the personal information is the one required to report the breach and to notify affected individuals. Even when an organization has transferred the data to a third-party processor, the organization in control remains responsible for reporting and notification.

Naturally, a standard such as “real risk of significant harm” is open to some level of subjectivity and interpretation; however, the Privacy Commissioner has offered guidance to assist businesses in their review. Significant harm is defined as “bodily harm, humiliation, damage to reputation or relationships, loss of employment, business or professional opportunities, financial loss, identity theft, negative effects on credit record and damage or loss of property.” Factors to be considered in determining whether the breach creates a real risk of significant harm include: (1) the sensitivity of the personal information involved in the breach; and (2) the probability that the personal information has been, is being, or will be misused. “Sensitivity” is not defined by PIPEDA, but the concept is discussed in Principle 4.3.4 of Schedule 1, which provides some general considerations:

Although some information (for example, medical records and income records) is almost always considered to be sensitive, any information can be sensitive, depending on the context. For example, the names and addresses of subscribers to a news magazine would generally not be considered sensitive information. However, the names and addresses of subscribers to some special-interest magazines might be considered sensitive.

Both the report to the Commissioner and the notification to affected individuals must be made “as soon as feasible” after the organization determines that a breach has occurred. Notification to individuals must be conspicuous, understandable, and given directly to the individual, and the report and notification together must include several pieces of information, including:

  • A description of the breach circumstance and, if known, its cause
  • The day or time period when the breach occurred
  • A description of the personal information subject to the breach
  • A description of the organization’s risk mitigation measures
  • A point of contact
  • The number of individuals affected
  • A description of how the organization will notify individuals

Organizations are required to maintain records of each data breach for at least 24 months after the date on which the breach was discovered. The records must contain sufficient information to allow the Office of the Privacy Commissioner to confirm that the organization has complied with the law.

The new law, which has been in the works for quite some time, includes extensive requirements and regulations in the event of a breach. In the event that a business determines that the sensitive information of a Canadian customer has been breached, the business would be well advised to consult with an attorney knowledgeable about PIPEDA and Canada’s data security laws.

***********************************************

[1] “What you need to know about the mandatory reporting of breaches of security safeguards”, Office of the Privacy Commissioner of Canada (available at https://www.priv.gc.ca/en/privacy-topics/privacy-breaches/respond-to-a-privacy-breach-at-your-business/gd_pb_201810/#_Part_1).

By Sarah W. Anderson

On November 1, 2018, Senator Ron Wyden, a Democrat from the state of Oregon, introduced a discussion draft of a bill that would create stronger consumer privacy protections.[1] The draft legislation, referred to as the Consumer Data Protection Act, SIL18B29 (the “Bill”), amends and increases the powers of the Federal Trade Commission (“FTC”).[2]

According to Senator Wyden’s webpage, he drafted the Bill because “[t]he explosive growth in the collection and sale of consumer information enabled by new technology poses unprecedented risks for Americans’ privacy,” a risk he believes the Federal Government has continually failed to address.[3] Senator Wyden’s Bill therefore both imposes greater security protection standards and sharpens the FTC’s teeth in terms of enforcement.

The Bill would empower the FTC, as the “nation’s main privacy and data security regulator,” to fine and, yes, even jail American executives for failure to protect consumer information. Specifically, the Bill proposes the following powers and tools for the FTC, which Senator Wyden hopes will give Americans greater privacy and control over their own personal data:

  1. Establish minimum privacy and cybersecurity standards.
  2. Issue steep fines (up to 4% of annual revenue) on the first offense for companies and 10-20 year criminal penalties for senior executives.
  3. Create a national Do Not Track system that lets consumers stop third-party companies from tracking them on the web by sharing data, selling data, or targeting advertisements based on their personal information. It permits companies to charge consumers who want to use their products and services, but don’t want their information monetized.
  4. Give consumers a way to review what personal information a company has about them, learn with whom it has been shared or sold, and to challenge inaccuracies in it.
  5. Hire 175 more staff to police the largely unregulated market for private data.
  6. Require companies to assess the algorithms that process consumer data to examine their impact on accuracy, fairness, bias, discrimination, privacy, and security.[4]

Additionally, businesses with annual revenue exceeding $1 billion that also store data on more than 50 million consumers would have to submit an annual data protection report to the FTC detailing their compliance with the relevant security regulations. What’s more, under proposed §1352(b), entitled “Failure of Corporate Officers to Certify Data Protection Reports,” Chief Executive Officers, Chief Information Security Officers, and Chief Privacy Officers could be jailed for failure to certify and file the annual reports to the FTC that document the company’s efforts to comply with the Bill.

An executive’s first offense of this section will result in a fine “not more than the greater of $1,000,000.00 or 5 percent of the largest amount of annual compensation the person received during the previous 3-year period…imprison[ment] not more than 10 years, or both[.]” The same section prescribes that “intentional[ly]” certifying false statements for annual reports will result in a fine of “not more than the greater of $5,000,000.00 or 25 percent of the largest amount of annual compensation the person received during the previous 3-year period” or imprisonment “not more than 20 years, or both[.]”[5]

If passed, the Bill would represent a massive overhaul and expansion of the FTC’s powers and available punishments. Today, the FTC’s privacy enforcement authority rests primarily on Section 5 of the FTC Act, which prohibits “unfair or deceptive acts or practices.”

*****************************************************

[1] https://www.wyden.senate.gov/news/press-releases/wyden-releases-discussion-draft-of-legislation-to-provide-real-protections-for-americans-privacy

[2] https://www.wyden.senate.gov/download/11012018-wyden-privacy-bill-discussion-draft

[3] https://www.wyden.senate.gov/news/press-releases/wyden-releases-discussion-draft-of-legislation-to-provide-real-protections-for-americans-privacy

[4] https://www.wyden.senate.gov/download/11012018-wyden-privacy-bill-one-pager

[5] https://www.wyden.senate.gov/download/11012018-wyden-privacy-bill-discussion-draft

By Sarah W. Anderson

While an ocean away, the supermarket chain Morrisons’ loss in the Court of Appeal of England and Wales should act as a warning to all United States-based and international companies. On October 22, 2018, the Court of Appeal dismissed Morrisons’ appeal and upheld the landmark High Court ruling holding Morrisons vicariously liable for the intentional actions of a former employee, Andrew Skelton, that led to the leak of the personal information of more than 100,000 of its employees. The decision came down despite Morrisons having demonstrated that it had lawfully discharged its own obligations under the United Kingdom’s Data Protection Act 1998. In July 2015, Skelton was sentenced to eight years in prison.

This decision represents the United Kingdom’s warning that organizations have a significant duty to protect the personal data of their customers and employees that goes beyond the data breach rules issued by individual countries. With 5,558 members of the class action, Morrisons is expected to face a hefty compensation ruling. According to Nick McAleenan, a partner and data privacy law specialist at JMW Solicitors, who represented the class, “Large corporations take responsibility when things go wrong in their own business and cause harm to innocent victims. It is important to remember that data protection is not solely about protecting information – it is about protecting people.” A spokesperson for Morrisons publicly stated that the company will now appeal this decision to the Supreme Court.

Going forward, compliance officers for various corporations should anticipate legal responsibility for any type of data breach under the legal theory of vicarious liability if the Morrisons decision crosses the Atlantic. This is yet another signal of the importance to improve security protocols for company data, as well as additional screening for employees entrusted with that data.

Indeed, on October 26, 2018, the Middle District of North Carolina approved a class-action settlement for a 2016 disclosure of personal identifying information of employees of HAECO Americas, Inc. (“HAECO”), after W-2 statements were leaked in response to a phishing scheme. See David Linnins, et al v. HAECO Americas, Inc., 2018 WL 5312193 (M.D.N.C., 2018). The class action plaintiffs “asserted claims for negligence, invasion of privacy, and violation of the North Carolina Unfair and Deceptive Trade Practices Act[,] which included an alleged violation of the North Carolina Identity Theft Protection Act.” Id. at *1. According to published details of the settlement agreement, HAECO agreed to the following terms:

  • Provide affected parties with 2 years of Experian Protect MyID Elite services;
  • Reimburse $350 to members of the class who previously purchased similar identity theft monitoring programs;
  • Establish a claim fund in the amount of $312,500 to compensate class members for damages, expenses, and inconveniences they incurred; and
  • Take data and cybersecurity steps, including mandatory cybersecurity training for all employees, for at least three years. Id. at *1-*2.

The Middle District of North Carolina further ordered that the Plaintiffs’ counsels’ request for $150,000.00 in additional attorneys’ fees was reasonable. Id. at *4.

By Sarah Anderson

Adding publicity to the recent string of security breaches, Gemalto’s Breach Level Index released figures on October 9, 2018 showing that in the first half of 2018 approximately 291 records were stolen or exposed every second.[1] Gemalto estimates that 945 data breaches led to 4.5 billion data records being compromised worldwide, an increase of approximately 133% over the same period of the prior year. These breaches came from varying industries, with health care representing 27% of breach incidents and the financial sector following with an estimated 14%. Of all the records stolen, just 1% are estimated to have been encrypted, and only 9% of the breaches were the result of accidental loss.

This information is more than a public service announcement. Both threatened and actual data security breaches pose a significant legal threat to all types of businesses, large and small, global and local. Many forward-thinking organizations are therefore strengthening their security controls and updating their policies to mitigate potential legal claims arising from breaches.

While the question of whether the fear of identity theft following a data breach is sufficient to confer standing for a class action is largely undecided in the United States, the United Kingdom’s High Court has already answered in the affirmative. More than 5,000 current and former employees of Morrisons, a supermarket chain, are suing the company in a class action for damages related to a data leak that exposed them to potential identity theft and financial loss. In 2014, a Morrisons employee leaked the names, addresses, bank account details and salaries of roughly 100,000 co-workers online and sent the data to a newspaper.[2] While Morrisons spent more than 2 million pounds to mitigate and remedy the breach, the question of the monetary damages it may owe its employees remains outstanding.

The Morrisons matter was the first data leak class action in the United Kingdom.[3] In 2017, the High Court ruled that Morrisons was vicariously liable for the criminal data breach by its former employee and allowed those affected to claim compensation for distress. Morrisons is presently appealing that ruling.[4]

No similar legal battle has yet played out so openly in the United States; Target’s 2013 data breach, for example, ended in multi-million dollar settlements with affected customers rather than a contested judgment. However, with the ongoing and ever-increasing number of cyber threats and attacks on both private and public organizations, victims of data breaches may well become the next wave of class action plaintiffs.

If you have questions on how to protect your business and/or mitigate such claims in the future, please contact Sarah Anderson and Erin Kilgore.

____________________________________________

[1]https://www.gemalto.com/press/Pages/Data-Breaches-Compromised-4-5-Billion-Records-in-First-Half-of-2018.aspx

[2] https://www.bbc.com/news/uk-england-42193502

[3] https://www.theregister.co.uk/2018/10/09/morrisons_data_breach_appeal/

[4] https://www.bbc.com/news/uk-45793598


By Sarah W. Anderson

On September 27, 2018, Gov. John Bel Edwards declared October to be Cybersecurity Awareness Month in the State of Louisiana, signing a Proclamation in front of members of the Louisiana Cybersecurity Commission. By signing the Proclamation, Gov. Edwards simultaneously kicked off a Cybersecurity Awareness Campaign promulgated by the Louisiana Cybersecurity Commission. The goal of the Commission, the Proclamation, and the Cybersecurity Awareness Month Campaign is to enhance and improve Louisiana’s cybersecurity ecosystem. Gov. Edwards stated at the signing that, “There is no doubt that Louisiana is a leader in cybersecurity.” He emphasized that “No state has more protections for its citizens and its businesses than Louisiana.” Gov. Edwards referenced upcoming proposed legislation concerning cybersecurity protections for Louisiana citizens and businesses in his remarks following the signing. The Proclamation and the formation of the Louisiana Cybersecurity Commission follow Louisiana’s recently updated data breach notification law, which went into effect earlier this year. Copies of both the Proclamation and the Cybersecurity Awareness Campaign Model can be found on the Louisiana Cybersecurity Commission’s website.

Kean Miller attorneys will continue to update their clients on relevant cybersecurity news and changes in any relevant legislation and regulations.  If you have any questions concerning this, please contact Sarah Anderson and Jessica Engler from Kean Miller.

By James R. “Sonny” Chastain, Jr.

In a recent Supreme Court decision involving the Fourth Amendment, Chief Justice Roberts noted that there are 396 million cell phone accounts in the United States for a nation of only 326 million people. The cell phone provides numerous functions including access to contacts, data, information and the internet. Some studies suggest people check their cell phones every ten minutes and are less than five feet away from the phone most of the time. The cell phone has become an integral part of daily living. While that development may be productive in terms of overall access to information, it also creates certain risks that employers should consider.

In many instances companies operate on a bring-your-own-device (“BYOD”) basis. Employers should consider what business information is available to an employee on his or her personal cell phone. An employer is exposed if an employee’s phone is connected to the employer’s systems and can reach valuable confidential information. The risk is that the employer’s business information may “walk” out the door with the employee. Moreover, if business information becomes commingled with the employee’s personal information, there can be a problem “unscrambling” the two, or wiping the phone, on departure. Certainly one approach is to not permit the employee to have access to the information on the phone. However, an employee may need that access in order to perform his or her job responsibilities. Employers should consider whether to adopt a cell phone policy that addresses how employees should use the phone, any issues regarding expectation of privacy, ownership of information, and wiping upon termination.

Additionally, a cell phone may cause distracted driving. Whether ringing, beeping or vibrating, the cell phone may cause drivers to lose focus. A driver’s belief that the ever-important text or email may have just come in can create an overwhelming desire to check and respond. To the extent an employee is on the road, the temptation to text, call or open an app creates serious risks. Distracted driving has been alleged to be a contributing factor in as many as 80% of automobile accidents on the road today. Employers need to recognize this risk and be proactive in addressing it. Employers should consider having a policy regarding the use of cell phones while driving.

Cell phones are integrated into our daily activities; just look around at any restaurant, on any elevator, or at a stop light. No matter the time, place or circumstances, staying connected seems to be of utmost importance. A cell phone is certainly very beneficial in facilitating access to people and information. However, cell phones also bring certain risks. Employers may want to consider which of those risks apply to them and what policies to put in place to address them.

By Sarah W. Anderson

Companies using Apache Struts 2 should be aware of a vulnerability that could lead to a security breach and, with it, breach notification duties. On August 22, 2018, the Apache Software Foundation published security bulletin S2-057 describing the correction of a vulnerability recently found in its web application framework, Apache Struts.

Apache Struts is an open source web application framework that uses a model-view-controller architecture. The security bulletin posted on https://cwiki.apache.org credits Man Yue Mo of the Semmle Security Research team with finding a flaw in the Struts 2 framework (S2-057, CVE-2018-11776) that would allow an attacker to perform a remote code execution “attack when namespace value isn’t set for a result defined in underlying configurations and in same time, its upper action(s) configurations have no or wildcard namespace[.]”[1] There is a similar possible attack “when using [an] url tag which doesn’t have value and action set and in same time, its upper action(s) configurations have no or wildcard namespace.”[2] The vulnerability may affect any entity running an unpatched Struts 2 application, from small businesses to Fortune 100 companies.

The description of the vulnerability has been posted online, and this “blueprint” is expected to serve as an easy “how-to” guide for attackers. Attackers may exploit websites running vulnerable Struts 2 versions by sending crafted requests to hosted sites, to which the web servers will respond by running code of the attacker’s choosing. This would allow attackers to undertake malicious acts such as copying or deleting consumer data or installing other malware. Indeed, Equifax’s 2017 breach, in which the sensitive information of roughly 143 million people was compromised before the intrusion was discovered on July 29, 2017, was carried out through an earlier, unpatched Struts 2 vulnerability (S2-045).
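As an added example (not code from the Apache advisory, from Semmle, or from the original post), the following Python script audits a Struts 2 deployment’s struts.xml and JSP files for the two configuration patterns the advisory quoted above describes: forwarding results (chain and redirectAction) that do not set their own namespace inside a package whose namespace is absent or a wildcard, and s:url tags that set neither value nor action. The sample configuration and JSP fragment are constructed for illustration, and the check of the struts.mapper.alwaysSelectFullNamespace constant reflects the researcher’s published analysis, which identified that setting as what lets a namespace taken from the request URL reach those results. Upgrading to a fixed Struts release is the remedy; this script only locates where the advisory’s “always set the namespace” advice was not followed.

```python
"""Audit a Struts 2 deployment for the configuration patterns in S2-057.

Added example; not code from the Apache advisory or the original post.
Patching to a fixed Struts release is the remedy; this only locates where
the advisory's "always set the namespace" advice was not followed.
The struts.xml and JSP samples below are constructed, not real.
"""
import re
import xml.etree.ElementTree as ET

# Result types that forward to another action and so resolve a namespace.
FORWARDING_RESULT_TYPES = {"chain", "redirectAction"}

SAMPLE_STRUTS_XML = """<struts>
  <constant name="struts.mapper.alwaysSelectFullNamespace" value="true"/>
  <package name="default" extends="struts-default">
    <action name="home">
      <result type="redirectAction">welcome</result>
    </action>
    <action name="login" class="com.example.LoginAction">
      <result name="success" type="redirectAction">
        <param name="actionName">dashboard</param>
        <param name="namespace">/app</param>
      </result>
      <result name="input">/login.jsp</result>
    </action>
  </package>
  <package name="wild" namespace="/*" extends="struts-default">
    <action name="view">
      <result type="chain">detail</result>
    </action>
  </package>
  <package name="app" namespace="/app" extends="struts-default">
    <action name="dashboard">
      <result type="redirectAction">summary</result>
    </action>
  </package>
</struts>
"""

SAMPLE_JSP = """<%@ taglib prefix="s" uri="/struts-tags" %>
<s:url var="homeUrl" action="home"/>
<s:url var="cssUrl" value="/static/site.css"/>
<s:url var="selfUrl"/>
<s:url var="pagedUrl"><s:param name="page" value="2"/></s:url>
"""

def namespace_is_unsafe(namespace):
    """Missing, empty, or wildcard namespaces let the request supply one."""
    return namespace is None or namespace.strip() == "" or "*" in namespace

def result_sets_namespace(result):
    """True when the <result> carries its own <param name="namespace">."""
    return any(param.get("name") == "namespace" and (param.text or "").strip()
               for param in result.findall("param"))

def audit_struts_config(xml_text):
    """(package, action, result type) for each forwarding result at risk."""
    root = ET.fromstring(xml_text)
    findings = []
    for package in root.iter("package"):
        if not namespace_is_unsafe(package.get("namespace")):
            continue
        for action in package.findall("action"):
            for result in action.findall("result"):
                rtype = result.get("type", "dispatcher")  # Struts default type
                if rtype in FORWARDING_RESULT_TYPES and not result_sets_namespace(result):
                    findings.append((package.get("name"), action.get("name"), rtype))
    return findings

def always_select_full_namespace(xml_text):
    """True when struts.mapper.alwaysSelectFullNamespace is on. The researcher's
    write-up of S2-057 named this setting as what lets a namespace taken from
    the request URL reach the results flagged above."""
    root = ET.fromstring(xml_text)
    for constant in root.iter("constant"):
        if constant.get("name") == "struts.mapper.alwaysSelectFullNamespace":
            return constant.get("value", "").strip().lower() == "true"
    return False

URL_TAG = re.compile(r"<s:url\b([^>]*?)/?>", re.IGNORECASE)
TARGET_ATTR = re.compile(r"\b(value|action)\s*=", re.IGNORECASE)

def find_url_tags_without_target(jsp_text):
    """Each <s:url> opening tag that sets neither value nor action."""
    return [m.group(0) for m in URL_TAG.finditer(jsp_text)
            if not TARGET_ATTR.search(m.group(1))]

if __name__ == "__main__":
    for pkg, act, rtype in audit_struts_config(SAMPLE_STRUTS_XML):
        print(f"package {pkg!r}, action {act!r}: {rtype} result without namespace")
    print("alwaysSelectFullNamespace:", always_select_full_namespace(SAMPLE_STRUTS_XML))
    for tag in find_url_tags_without_target(SAMPLE_JSP):
        print("url tag without value/action:", tag)
```

Run against the constructed sample, the script flags the home action in the namespace-less default package and the view action in the wildcard package, leaves the login result alone because it sets its own namespace parameter, and reports the two s:url tags with no value or action. A struts.xml that pulls in other files through include elements would need each file fed through the same functions.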

If your company uses Apache Struts 2 and you suspect its security has been breached in Louisiana, please review and consider your potential obligations under the recent changes to Louisiana’s Database Security Breach Notification Law and contact your data security attorney.

******************************************

[1] https://cwiki.apache.org/confluence/display/WW/S2-057.

[2] https://cwiki.apache.org/confluence/display/WW/S2-057.

By Jessica C. Engler, CIPP/US

To say that privacy regulations have been in the news lately is a bit of an understatement. The European Union’s new General Data Protection Regulation has had privacy professionals and businesses scrambling to meet the May 25, 2018 deadline for compliance. While the GDPR may be dominating the national news circuits, the EU is not the only one making changes to their privacy laws. The Louisiana Legislature has passed, and Governor Edwards signed on May 20, 2018, amendments to Louisiana’s Database Security Breach Notification Law (Louisiana Revised Statutes 51:3071, et seq.), at Act 382.[i] Act 382 becomes effective on August 1, 2018.

A.  Expansion of “Personal Information”

The first major change is the expansion of the definition of “personal information” under the statute. Louisiana previously defined personal information for the purposes of the breach notification law as an individual’s first name or initial and last name in combination with any of the following additional data elements when the name or data element is not encrypted or redacted: (1) social security number; (2) driver’s license number; or (3) account number, credit or debit card number, in combination with the applicable password, security code, or access code that would allow access to an individual’s financial account. Act 382 adds the following additional pieces of data to this list: state identification card number; passport number; and “biometric data.” “Biometric data” is defined as “data generated by automatic measurements of an individual’s biological characteristics” and includes markers such as fingerprints, voice prints, eye retina or iris, or other unique biological characteristics that are used to authenticate an individual’s identity when accessing a system or account. In this change, Louisiana joins a growing trend of expanding personal data beyond ID numbers and financial accounts into more unique and personal identifiers. At the time of this writing, at least twelve other states have enacted laws that include biometric markers as personal information.[ii]

B.  New Data Protection Requirements

Act 382 imposes new requirements to protect personal information. These changes affect any person that conducts business in the state of Louisiana or that owns or licenses computerized data that includes personal information of Louisiana residents, and any agency that owns or licenses computerized data that includes Louisiana residents’ personal information (collectively, “Subject Entities”). Under Act 382, Subject Entities must implement and maintain “reasonable security procedures and practices appropriate to the nature of the information” to protect personal information from unauthorized access, destruction, use, modification, or disclosure.

Subject Entities will also be under new requirements for data destruction. Subject Entities will be required to take reasonable steps to destroy or arrange for the destruction of records within its custody or control containing personal information that is no longer to be retained by the Subject Entity by shredding, erasing, or otherwise modifying the personal information to make the information unreadable or undecipherable.

C.  Data Breach Notifications

In the event of a breach, the revisions to Section 51:3073 now impose a time limit within which Subject Entities must notify the Louisiana residents whose data was affected. Originally, the statute provided that notice must be given “in the most expedient time possible and without unreasonable delay.” The revised statute retains that language, but now adds that notification must be made no later than 60 days from the discovery of the breach. The revisions maintain the original exception to this rule for delay necessitated by the needs of law enforcement or by measures necessary to determine the scope of the breach, prevent further disclosures, and restore the reasonable integrity of the data system. However, if a Subject Entity does delay notification for one of these reasons, it must provide written notice to the Louisiana Attorney General of the delay and the reasons for it within the 60-day period. Upon receipt, the Attorney General will grant a reasonable extension of time for notification.

The revisions preserve the ability for a Subject Entity to investigate whether the breach is reasonably likely to cause harm to Louisiana residents, and, if the breach is unlikely to cause harm, the Subject Entity is not required to notify affected Louisiana residents of the breach. This situation commonly arises when the breached data was encrypted, provided the encryption key was not also breached. If the Subject Entity decides not to report under this section, then the entity must document that decision in writing and retain the written decision and supporting documentation for five years from the date of discovery of the breach. The Attorney General can request a copy of this documentation and the written determination, and the Subject Entity must provide the documentation within thirty days of the Attorney General’s request.

Last, violations of these provisions are now deemed an unfair trade practice under R.S. 51:1405(A). During testimony on this bill, the Attorney General’s Office commented that their Office has already been treating violations as an unfair trade practice, so this language only codifies their current practice.

D.  General Comments

Many of the changes made to Louisiana’s data security laws echo similar revisions in other states. Several states have opened their data security laws to expand beyond notification procedures to now requiring “reasonable” security practices and destruction of outdated data. Unlike Alabama’s new data security law, Louisiana’s revised law does not define what security practices qualify as “reasonable”, which may cause some concern amongst Subject Entities looking for guidance when updating their security practices.

It is possible that the revisions will lead to increased litigation over data breaches. The Attorney General is and remains the primary enforcer of the data breach laws; however, private rights of action are permitted. Codifying violations of these statutes as an unfair trade practice may lead to an increase in suits filed under them. However, a potential plaintiff will likely still be required to prove that he or she was injured by the breach, which has been a difficult task for plaintiffs who have not actually suffered identity theft.

The new law becomes effective on August 1, 2018. Until that time, Subject Entities that have not recently reviewed their data security policies and practices may want to consider an update.

***********************************************

[i] Act 382 of the 2018 Regular Session can be found at the following address: https://www.legis.la.gov/legis/ViewDocument.aspx?d=1101149.

[ii] These states include, but are not limited to Arizona, Delaware, Illinois, Iowa, Maryland, Nebraska, New Mexico, North Carolina, Oregon, South Dakota, Wisconsin, and Wyoming.


By Jessica C. Engler

The IRS has sent an urgent alert to employers this month that a W-2 phishing scam that many companies fell victim to in 2016 is back in full force for 2017. The IRS warns that this scam is emerging earlier this year and is targeting school districts, tribal organizations, and nonprofits in addition to businesses.

The “W-2 Scam” is carried out by persons who disguise (“spoof”) an email to make it look like it came from a top executive or the recipient’s business colleague. The spoofed email is sent, typically, to the organization’s accounting or human resources department and asks for a list, or the copies themselves, of the company’s W-2 tax forms, employees’ dates of birth, and Social Security numbers. If the unsuspecting victim responds with this information, the sender can use it to file false tax returns, sell it on the black market, and perpetrate identity theft.

While this email can take many forms, some example phrasing for the email includes:

  • “Please send me the individual 2016 W-2 (PDF) and earnings summary of all W-2s of our company staff for a quick review”
  • “Hope you had a nice weekend. Do you have PDF copies of the employee’s W-2s? Could you please send to me for a quick review?”
  • “I need you to email me the list of individual W-2 copies of all employees’ wages and income tax statements for 2016 tax year in PDF file format for quick review. Prepare the list and send to me ASAP. I will brief you more about this later.”

The IRS warning indicates that these phishing emails are also including requests for wire transfers this year.
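The spoofing and request pattern described above, as an added example that is not code from the IRS, the Security Summit, or the original post: the Python script below parses raw messages and scores them on the indicators the alert describes, namely an executive’s display name on an outside address, a Reply-To header pointing somewhere other than the apparent sender, and requests for W-2s, Social Security numbers or wire transfers paired with urgency language. The organization domain, the executive names, the keyword lists and the four sample messages are all assumed and constructed for illustration; a real deployment would feed it messages exported from the mail gateway.

```python
"""Triage inbound mail for the W-2 request pattern in the IRS alert above.

Added example; not code from the IRS, the Security Summit, or the original
post. The organization domain, executive names, keyword lists and sample
messages are all assumed and constructed for illustration.
"""
import email
import re
from email.utils import parseaddr

ORG_DOMAIN = "example.com"             # assumed: the organization's own domain
EXECUTIVES = {"jane doe", "john roe"}  # assumed: names a spoofer would borrow

# Wording the alert associates with the scam: W-2s, identifiers, wire transfers.
REQUEST_TERMS = re.compile(
    r"\b(w-?2s?|social security|ssn|dates? of birth|wire transfer|earnings summary)\b",
    re.IGNORECASE)
URGENCY_TERMS = re.compile(r"\b(asap|quick review|urgent|right away)\b", re.IGNORECASE)

def domain_of(addr):
    """Lower-cased domain part of an address, or "" when there is none."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""

def body_text(msg):
    """Concatenate the text/plain parts of a parsed message."""
    parts = msg.walk() if msg.is_multipart() else [msg]
    chunks = []
    for part in parts:
        if part.get_content_type() == "text/plain":
            payload = part.get_payload(decode=True) or b""
            chunks.append(payload.decode("utf-8", errors="replace"))
    return "\n".join(chunks)

def score_message(raw):
    """Return the reasons a raw RFC 5322 message resembles the W-2 scam."""
    msg = email.message_from_string(raw)
    from_name, from_addr = parseaddr(msg.get("From", ""))
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    reasons = []
    # Display-name spoofing: an executive's name on an address outside the org.
    if from_name.strip().lower() in EXECUTIVES and domain_of(from_addr) != ORG_DOMAIN:
        reasons.append("executive display name on external address")
    # Replies steered somewhere other than the apparent sender.
    if reply_addr and domain_of(reply_addr) != domain_of(from_addr):
        reasons.append("Reply-To domain differs from From domain")
    text = msg.get("Subject", "") + "\n" + body_text(msg)
    if REQUEST_TERMS.search(text):
        reasons.append("requests W-2/PII or wire transfer")
        if URGENCY_TERMS.search(text):
            reasons.append("urgency language")
    return reasons

def verdict(reasons):
    """alert = header anomaly plus sensitive request; review = either alone."""
    header_anomaly = any(r.startswith(("executive", "Reply-To")) for r in reasons)
    sensitive = any(r.startswith("requests") for r in reasons)
    if header_anomaly and sensitive:
        return "alert"
    return "review" if (header_anomaly or sensitive) else "ok"

def triage(raw_messages):
    """(subject, verdict, reasons) for each raw message."""
    out = []
    for raw in raw_messages:
        reasons = score_message(raw)
        out.append((email.message_from_string(raw).get("Subject", ""), verdict(reasons), reasons))
    return out

# Constructed sample messages; none are real mail.
SAMPLE_MESSAGES = [
"""From: "Jane Doe" <jane.doe@example-mail.com>
Reply-To: <ceo.janedoe@webmail-example.net>
To: payroll@example.com
Subject: W-2s

Hope you had a nice weekend. Do you have PDF copies of the employee's W-2s?
Could you please send to me for a quick review?
""",
"""From: "John Roe" <john.roe@example.com>
Subject: Thursday meeting

Can we move the payroll meeting to Thursday afternoon?
""",
"""From: "Payroll Team" <payroll@example.com>
Subject: 2016 W-2 forms mailed

Paper W-2 forms went out today. Contact HR with any address change.
""",
"""From: "John Roe" <john.roe@examp1e.com>
Subject: Quick favor

I need you to send a wire transfer to the vendor below ASAP. I will brief you later.
""",
]

if __name__ == "__main__":
    for subject, level, reasons in triage(SAMPLE_MESSAGES):
        print(f"{level:6} {subject!r}: {'; '.join(reasons) or 'no indicators'}")
```

Two indicators together, a header anomaly plus a sensitive request, produce an alert; either alone only asks for review, so the payroll team’s own W-2 notice is not blocked while the look-alike domain asking for a wire transfer is. The same logic can be expressed as a mail-gateway rule once the keyword lists have been tuned against a mailbox export.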

The Security Summit (which comprises the IRS, state tax agencies, and members of the tax industry) recommends that employers and employees stay vigilant against this threat. Employers may consider additional training with employees on recognizing these phishing emails.

The IRS instructs any organization that receives a W-2 scam email to forward it to phishing@irs.gov with “W2 Scam” in the subject line. Organizations that receive the scam or fall victim to it can also file a complaint with the Internet Crime Complaint Center (IC3), which is operated by the Federal Bureau of Investigation. Organizations should also consider contacting an attorney with experience in data management to assist in the response to affected persons.


By Jessica Engler

Continuing the trend from 2015, 2016 has seen a significant number of large, public data breaches. Many of these breaches involved high-profile organizations such as the Democratic National Committee, the Internal Revenue Service, MySpace, Yahoo!, and Anthem. Because large corporate and government breaches typically get the most attention, many smaller, local businesses can be lulled into a false sense of security, believing that those who hack and steal data are not interested in their business. However, in 2016, the share of targeted attacks aimed at small businesses increased from 34 percent to 43 percent.[1] Small businesses, including those in the construction industry, are at risk.

The construction industry is becoming increasingly connected. In addition to storing confidential data on computers, many design and construction software systems, such as BIM tools like Revit and project management platforms like Procore and Aconex, have remote access features or Internet-connected capabilities. As a company grows more technologically savvy, its attack surface grows with it. This memorandum will answer some basic questions for construction companies regarding data privacy issues. For specific advice on individual, company-specific questions, inquirers should seek the assistance of an attorney experienced in data privacy.

I am not MySpace or the IRS—why would a hacker be interested in my business?

Construction companies are often just as reliant on IT and computers as any other business. Construction companies—especially smaller ones—often do not think they are a target, so any protective measures currently in place may be easier to penetrate. Several reasons why a hacker may be interested in you include:

  1. Valuable Personally Identifiable Information Data: The vast majority of hacks are made for financial gain. If you use computers at all in your business, it is likely that you have confidential data stored on those computers that would be valuable to a hacker. Though you may not have as much personally identifiable information as a financial institution, you likely still have employee information (e.g., Social Security numbers, bank accounts for payroll, healthcare information, etc.) that could be worth money.
  2. Valuable Non-Personal Data: Construction companies often have access to certain proprietary client documents, including project bid data, architectural designs, trade secrets, and other intellectual property. A hacker may also target general information about the company’s banking, accounting data, and policies in order to orchestrate social engineering or phishing schemes that lead an employee to send the hacker valuable data or unwittingly transfer corporate funds/assets.
  3. Access to Private Client Information: At times, the hacker is interested in accessing a client of the company, rather than the company itself. In 2013, approximately 70 million customers’ data was released by retail giant Target through malware installed on credit card machines. The hackers’ access to Target’s network was obtained indirectly through Fazio Mechanical Services, Target’s HVAC vendor, which had Target network credentials.[2] Through Fazio’s credentials, the hackers were able to cross into Target’s network to install the malware.
  4. Extortion: Ransomware is a type of malware designed to block off access to data stored in a computer system until money is paid (typically in bitcoin) to the hacker. When access is blocked—typically through encryption—the data may be lost if the victim does not pay the ransom and does not have the data backed up.

I don’t buy it. Name a construction company who has had a breach.

In early 2016, Turner Construction was targeted by a spear-phishing[3] scam wherein an employee emailed tax information on current and former employees to a fraudulent email account.[4] The tax information included full names, Social Security numbers, states of employment and residence, and tax withholding data for 2015. Hackers had manipulated, or “spoofed,” the “From” field in the email to the employee to make the email look like it came from a legitimate sender. This was a common scam during the 2016 tax season, used to obtain information for filing fraudulent tax returns.

Whiting-Turner Contracting (Baltimore), Central Concrete Supply Company (California), Century Fence (Wisconsin), Trinity Solar, and Foss Manufacturing were also recent victims of this scam.[5]
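A spoofed “From” field is often betrayed by other headers of the same message. The following Python script is an added illustration, not code from the memo or from any company named above: it parses a constructed sample message (placeholder domains, constructed content) and flags it when the visible From domain disagrees with Reply-To or Return-Path, when the receiving server recorded an SPF/DKIM failure, or when the message asks for W-2/payroll data.

```python
"""Added example (not part of the original memo): flag an inbound message whose
visible From address does not agree with its Reply-To / Return-Path, the pattern
behind the W-2 spear-phishing scam described above.  The sample message and its
domains are constructed placeholders."""
import email
from email import policy
from email.utils import parseaddr

# Constructed sample: the From line looks internal, but Reply-To points to an
# outside mailbox, the envelope sender is a third domain, and SPF failed.
SAMPLE_RAW = """\
Return-Path: <bounce@mailer-example.net>
Authentication-Results: mx.example.com; spf=fail smtp.mailfrom=mailer-example.net
From: "Jane CEO" <jane.ceo@example.com>
Reply-To: jane.ceo.office@webmail-example.org
To: payroll@example.com
Subject: W-2 copies needed today

Please send me the 2015 W-2s for all employees as PDF. Thanks.
"""

# Phrases that typically appear in requests for employee tax data.
KEYWORDS = ("w-2", "w2", "withholding", "social security", "payroll")


def domain_of(addr_header) -> str:
    """Return the lowercase domain of an address header, or '' if absent."""
    _, addr = parseaddr(str(addr_header or ""))
    return addr.rpartition("@")[2].lower()


def spoof_indicators(raw: str) -> list:
    """Return the list of reasons a message looks like a spoofed-sender scam."""
    msg = email.message_from_string(raw, policy=policy.default)
    reasons = []
    from_dom = domain_of(msg["From"])
    # Reply-To / Return-Path that point elsewhere are classic spoofing tells.
    for hdr in ("Reply-To", "Return-Path"):
        other = domain_of(msg[hdr])
        if other and other != from_dom:
            reasons.append(f"{hdr} domain {other} differs from From domain {from_dom}")
    auth = str(msg["Authentication-Results"] or "").lower()
    if "spf=fail" in auth or "dkim=fail" in auth:
        reasons.append("SPF/DKIM authentication failed")
    body = msg.get_body(preferencelist=("plain",))
    text = str(msg["Subject"] or "").lower() + " " + (body.get_content() if body else "").lower()
    if any(k in text for k in KEYWORDS):
        reasons.append("requests tax/payroll data")
    return reasons
```

A message that trips several of these checks at once (outside Reply-To, failed SPF, and a request for W-2 data) should be held for a phone call to the purported sender rather than answered.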

Are breaches really that big of a deal?

Data breaches can be very costly for a business. Depending on the type of data breached, a breach can cause loss of business and clients, reputation damages, loss of goodwill, decline in share value, increased legal and technological costs, and potential fines. Some businesses are never able to recover from a breach.

Additionally, even when a company can recover, it will often still have incurred significant costs due to business interruption. Depending on when the data incident occurred, a construction company may also be facing the risk of delay damages.

Yikes, that sounds expensive. What can I do to guarantee I will never be breached?

Unfortunately, there really is no way to “guarantee” that you will never be a target of a hacker. “Most security experts believe that it is a matter of when, not if,” your company will be targeted by hackers.[6] However, there are some actions you can take today to reduce your risk:

  • Identify your company’s valuable, private, and/or confidential information and know where that information is located on your network. Block off access to anyone who does not need that information to perform their job duties;
  • Work with your IT provider to ensure the company and its employees have strong password controls, any necessary encryption, current firewalls, updated security patches, and other recommended protections;
  • Consider using a third-party IT consultant to evaluate your system and identify any holes or vulnerabilities that your in-house IT personnel may have missed;
  • If using a subcontractor or other third party service provider that will have access to your network, establish procedures to evaluate those contractors;
  • Train employees to be aware and vigilant of risks and their role in protecting company data and assets; and
  • Create a plan of action in the event of a data incident.

A number of these steps and further actions to help protect your data can be undertaken with the help of legal counsel.

I have CGL insurance. Wouldn’t this be covered under my insurance?

It depends on the terms of your policy. In 2014, the Insurance Services Office, Inc. (the insurance industry organization that develops standard policy forms adopted by many insurance companies) issued a new form for CGL policies that expressly excludes coverage for data incidents.[7] Consultation with legal counsel can help you determine whether your current insurance coverage will provide coverage during a data incident.

If your CGL policy or any other policy leaves you without coverage for a data incident, you may want to consider purchasing cyber liability insurance. This relatively new form of insurance can provide coverage for costs associated with a data breach, including (depending on the terms of your policy) business interruption expenses, cyber extortion demand payments, legal expenses, IT forensic team expenses, cost of notification, and/or credit monitoring for affected persons.

I have been breached. What do I do?

If you have been breached, immediately contact the incident response team assigned in your incident response plan. If you do not have an incident response plan in place, contact your IT professionals and legal counsel. Many notification laws require that notice be given to affected persons and to state and federal agencies within certain timeframes, so it is important to have counsel retained in order to respond quickly and appropriately.

_________________________________________

[1] Symantec, Internet Security Threat Report: Vol. 21 (Apr. 2016) (available at https://www.symantec.com/content/dam/symantec/docs/reports/istr-21-2016-en.pdf).

[2] Target Hackers Broke in Via HVAC Company, Krebs on Security (Feb. 5, 2014) (available at https://krebsonsecurity.com/2014/02/target-hackers-broke-in-via-hvac-company/).

[3] Phishing is a type of email scam wherein the victim receives an email from someone who is pretending to be another person or entity, believes that the email is legitimate, and typically sends assets or information to the scammer based upon that mistaken belief. A well-known phishing scam is the “Nigerian Prince” scam. Spear phishing is a more targeted version of phishing. In a spear-phishing email, the scammer pretends to be a friend, family member, or co-worker. Because the email appears to be from someone the recipient knows, the recipient is often less vigilant in evaluating the legitimacy of the email.

[4] Turner Construction Data Breach Notification Letter, State of California Department of Justice, Office of the Attorney General (last accessed 12/14/16) (available at https://oag.ca.gov/system/files/Turner%20Construction%20Ad%20r4prf_1.pdf?).

[5] Data Breaches, Cyber Security, and the Construction Industry, iSqFt.com (May 2, 2016) (available at http://www.isqft.com/start/blog-data-breaches-cyber-security-and-the-construction-industry/).

[6] Data Breaches, Cyber Security, and the Construction Industry, iSqFt.com (May 2, 2016) (available at http://www.isqft.com/start/blog-data-breaches-cyber-security-and-the-construction-industry/).

[7] Marla Kanemitsu & Erin Webb, Reviewing Emerging Insurance Protection for Cyber Risks, Security Magazine (Apr. 1, 2014) (available at http://www.securitymagazine.com/articles/85358-reviewing-emerging-insurance-protection-for-cyber-risks).