Many people don’t think of commercial real estate when they think about cyberattacks. But they should. A cyberattack can come from almost anywhere, including internet-based building management systems, third-party vendors, SaaS applications and employees’ use of personal devices to access company applications and data. Cyberattacks can result in significant economic and reputational losses and exposure to legal liability.
The type of harm inflicted by a cyberattack depends on the access point of the attack. An attack on data can result in email leaks and theft of personal or proprietary information. An attack on a building management system may result in disruptions to HVAC systems, safety systems and elevators, while an attack through third-party vendors or SaaS applications may lead to treasury management losses or disclosure of personally identifiable information. Even seemingly minor attacks often result in multifaceted losses.
Company leadership needs to assess how their existing technology and practices leave their companies vulnerable to cyberattacks. They must also consider how implementation of new technology may create issues. Finally, leadership should develop cyber risk management plans to include the following:
- Designating specific people with responsibility for cybersecurity
- Implementing formal security protocols and frameworks
- Determining levels of sensitivity of data
- Investing in cybersecurity systems
- Providing training to employees
- Implementing password custody policies
- Implementing diligence requirements for prospective contract counterparties—especially vendors
- Outlining cybersecurity requirements for contract counterparties and creating incident response plans
Taking these steps can minimize both the number and scope of cyberattacks. However, not every attack is preventable. Once an attack has been detected, it is critical to assess damages, including legal liability.
A company may have multiple types of liability as a result of a single attack, and multiple companies may be liable for the same incident. Companies may find themselves subject to civil liability, government investigations or fines for breach of employee data. An owner of a retail property may find itself liable to its tenants for breach of lease or negligence. Property managers and vendors may be similarly liable to owners. Owners, managers, vendors and tenants may all be liable to the tenants’ invitees. In the case of mixed-use properties, companies face the additional challenge of protecting residential tenants’ personally identifiable information. In addition to private lawsuits, companies that are victims of cyberattacks may also be subject to regulatory violations, including violations of local building and fire codes.
Fortunately, there are several nontechnology steps companies can take to eliminate or minimize their legal exposure. A combination of effective business and legal action can provide strong protections against cyber-based liability.
One of the most important protections companies can employ is careful contract drafting. Clauses that delineate which party is responsible for different aspects of security, eliminate or limit liability for certain occurrences, cap damages, provide for indemnification and confidentiality, govern the storage and use of information, and impose audit requirements can all be employed to insulate a company from, or lessen its liability for, cybersecurity-related events. Companies can also require that their contract counterparties carry insurance against cyber-based loss and limit their counterparties’ ability to subcontract.
The type and efficacy of contract provisions to include depend on several factors, including the identity of the contracting parties, building systems and the amount of sensitive or protected information being exchanged. The enforceability of these provisions also depends on the laws and regulations of the state governing the contract.
Another important step companies can take to protect themselves is to implement or revise bring-your-own-device policies governing their employees’ use of personal devices and remote access. Personal devices provide yet another attack surface and may not be sufficiently secured. While BYOD policies implicate several areas of the law, including labor and employment law, this is a necessary step for a modern business.
Insurance and third-party guaranties also provide protection against economic losses. Depending on the policy, insurance can cover legal costs, notification costs and other expenses arising from cyberattacks. Third-party guaranties may also offset some of the liability.
No industry is completely safe from cyberattack. But for companies adopting cyber risk management plans, entering into sound contracts and obtaining access to third-party indemnification sources, the economic and reputational harm from cyberattack can be greatly reduced.