As the coronavirus (COVID-19) spread around the world, most businesses were forced to close their doors temporarily and take steps towards working virtually. However, the U.S. construction industry, deemed “essential” by nearly every stay-at-home order issued throughout the country, kept operating and kept building. After all, construction does not occur “virtually.” While many viewed the construction industry as one of the fortunate few exempt from shutting down, construction professionals wrestled with a different problem – how to stay open while staying safe.
Many contractors scrambled to implement new jobsite policies to enforce social distancing and expand their use of technology on and off the jobsite to minimize the potential for human contact. Even now, as restrictions are being lifted and companies are still encouraged to practice social distancing and limit employee contact, contractors continue to research and employ new technologies to maintain space while making progress on projects and bidding new work.
However, in this rush to adapt and overcome, many companies have not had the opportunity to analyze and assess the risks associated with their increased dependence on technology. Construction industry professionals should take this time to conduct a holistic review of the data-privacy risks they now face in their new normal. These risks exist at every phase of the construction process.
Assessing the Privacy, Confidentiality, and Cyber Risk of New Technologies
One example of the new technologies on the rise in the construction industry to mitigate the spread of the virus is pre-bid design software and virtual meeting platforms that allow employees to share ideas without sharing space. These programs range from drawing and planning software such as BIM to collaborative meeting spaces such as Zoom and Teams to cloud-based bidding tools. Indeed, some private owners are now requiring companies to use cloud-based bidding exclusively for all submissions. While these tools allow employees to discuss, bid, and win new work without ever coming into contact, they also place confidential and/or proprietary information at risk. For example, there are real data-privacy concerns that stem from uploading million-dollar proposals onto a cloud-based server to share with both internal and external contacts. Likewise, employees are transmitting pre-bid ideas and cost analyses to one another while working from their homes, often on virtual meeting platforms that may not be encrypted, password protected, or considered “secure” channels of communication.
With employees now “reaching into” their companies’ shared data drives from their phones and home internet connections, there are necessarily more points of entry for someone to pursue a cyberattack. Companies need to train their employees on the risks of email phishing, business email compromise, and the risks of malware. Sensitive project information should only be accessible by a select few employees. Different protected data classes should have unique login and access credentials. Virtual collaboration should not mean everyone can see every file.
“Internet of Things” and Connected Devices Pose New Threats
On those projects that were already underway, COVID-19 forced construction companies to come up with innovative ways to socially distance their workers and monitor their vitals. As is so often the case, struggle creates innovation, and many new tools are now being employed on jobsites to answer the call. There are safety vests and wearable watches that monitor employee vitals. There are hardhats that can send superintendents notifications when employees come within so many feet of one another. These tools gather the personal information of employees, transfer that data to a “hub,” and then analyze it for project team leaders. Companies must understand the data-privacy laws that apply to a particular job and make sure they are taking steps to protect their employees’ personal data as it is transferred from jobsite to home office and vice versa. Some states’ laws regulate how organizations can process and use the personal data of individuals within their companies. The exposure of an employee’s personal information can come with serious ramifications, and a conversation about how to remain in compliance can help ensure a company’s procedures align with multi-jurisdictional requirements.
Some construction companies have also begun identifying areas where they can use technology in lieu of humans. Many construction professionals are using drones to perform surveying work. Others have installed video surveillance on jobsites so that team leaders and engineers can monitor progress, on demand, from a project colocation or from their homes. Autonomous equipment is being employed to perform tasks once assigned to humans. Robots are performing excavation on smaller construction sites, and 3-D printing robots are printing prefabricated parts or components on site. This increased use of IoT and artificial intelligence comes with the increased need to understand how the data is being stored, who has access, and what fail-safes are built in if the technology fails. Construction professionals should consider these questions and analyze any risks associated with a move towards “smart” machines.
Planning for and Mitigating General Privacy, Confidentiality, and Cyber Risks
Construction companies should take five steps now to mitigate risks relating to privacy and cybersecurity:
- Train your employees to be your first line of defense. Many cyberattacks and inadvertent disclosures of confidential and proprietary information could be avoided if employees had been educated about the risks and followed prudent measures to prevent missteps. Do your employees know what to do if they get a suspicious email? Would they click on a link that could infect your entire system with ransomware? Do your employees know how to handle an email from a vendor or partner that asks them to change an ACH or wire account (which in turn will actually go to the criminal perpetrator who is posing as your vendor, subjecting your company to large financial losses and an angry vendor/partner)?
- Understand what data you are collecting. Privacy obligations often stem from the types of data a company is collecting and from whom. All companies should know the scope of their data collection, type of data collected, used, stored, and shared, and from whom the data is collected.
- Do your due diligence on technologies. Many technologies that are utilized in the construction industry are developed by non-construction companies or third parties. When using these technologies there are several important questions to consider. Who owns the data that is being collected? Can you independently access or delete data (say, that of one of your employees)? Is the technology company requiring you to comply with certain data privacy laws? Who is responsible for a data breach that occurs as a result of a flaw in the technology or a breach of the company storing the data?
- Review your vendor contracts. Review your vendor and third-party contracts to ensure that your rights are protected in the event your vendor has a data breach and to clarify who owns certain data.
- Stay informed of privacy regulation, litigation, and enforcement actions, as well as cyber-threats. Given the rapid pace at which privacy law is developing through both regulation and litigation, it is important to stay abreast of these developments. Find trusted sources of information, advisors, and industry experts to provide guidance on best practices and industry standards.
The use of technology on jobsites was already on the rise before the COVID-19 outbreak. However, the virus has prompted many construction companies to implement new technologies on their projects. Contractors must analyze the data-privacy risks associated with the use of IoT and artificial intelligence tools, as well as the risks associated with large data collection on individuals (even with presumably anonymized data). These new technologies can provide a sense of peace in a new normal, but only if construction companies implement policies and procedures to protect the data they are transmitting, collecting, and using to adapt their business models and legal expectations.