Although hacking attempts may be most commonly directed at financial and health institutions housing troves of financial and personal data, the construction industry is not immune from the risk of a data breach. Like most industries, the construction industry continues to advance in technological innovation—projects are becoming increasingly dependent on mobile connectivity and there is a growing reliance on cloud-based storage and sharing services. With such innovation comes an increase in possible cyber attacks and data breaches.
Hackers may be interested in, among other things:
Construction professionals are also at risk of unwittingly assisting a hack of their clients. The Target credit card and personal data breach, which affected 110 million consumers, allegedly originated as a result of stolen credentials of a refrigeration and HVAC construction and maintenance service provider. A malware-laced email phishing attack was sent to the service provider, which enabled the hacker to steal the service provider’s credentials. The hacker then used those credentials to hack credit card data from Target cash registers. A third-party vendor was also responsible for a data breach at Home Depot that resulted in theft of credit card information and approximately 53 million email addresses.
Data breaches can have severe financial costs. One study shows that the global average cost of a data breach, as of 2018, is $3.86 million, representing a 6.4% increase from 2017. Due in large part to notice requirements present in every state, the cost of data breaches is much higher than average in the United States, at $7.91 million. A data breach on a construction project can also carry additional financial costs associated with project delay and disruption.
Data breaches can also carry regulatory and litigation risks. Every state now has a law requiring businesses to notify those affected by a data breach.
Although this is a developing legal field, being the victim of a data breach can also result in being served with a lawsuit. Below are several examples of causes of action that may be filed as a result of a data breach:
Traditional insurance policies may leave construction companies less protected (or not protected at all) in the event of a data breach than they might hope. Coverage under “standard form” commercial general liability insurance policies may provide some coverage, but is currently unsettled by the courts. CGL policies typically have two coverages—coverage A and coverage B—that could come into play in the event of a data breach. But, the interpretation of both coverages is unsettled and subject to litigation.
The increase in cyber events has spawned litigation over the definition of “bodily injury,” “property damage,” and “personal and advertising injury,” as well as the extent to which those terms cover data breaches. Ultimately, courts apply fact-specific reasoning to determine coverage. For example:
As these cases show, application of traditional CGL policies to cyber events such as data breaches is far from settled and highly fact-specific.
Cyber insurance is increasingly common and can provide first- and third-party coverage for various losses and costs of cyber events. However, selecting a cyber insurance policy can be difficult, as there is no standard policy and the quickly changing landscape results in complex risk assessment.
First-party policies can include the following types of coverage:
Third-party policies can include the following types of coverage:
Cyber insurance policies are not without their exclusions and oftentimes exclude property damage and bodily injury.
No industry is immune from risks associated with cyberattacks and data breaches. With the emergence of cyber events—such as data breaches—comes litigation and cyber insurance policies. Construction executives should examine their existing policies closely, as they might not be as covered as they would like in the event of a data breach.
Written by {{author.AuthorName}} - {{author.AuthorPosition}}, {{author.Company}} {{author.Company}} Contact Info: {{author.OfficePhone}} , {{author.EmailAddress}}
{{comment.Text}}