Technology

A Cybersecurity Primer for Contractors: Threats, Liability and Insurance

Construction security systems lag behind other industries, which can lead to liability.
By James T. Dixon
October 31, 2022

One of the most publicized security breaches was the 2013 hack of Target’s payment and security system. What's not as well known is that access credentials were stolen from an HVAC contractor that was working with Target. The data connection that was accessed was being used for electronic billing, contract submissions and project management. An employee of the HVAC company fell victim to a phishing attack by clicking on an email that contained malware. The rest is cybersecurity history.

While the construction industry does not generally face the same information security regulatory requirements as the healthcare and financial sectors, it does face the same threats. At a time when remote work is increasing risks, many sources report that the construction industry lags behind others in bolstering its security systems. That lack of security can lead to liability for significant losses.

The threats are numerous, though some are well known, considering their ubiquity. Malware is malicious software that invades a computer or network. It can be delivered through phishing scams where employees and customers receive one or more emails. It can also be picked up through fake online advertisements, known as malvertising. A spear-phishing campaign can target a single employee or department. A password-spraying campaign tries one or several commonly used passwords against many accounts to penetrate a network. Denial-of-service attacks involve disruptions of service by floods of traffic to a website. Ransomware is software that can hold data hostage pending payment.

An example of a business email compromise scam illustrates how liability is assessed. In Beau Townsend Ford Lincoln, Inc. v. Don Hinds Ford, Inc., 759 Fed.Appx 348 (6th Cir. 2018), there was an agreement that a volume car buyer would use a check to purchase 20 cars from a seller. The buyer sent an email saying as much, but the seller responded with an email providing wire instructions. The buyer paid by wire and picked up the vehicles. However, the seller never received payment because the email providing the wire instructions was from an imposter. Reviewing the applicable legal theories, the court determined that the loss should be borne by the party in the best position to prevent fraud. While the trial court determined that the buyer should pay again because it was a simple breach of contract, the appellate court reviewed several legal theories to determine that the trial court should ascertain which party was in the best position to have prevented the fraud. Construction executives can expect, then, that their company’s level of cybersecurity diligence will be scrutinized if there is a loss.

Fortunately, insurance coverage is available for these risks, but it is something that must be added to a contractor’s portfolio since its general liability policy likely excludes cybersecurity issues. And, there are certain key questions to bring to your insurance broker. For one, determine which events are covered. Ask specifically about data breaches (the theft of personal information, for example), attacks on data that is held by others and network breaches. Ask if coverage is available for attacks that originate outside the United States. Ask if the carrier will provide a defense to litigation or regulatory investigations. And ask if the policy provides coverage in excess of any other applicable coverage.

Contractors may have to make a claim directly against their coverage (a first-party claim) or they may have to respond to claims made by others who are harmed by an attack on their systems (a third-party claim). For first-party claims, determine if coverage is provided for recovery and replacement of lost or stolen data, customer notification, business interruption losses, crisis management and public relations expenses, cyber-extortion and fraud losses, investigation costs and any fees, fines or penalties. For third-party claims, determine the extent to which the coverage will pay damage claims from those third parties through settlement or in response to a judgment, be they customers, vendors or others and the extent to which the coverage will pay legal, consultant and accounting costs incurred.

by James T. Dixon
Jim Dixon helps members of the construction industry manage risk, avoid loss, and resolve disputes on projects throughout the country. Jim drafts and negotiates construction contracts, advises clients during construction, and resolves disputes through mediation, arbitration and litigation. He has handled claims related to defective construction, schedule delays, disruption and acceleration, differing site conditions, unapproved change orders, payment and performance bonds, and mechanic’s liens. Jim is adept at advancing bid protests on public projects, in resolving disputes on tunneling projects, and in addressing disputes on projects utilizing the integrated project delivery system.
