CRE firms are more vulnerable than ever to cybersecurity and privacy threats that can arise from their handling of sensitive personal and financial information and their use of sophisticated building management systems. Those threats can pose substantial legal and financial risks to the organization. Part one of this two-part series described five steps that organizations can take to manage and mitigate those risks. This part will describe five more concrete actions that any CRE firm can to reduce its exposure and guard against the potentially disastrous consequences of a cybersecurity incident.
- Focus on Employee Training and Awareness. According to a recent study conducted by the Ponemon Institute LLC and sponsored by Experian Data Breach Resolution, employee carelessness is the number one cybersecurity and privacy risk for organizations. That carelessness manifests itself in a variety of ways, including:
- Sharing system credentials or sensitive data with an attacker posing over email as a colleague or service provider in a “phishing” attack;
- Losing a laptop, smartphone or USB drive that contains sensitive information; and
- Inadvertently unleashing malware by visiting compromised or malicious websites or clicking on links in malicious emails.
To reduce these risks organizations should focus on creating a culture of security through employee training and awareness campaigns. Training materials can be created in-house or purchased from third-party vendors. In either case the content should be tailored to the specific risks faced by the organization. Key topics in most organizations would include, at a minimum, phishing, social engineering and mobile device security.
- Consider Addressing Privacy and Cybersecurity in Tenant Agreements. To reduce the company’s legal and financial risk, CRE companies should consider addressing privacy or cybersecurity in the terms of tenant agreements. One example is where a tenant is subject to privacy or data security laws that could be implicated by a landlord’s performance under a lease agreement. Healthcare providers, for example, are subject to the Health Insurance Portability and Accountability Act of 1996 (HIPAA), a federal law that protects the privacy of patient health information. HIPAA strictly regulates third parties’ access to patient health records. Thus lease provisions that give a landlord unrestricted access to the premises could lead to violations of HIPAA if the landlord is exposed to patient health records when exercising that right of access. The lease should specifically address that issue, and in general should place the primary burden of protecting the confidentiality of the records on the tenant.
Other examples include leases in which the tenant relies on the landlord to deliver IT services such as wireless internet or other IT infrastructure, and those in which a tenants’ IT systems are integrated with building management systems operated by the landlord. In either case, parties should consider clearly agreeing in writing on the duties that apply – and do not apply – to each party to protect the security and confidentiality of the services, systems or data involved. The agreement should also address who will be responsible for damages caused by a cybersecurity incident that affects those services, systems or data.
- Carefully Vet Service Providers with Access to Company Systems or Data. Even when an organization’s own privacy and cybersecurity programs are well developed and functioning properly, third party vendors and service providers can be a significant source of cybersecurity and privacy risk. That is especially true when their offerings involve access to company systems or the receipt of sensitive company data.
To mitigate the risk posed by these parties, organizations should first examine their procurement procedures and implement a means to quickly flag engagements in which vendors need to access company systems or data. When the flag is raised the organization should conduct due diligence on the vendor to ensure it can uphold the organization’s own privacy and information security standards.
For vendors that pass that test, the organization should then build appropriate confidentiality and security obligations into the applicable product or services agreement. General confidentiality provisions are not usually sufficient; the agreement should spell out the vendor’s obligations to implement safeguards to protect against unauthorized access to or misuse of company systems and data. The agreement should also obligate the vendor to promptly report any security incidents to the organization, and clearly allocate responsibility for the costs of response and remediation.
- Prepare and Practice an Incident Response Plan. Despite an organization’s best efforts, an incident will occur at some point that compromises the security or confidentiality of its systems or data. To effectively respond the organization should prepare a documented incident response plan. The plan should, at a minimum:
- Assign roles and responsibilities to personnel that will form the incident response team;
- Document the steps that the organization will take to identify, investigate, contain and remediate security incidents;
- Address when and how the organization should engage external resources such as computer forensics providers and outside legal counsel;
- Define the process for preparing and distributing communications about the incident with external parties such as tenants, regulators, and law enforcement; and
- Describe the process to identify and address any legal obligations arising from the incident.
Once the plan is prepared, the organization should practice the plan using “tabletop” exercises that present realistic scenarios and that require the incident response team to discuss how each step in the plan would be applied to that scenario. Such exercises can be invaluable for discovering weaknesses in the plan and addressing them without the pressure of a live incident.
- Review Your Insurance Policies and Consider Adding Cyber Liability Coverage. Liability insurance can help minimize financial losses to the organization in the event of a cybersecurity incident. But traditional policies such as commercial general liability, professional liability, errors and omissions or crime policies may or may not cover cyber risks. The organization should therefore carefully review its existing insurance policies to determine whether they provide the necessary protection against the losses that can arise from a data breach or other cybersecurity incident.
Where those traditional policies don’t provide the necessary protection, the organization can purchase specialized cyber liability insurance that covers the organization’s exposure to the wide spectrum of issues arising from privacy and cybersecurity incidents. Coverage under those policies varies widely. There is no standard policy form and individual policies can contain substantial differences on what is covered, when coverage is triggered, and what events are excluded. Organizations should therefore review their specific cyber risks needs and carefully evaluate any policy with those risks in mind to ensure that it will provide the coverage the organization expects.
This is the second part of a series on cybersecurity and commercial real estate. Read part one on the MarketShare blog.
Alex Pearce is an attorney with Ellis & Winters LLP in Raleigh, North Carolina. His practice focuses on Privacy and Data Security law.