Recent data breach incidents—like the massive Capital One cyberattack, where a former employee accessed more than 100 million customer accounts and credit card applications—have left many users questioning how safe their information really is in the hands of companies. 

There is reason to be concerned. More than 4.1 billion records were exposed in nearly 4,000 data breaches reported in the first half of 2019 alone, according to the 2019 MidYear QuickView Data Breach Report. Construction companies are not immune. 

As the industry becomes more reliant on technology—using augmented reality, Building Information Modeling and drones on construction sites, for example—construction companies are becoming greater targets for hackers looking to gain a financial or strategic advantage. 

Instead of assuming a company will never experience a breach (or rather, denying that it will ever happen), it’s important to be aware of possible threats and establish data breach response policies to minimize potentially catastrophic fallout. 

The reality of data breaches 

It’s clear that customers are put at risk when a company’s database is compromised, but what exactly does it mean for the business? 

Most notably, the company will be required to spend a large sum of money to resolve the issue. In fact, according to IBM Security and Ponemon Institute’s 2019 Cost of a Data Breach Report, the average cost of a data breach in the United States is $8.19 million. Different factors affect the total cost of a breach, including the data volume involved, the time it takes to identify and contain it, the unexpected loss of customers and the lack of an incident response team, among many others. 

The same report found that an average breach in the United States compromises 32,434 records and takes an average of 245 days to be identified and contained. 

To put that into perspective, a breach that occurs on Jan. 1 may not be contained until Sept. 2. That’s eight months spent focusing on the breach, the cost of resolving it and attention directed toward unhappy customers. Those matters can be made even worse if companies fail to comply with new and forthcoming state regulations. 

Data breach regulations 

Detrimental data breaches continue to occur on a daily basis. With no federal data protection legislation, many states have created ways to protect consumers affected by a breach. States such as Colorado, Massachusetts, New York and California have created policies and requirements to not only help compromised companies better recognize data threats, but also to alert affected parties in a timely manner. Regulations identify what is considered a security breach, what data is covered (such as Social Security numbers, driver’s license numbers or biometric data) and who is required to report. 

For example, Colorado’s regulation requires anyone with access to personally identifiable information to report a breach to the state’s attorney general and residents within 30 days of the incident. Companies don’t have to be located within the borders of Colorado to be held liable, but rather are required to follow these statutes if any Colorado citizen is affected.

Many companies may not be aware of what data they own until it is sorted through, making it difficult to abide by these rules. Thus, every company must sift through compromised information after a breach and identify who was affected in order to move forward with the appropriate actions.

Creating a data breach response plan 

Complying with regulations within 30 days (considerably less than the 245-day average data breach response length) calls for a well-formulated plan. Contractors should work with IT and legal teams to create detailed policies explaining how the company will respond to a breach, and then support the plan with these measures:

• An incident response team. Company management, IT personnel, the company’s attorney, the cyber investigations company (or “breach coach”) and the cyber insurance company (when applicable) should work together to respond to a data threat. Outline exactly what each person’s role will be and how they will respond during the different phases of a breach. 
• A crisis communications plan. Create a response plan identifying the company spokesperson and his or her talking points, and outline how employees should respond to customers and the media in the event of a data breach. Also, determine when notifications of the breach will be sent to employees, affected individuals and the public.
• Cyber insurance. Most general liability policies don’t cover cyberattacks, so do some research to see what insurance does include. Contractors should have a cyber insurance policy that covers data theft and all its related expenses, including outside costs such as tech support and public relations. 
• Outside help to identify PII and protected health information (PHI). Data breach investigative and response service providers are helpful in the aftermath of a breach, but most do not provide one critical step required by most state regulations: identifying the affected individuals. It’s a laborious process that requires specialty expertise and software, but because of its similar workflows, many e-discovery providers can take on the job. Look for a Data Breach Discovery provider that already has the tools in place to collect data sources, uses machine-learning to search the copious amount of files and creates lists of affected individuals.
• Vendor audit. Even after taking precautions to prevent cyberattacks, partnering with vulnerable third-party vendors breaks down any protective walls. In fact, some of the most notable recent data breaches started with outside vendors (even the U.S. Customs and Border Protection breach that stole travelers’ photos and license plate numbers earlier this year was caused by an outside contractor). Before partnering with HR and payroll companies, cloud providers or other vendors, sign a contract detailing data protection policies and indemnifying the company if the vendor is breached. 
• Security assessments. It’s important to take all precautions necessary to avoid a bad actor entering a company’s system. Hire an outside vendor to audit data security measures to identify risks, and continually review and update processes. Work with the IT team to establish security defenses like encryption and multifactor authentication. 
• Employee training. 34% of breaches are caused by inside actors, according to Verizon’s 2019 Data Breach Investigations Report, but not all of those are intentional theft. Teach employees about data threats, how to spot them and what to do if they are breached. Provide everyone with the company’s policies and then remind them during regular internal training sessions. 

The world’s advancements in technology and interconnectivity have created endless opportunities in every industry, but they have also opened the door for cybercrime. No business is safe from bad actors—establish company policies and procedures to be prepared when it matters.