Cybersecurity and Privacy in the Construction Industry
As the design and construction industries become more digitally connected, the risk of damaging cyber attacks has grown exponentially. Shared resources, such as Building Information Modeling (BIM), and an increasing dependence on the Internet of Things (IoT), place critical infrastructure, such as our power grid, air traffic control, global positioning systems, automatic train control, and traffic systems on our roads and highways, in peril. Industrial espionage is on the rise, making proprietary intellectual property, customer and employee data, and facility security information vulnerable. The multitude of participants in complex projects, often connected through shared networks, combined with the proliferation of malware, phishing and spoofing attacks, places corporate reputations, financial resources, and the safety of persons and property in jeopardy.
To put these risks into perspective, the operator of the Trans-Alaska pipeline has reported that every day it receives approximately 22 million emails (8 billion emails annually) full of malware, viruses and phishing schemes from hackers and state-sponsored adversaries trying to gain unauthorized access to its systems. Others in the industry face similar challenges as cyber attacks in the transportation and construction industries continue to grow each year. To address these risks, design and construction companies must adopt best practices (including the consideration of cyber insurance) to safeguard information and to mitigate damage on those occasions when cyber intrusions are successful.
Saul Ewing Arnstein & Lehr’s Cybersecurity and Privacy professionals work collaboratively with our Construction Practice Group to support design and construction firms at all stages and from all angles: we advise on privacy regulations, cybersecurity preparedness, and cutting-edge insurance products; we guide clients through crisis management when an incident occurs; and we offer clients a full range of post-incident services. We regularly advise:
- Owners and developers
- Design and engineering firms
- Contractors and construction companies
- Specialty contractors and material suppliers
- Government contractors
- Energy producers, including alternative energy projects
- Insurers and bonding companies
Areas of risk commonly encountered in the construction industry include:
- Vendor-created liability – Cybersecurity of an IT system is only as strong as the weakest link in the chain. The vast number of contractors, subcontractors and suppliers in the industry makes it critical to include cybersecurity requirements in vendor contracts.
- Intellectual property – Project and system designs and information prepared by and furnished to project owners are both highly confidential and of potential high value to unethical cyber actors. Their attractiveness as a target makes cybersecurity of intellectual property a must.
- Internet of Things (IoT) – The construction industry relies heavily on devices and security and alarm systems that can be accessed remotely via WiFi or Bluetooth. These IoT devices are vulnerable to hacking and tampering.
- Personally identifiable information (PII) – Although design and construction companies may not have as much consumer financial data or other PII as firms in the financial or retail sectors, all companies have legal obligations to keep employees’ PII confidential, and any breach of employee information could trigger state data breach notification laws. In addition, some companies may find themselves obligated to comply with applicable U.S. Government regulations or the European Union’s General Data Protection Regulation (GDPR), which impose a number of obligations on the collection and processing of a wide range of information.
- Ransomware – Not all cyber incidents involve a data breach. An attack that renders an IT system inoperable—such as a successful ransomware attack—can cause significant interruptions to business operations, leading to reputational and financial damage, including construction delays and cost overruns.
Being prepared in the constantly evolving landscape of privacy regulations and cybersecurity threats requires those who create, collect or hold data to remain on top of the latest changes. Our team is here to guide clients to do that, with a range of services that includes:
Data Privacy and Cybersecurity Preparedness
- Strategic counseling and board governance
- Regulatory matters and internal compliance
- Drafting and review of employee contracts
- Comprehensive cybersecurity preparedness
- Privacy risk review for big data analytics and advice on technology development
- Review of vendor agreements for data storage and other contracted services
- Pre-event evaluation of insurance coverage for cyber risks
- Specialist referrals, including computer security specialists and public relations professionals
Data Privacy and Cybersecurity Incident Response
- Immediate (24/7) consultation through our legal team with forensic data technology specialists to minimize the effects of an attack or breach
- Post-event evaluation of insurance claim
- Advice and assistance with reporting to authorities, if required
- Advice and assistance with reporting to affected parties, as required/appropriate
- Consultation with public relations professionals to manage messaging to clients and media
Data Privacy and Cybersecurity Post-Incident Representation
- Forensic data analysis
- After-action reviews and lessons learned
- Defense of government investigation/proceedings
- Data privacy and cybersecurity litigation
- Loss/damage mitigation
- Ongoing public relations assistance
The group includes attorneys who have received the following recognition: