Preparing for a data breach: The construction industry is no exception

Data breaches continue to escalate and garner national attention. The most recent news-making incident was the hack of electronic toy maker, VTech. The Risk Insurance Management Society’s Cyber Survey in May 2015 provided important benchmarking information for risk managers continuing to grapple with data security and procurement of cyber insurance. Some of the important takeaways include: that most companies either have standalone cyber insurance at this point, and the rest are seriously considering it now. Companies of all sizes — and across all industries — need to consider cyber insurance as part of their overall program.

The situation is getting so bad that businesses, large and small, finally are realizing that the question is not if they will get breached, but when. The construction industry is not immune from data breaches. 

For example, national retailer Target was breached when hackers accessed the HVAC company’s network that was tied into Target’s computer system. Target has spent well over $100 million responding, and that HVAC vendor is bankrupt.

Those in the construction industry need to remember, the issue is a privacy breach, not just a cyber breach. That means that paper is still a source for an old-fashioned privacy breach. Many industry sectors, including construction, still mistakenly believe that, if they do not deal with the general public as customers or possess a lot of credit card information, they are not at risk. Not true. The Target case is a classic example of how wrong that thinking is today.

How data privacy insurance helps prepare for a breach response

For most companies, the significant costs associated with responding to a data privacy breach cannot be borne internally. Robust data privacy insurance is required to shift the risk for the company. Going through the process of purchasing such insurance is the first step to good coverage and a strong response plan. The premiums and policy limits are relative to a company’s risk, so that ratio allows a business of any size to consider such coverage.

However, insurance underwriters are very cautious and equally thorough in issuing data privacy insurance. Because the new digital order with respect to cyber is not if a company is breached but when, insurers require an extraordinary amount of due diligence in the underwriting process. Those in the construction industry that go through the process will learn a tremendous amount about the current state of their network security and response plan. Information learned in this process can be useful for companies to find the gaps and upgrade their security, protocols and insurance coverage. Policyholders will be required to fill out extensive questionnaires from the insurer and likely allow an onsite visit. All of the information gathered in the process not only informs the insurer as to whether it wants to issue a policy, but can prove invaluable to the company when it comes to developing a strong network defense and response.

Benefits of planning ahead for your response

A comprehensive data incident response is now “a must,” whether the business owns data privacy insurance or not. As noted, the process of placing insurance coverage can provide valuable insight for creating the strongest response plan possible. There are measurable benefits to being well prepared for a data breach. Obviously, a thorough and tested plan will make for a more effective and efficient response. Mistakes made during the first 72 hours of an incident can increase the costs in responding by two to three times. An efficient response can also prevent a loss of sales, income and stock pricing. Customers who are comfortable with a company’s response are less likely to stop doing business with it in the days following the breach and in the long-run. A proper and effective response protects the company’s brand reputation. The bigger the company, the harder they fall when it comes to a botched response to a breach event.

A preplanned response is even more critical for those in construction that are accessing a customer’s computer network or possess sensitive data. Contracts may require the general contractor or subcontractor to handle aspects of the response, work on complying with notification laws and indemnify the client. Plus, it is becoming common for owners to require general contractors and subcontractors to carry cyber insurance. Everyone needs to know what the contract requires.

A true cyber policy is an insured’s best protection

Businesses can obtain cyber insurance for losses. It is critical to understand the full scope of the coverage you buy. Insurance to protect your property and network can include: 1) computer data restoration; 2) re-securing a company’s information network; 3) theft and fraud coverage; 4) business interruption; 5) forensic investigations; 6) crisis and public relations management; and 7) extortion. Commentators note that first-party losses are usually the higher costs to a business suffering a cyber-attack, so adequate coverage in this area is vital.

Organizations also need liability coverage as well. Of course, most coverage in this area will provide for a defense to litigation brought by customers for their direct losses due to a breach. However, insurance may also cover: 1) PCI-DSS liability; 2) credit monitoring for customers; 3) the cost associated with notifying customers of a breach; 4) media and privacy liability; and 5) responses to regulatory investigations. Policyholders can obtain DIC coverage under certain aspects of first- and third-party coverages.

The policy forms among the difference carriers vary tremendously, and policyholders must be vigilant to ensure they purchase the right coverage. Insureds must look well beyond the declarations page and coverage grant when considering this type of insurance, although those are obviously important. The devil is in the details.

Having gone through the exercise of purchasing data privacy insurance coverage, a company can best develop and response plan and is prepared ahead of time. The process will allow your business to prepare in the following ways:

• Develop a strong response team;
• Identify response capabilities and external resources;
• Establish relationships with law enforcement and regulators;
• Create and test your plan prior to an actual event; and
• Anticipate communication, remediation and notification pitfalls.

Time spent upfront from an in-depth analysis when considering such insurance may prevent the type of coverage fight many policyholders are facing in order to get the coverage they paid for from their insurer.  Regardless, the response plan is a must for all companies unless they just prefer to go out of business.

Collin Hite leads the Insurance Recovery Group and the Data Privacy & Security practice at the law firm of Hirschler Fleischer in Richmond. He handles insurance recovery and coverage litigation nationally, and performs insurance policy and program audits for policyholders. Hite may be reached at (804)771-9595 or [email protected].