
Federal Privacy and Cybersecurity Regulatory Developments – Key Updates

In the absence of overarching federal privacy legislation, enforcement authority over privacy and cybersecurity is shared among several different government agencies. With attention on privacy and cybersecurity-related issues rapidly increasing, federal agencies seek to address these issues by actively engaging in rulemaking, enforcement, and policy development.

Throughout this blog post, we highlight and summarize some key recent developments concerning federal regulation of privacy and cybersecurity:

Consumer Financial Protection Bureau (CFPB)

On October 21, 2021, the CFPB ordered Google, Apple, Facebook (now Meta), Amazon, Square, and PayPal to provide information regarding their data harvesting and monetization activities, access restrictions and user choice policies, and consumer payment and fraud protection. In his full statement on the matter, Director Rohit Chopra remarked that the CFPB would also investigate the practices of Chinese tech giants that offer payment systems.

On January 27, 2022, the CFPB released its annual list of consumer reporting companies and urged consumers to “exercise their right to see what information these firms have, dispute inaccuracies, and file lawsuits if the firms violate the Fair Credit Reporting Act (FCRA).” This list (consisting of the three nationwide consumer reporting companies as well as specialty reporting companies that collect and sell access to people’s data) follows the CFPB’s November 2021 advisory opinion affirming that consumer reporting companies are violating the FCRA if they engage in inadequate information matching procedures.

On March 9, 2022, President Biden issued an Executive Order on Ensuring Responsible Development of Digital Assets. Among other priorities, the Executive Order directs the FTC Chair and the CFPB Director to investigate the “extent to which privacy or consumer protection measures within their respective jurisdictions may be used to protect users of digital assets and whether additional measures may be needed.”

Department of Homeland Security (DHS)

In the past year, DHS’s Transportation Security Administration (TSA) and Cybersecurity and Infrastructure Security Agency (CISA) have focused on mitigating potential cybersecurity vulnerabilities and promoting public-private information sharing within the critical infrastructure and related industries. These efforts came in the form of several Security Directives. In response to the May 2021 Colonial Pipeline ransomware attack, TSA announced a Security Directive requiring critical pipeline owners and operators to (1) report confirmed and potential cybersecurity incidents to CISA; (2) designate a Cybersecurity Coordinator who would be on call 24/7; and (3) review current practices to identify gaps and remediation measures related to cyber risks, with a report of the results due to TSA and CISA within 30 days.

On July 20, 2021, TSA announced a second Security Directive requiring owners and operators of TSA-designated critical pipelines that transport hazardous liquids and natural gas to (1) implement specific mitigation measures to protect against ransomware attacks and other information technology and operational threats; (2) develop and implement a cybersecurity contingency and recovery plan; and (3) conduct a cybersecurity architecture design review. In December 2021, TSA released two Security Directives applicable to owners and operators of passenger railroad carriers and rail transit systems and to freight railroad carriers. Both Security Directives require rail owners and operators to (1) designate a Cybersecurity Coordinator who would be on call 24/7; (2) report cybersecurity incidents as soon as practicable, but no later than 24 hours; (3) develop and implement (within 180 days) a Cybersecurity Incident Response Plan; and (4) conduct a cybersecurity vulnerability assessment with results due to TSA within 90 days.

In addition to the above, DHS also established the Cyber Safety Review Board in accordance with President Biden’s May 2021 Executive Order on Improving the Nation’s Cybersecurity. The Cyber Safety Review Board aims to act as a bridge between the federal government and the private sector on matters relating to cybersecurity.

Furthermore, in the wake of Russia’s invasion of Ukraine, DHS and the FBI published advisories for critical infrastructure organizations regarding potential cyberattacks by Russian threat actors.

On March 10, 2022, Congress passed the Cyber Incident Reporting for Critical Infrastructure Act of 2022. Signed into law by President Biden on March 15, this act requires covered critical infrastructure organizations to report covered cyber incidents to CISA within 72 hours and report ransomware payments within 24 hours.

Federal Communications Commission (FCC)

On January 12, 2022, FCC Chairwoman Jessica Rosenworcel shared a Notice of Proposed Rulemaking that would update the current data breach notification rules for telecommunication carriers. The changes include (1) elimination of the current 7 business day mandatory waiting period for notifying customers; (2) expansion of consumer protections by requiring notification of inadvertent breaches; and (3) requirement of notification to the FCC, the FBI, and the Secret Service.

In response to a petition filed by All About the Message, Rosenworcel announced on February 2, 2022, a proposal that would require callers to obtain a consumer’s consent before delivering a “ringless voicemail” message.

On February 28, 2022, the FCC published a Notice of Inquiry (NOI) seeking “comment on vulnerabilities threatening the security and integrity of the Border Gateway Protocol (BGP).” BGP, as a critical component of Internet infrastructure, is the routing protocol used to exchange reachability information amongst independently managed networks on the Internet. The FCC published this NOI in light of Russia’s invasion of Ukraine, and comments are due 30 days after publication in the Federal Register.

Federal Trade Commission (FTC)

The FTC is particularly active in multiple areas related to privacy and cybersecurity.

For example, at an open commission meeting on September 15, 2021, the FTC voted 3-2 to approve a policy statement affirming that health apps and connected devices that draw information from multiple sources must comply with the Health Breach Notification Rule. The policy statement served as a notice to health apps and connected devices – companies that are traditionally not covered entities under HIPAA – “of their ongoing obligation to come clean about breaches.” The FTC published a “Health Privacy” landing page with featured guides on “Complying with FTC’s Health Breach Notification Rule” and “The Basics for Business.” Businesses can find information regarding who is covered by the Health Breach Notification Rule, what triggers the notification requirement, and what to do if a breach occurs.

On September 31, 2021, the FTC delivered its “Report to Congress on Privacy and Security,” urging Congress to enact privacy and data security legislation.

On October 27, 2021, the FTC announced updates to the GLBA Safeguards Rule that would strengthen data security requirements for financial institutions. The amendments became effective on January 10, 2022.

In response to the critical Log4j vulnerability, the FTC has also been warning businesses about remediating Log4j vulnerabilities and emphasized that it would use its authority to pursue companies that fail to take reasonable steps to mitigate exposure. The FTC recommends that businesses (1) update their Log4j software package to the most current version; (2) consult CISA guidance regarding mitigation techniques; (3) ensure remedial steps are taken; and (4) distribute this information to any relevant third-party subsidiaries.

The FTC has also been active on the enforcement front.

Office of the Comptroller of the Currency in the Department of the Treasury (OCC)

On November 28, 2021, the OCC, the Fed Board, and the FDIC jointly approved a final rule that requires (1) “banking organizations” to notify their primary federal regulator of any significant “computer-security incidents” as soon as possible and no later than 36 hours after the bank determines a “notification incident” has occurred, and (2) “bank service providers” to notify any affected banking organization customer of “computer-security incidents” that has “caused, or is reasonably likely to cause, a material service disruption or degradation for 4 or more hours.” The rule became effective on April 1, 2022, with a compliance date of May 1, 2022.

Office of Foreign Assets Control in the Department of the Treasury (OFAC)

In response to the rising rates of cybercrime and the increasingly prominent role played by virtual currencies, OFAC released its “Sanctions Compliance Guidance for the Virtual Currency Industry” on October 15, 2021. This compliance guidance follows on the heels of the agency’s September 21, 2021 “Updated Advisory on Potential Sanctions Risks for Facilitating Ransomware Payments.” Noting that demand for ransomware payments increased during the COVID-19 pandemic, OFAC warned all U.S. private companies and citizens of the potential sanctions risks associated with making and facilitating ransomware payments. OFAC further noted that the “existence, nature, and adequacy of a sanctions compliance program,” notification to and cooperation with law enforcement, and “meaningful steps taken to reduce the risk of extortion by a sanctioned actor through adopting or improving cybersecurity practices” would be viewed as significant mitigating factors in any enforcement response.

On the same day, OFAC designated a virtual currency exchange, SUEX OTC, S.R.O., for its role in facilitating financial transactions for ransomware actors. Accordingly, all U.S. persons are prohibited from engaging in any sort of transactions with SUEX.

Furthermore, following Russia’s invasion of Ukraine, OFAC issued sweeping sanctions related to the Russian Direct Investment Fund, the Central Bank of the Russian Federation, the National Wealth Fund of the Russian Federation, and the Ministry of Finance of the Russian Federation. Additionally, OFAC has designated certain Russian and Belarusian entities and individuals. On February 24, 2022, OFAC also announced that all U.S. financial institutions are to close any Sberbank correspondent or payable-through accounts and that full blocking sanctions will be placed on VTB Bank. Businesses should keep a close eye on all updates from OFAC and the Department of Commerce’s Bureau of Industry and Security (BIS) related to sanctions and Export Administration Regulations (EAR).

Office of Management and Budget (OMB)

On December 6, 2021, the OMB published a “Memorandum for the Heads of Executive Departments and Agencies.” In this Memorandum, Deputy Director for Management Jason S. Miller called for the implementation of a Zero Trust Architecture, accelerated efforts toward ground truth testing, improvement of observable security outcomes, and emphasis on automated and machine-readable reporting. Additionally, the Memorandum urged agencies to report all major incidents to CISA and the OMB OFCIO within 1 hour of determining that a major incident had occurred. The Memorandum defines a “major incident” to be either (1) “any incident that is likely to result in demonstrable harm to the national security interests, foreign relations, or the economy of the United States, or to the public confidence, civil liberties, or public health and safety of the American people,” or (2) “a breach that involves personally identifiable information (PII) that, if exfiltrated, modified, deleted, or otherwise compromised, is likely to result in demonstrable harm to the national security interests, foreign relations, or the economy of the United States, or to the public confidence, civil liberties, or public health and safety of the American people.”

Securities and Exchange Commission (SEC)

On March 9, 2022, the SEC announced proposed amendments to its rules to enhance and standardize disclosures regarding cybersecurity risk management, strategy, governance, and incident reporting by public companies. The proposed amendments include (1) amending Form 8-K to require registrants to disclose information about a cybersecurity incident within 4 business days after the registrant determines that it has experienced a material cybersecurity incident; (2) amending Forms 10-Q and 10-K to require registrants to provide updated disclosure relating to previously disclosed cybersecurity incidents and to require disclosure (to the extent known to management) when a series of previously undisclosed, individually immaterial cybersecurity incidents becomes material in the aggregate; (3) amending Form 10-K to require disclosures related to a registrant’s policies and procedures for identifying cybersecurity risks, cybersecurity governance, and management roles; (4) amending Item 407 of Regulation S-K to require disclosure of whether any member of the registrant’s board of directors has cybersecurity expertise; (5) amending Form 20-F to require foreign private issuers to provide cybersecurity disclosures in their annual reports; (6) amending Form 6-K to add “cybersecurity incidents” as a reporting topic; and (7) requiring that proposed disclosures be provided in Inline XBRL. Comments are due by the 30th day after the date of publication in the Federal Register or by May 9, 2022 (whichever is later).

Key Takeaways

The data security and privacy landscape in the United States and worldwide is incredibly complex and becoming more complicated given the drastic increase in cyber-attacks over the past several years. Working with sophisticated legal counsel can help your organization better understand this landscape, work towards compliance with state, federal, and global privacy laws, and respond in the event of a cybersecurity incident. Our team of lawyers and technologists are uniquely positioned to help organizations navigate this constantly evolving space.

*Attorney Advertising: Prior results do not guarantee future outcomes.



Year in Review: 2021’s Top Privacy and Cybersecurity Trends

Despite the ongoing COVID-19 pandemic, 2021 proved to be another incredibly busy year for consumer privacy and cybersecurity. In this blog post, we revisit some of the most important domestic and international privacy and cybersecurity trends of the past year. 


New State Consumer Privacy Laws 

On the heels of the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA), Virginia and Colorado became the next two states to enact comprehensive consumer privacy laws. Signed into law by Governor Ralph Northam back in March, the Virginia Consumer Data Protection Act (VCDPA) becomes effective on January 1, 2023 and applies to all companies that operate a business or produce products or services that are targeted to residents of Virginia and meet certain thresholds. Months later in July, Governor Jared Polis signed the Colorado Privacy Act (CPA) into law. Set to go into effect on July 1, 2023, the CPA applies to controllers that conduct business in Colorado or produce or deliver commercial products or services that are intentionally targeted to residents of Colorado and meet certain thresholds. Both the VCDPA and the CPA carve out several exemptions for entities that are already covered under the privacy and security requirements of other federal laws. Unlike the CCPA and the VCDPA, however, the CPA does not provide an exemption for non-profit organizations. Furthermore, neither the VCDPA nor the CPA offers a private right of action.

Other notable state privacy developments include New York’s new rules on employee electronic monitoring as well as Nevada’s SB260 amendment, which expanded the right to opt-out of sales and created new requirements for “data brokers”. 

As we head into 2022, we anticipate that the patchwork of state consumer privacy laws will continue to grow. Octillo recommends that businesses take proactive steps to first evaluate what laws and regulations apply to their business and then develop a comprehensive roadmap and plan to mature their data privacy and security posture both internally and externally.   


Continued Focus on Cybersecurity 

Threat actors in 2021 continued to launch increasingly sophisticated ransomware and cyberattacks against businesses of all sizes and in all industries. In the wake of highly disruptive attacks such as SolarWinds and the Colonial Pipeline ransomware attack, both the federal government and also state governments sought to increase their focus on cybersecurity standards. For example, the New York State Department of Financial Services (NYDFS) issued guidance to cyber insurers in the form of the Cyber Insurance Risk Framework. The Cybersecurity and Infrastructure Security Agency (CISA) also regularly issued advisories informing businesses of vulnerabilities. In an effort to secure critical infrastructure, President Biden signed an Executive Order on “Improving the Nation’s Cybersecurity” in May. The new Civil Cyber-Fraud Initiative announced by the Department of Justice back in October further indicates the increasing importance of developing and maintaining resilient cybersecurity protocols.  

The federal government’s response to this year’s exponential increase in ransomware attacks has led several high-profile threat actors – such as DarkSide, REvil, and BlackMatter – to take their dark web platforms offline. At the same time, however, new variants of ransomware are constantly emerging, and there is significant evidence that experienced cyber criminals are rebranding to evade law enforcement rather than shutting down their operations.

In this complex threat landscape, companies across industries are wisely seeking to secure or renew cyber liability coverage in an increasingly competitive market.  Insurers are asking meaningful questions about applicants’ security programs and expecting strong safeguards in place.  For organizations of all sizes, the past year has shown that cybersecurity incidents are now a question of when rather than if.  

Octillo’s Incident Response Team urges businesses to develop plans and procedures to mitigate cyber and legal risk. Octillo recommends businesses continue to dedicate internal resources to refining compliance programs and testing incident response plans through tabletop training exercises. 


Health Privacy and Compliance Challenges 

Our lives have become increasingly digitized, and 2021 was no different – especially with the COVID-19 pandemic. The proliferation of apps and technologies handling personal health data led the FTC to confirm back in September that the requirements contained in the agency’s Health Breach Notification Rule extend to health apps and connected device companies. And as the world continued to operate under the shadow of the COVID-19 pandemic, businesses faced – and will continue to face – uncertainty regarding new federal vaccination and testing policies. Octillo’s Data Security and Privacy Compliance and Health Law Teams recommend businesses take stock of their employee data collection practices in their efforts to prevent the spread of COVID-19. 


Biometrics Class Actions, BIPA Claims Accrual, and Statute of Limitations 

In 2021, litigation under Illinois’ Biometric Information Privacy Act (BIPA) remained at the forefront of the data privacy landscape. As we noted back in January, March, and April, BIPA’s private right of action has contributed in part to an increase in the number of class actions. In September, the First District of the Illinois Appellate Court found that the statute of limitations period could range from one year to as much as five years depending on the nature of the alleged violation. But as the year closed out, Illinois courts continued to wrestle with the issues of BIPA claims accrual and statute of limitations. As this blog post goes to press, the U.S. Court of Appeals for the Seventh Circuit had just issued its decision in Cothron v. White Castle, certifying the issue of BIPA claims accrual to the Illinois Supreme Court.


Website Accessibility Litigation and What Counts as a Place of Public Accommodation 

The Octillo Accessibility Team continues to see a drastic increase in litigation filed under Title III of the Americans with Disabilities Act (ADA) as well as rapidly evolving caselaw surrounding website accessibility claims. 2021 is set to be a record-breaking year, with approximately 4,000 new lawsuits filed this year alone, most of them against small to medium sized businesses. The issue of whether websites qualify as places of public accommodation under the ADA continued to take shape in 2021. For example, in May the Eleventh Circuit Court of Appeals held in Gil v. Winn-Dixie Stores that a website is not a “place of public accommodation” under Title III of the ADA, creating a clear conflict with Ninth Circuit authority that has held a website is a place of public accommodation if there is a nexus to a brick and mortar location. In September, the United States District Court for the Eastern District of New York issued a decision in Winegard v. Newsday LLC, which also concluded that a website is not a “place of public accommodation” under Title III of the ADA. Despite this unsettled landscape, we anticipate more litigation to come around the specific statutory definition of what constitutes a “public accommodation.”

Nevertheless, there is no end in sight for companies facing lawsuits under the ADA. Accordingly, Octillo recommends that businesses with any online presence or mobile application take proactive steps and prioritize accessibility internally. Minimizing legal risk through a digital accessibility compliance buildout that includes both a full scale audit of digital assets and internal and external policy development is recommended for all businesses looking ahead into 2022.


Telephone Consumer Protection Act (TCPA) 

TCPA class actions are numerous. Octillo’s TCPA team has charted the complex legal landscape surrounding text message marketing and telemarketing throughout the course of 2021. In April, we covered the decision by the Supreme Court of the United States in Facebook v. Duguid et al., which narrowed the scope of the TCPA down to systems that utilize random number generators. In November, we covered Florida’s new telemarketer requirements. As we head into 2022, TCPA compliance will continue to be an important area of focus for businesses. Businesses that leverage text messaging marketing as part of their consumer outreach should evaluate compliance initiatives and stay up to date on this fast moving area of the law. 


More Global Privacy and Cybersecurity Developments 

Privacy and cybersecurity continued to be areas of significant focus on an international scale. For example, China’s new Data Security Law (DSL) and new Personal Information Protection Law (PIPL) became effective on September 1 and November 1, respectively. Along with the Cybersecurity Law (CSL) of 2017, these two new laws have added a set of new cross-border requirements for international companies seeking to do business in China. Furthermore, following the Schrems II decision, which invalidated the EU-US Privacy Shield, the EU Commission released new standard contractual clauses (SCCs) intended to provide more flexibility and options for cross-border data exchange. The new SCCs are applicable for all new contracts entered into as of September 27, and businesses have until December 27, 2022 to transition all contracts using the older SCCs to ones with the new SCCs. Additionally, Québec’s Bill 64, which received royal assent a few months ago, has a series of new requirements coming into effect within the next couple of years for businesses both within and outside the province. 

On the global data privacy class action front, the UK Supreme Court’s recent decision in Lloyd v. Google suggests that opt-out class action cases for data privacy claims will be very difficult to bring. 


Conclusion and Key Takeaways 

In the midst of the ongoing COVID-19 pandemic and a rise in sophisticated cyberattacks, 2021 saw many privacy and cybersecurity trends and developments. There were new laws and regulations on both a domestic and an international scale. Case law in relevant areas developed rapidly, with some issues still unresolved as we embark on 2022. Things do not seem to be slowing down at all in the realm of privacy and cybersecurity. Octillo’s team of attorneys and technologists work with businesses of all sizes and industries to develop comprehensive scalable data security and privacy infrastructures to navigate this fast moving area. 




Under New Cyber-Fraud Initiative, DOJ Will Sue Federal Contractors For Failure to Maintain Cybersecurity Standards and Report Incidents

The Department of Justice has announced a new “Civil Cyber-Fraud Initiative” in which the Department will pursue civil actions for damages against federal contractors that fail to maintain cybersecurity standards and fail to report cybersecurity incidents and breaches.


What Is the Civil Cyber-Fraud Initiative?

On October 6, 2021, Deputy Attorney General Lisa Monaco declared that the DOJ will use its existing authority under the False Claims Act to bring civil litigation against entities or individuals that put U.S. information or systems at risk by either:

  • Knowingly providing deficient cybersecurity products or services;
  • Knowingly misrepresenting their cybersecurity practices or protocols; or
  • Knowingly violating obligations to monitor and report cybersecurity incidents and breaches.

Monaco explained that “for too long, companies have chosen silence under the mistaken belief that it is less risky to hide a breach than to bring it forward and to report it.  Well that changes today … because we know that puts all of us at risk.”


How Will Enforcement Work?

Under the False Claims Act, the government can recover treble damages, plus a penalty amount that is linked to inflation, against companies that make false statements in connection with work that is funded by the government.  The new initiative will apply to federal government contractors, federal grant recipients, and other recipients of federal funding.  The statute of limitations for False Claims Act litigation is three years.


The Cyber-Fraud Initiative will be conducted by the Civil Division’s Commercial Litigation Branch, Fraud Section.  The False Claims Act also authorizes Qui Tam litigation, a type of whistleblower activity in which private parties can initiate litigation on behalf of the government and receive a percentage of the government’s recovery if the claim is successful.  The DOJ’s press release announcing the Cyber-Fraud Initiative indicated that qui tam litigation would apply to the new initiative.


The new initiative is part of the DOJ’s ongoing comprehensive cyber review, which was ordered by Deputy Attorney General Monaco in May 2021 and follows a recent series of cybersecurity attacks that has motivated the Biden administration to bolster cybersecurity resiliency and pursue threat actors.


What Should Federal Contractors Do Next?

Cybersecurity incidents and breaches have always exposed companies to considerable litigation risk, and the DOJ’s new initiative only increases that risk. The DOJ’s new initiative demonstrates the increasing importance of developing and maintaining resilient cybersecurity protocols. Octillo closely monitors developments in laws and regulations governing cybersecurity. Octillo’s team of highly skilled attorneys and technologists is uniquely situated to assist clients as they navigate these changes.




Cybersecurity Awareness Month – 10 Tips for Improving Your Organization’s Cyber Hygiene

October is Cybersecurity Awareness Month – a month-long event with the goal of raising awareness of good cybersecurity practices.

As a law firm focused only on technology, data security, and privacy, Octillo is dedicated to helping organizations create robust cybersecurity programs that help prevent or lessen the impact of potential cyber attacks. This starts with helping organizations, and their employees understand the important role they play in protecting their systems and safeguarding data.

In recognition of this important educational opportunity, we have compiled some of our top cybersecurity tips to help your organization improve your cyber hygiene. Do your part, #BeCyberSmart!

1. Use Multi-Factor Authentication

Add multi-factor authentication to your accounts. These tools require you to approve or verify each login attempt before access to the account is granted, so a stolen password alone is not enough for an attacker to get in.


2. Update your Systems  

Updates may be a pain, but they are important. Updates often include patches for recently identified security issues. Neglecting updates may leave you vulnerable to threat actors exploiting these vulnerabilities.  


3. Emphasize Employee Education  

Human error is one of the most commonly cited causes of cyber incidents. Conduct regular cybersecurity trainings, including tabletop exercises testing your incident response plan, to help employees understand their role in incident response and prevention.  


4. Use Strong Passwords  

Choose unique passphrases as an alternative to passwords (e.g., Myd0g1sth3b3st! vs. Fido123). Use a different password for each account. To help keep your credentials straight, consider using a password manager.


5. Examine Emails Carefully  

Scammers often mimic a legitimate site or email address by using a slight variation in spelling. Pay attention to email and website addresses and independently verify links and attachments before clicking. Know where/how to report any suspect emails because you may not be the only one who received it.  Sharing is caring! 


6. Avoid Public or Unsecured Wi-Fi Networks

Do not connect to a public or unsecured Wi-Fi network, such as at a coffee shop or hotel. Any sensitive information transmitted over these unsecured connections can be accessed by other users on the network. When a secure network is not available, opt to use your mobile hotspot.


7. Create Email Forwarding Alerts  

Set up alerts for when forwarding rules are added to your e-mail account, and routinely review the forwarding rules that exist. If threat actors gain access to an email account, they may create mailbox rules to forward mail out of the organization or to hide their activity.
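To show what the routine review in this tip can look like in practice, here is an added example (not code from the original post) that audits a set of mailbox rules for the patterns attackers typically leave behind: forwarding or redirecting to external addresses, silently deleting or hiding messages, and filtering on keywords such as "invoice" or "password". The rule records and the internal domain `example.com` are constructed for the example; the field names are an assumed format, not the schema of any particular mail platform.

```python
"""Audit mailbox inbox rules for signs of attacker persistence.

Added example, not part of the original post. The record format below is
an assumption: each rule is represented as an InboxRule with the actions a
typical mail platform exposes (forward, redirect, delete, move, subject
filter). The internal domain set is also an assumption for the example.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Assumption: the organisation's own mail domains (constructed value).
INTERNAL_DOMAINS = {"example.com"}

# Folders attackers commonly move mail into so the victim does not notice.
SUSPICIOUS_FOLDERS = {"rss feeds", "rss subscriptions", "archive",
                      "junk email", "conversation history", "deleted items"}

# Subject keywords that, combined with a hide/forward action, point to
# payment fraud or suppression of security notices.
SUSPICIOUS_KEYWORDS = {"invoice", "payment", "wire", "password",
                       "security alert", "suspicious sign-in"}


@dataclass
class InboxRule:
    mailbox: str
    name: str
    enabled: bool = True
    forward_to: List[str] = field(default_factory=list)
    redirect_to: List[str] = field(default_factory=list)
    delete_message: bool = False
    move_to_folder: Optional[str] = None
    subject_contains: List[str] = field(default_factory=list)


def external_recipients(addresses: List[str]) -> List[str]:
    """Return the addresses whose domain is not one of ours."""
    return [a for a in addresses
            if a.rsplit("@", 1)[-1].lower() not in INTERNAL_DOMAINS]


def assess_rule(rule: InboxRule) -> List[str]:
    """Return a list of human-readable findings for one rule (empty = clean)."""
    findings: List[str] = []
    if not rule.enabled:
        return findings  # disabled rules take no action; skip them

    ext = external_recipients(rule.forward_to + rule.redirect_to)
    if ext:
        findings.append("forwards/redirects to external: " + ", ".join(ext))
    if rule.delete_message:
        findings.append("deletes matching messages")
    if rule.move_to_folder and rule.move_to_folder.lower() in SUSPICIOUS_FOLDERS:
        findings.append(f"hides messages in folder '{rule.move_to_folder}'")

    hides = rule.delete_message or rule.move_to_folder is not None
    keywords = [k for k in rule.subject_contains if k.lower() in SUSPICIOUS_KEYWORDS]
    if keywords and (hides or ext):
        findings.append("filters sensitive subjects: " + ", ".join(keywords))

    # Attackers often use a single character or blank name so the rule is
    # easy to overlook in the rule list.
    if len(rule.name.strip()) <= 1:
        findings.append("near-empty rule name")
    return findings


def audit(rules: List[InboxRule]) -> Dict[Tuple[str, str], List[str]]:
    """Run assess_rule over every rule; key results by (mailbox, rule name)."""
    report: Dict[Tuple[str, str], List[str]] = {}
    for rule in rules:
        findings = assess_rule(rule)
        if findings:
            report[(rule.mailbox, rule.name)] = findings
    return report


# Constructed sample rules: one benign, two typical of a compromised mailbox.
SAMPLE_RULES = [
    InboxRule("carol@example.com", "Newsletters", move_to_folder="Newsletters",
              subject_contains=["digest"]),
    InboxRule("alice@example.com", ".", forward_to=["drop@example.org"]),
    InboxRule("bob@example.com", "Filter", delete_message=True,
              move_to_folder="RSS Feeds",
              subject_contains=["invoice", "password", "meeting"]),
]

if __name__ == "__main__":
    for (mailbox, name), findings in audit(SAMPLE_RULES).items():
        print(f"{mailbox} rule '{name}':")
        for f in findings:
            print(f"  - {f}")
```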


8. Do Not Use Personal Devices to Access Sensitive Data  

Personal devices, such as your phone or personal computer, are often not as secure as devices in the workplace. Downloading or accessing sensitive information on those devices could lead to the information being compromised. Unless your Security Officer says otherwise, never access sensitive information from personal devices.    


9. Keep Track of your Backups  

Make sure you have backups of important data in place and that these backups are stored separately from your normal environment. Check the integrity of your backups regularly.


10. Find A Data Security Team  

Creating data security policies, procedures, and plans can be daunting. Partnering with a team that understands the legal and threat landscape surrounding data security is a great first step towards improving your cyber preparedness.



*Attorney advertising – prior results do not guarantee future outcomes.


Why the Construction Industry Is Being Impacted By Cyber-Attacks, and What To Do About It


For many years, the construction industry has appeared almost immune from cyber events because of the limited personal information it keeps. However, the last 12 months directly contradict this view and have reminded the industry that this perspective no longer carries weight. The construction industry is now one of the leading industries impacted by data security incidents. This raises the question: why? And what can the industry do to address this rise in cyber threats?

Threat actors know that the construction industry is, in some areas, behind in data security and privacy initiatives. This is in large part because the industry has, to date, avoided heavy regulation under data security and privacy laws. The limited regulation and guidance in the construction industry may have contributed to less focus on cybersecurity than in other industries.

Additionally, many in the construction industry are leveraging artificial intelligence (AI) technologies such as machine learning (ML) and robotics, among others. These new technologies still require data security and privacy risk assessments and proper controls, something that may be an afterthought for those in the construction industry who, historically, may not have had cybersecurity top of mind.

Lastly, threat actors seek to extort money, and the construction industry presents a big, lucrative target. The exposure of the construction industry to cyber-attacks is amplified, in part, by the amount of confidential and proprietary information digitally stored and shared across projects and their long information technology (IT) chains. Infrastructure, financial accounts, and the data of employees and projects, as well as business-sensitive information, may all be at risk. Accordingly, the number of cyber-attacks in the construction industry is growing exponentially.

The legal and threat landscapes are constantly changing, requiring those in the construction industry to be familiar or associate themselves with experienced tech and legal providers who can assist in navigating these rushing river waters.


Some of the Largest Cyber Risks Facing the Construction Industry

While the risks of cyber-attacks are not unique to the construction industry, their impact on the industry is distinctive.

For example, on January 30, 2020, the French construction behemoth Bouygues announced that threat actors were holding 200GB of its data for ransom. See Naveen Gourd, Maze Ransomware hits Bird Construction and Bouygues Construction, https://www.cybersecurity-insiders.com/maze-ransomware-hits-bird-constriction-and-bouygues-construction/. Ultimately, the ransomware event delayed various projects, as Bouygues shut down various operating systems to prevent the attack from propagating. See Bouygues, Press Release – Information on a Cyber-Attack, https://www.bouygues.com/wp-content/uploads/2020/01/prbouyguesconstructioncyberattack01-31-2020-pdf.pdf.

Unfortunately, Bouygues is not alone in their suffering. Bird Construction, a large Canadian construction company, suffered a similar ransomware attack in December 2019, where the threat actors were demanding $9,000,000 CAD in exchange for decrypting the 60GB of data they were holding for ransom. See Naveen Gourd, Maze Ransomware hits Bird Construction and Bouygues Construction, https://www.cybersecurity-insiders.com/maze-ransomware-hits-bird-constriction-and-bouygues-construction/.

These events are, unfortunately, very common in the construction industry.

There are five main cyber-attacks that could impact a construction company: i) ransomware; ii) fraudulent wire transfer; iii) downtime or business interruption; iv) breach of intellectual property; and v) breach of bid data. Each presents its own impact and harm.

  • Ransomware: Ransomware, when a threat actor holds a computer system hostage for payment, can limit a construction company’s access to critical systems and potentially delay work at a project. Moreover, a construction company may be left with little choice but to incur the financial responsibility of paying the ransom. However, damage from a ransomware event is not simply limited to the payment of the ransom but may also include reputational damage.


  • Fraudulent Wire Transfers: Fraudulent wire transfers, often the result of social engineering, present a substantial risk to the construction industry, which is often moving large sums of capital around. Falling victim to a fraudulent wire transfer not only presents dire fiscal issues for a construction company but can also lead to severe reputational harm.


  • Downtime or Business Interruption: The construction industry is heavily reliant on the ability to deliver projects on a deadline. A cyber-attack on a construction company’s software or equipment could potentially cause a delay in the project while the cyber-attack is properly addressed.


  • Breach of Intellectual Property: If a construction company is holding highly sensitive blueprints or schematics in its computer system, breach of these computer systems could result in major reputational damage and potential lawsuits.


  • Breach of Bid Data: If a construction company holds information regarding its bidding strategies on a computer system, access and acquisition of these files could lead to a loss of a competitive edge.


What Happens In A Data Breach

The fast-moving cyber threat landscape above is juxtaposed with emerging data security and privacy laws. In the United States, there is no overarching data security and privacy law(s). Instead, we have a patchwork of federal and state laws that may apply to an organization.

For example, suppose Company XZY suffers a data breach that not only cuts off access to its systems, but also reaches a human resources program containing all of its employees’ personal information (whether hosted internally or with a third-party provider). Perhaps another affected system is a client management program holding sensitive designs, tenant plans, or city or government projects with confidentiality requirements. Assuming in this scenario that the threat actor accessed and then exfiltrated the data in the human resources system and the client management program, Company XZY would have to provide notice to all potentially impacted persons (the employees in our scenario) under a myriad of state and perhaps federal laws, and also, under contract, to the third parties whose confidential business information was impacted.

As it relates to the employees, it is important for the legal counsel for Company XZY to review where each employee resides to determine applicable laws that will direct notification requirements for employees. As one can imagine, in a data breach with hundreds or thousands or more employees who are impacted, this could become complicated, but there are seasoned professionals who can help the organization prepare and respond. Unfortunately, most organizations are not prepared.

Besides operational setbacks from a data security incident and notifications to potentially impacted persons, there could also be revenue loss, reputational harm, legal fees, technical costs, call center expenses, credit monitoring costs, regulatory reporting, third-party claims, and more.

There are, however, ways that this risk can be shifted.


Actionable Steps the Construction Industry Can Take to Mitigate Cyber Risk

There are several methods your organization can leverage to limit its exposure to cyber risks. These include but are not limited to: 1) building a team of trusted advisors; 2) picking the plan that is right for you; 3) evaluating risk so it is properly allocated through contract; 4) evaluating whether your organization has a strong cyber liability insurance policy; and 5) implementing good cyber hygiene and best practices.

1. Build A Team of Trusted Advisors

Cybersecurity preparedness will require knowledge and awareness across many roles within the organization. This includes the leaders of the organization, information technology, legal, and most likely also marketing, sales, customer service, accounting, finance, human resources, and other groups, to the extent they exist at the organization.

Third parties will likely need to be engaged, as the legal and technical areas are evolving at rapid speed. Further, the market is oversaturated with vendors, providers, and partners of all types and sizes. Organizations should take time to validate credentials, years of experience, contractual terms, insurance carried, and more before engaging third-party partners to assist with cybersecurity program development.

2. You Pick the Plan

The organization’s team should, through a risk assessment, determine its cybersecurity program goals. Too often organizations are “sold” a plan by a vendor that, if a breach occurred, would do very little to reduce legal and technical risk.

Some in the construction industry have robust experience with information technologies and others rely heavily on third parties. If the latter, find a trusted partner to help you manage your third-party providers if your organization does not fully understand technically what they are doing. Just like an employee, those third parties should be reviewed regularly (more on that soon).

3. Contract with Strong Data Security & Privacy Provisions

Another method of mitigating cyber risk is through contract. When reviewing your company’s agreements with third-party vendors and subcontractors, your company should pay close attention to indemnification and insurance procurement provisions and how they might allocate cyber risk between the parties. A data security incident at one of your company’s vendors may have serious consequences when it exposes your business’s information. To that end, your company may want to consider including language in its third-party contracts that requires vendors and subcontractors to indemnify your company in the event the third-party vendor or subcontractor suffers a data breach. Similarly, your company might want to consider requiring a third-party vendor or subcontractor to name your company as an additional insured on its cyber liability insurance policy. Both of these steps help in the event your third-party vendor suffers a data security incident, as the financial impact on your business would be minimal.

4. Cyber Liability Insurance

If the third parties the organization is using do not want to (or should not) carry certain risk, one potential method of mitigating the risk associated with cyber-attacks is a cyber liability insurance policy. These policies generally provide coverage for the following types of attacks:

  • Data Breach Expenses: When a threat actor accesses or acquires Personally Identifiable Information as defined by applicable law, your company has suffered a data security incident. Cyber liability insurance policies typically cover the costs of hiring lawyers, forensic IT security vendors, and public relations or crisis communication firms to assist you in handling your response. Moreover, cyber liability insurance policies cover the costs associated with notifying individuals and state regulators, providing identity and/or credit monitoring services to affected individuals, and running a call center.


  • Cyber Extortion or Ransomware: When a threat actor acquires access to your company’s systems and encrypts or otherwise locks you out of the network, demanding the payment of a ransom to unlock the system, your company is a victim of cyber extortion. Cyber liability insurance policies typically cover the cost of negotiating with the threat actor as well as potentially paying part of the ransom.


  • Fraudulent Wire Transfer: When a threat actor misdirects a wire transfer from your company to a vendor, your company is a victim of a fraudulent wire transfer. Cyber liability insurance policies will normally cover such fraudulent wire transfers if your company took certain steps to prevent them. Coverage for fraudulent wire transfers is generally limited to the amount of the wire transfer itself.


  • Business Interruption: When a threat actor executes a cyber-attack, some cyber liability insurance policies provide coverage for the loss of business income as a result of being locked out or shut down as part of the cyber-attack.

As provided above, cyber liability insurance policies generally cover the major types of cyber-attacks a construction company may face; however, cyber liability insurance is not the only means of mitigating the risk of a cyber-attack.

Cybersecurity insurance can cover both first-party and third-party damages. Other insurance, such as Tech Errors & Omissions coverage, may be an option for some organizations to consider as well.

5. “What’s Good for the Goose is Good For The Gander” Policies and Practices

a.) Policies & SOPs

Applicable here is the old proverb “what’s good for the goose is good for the gander.”

If an organization is going to require that its vendors and third-party partners have certain controls and practices, then that organization should perhaps think about its practices. In fact, its insurance carrier may require it. Also, the organization may have requirements under laws and regulations, under contract, or other duties owed.

This is where most organizations are paralyzed – it sounds overwhelming. Or they find some stock policies, modify them slightly, and place the policies on a virtual shelf.

In creating policies, the team charged with building a construction cybersecurity program will identify first the laws that apply to the organization, IT standards it wishes to follow, along with other guiding principles – organization mission, vision, codes of conduct, or company ethics policies, and more.

Policies and standard operating procedures can come in a myriad of shapes and sizes, which makes creating them sometimes difficult for organizations – too many choices – so they pick and choose from numerous templates and the result is, frankly, often a mess.

Organizations should plan to take time to put together written policies and procedures that reflect the organization’s goals, vision, standards, controls, and more – not some other organization’s that is in a template found online.

What are some good cybersecurity controls and practices? The National Institute of Standards and Technology’s (“NIST”) Cybersecurity Framework Version 1.1 offers for some a good place to start looking at what a cybersecurity program may look like on the technical side for your organization. See NIST, Framework for Improving Critical Infrastructure Cybersecurity, Version 1.1 (available at https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf).

b.) Controls

The organization will need a variety of physical, administrative, and technical controls.

Physical controls range from safeguarding server rooms to video monitoring of secure areas (be careful if you are collecting biometric information; this is also a fast-moving legal area).

Administrative controls include the policies and SOPs discussed earlier, but also ensuring that there are people responsible for these duties and that there is training, review, auditing, discipline, and more.

Technical controls can take many forms but include changing passwords regularly, implementing two-factor authentication where possible, and regularly informing employees of the dangers of social engineering. Good cyber hygiene can prevent a cyber-attack from occurring in the first place, and in that regard is one of the most effective means of mitigating cyber risk.

6. Construction Cyber Culture

One final method of mitigating cyber risk is fostering a good cyber culture across the organization.

An organization is on its way to a great construction cyber culture through the actionable items above: 1) a team of trusted advisors, 2) selecting a plan, 3) third-party contracting and auditing, 4) cybersecurity insurance, and 5) policies and procedures.

A great construction cyber culture begins with buy-in at the top and leading by example (so no exceptions!).



Unfortunately, organizations in almost every industry are navigating cyber threats and the construction industry is no exception. There are, however, a number of risk mitigation strategies that can be reviewed for applicability to an organization. As discussed, the first step is to find those experienced trusted advisors to help navigate this complex and sophisticated legal and technical terrain.
