Bilzin Sumberg Partner Sounds Alarm About Data Breaches in Construction Sector
Data privacy was a hot topic in Florida in April, because the proposed data privacy act would have been the strictest privacy law in the country. Miami-based partner Kelly Ruane Melchiondo of Bilzin Sumberg explains how businesses and consumers should be more cautious.
As a member of the firm’s data security and privacy team, Melchiondo focuses on ensuring that her clients and firm take all precautions when it comes to keeping their information secure.
In this conversation with Daily Business Review, Melchiondo discusses how attorneys should be advising their business clients on protecting themselves, whether people have seen a spike in attacks while working remotely and how her construction practice intertwines with her data privacy practice.
According to her bio on the Bilzin Sumberg website, Melchiondo’s cybersecurity practice concentrates on assisting clients in protecting their data and private information by drafting and executing policies for data security and strengthening internal controls. Data breach prevention is also key.
DBR: What is the biggest litigation trend you’re seeing right now?
Kelly Ruane Melchiondo: I have a unique practice in the sense that I am both a construction litigator and also a data privacy attorney. I’ve seen a trend in large-scale construction projects my clients are involved in, which intersect with data security. For example, I’ve seen in my own practice issues that arise from data incidents on projects, whether it be hacked emails leading to diverted wires of funds that the owner would need to use to pay the contractor. There is an increasing trend in construction and infrastructure projects, and interaction with data security. The bigger and more publicized the project, the higher value the target.
On a national scale, we saw the recent ransomware issue with the Colonial Pipeline, which is a private company that is doing business with the U.S. government and running the gas and oil pipeline. When the Colonial Pipeline experienced a data breach, we saw the entire pipeline had to be taken offline for over a week to determine the problem and find a solution. That was obviously a massive catastrophic failure, but there are lessons to be learned for any company that relies on other people or organizations to protect its data.
Q: If you had control, what legislation would you pass about data privacy in Florida?
A: As you know, the data privacy act was a very hot topic in April. The real sticking point was the private right of action. The Florida House was keenly interested in getting the private right of action passed because it would have allowed individual consumers to pursue rights of their own against companies who collect and transfer their data for violation. The business community was very wary of it happening because of the potential for plaintiff class actions for data violations.
In a perfect world, I think that Florida should strengthen data protection for consumers. I believe there is a lot of good in the Data Privacy legislation that has come out of California that allows consumers to have more control of what companies do with their data. But the private right of action is not the way to go, at least not in the form that the Florida House pushed.
Q: What should attorneys be advising their business clients about protecting themselves?
A: Every day we see hackers are getting smarter. Data breaches are typically caused because we let our guard down, by either responding to a phishing email or giving away their password. So I think the primary example is businesses should be investing in training their employees. You can meet industry standard with high-tech security and a firewall system, but if you’re not teaching people to be mindful of dangers regarding emails, then all the protection they have will not actually protect anyone from incidents. I believe it’s far less expensive to train your employees to catch things that are potentially damaging than it is to respond to a data breach. Also, companies need to be paying attention to who they are hiring for their IT, so they can have someone who can recognize threats and speak to vendors about the state-of-the-art options available.
Companies should also have a basic incident response policy with a manual of who is in charge and how to respond. That can save critical days or weeks of time by laying out what to do when the problem becomes apparent.
Q: I know people have been working remotely from home. Did they see any spike in attacks or vulnerability and do they expect a rise in litigation stemming from remote work?
A: I don’t necessarily see a spike, but with the pandemic, companies like Zoom and other platforms have had to up their security game. We did have those situations where we had people “Zoom bombing” meetings. I think it has certainly taught people the importance of security issues when they’re on the remote network 24 hours a day. Companies should know that their internal network can handle the different access points at different times. I don’t believe remote working will cause an influx in litigation, but I think it has spurred more awareness of security-related lawsuits. Data security in general and data privacy are certainly going to be causing more litigation as we go forward because it is difficult to keep up, even with sophisticated security software and hardware in place. Hackers are always one step ahead.
Q: How does your construction practice intersect with your data privacy practice?
A: The construction industry is now finally starting to realize the importance of paying attention to data security. We are seeing that owners are getting more savvy about writing into their construction contracts requirements to have data security protection, audit rights into the contractor’s use and protection of data and requirements for data cybersecurity insurance. I think the construction industry is moving far more toward cloud-based data storage. There are a lot of software systems that are online that allow all the project files to be loaded so that everyone may view it.
At the same time, the cybersecurity insurance field is starting to get more limited as far as carriers because of all the giant payouts happening. Some carriers are pulling out of the cybersecurity industry in general, so we’re seeing more limited carriers willing to take on the risks of these breaches. It’s important for everyone in the construction industry to pay attention to security because there will likely never be enough insurance to safeguard against massive losses.