Cyber attacks of business computer systems and websites are increasingly common. These attacks can be extremely damaging to businesses, especially if security is breached and confidential business and personal data is compromised.
Commercial real estate has been considered relatively secure from cyber security threats. However, particular sectors of commercial real estate, such as retail and hospitality, including residential property management companies and vacation rental properties, are highly vulnerable to malicious attacks.
Recent high-profile cyber attacks have made cyber security a top concern for all members of the commercial real estate industry, including owners, property managers, operators, investors, and lenders. In all likelihood, cyber attacks will continue to increase across commercial real estate sectors, and the potential liabilities are disastrous.
Commercial Real Estate Cyber Risks
Commercial real estate is vulnerable to cyber criminals because of the electronic storage of personally identifiable information, intellectual property, and credit card information.
In addition, buildings continue to incorporate new technologies to attract tenants. Part of the convenience of new technology systems is that they can be controlled remotely. For instance, most modern building systems can be accessed externally by several different methods, including security systems, servers, voicemail, email, closed-circuit TV, HVAC, fire alarms, and utilities.
Many commercial tenants also require Wi-Fi, cloud-based computing, and web-based transaction services. Retail and hospitality properties further require point of sale terminals to process credit card transactions and Wi-Fi connectivity for a great and ever-changing number of tenants. Employees likely have multiple devices (laptops, smartphones, tablets, key cards) that can easily be lost or stolen. Each system and device provides a potential access point for a cyber attack.
In addition, cyber criminals have been able to intercept and reroute wire transfers from real estate closings, even here in Savannah.
Actions to Prevent or Reduce the Risk of Cyber Attacks
Real estate companies and professionals are not shielded from liability and should invest in data security controls and procedures to deter or prevent cyber attacks. While there are numerous federal laws criminalizing cyber attacks, including the Computer Fraud and Abuse Act, Wiretap Act, Electronic Communications Privacy Act, and Digital Millennium Copyright Act, recent litigation has found companies are liable for data breaches if appropriate security measures have not been implemented as required under various federal and state laws and administrative regulations.
Cyber Insurance Coverage
In addition to taking proper safeguards to prevent a cyber attack, cyber insurance coverage is becoming an increasingly necessary option to protect against open-ended liability following an attack. A data breach at a large business can incur damages into the hundreds of millions of dollars because of the potential for class action lawsuits. However, cyber criminals will also target small businesses where security measures are perceived to be weaker. The cost of remediating a data breach without cyber insurance can range from hundreds of thousands to millions of dollars, bankrupting most small companies.
Cyber insurance protects the insured from the costs associated with responding to a data breach (first-party coverage) and also from the damages and expenses arising from lawsuits against the insured following a data breach (third-party coverage). First-party coverage addresses expenses related to actions the insured undertakes in connection with a breach. Benefits often included within first-party cyber coverage are coverage for the costs of hiring professionals to assist in the investigation of and response to the breach, notifying affected persons that their information was compromised, providing credit monitoring services for affected persons, and establishing and training personnel to field questions from affected persons. Benefits also include security audits and assistance implementing proper security measures to prevent an attack.
Third-party coverage protects the insured from liability to third parties allegedly resulting from a covered claim. Cyber policies may provide third-party coverage for costs of regulatory defense, fines, punitive damages, costs of litigation defense, and litigation damages.
Participants in the commercial real estate industry (lenders, owners, tenants, and any business that electronically stores sensitive information) should review their cyber security measures and put reasonable protections in place to prevent attacks. Legal professionals can assist by evaluating risks and implementing security measures for liability protection following an attack as well as by updating purchase and sale agreements, leases, and loan documents to ensure that cyber security needs are adequately addressed.