Today, as the global economy enters a “new normal,” the construction industry’s reliance on remote access has accelerated. In June 2020, Procore Technologies, a construction management software provider, published an independent study of 250 construction managers in the United Kingdom. Data showed that 66% of the respondents had implemented new technology during the United Kingdom’s lockdown, and 94% of those respondents reported that using technology improved the way their teams worked together. Additional data demonstrated that 88% believed a cloud-based platform would play a long-term role in the construction industry; and 38% of those respondents said they could not work efficiently without the platform. McKinsey & Company observed that the construction industry will likely continue to devote resources to research and develop standardized building technology systems and automate certain elements of design and construction.
This increased reliance on cloud data storage, email and file sharing platforms exponentially raises the risk of catastrophic data loss. According to a recent study from IBM and the Ponemon Institute, the average cost of a data breach in 2020 is $3.86 million, and the average amount of time it takes a breach victim to identify and contain a breach is 280 days. Especially on a construction project, when time is of the essence, a data breach can wreak havoc on project schedules and resources.
The construction industry has yet to treat the threat of a data breach, or of theft or ransomware of project documents, as a real risk. The American Institute of Architects generally issues new contract documents on a 10-year cycle. AIA did not address data security until 2017, and even then, only "advised" parties to discuss whether first-party cybersecurity coverage was appropriate on each project.
Cybersecurity insurance should be the industry standard for all parties on a construction project. Project owners and general contractors should not assume that ubiquitous commercial general liability, property, errors and omissions, builders’ risk or even a crime policy will cover data security incidents or business interruption as a result of a data breach or ransomware attack either on a first-party basis or downstream. While generally a court may construe silence in a policy in favor of coverage for the insured, insurance carriers are plugging the gaps of “silent cyber risk” by explicitly excluding data security incidents and all losses arising from those incidents in non-cyber policies.
Owners and general contractors should, as a rule, purchase first-party cyber insurance to protect themselves from data security breaches. First-party insurance typically covers the insured’s first-party losses resulting from a “covered cause of loss,” such as viruses, malware or cyberextortion. That coverage extends to losses related to network breaches, restoration costs, legal fees associated with breach response, or data damage or destruction.
Insurance, however, should always be the last resort. First-party coverage will typically not cover data security incidents caused by the insured's employees or third parties hired by the insured. For owners, third parties include the general contractor and its subcontractors, design professionals, consultants and any cloud-based platform operators or software systems that the owner purchases. For general contractors, third parties also include cloud-based project management platform and software system operators, and all downstream subcontractors, consultants or subconsultants who perform work on projects from remote access points.
First-party cyber insurance coverage will also typically not cover the insured’s potential lost profits or the loss of the value of any intellectual property stolen during a data security incident.
Insurance should thus be a stopgap. It simply is not intended to compensate the owner or the general contractor for the millions of dollars of delay and consequential losses while a project team works to either recover or recreate lost or stolen data or project files.
Proactive Measures Could Minimize Risks
Owners and general contractors must be proactive about data security from the top down. During contract negotiations, owners should insist on approving cloud-based project management platforms and file sharing platforms, and on using a uniform and secure method of remote access, data transmission and file sharing for the entire project team. General contractors should do the same with their subcontractors and any consultants, so that the entire project team uses uniform and secure systems.
Contracts, subcontracts and project manuals should, at the very least, strictly prohibit the use of unsecure or unencrypted file sharing platforms and/or the transmission of project data using unencrypted email. All outside vendors with access to project data should be screened to ensure they are using industry standard data security protocols and should also carry their own cyber liability coverage to mitigate losses.
Owners and general contractors should also consider requiring mandatory and routine data security training for anyone who will have access to project data; mandating frequent changes to passwords and login credentials for cloud-based platforms; requiring routine installation of software and security updates and patches on all equipment and devices on which project data may be stored; and requiring notification of the owner or general contractor within 48 to 72 hours of a data security incident involving the general contractor or a subcontractor, its or their employees, vendors or outside consultants.
Finally, owners and general contractors should bridge gaps in project cyber insurance coverage by insisting on robust contractual indemnification provisions. In the prime contract, the general contractor would indemnify and hold the owner harmless from losses and damages arising from data security incidents of any kind, ranging from breaches and intentional employee acts to accidental losses. In all subcontracts, the subcontractor(s) would similarly indemnify the general contractor. Owners and general contractors should also consider carving out from consequential damage waiver provisions any damages and losses related to or arising from data security incidents. Though these efforts may seem onerous at the outset of a project, they may prevent, or at least mitigate, disaster later.
*This article was republished with permission from Construction Executive*
Kelly Ruane Melchiondo, Partner in Bilzin Sumberg's Construction Law Group and member of the firm's Data Security & Privacy Team, leads a discussion around the construction industry's increasing investment in information technology in both a pre and post COVID-19 world, taking a proactive ...