4 Data Privacy Week Takeaways for Construction
(And a few good tips for everyone else)
This week is “Data Privacy Week” in America, which at first glance is not exactly the most exciting “awareness” week out there. Yet IT and information security departments everywhere know how important data privacy is, especially within the context of data security and data protection.
According to NordLayer, 2023 was the most expensive year for data breaches yet, and construction firms were once again heavily targeted. But not all of these were the result of malicious attacks or cybersecurity threats—which is a primary data security concern.
Instead, most breaches that occur are actually a result of accidentally allowing unauthorized access to sensitive data. In some cases, that might run afoul of an individual’s right to privacy under major data privacy laws like the California Consumer Privacy Act (CCPA), California Privacy Rights Act (CPRA), and the EU’s General Data Protection Regulation (GDPR). These laws say that businesses must ensure that any sensitive data they process, store, or transmit has the consent of the individual, with big fines for data breaches—accidental or not.
Larger construction businesses with a national or global presence must legally comply with these major regulations. But most smaller firms and mid-size businesses that don’t have to comply with comprehensive data privacy laws still have a lot they can take away from better data management concepts and processes.
So how can construction businesses of all sizes prevent unauthorized access to sensitive business material, like personally identifiable information or other critical business data? Let’s take a look at four ways contractors can help protect their data while abiding by data privacy laws like the CCPA and GDPR.
#1: Don’t Accidentally Breach Your Own Data
The greatest risk of a breach—by a relatively large margin—is unintentional disclosure of important sensitive information. These are often just simple mistakes, from sending the wrong email with sensitive information to the wrong client, to a misdirected fax or paper billing statement.
Data “incidents” and data “breaches” are terms used based on the severity of a potential information disclosure. If your construction business is governed by a state or other regional privacy law, you may be required to notify regulatory authorities either way. Accidental breaches can become a messy situation that is best avoided through internal process improvement and training. For example:
- Collect only as much data as necessary to run your business. Less data floating around means less to manage—and far less business risk in the unfortunate case of a breach.
- Likewise, don’t retain old information for longer than is reasonably necessary to conduct business.
- Encourage education and awareness surrounding privacy practices and how to detect potential security threats.
- Talk to your vendors (and anyone you share data with) about their privacy practices, as well as their cybersecurity. According to survey data on company breaches, businesses say they are more likely to experience a breach via a third party—but may still be liable, depending on jurisdiction.
#2: Double-Check (and Triple-Check) Your Ransomware Defenses
For the last year, the construction industry has been fraught with ransomware attacks; industry figures from NordLocker show that construction firms were attacked more often than any other type of business in 2021. The ultimate scale of a cyber attack may not be uncovered for months after initially identifying the threat, but the attacks often come down to one thing: money.
Bad actors can hold computer systems hostage for payment and create other havoc, and businesses aren’t always able to bounce back from major data losses. A Federal Emergency Management Agency (FEMA) study found that as many as 60% of businesses don’t reopen after a major disaster—which includes business data losses due to a ransomware attack.
There are several other types of attacks that can impact a construction company outside of a typical ransomware attack.
In the construction industry specifically, contractors must also watch for:
- fraudulent wire transfers
- breaches of intellectual property (like sensitive blueprints or schematics)
- breaches of bid or contract data—which could lead to monetary and reputational losses
#3: Choose Your Vendors Wisely
There is no magic bullet or singular solution to keep your data private and secure. Instead, stakeholders must pair process improvement and internal communication with better privacy practices to drive awareness and education.
The vendors and outside firms you work with (cloud providers, subcontractors, and even other businesses) should maintain a high level of information security. Typically, the easiest way to identify that a vendor has its act together is to find out whether its software has earned SOC 2 Type 2 security compliance for data protections.
Bryce Austin, cybersecurity consultant from TCE Strategies, recommends taking a look at all of your resources and asking questions about the security of your cloud data.
“You need to choose your cloud providers wisely,” Austin said. “Some cloud providers take cybersecurity much more seriously than others. Make a list of your cloud providers so you understand who to call for which concern. And you need to have multi-factor authentication on any administrator accounts that run your cloud services.”
Austin has three recommendations when looking at cloud service providers:
- Ensure administrator accounts in the cloud are set up with multi-factor authentication
- Make a list of your cloud providers and share it with stakeholders
- Discuss cloud security with your providers regularly
#4: Look Closely at Local, State, and National Privacy Laws
The United States does not yet have a comprehensive national data privacy law similar to the GDPR—so contractors doing business in the States alone may not have to worry about international laws to the degree that global contractors do.
However, a few states do have their own comprehensive privacy laws, with a number of provisions that make privacy and security practices very important. Contractors working in California, Virginia, or Colorado, for instance, must ensure that they’re complying with state privacy regulations.
Even though many of the strictest provisions of those laws apply to retail businesses that might collect and sell personal data, the breach provisions still apply if, for example, employee or partner information is among the sensitive material that a malicious actor has obtained. There are strict reporting requirements, potential fines, and even the potential for lawsuits. More importantly, these laws also apply to vendors and contractors—making it doubly important to keep an eye on vendor/contractor privacy practices.
The role of data privacy has expanded significantly since the launch of the GDPR, and in America, the CCPA. As more states look to modernize their privacy laws to make sense in a digital world, contractors must do the same with their security practices and technology.
Data privacy is an important aspect of any business, and certainly deserves more attention than its one week “holiday.” Better privacy and security practices can mean the difference between preventing a breach and falling for a phishing attempt—or accidentally sending sensitive data to the wrong company.
If you’re feeling pressured but are too busy managing multiple, disconnected solutions, it might be time to turn to a single connected cloud-based software suite like Trimble Construction One. With the latest security safeguards in place—including SOC 2 Type 2 compliance—Trimble Viewpoint software takes the IT burden off of contractors so they can focus on the work they love.