Continuing the trend from 2015, 2016 has seen a significant number of large, public data breaches. Many of these breaches involved high-profile companies such as the Democratic National Convention, Internal Revenue Service, MySpace, Yahoo!, and Anthem. Since large corporate and government breaches typically get the most attention, many smaller, local businesses can be lulled into a false sense of security, believing that those who do hack and steal data are not interested in their business. However, in 2016, hacker targeting of small businesses increased from 34 percent to 43 percent.[1] Small businesses, including the construction industry, are at risk.
The construction industry is becoming increasingly connected. In addition to storing confidential data on computers, many design and construction software systems—like BIM, Revit, Procore, and Aconex—have remote access controls or Internet-connected capabilities. As a company grows more technologically savvy, its exposure to breaches grows with it. This memorandum will answer some basic questions for construction companies regarding data privacy issues. For specific advice regarding individual, company-specific questions, inquirers should seek the assistance of an attorney experienced in data privacy.
I am not MySpace or the IRS—why would a hacker be interested in my business?
Construction companies are often just as reliant on IT and computers as any other business. Construction companies—especially smaller ones—often do not think they are a target, so any protective measures currently in place may be easier to penetrate. Several reasons why a hacker may be interested in you include:
- Valuable Personally Identifiable Information Data: The vast majority of hacks are made for financial gain. If you use computers at all in your business, it is likely that you have confidential data stored on that computer that would be valuable to a hacker. Though you may not have as much personally identifiable information as a financial institution, you likely still have employee information (e.g., Social Security numbers, bank accounts for payroll, healthcare information, etc.) that could be worth money.
- Valuable Non-Personal Data: Construction companies often have access to certain proprietary client documents, including project bid data, architectural designs, trade secrets, and other intellectual property. A hacker may also target general information about the company’s banking, accounting data, and policies in order to orchestrate social engineering or phishing schemes that lead an employee to send the hacker valuable data or unwittingly transfer corporate funds/assets.
- Access to Private Client Information: At times, the hacker is interested in accessing a client of the company, rather than the company itself. In 2013, approximately 70 million customers’ data was released by retail giant Target through malware installed on credit card machines. The hackers’ access to Target’s network was obtained indirectly through Fazio Mechanical Services, Target’s HVAC vendor, which had Target network credentials.[2] Through Fazio’s credentials, the hackers were able to cross into Target’s network to install the malware.
- Extortion: Ransomware is a type of malware designed to block access to data stored in a computer system until money is paid (typically in bitcoin) to the hacker. When access is blocked—typically through encryption—the data may be lost if the victim does not pay the ransom and does not have the data backed up.
I don’t buy it. Name a construction company who has had a breach.
In early 2016, Turner Construction was targeted by a spear-phishing[3] scam wherein an employee emailed tax information on current and former employees to a fraudulent email account.[4] The tax information included full names, Social Security numbers, states of employment and residence, and tax withholding data for 2015. Hackers had manipulated, or “spoofed,” the “From” field in the email to the employee to make the email look like it came from a legitimate sender. This was a common scam during the 2016 tax season, used to obtain information for filing fraudulent tax returns.
Whiting-Turner Contracting (Baltimore), Central Concrete Supply Company (California), Century Fence (Wisconsin), Trinity Solar, and Foss Manufacturing were also recent victims of this scam.[5]
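The spoofed “From” field in the Turner scam is detectable from mail headers. The following is an added example, not code from the memorandum or from any company named in it: it compares the visible From domain against Reply-To, Return-Path and the Authentication-Results header that a receiving mail server is assumed to have added, using constructed sample messages with placeholder domains.

```python
import re
from email import message_from_string, policy
from email.utils import parseaddr

# Constructed samples (placeholder domains, not any real company's). The first
# imitates a spoofed-"From" W-2 request: From shows the company's own domain,
# but Reply-To, Return-Path and SPF all point at a look-alike domain.
SAMPLE_SPOOFED = """\
From: "Jane CEO" <jane.ceo@example-builders.com>
Reply-To: jane.ceo@example-bui1ders-mail.com
Return-Path: <bounce@example-bui1ders-mail.com>
Authentication-Results: mx.example-builders.com; spf=pass smtp.mailfrom=example-bui1ders-mail.com; dkim=none
Subject: Urgent: 2015 W-2s for all current and former employees

Please send me the W-2 forms as a PDF today.
"""

SAMPLE_LEGIT = """\
From: "Jane CEO" <jane.ceo@example-builders.com>
Return-Path: <jane.ceo@example-builders.com>
Authentication-Results: mx.example-builders.com; spf=pass smtp.mailfrom=example-builders.com; dkim=pass header.d=example-builders.com

Reminder: safety meeting at 8am.
"""


def _domain(addr: str) -> str:
    """Lower-cased domain of an address written as 'Name <user@domain>'."""
    _, address = parseaddr(addr)
    return address.rsplit("@", 1)[-1].lower() if "@" in address else ""


def check_from_spoofing(raw: str) -> list[str]:
    """Return findings that suggest the visible From header was spoofed."""
    msg = message_from_string(raw, policy=policy.default)
    findings = []
    from_dom = _domain(str(msg.get("From") or ""))
    # Reply-To or Return-Path pointing at another domain is the classic tell.
    for header in ("Reply-To", "Return-Path"):
        dom = _domain(str(msg.get(header) or ""))
        if dom and dom != from_dom:
            findings.append(f"{header} domain {dom} differs from From domain {from_dom}")
    # SPF can "pass" for the envelope sender while the visible From is forged;
    # a passing DKIM signature is what actually ties the From domain to the mail.
    auth = str(msg.get("Authentication-Results") or "")
    spf = re.search(r"smtp\.mailfrom=(?:[^@;\s]+@)?([^;\s]+)", auth)
    if spf and spf.group(1).lower() != from_dom:
        findings.append(f"SPF checked {spf.group(1).lower()}, not From domain {from_dom}")
    dkim = re.search(r"dkim=(\w+)", auth)
    if not dkim or dkim.group(1).lower() != "pass":
        findings.append("no passing DKIM signature covering the message")
    return findings
```

Run on the spoofed sample the check returns four findings; on the legitimate one it returns none, which is the point at which a payroll request should be verified by phone rather than by replying.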
Are breaches really that big of a deal?
Data breaches can be very costly for a business. Depending on the type of data breached, a breach can cause loss of business and clients, reputation damages, loss of goodwill, decline in share value, increased legal and technological costs, and potential fines. Some businesses are never able to recover from a breach.
Additionally, even when a company can recover, it will often still have incurred significant costs due to business interruption. Depending on when the data incident occurred, a construction company may also be facing the risk of delay damages.
Yikes, that sounds expensive. What can I do to guarantee I will never be breached?
Unfortunately, there really is no way to “guarantee” that you will never be a target of a hacker. “Most security experts believe that it is a matter of when, not if,” your company will be targeted by hackers.[6] However, there are some actions you can take today to reduce your risk:
- Identify your company’s valuable, private, and/or confidential information and know where that information is located on your network. Block off access to anyone who does not need that information to perform their job duties;
- Work with your IT provider to ensure the company and its employees have strong password controls, any necessary encryption, current firewalls, updated security patches, and other recommended protections;
- Consider using a third-party IT consultant to evaluate your system and identify any holes or vulnerabilities that your in-house IT personnel may have missed;
- If using a subcontractor or other third-party service provider that will have access to your network, establish procedures to evaluate those contractors;
- Train employees to be aware and vigilant of risks and their role in protecting company data and assets; and
- Create a plan of action in the event of a data incident.
A number of these steps and further actions to help protect your data can be undertaken with the help of legal counsel.
I have CGL insurance. Wouldn’t this be covered under my insurance?
It depends on the terms of your policy. In 2014, the Insurance Services Office, Inc. (the insurance industry organization that develops standard policy forms adopted by many insurance companies) issued a new form for CGL policies that expressly excludes coverage for data incidents.[7] Consultation with legal counsel can help you determine whether your current insurance coverage will provide coverage during a data incident.
If your CGL policy or any other policy leaves you without coverage for a data incident, you may want to consider purchasing cyber liability insurance. This relatively new form of insurance can provide coverage for costs associated with a data breach, including (depending on the terms of your policy) business interruption expenses, cyber extortion demand payments, legal expenses, IT forensic team expenses, cost of notification, and/or credit monitoring for affected persons.
I have been breached. What do I do?
If you have been breached, immediately contact the incident response team assigned in your incident response plan. If you do not have an incident response plan in place, contact your IT professionals and legal counsel. Many notification laws require that notice be given to affected persons and to state and federal agencies within certain time frames, so it is important to have counsel retained in order to respond quickly and appropriately.
_________________________________________
[1] Symantec, Internet Security Threat Report: Vol. 21 (Apr. 2016) (available at https://www.symantec.com/content/dam/symantec/docs/reports/istr-21-2016-en.pdf).
[2] Target Hackers Broke in Via HVAC Company, Krebs on Security (Feb. 5, 2014) (available at https://krebsonsecurity.com/2014/02/target-hackers-broke-in-via-hvac-company/).
[3] Phishing is a type of email scam wherein the victim receives an email from someone who is pretending to be another person or entity, believes that the email is legitimate, and typically sends assets or information to the scammer based upon that mistaken belief. A well-known phishing scam is the “Nigerian Prince” scam. Spear phishing is a more targeted version of phishing. In a spear-phishing email, the scammer pretends to be a friend, family member, or co-worker. Because the email appears to be from someone the recipient knows, the recipient is often less vigilant in evaluating the legitimacy of the email.
[4] Turner Construction Data Breach Notification Letter, State of California Department of Justice, Office of the Attorney General (last accessed 12/14/16) (available at https://oag.ca.gov/system/files/Turner%20Construction%20Ad%20r4prf_1.pdf).
[5] Data Breaches, Cyber Security, and the Construction Industry, iSqFt.com (May 2, 2016) (available at http://www.isqft.com/start/blog-data-breaches-cyber-security-and-the-construction-industry/).
[6] Data Breaches, Cyber Security, and the Construction Industry, iSqFt.com (May 2, 2016) (available at http://www.isqft.com/start/blog-data-breaches-cyber-security-and-the-construction-industry/).
[7] Marla Kanemitsu & Erin Webb, Reviewing Emerging Insurance Protection for Cyber Risks, Security Magazine (Apr. 1, 2014) (available at http://www.securitymagazine.com/articles/85358-reviewing-emerging-insurance-protection-for-cyber-risks).