With the rapid pace of innovation and deployment of intelligent transportation systems (ITS) to enhance existing transportation infrastructure, transportation officials frequently procure and manage sophisticated systems that collect, use and maintain vast amounts of data. Today’s transportation officials must possess considerable technological proficiency in addition to their traditional expertise in civil engineering and construction.
Identifying technology to optimize infrastructure, and crafting complex technical specifications to procure the same, is only half the challenge. The use of ITS systems and management of the data they require is fraught with network security and privacy risks that must be identified, understood and managed. Risks ranging from service interruption, lost revenues, loss of data, reputational damage, introduction of malicious computer code, theft of valuable electronic business assets, disclosure of sensitive information and legal liability for security and privacy breaches, to cyber terrorism and cyber extortion, require thorough risk assessment, robust security policies, and diligent management. According to a report by the Identity Theft Resource Center, 781 data breaches in the U.S. were tracked in the year 2015, and the number and severity of breaches is ever increasing. The question isn’t whether a transportation agency’s systems will be hacked, but rather, how will the transportation agency minimize the threat, prepare to respond to and manage incidents, and mitigate losses?
While current events highlight the risk of data breaches from network hackers, data breaches and damage to IT networks can also come from employee negligence and theft, lost or stolen laptops, mobile devices and portable discs and drives, malware, and consultant and vendor negligence or malfeasance, among other sources. Transportation agencies need to identify vulnerabilities and assess the risks associated with the systems they procure and operate, continuously monitor their systems for suspicious activity, implement robust training and security programs, and have a plan in place to respond to breaches. Risk assessment should begin at the procurement stage. Carefully drafted technical specifications should assign responsibility for undertaking necessary precautions, and contracts should allocate the risk of losses from data breaches to appropriate parties.
Typically transportation agencies have standard clauses requiring commercial insurance that they use as a starting point for their procurement documents. However, most standard commercial insurance policies do not cover many cyber risks. Fortunately, as data breaches have increased in frequency, and as awareness of the risks has grown among professionals charged with procuring and managing systems and data, growing demand for cyber liability insurance products has prompted the insurance industry to respond by offering new and expanded cyber liability products.
Transportation officials may find it appropriate to require contractors to provide network security/privacy coverage, including some or all of (a) coverage for hostile actions with the intent to affect, alter, copy, corrupt, destroy, disrupt, damage or provide unauthorized access to or use of a computer system, including exposing confidential electronic data or causing electronic data to be inaccessible, (b) computer viruses, (c) dishonest or criminal use of a computer system to affect or destroy a computer system or steal or take electronic data, (d) loss of service by the contractor resulting in inability to access a computer system and conduct normal Internet or network activities, (e) denial of service for which the contractor is responsible resulting in degradation of or loss of access to normal use of a computer system, (f) access to a computer system or resources by an unauthorized person, and (g) loss or disclosure of personally identifiable information.
Also appropriate is media liability coverage, including (a) copyright and trademark infringement, (b) plagiarism, (c) public disclosure or loss of misappropriated trade secrets or unauthorized use of material, (d) libel, slander, disparagement or other forms of defamation, (e) unauthorized disclosure of data resulting in invasion of privacy, (f) unfair competition or violation of Section 43(a) of the Lanham Act or similar statutes, (g) breaches of contract from alleged misuse of data, and (h) errors and omissions and negligence in the production or publication of content.
The cyber insurance coverages described above may be included in a comprehensive technology errors and omissions policy covering (a) software design, (b) systems programming, (c) data processing, (d) systems integration, (e) outsourcing, (f) systems design, consulting development and modification, (g) training services related to computer software or hardware, (h) management repair and maintenance of computer products, networks, and systems, (i) servicing, distributing, installing, and maintaining computer hardware or software, and (j) data entry, modification, verification, maintenance, storage, retrieval or preparation of data output.
With these coverages, the transportation agency may recover a variety of expenses associated with the identified cyber and technology risks, including the cost of notifying persons whose information is disclosed, the cost of providing credit monitoring services, the cost of defending claims by state regulators, fines and penalties, losses resulting from identity theft, property exposure from business interruption, costs associated with data loss and destruction, fraud, funds transfer losses, and the cost of defending lawsuits alleging trademark or copyright infringement.
In addition to new insurance products, increased awareness of cyber risks is prompting expansion of resources to aid in understanding and managing the risks. As noted by Traffic Technology Today, [c]ybersecurity and insurance are definitely on the A-list of discussions across almost every industry. A recently published comprehensive report of the National Cooperative Highway Research Program, Liability of Transportation Entity for the Unintentional Release of Secure Data or the Intentional Release of Monitoring Data on Movements or Activities of the Public, is an excellent resource for any transportation official involved in procuring systems and handling data, or advising those who do. (Thomas, Larry W., July 2016, Transportation Research Record: Journal of the Transportation Research Board Online) The report throws into stark relief the enormous challenge of using ITS technologies to optimize transportation resources while navigating the complex legal environment. Transportation officials also may wish to attend the 2016 Cybersecurity Symposium Cybersecurity, Data Breach, and Privacy: Examining Your Risks and Legal Issues From the Inside Out to be presented by the University of California Irvine School of Law and Nossaman LLP on December 1, 2016, at the City Club of Los Angeles.
Assessment of cyber risks should be near the top of the list in planning for transportation projects in the 21st century. While cyber liability may not be within the traditional lexicon of transportation officials, it is the new, inescapable reality. By recognizing the issues, transportation agencies may take steps to manage cyber risks through a combination of contract risk allocation and insurance requirements, in addition to training and consistent vigilance.
Nossaman’s 30-plus infrastructure attorneys offer clients, colleagues, strategic partners and industry media a wealth of practical experience, insider insight and thoughtful analysis here on Infra Insight. We blog about what we know best, from industry-leading procurements to local and national policy developments that affect the market and our clients.