It seems that barely a week goes by without another high profile cyber breach (Ebay, JP Morgan Chase, Home Depot and Sony, twice, spring to mind). However, for every high-profile cyber-attack, there will be tens or hundreds of unreported phishing scams, malware intrusions and data losses stemming from employees (whether inadvertent of malicious).
Cyber security is a real and present danger within the construction industry and one which operators within the industry should be aware of and take steps to confront. A UK government 2015 survey indicates that 90% of large businesses and 74% of small businesses have suffered a cyber-security breach in the last year.
If those in the construction industry are not as concerned about cyber security as some other sectors, they certainly should be, particularly as the industry increasingly turns to internet-based programmes to achieve efficiencies (such as BIM and Procore for example). Organisations may hold plans and schematics for current and past projects that need to be protected against access by terrorist or other malevolent organisations. Similarly, unwanted access to FM systems such as security or BMS could cause serious operational difficulties or present health, safety and security risks.
On a more prosaic level, the leaking of market-sensitive information, intellectual property or other confidential information could have serious financial consequences. And especially where multiple sets of employees, consultants and contractors are involved on a site, the risks of phishing or malware are significant.
So what can be done to combat these threats?
The best chance for positively affecting the outcome is in the first 24 hours following a breach. During this period, the priorities should be establishing a core team to:
- Shore up defences through software / hardware fixes, isolating the point of attack (mobile, email, web) and protecting the most valuable assets (trade secrets and other high-value IP).
- Minimise the damage through technical means (whether that means getting systems up and running again or taking them down temporarily to prevent further harm) and practical steps (if passwords have been compromised, alerting those affected).
- Initiate a crisis management protocol, including gathering information to understand what has happened, preserving evidence and controlling the messaging to stakeholders.
Establish a core team
Cyber breaches can be complex and highly damaging to construction projects. An incident response team should include senior management, senior IT personnel and senior members of the HR and PR teams. The internal investigation should be led by in-house or external lawyers who are experienced in managing investigations and able to advise on potential exposure and routes for recovery.
The team may also need to include outside experts, such as specialist cyber security firms, forensic IT experts or forensic accountants.
Consider reporting obligations
Once the nature of the cyber breach is understood, it is important to consider any reporting obligations to:
- Regulators. The Information Commissioner’s Office (ICO) has made it clear that data controllers should report serious data breaches to it. The proposed new EU Cyber Security Directive and Data Protection Regulations will bring in additional reporting obligations, particularly for those who operate “critical infrastructure”.
- Supply and delivery chain. Contracts for the provision of data storage or IT infrastructure may contain specific clauses requiring one party to notify the other of any cyber breaches. If not, there may be other legal or commercial reasons to inform the supply or delivery chain of a cyber-breach, particularly if data that is held may have been compromised.
- The market. Listed companies will need to consider carefully their obligations under the Listing Rules and the Disclosure and Transparency Rules. These may require a breach to be disclosed, as soon as possible, if it would be considered “inside information” (which will depend, in part, on the seriousness and likely consequences of the breach).
- Insurers. Consider whether the breach may be covered by an insurance policy and whether notification is required. The extent of coverage for cyber risks is not always well understood.
- Law enforcement authorities. Law enforcement authorities have a broad range of powers available to pursue suspects. However, criminal investigations and prosecutions tend to be lengthy and once a matter is in the hands of authorities, conduct and publicity of those criminal proceedings will be out of a company’s control.
There may be other third parties who, for commercial reasons, should be notified voluntarily at the appropriate time. Consider employers, contractors or suppliers who may be affected. If part of the project’s system is outsourced or cloud-based, might others also be at risk?
Understand regulatory and civil risks
As well as damage arising directly from the breach, a cyber-breach can also result in regulatory or civil actions. The ICO and other regulators have wide-ranging powers, including imposing:
- Notices to provide information.
- Requirements to take remedial actions.
- Monetary penalties.
Where a breach has affected a supply or delivery chain, whether by data loss, unavailability of services or otherwise, a company could also face civil claims. The contracts in the supply or delivery chain may contain express clauses covering data security. Contract counterparites might also look to rely on general contractual obligations to use reasonable care and skill, or seek to imply similar terms or bring an action in negligence. If the breach has prevented one of the companies from providing services, this could also be the basis for a claim (unless the cyber breach could be said to be covered by a force majeure clause, as may be the case for a terrorist attack).
As well as the supply and delivery chain, consider whether any third parties might be able to bring claims. In the UK, where individuals’ personal data has been lost, this could potentially give rise to claims by those individuals for compensation if it can be argued that they have suffered “damage” as a result of a breach of the Data Protection Act 1998 (DPA 1998). Google Inc v Judith Vidal-Hall and others confirmed that “damage” for the purposes of private claims bought under the DPA 1998 includes where the individual has suffered “distress” but has not suffered any financial loss. Following Vidall-Hall, individuals affected by a data breach may be more likely to bring claims against those holding their data.
The adequacy of a company’s compliance program and its response to an incident may be central to demonstrating that it has fulfilled its regulatory, contractual and common law duties.
Take action to recover the damage
If the breach has been as a result of a deliberate attack, it may be possible to take action against the perpetrator. However, recovering damages can be challenging:
- It can be very difficult to identify the perpetrator – or at least to pin this to an individual or legal entity.
- If the perpetrator is overseas, there may be difficult issues of jurisdiction of applicable law.
- If judgment is obtained, it can be challenging to enforce and will only be worthwhile if the perpetrator has assets to enforce against.
If the perpetrator is a rogue employee (particularly a UK-based employee), there may be more options. It may, for example, be possible to get injunctive relief to obtain and/or prevent any confidential information from being disclosed or used.
Looking beyond the perpetrator, if the breach has been caused or contributed to by a weakness in a third-party hosted system, consider whether there are any claims against those IT suppliers or contractors. As with claims by the supply and delivery chain, such claims could turn on express or implied terms, or common law (negligence) duties.
The actions taken in response to a breach will be important in demonstrating that a company has taken reasonable steps to mitigate losses.
Start preparing now
When a cyber-breach is discovered, the actions taken in the immediate aftermath can have dramatic and far-reaching effects. Getting the response right from the start can effectively minimise the damage, but missing key issues early on can give rise to collateral problems down the line. By planning in advance, a company stands the best chance of being able to act swiftly, decisively and effectively, to minimise the risk from the breach itself and any follow-on claims or regulatory action.