Privacy and data security are not just concerns for large, multinational corporations. Today, businesses of all sizes collect and store more personal data than ever before. While cyber attacks on Fortune 500 companies, like Target, make the headlines, most data breaches affect small to mid-sized businesses.
Although the construction industry hasn’t been the target of specific data security legislation or a headline-making crisis, construction businesses can’t afford to put off preparing for a data breach.
Even small businesses possess information that could be compromised in a cyber attack. The personal information of a company’s employees can represent low-hanging fruit if the organization hasn’t taken proper care to protect its data. Similarly, confidential corporate information concerning specific projects could be attractive to cybercriminals or disgruntled former employees.
Also, relaxed privacy and security practices can make it easier for hackers to access a customer’s personal information (even if the company doesn’t routinely access such information itself), creating legal exposure for the company in the event a customer’s data is compromised. The data breach experienced by Target in late 2013 is a prime example. The attackers entered Target’s network using network credentials that had been issued to one of Target’s HVAC contractors, which had itself been compromised.
Many companies are subject to laws that require them to contractually obligate their vendors to safeguard personal information. A company’s ability to demonstrate to potential customers that it has carefully considered data security issues and adopted appropriate policies and procedures can give it a competitive edge. A construction company can take certain steps to reduce the likelihood of a data breach and to ensure that the company’s response is as efficient as possible if it does experience a cyber attack.
Adopt a Written Information Security Program
A written information security program (WISP) is a way to document the measures that a business takes to protect the personal information and other sensitive information under its control.
While there is not yet a federal legal requirement for a construction business to develop a WISP, more and more companies are bound by contractual obligations to do so. Also, state law may mandate that a company adopt a WISP or implement reasonable safeguards to protect the personal information it collects and maintains. Finally, government contractors that access Controlled Unclassified Information (CUI) will likely soon be subject to a new Federal Acquisition Regulation (FAR) cybersecurity clause.
In June 2015, the National Institute of Standards and Technology (NIST) released NIST Special Publication 800-171, which sets security requirements for nonfederal organizations, including federal contractors, that handle CUI. This publication, the result of a partnership between NIST and the National Archives and Records Administration (NARA), is the first step toward NARA’s stated goal of adding a cybersecurity clause to the FAR in 2016.
The NIST publication organizes the security standards into 14 “families,” including access control, awareness and training, incident response and risk assessment. Government contractors should consult the publication as part of their WISP preparation to ensure they can meet forthcoming cybersecurity standards.
Even if a construction business isn’t required to have a WISP, the process of developing one can be beneficial, as it demonstrates to customers and employees that maintaining the security of their personal information is important to the business. Also, a well-developed WISP can reduce exposure in the event a business experiences a data breach.
Creating a WISP is an individualized exercise. Take into account the size of a business, available resources, the types of accessible personal information, and the states where customers and employees reside.
Adopt a Data Breach Response Plan
While the benefits of adopting and following a WISP cannot be overstated, the reality is that even the most proactive company can fall victim to a cyber attack. Preparing an incident response plan in advance can result in significant cost savings and reduced exposure.
Designate a response team to take charge in the event of a breach, with a capable leader who manages and coordinates the response. Depending on the size of the organization, the team may include representatives from the IT, legal, PR and HR departments. Include the company’s key decision-makers as advisors to the team to ensure the necessary backing and resources to properly develop and test a data breach response plan.
Establish internal and external communication protocols. It’s crucial that messages surrounding the incident be consistent. Only the company’s designated representative should discuss the incident with the media and other external parties.
Obtain cyber insurance for the business to shift the risk and defray the cost of a data breach. There are additional benefits to cyber insurance that may be less obvious. First, the due diligence that is part of the underwriting process can help identify vulnerabilities in a security program. Also, a carrier may offer access to a vetted network of vendors, including legal counsel, forensics firms and remediation services. Identifying and contracting with these vendors in advance can result in additional cost savings.
Finally, remember that policies and procedures are only as good as their implementation. Work to establish a culture of privacy and security by training employees and monitoring compliance. Make sure employees know how to spot suspicious emails (e.g., a phishing attack was the first step in the Target breach). Consider simulated cyber exercises, which can help make sure employees understand their roles in the event of a data breach and identify gaps in a plan.
Businesses in the construction industry cannot afford to take a casual approach to data security. More and more companies are required by contract or by state law to implement and follow robust information security programs. Preparing for a data breach in advance can result in significant cost savings and minimize a company’s legal exposure. Establishing appropriate policies and procedures can demonstrate to customers that a business takes data security seriously and ultimately increase a company’s bottom line.