Data Security for Owners – Protecting Your Construction Investment From Catastrophic Loss

Even before the COVID-19 global pandemic, the construction industry has been “going global” using available technology and Cloud-based data storage and file sharing on all phases of projects. For example, an owner might hire a London-based architect to design a transportation hub in the United States. The London architect might delegate its Building Information Modeling (BIM) work to a company in New Zealand. Cloud and internet-based platforms make all this possible, enabling the General Contractor or Construction Manager to offer as part of its services one-stop paperless project management, stored on the Cloud and password protected.

The world’s “new normal” because of COVID-19 has only accelerated the industry’s reliance on remote access. In a recent article, McKinsey & Company observed that the construction industry will likely continue to devote resources long-term to research and development of standardized building technology systems and automation of elements of design and construction.

Increased reliance on Cloud data storage, email and file sharing platforms raises exponentially the risk of catastrophic data loss. The construction industry has yet to address the threat of data loss as a real element of risk.

For example, the American Institute of Architects (AIA) generally issues new contract documents on a 10-year cycle. AIA did not address cybersecurity until 2017 , and even then, only “advised” parties to discuss whether first-party cybersecurity coverage was appropriate on a project. Owners can, of course, acquire their own cybersecurity insurance policies on projects, or supplement their builders’ risk coverage with cybersecurity endorsements. Insurers will typically pay for data damage or destruction as a result of a “covered cause of loss,” which typically includes viruses, malware, and cyberextortion. Insurers typically will not cover damage caused by an insured’s employees or by third parties that an insured retains. These third parties might include Cloud-based platform operators, consultants, or subconsultants who perform work on projects from remote access points.

Insurance should be the last resort. Recovery of insurance funds related to a data breach is little consolation to the millions of dollars of delay and consequential losses while a project team works to either recover or recreate lost or stolen data or project files.

Owners must be proactive about data security. During contract negotiations, owners should insist on the approval of any Cloud-based project management platforms and file sharing platforms. Owners should insist on a uniform and secure method of data transmission and file sharing and should include in contracts or project manuals strict prohibitions on the use of unsecured file-sharing platforms. Owners should also consider requiring mandatory and routine data security training for anyone on their projects who will ever have access to project data. Finally, owners should bridge the gap in project cybersecurity insurance coverage by insisting that all project contracts include robust indemnification provisions that indemnify and hold the owner harmless from all losses and damages arising from data security incidents of any kind, from breaches to accidental losses. Though these efforts may seem onerous at the outset of a project, they may prevent, or at least mitigate, disaster later.

This information is intended to inform our clients and other friends about legal developments, including recent decisions of various municipalities, legislative, and administrative bodies. Because of the rapidly changing landscape related to COVID-19, we intend to send out regular updates. The information we provide is not intended as legal advice and viewers/readers should not rely on information contained in these materials to make business or legal decisions. Before making any legal decisions, consult your lawyer. Please do not hesitate to contact us should you need assistance responding to the many issues which have arisen, and will continue to arise, out of this situation.