Insuring Against a Data Breach

Contractors are not immune from risks associated with cyberattacks and data breaches. Cyber events may result in litigation, so cyber insurance may make sense.
By Margaret L. Flatt
July 20, 2019

Cyber Security Risks

Although hacking attempts may be most commonly directed at financial and health institutions housing troves of financial and personal data, the construction industry is not immune from the risk of a data breach. Like most industries, the construction industry continues to advance in technological innovation—projects are becoming increasingly dependent on mobile connectivity and there is a growing reliance on cloud-based storage and sharing services. With such innovation comes an increase in possible cyber attacks and data breaches.

Hackers may be interested in, among other things:

  • confidential project data or information, such as plans and specifications;
  • employee personal identifying information, such as full names, social security numbers and health data;
  • financial information of the business and subcontractors; and
  • information about infrastructure projects, such as power plants, mass transit systems, roads and other utilities.

Construction professionals are also at risk of unwittingly assisting a hack of their clients. The Target credit card and personal data breach, which affected 110 million consumers, allegedly originated as a result of stolen credentials of a refrigeration and HVAC construction and maintenance service provider. A malware-laced email phishing attack was sent to the service provider, which enabled the hacker to steal the service provider’s credentials. The hacker then used those credentials to hack credit card data from Target cash registers. A third-party vendor was also responsible for a data breach at Home Depot that resulted in theft of credit card information and approximately 53 million email addresses.

Data breaches can have severe financial costs. One study shows that the global average cost of a data breach, as of 2018, is $3.86 million, representing a 6.4% increase from 2017. Due in large part to notice requirements present in every state, the cost of data breaches is much higher than average in the United States, at $7.91 million. A data breach on a construction project can also carry additional financial costs associated with project delay and disruption.

Regulatory and Litigation Risk

Data breaches can also carry regulatory and litigation risks. Every state now has a law requiring businesses to notify those affected by a data breach.

Although this is a developing legal field, being the victim of a data breach can also result in being served with a lawsuit. Below are several examples of causes of action that may be filed as a result of a data breach:

  • a data breach on a construction project could cause project delays and disruptions, leading to claims for delay and cost increases associated with schedule disruption;
  • a data breach of employee files, or client or subcontractor financial information, may lead to claims by those parties for negligence or breach of contract; and
  • a third-party data breach, like the Target breach, could lead to claims from the ultimate hacking victim back to the construction company, for negligence or breach of contract.

How Protected is the Company by Insurance?

Traditional insurance policies may leave construction companies less protected (or not protected at all) in the event of a data breach than they might hope. “Standard form” commercial general liability (CGL) insurance policies may provide some coverage, but the question is currently unsettled in the courts. CGL policies typically have two coverages, Coverage A and Coverage B, that could come into play in the event of a data breach. But the interpretation of both coverages is unsettled and subject to litigation.

  • The standard CGL Coverage A agreement provides: “We will pay those sums that the insured becomes legally obligated to pay as damages because of ‘bodily injury’ or ‘property damage’ to which this insurance applies.” “Property damage” means “[p]hysical injury to tangible property” and “[l]oss of use of tangible property that is not physically injured.” The standard agreement was amended in 2001 to further provide that “electronic data is not tangible property.”
  • The standard CGL Coverage B agreement provides: “We will pay those sums that the insured becomes legally obligated to pay as damages because of ‘personal and advertising injury’ to which this insurance applies.” “Personal and advertising injury” means, among other things, “[o]ral or written publication, in any manner, of material that violates a person’s right of privacy.”

The increase in cyber events has spawned litigation over the definition of “bodily injury,” “property damage,” and “personal and advertising injury,” as well as the extent to which those terms cover data breaches. Ultimately, courts apply fact-specific reasoning to determine coverage. For example:

  • A power outage that knocked out computer systems and caused the network to physically lose the programming information and custom configurations necessary for them to function was “property damage.”
  • Software in an AOL update that “altered the customers’ existing software, disrupted their network connections, caused them loss of stored data, and caused their operating systems to crash” was not “property damage.”
  • Loss of computer tapes that fell out of a van did not constitute “personal injury” under Coverage B because there had been no “publication” of the information stored on the tapes resulting in a violation of the person’s right to privacy.

As these cases show, application of traditional CGL policies to cyber events such as data breaches is far from settled and highly fact-specific.

Cyber Insurance Coverage

Cyber insurance is increasingly common and can provide first- and third-party coverage for various losses and costs of cyber events. However, selecting a cyber insurance policy can be difficult, as there is no standard policy and the quickly changing landscape results in complex risk assessment.

First-party policies can include the following types of coverage:

  • costs to notify consumers, consumer support and related consumer costs;
  • crisis management and public relations;
  • legal and forensic services;
  • cyber extortion reimbursement;
  • business disruption expenses;
  • costs associated with restoring or replacing lost business assets; or
  • losses due to theft of trade secrets or intellectual property.

Third-party policies can include the following types of coverage:

  • losses payable to third parties for the costs of unauthorized disclosure or theft of information;
  • losses payable to third parties for business disruption expenses;
  • losses payable to third parties for transmission of malware;
  • defense costs in litigation filed by a damaged third party or in regulatory proceedings initiated due to a data breach.

Cyber insurance policies are not without their exclusions and oftentimes exclude property damage and bodily injury.

No industry is immune from risks associated with cyberattacks and data breaches. With the emergence of cyber events, such as data breaches, come litigation and cyber insurance policies. Construction executives should examine their existing policies closely, as they might not be as covered as they would like in the event of a data breach.

by Margaret L. Flatt
Margaret Flatt focuses her practice on construction and complex business litigation and advises clients in the construction, professional liability, insurance and financial services industries.
