Richard R. Volack, partner and chair of Peckar & Abramson’s Cyber Security & Data Privacy practice, recently answered The Construction Broadsheet‘s readers’ cybersecurity questions as part of the publication’s “Legal Q&A” feature.

The questions included:

1. We are a subcontracting firm working on a large project, and most daily communication is handled via email. One of our superintendents fell victim to a phishing attack but did not realize it until those on his email list began receiving similar emails. A few ended up having their banking and other information compromised. Does our company have any liability for this? This situation is not addressed in our contract with the general contractor.
2. We issue our project managers and superintendents tablets and cell phones to use for all project communication. Our policy is that they may not download unauthorized software or games on those devices. One employee did so anyway, and it resulted in our having to spend a considerable sum on removing a virus that spread from his phone to our other devices and to some devices used by other contractors on the project. Can the employee that started this all be held financially responsible?
3. We are a general contracting firm and one of our owner customers is amending its standard form of contract to make us liable for damages resulting from any cybersecurity breaches on their construction projects. The new clause seems pretty far-reaching. Are there limits to our liability?

To read Richard’s responses, click here.