WIXLIB

You need a data security compliance program (seriously)It seems like everymonth, there is news ofanother data breach ofsensitive information formillions of individuals.You may rememberthe 2013 Target databreach, when credit cardinformation for over 100Matthew J. Whipplemillion customers wasstolen during the height of the holiday shoppingseason. What you may not remember (or did notknow) is that Target’s systems were compromisedbecause hackers stole network credentials usedby an HVAC contractor to remotely connect toTarget’s network.You also may not remember the TurnerConstruction breach in 2016, when employeeSocial Security numbers were obtained througha fraudulent email scheme. And you likely havenot heard of other smaller-scale victims of cybercrime—the Ohio contractor whose 1.7 millionprogress payment was rerouted to a foreign bankaccount or the Texas contractor that was hit witha ransomware attack that shut down servers withdocuments related to millions of dollars of activeconstruction projects.Security industry studies are clear that cybercriminals are not just attacking high-profile retailbusinesses. Other industries are at risk, withconstruction companies serving as one of theprime targets. The time-sensitive demands ofconstruction project make contractors a primetarget for ransomware. A recent study by IBMpegs the average cost of a data breach for aUS-based business as 8.19 million, when factorssuch as reputational damage, lost business, legalfees, regulatory fines, and remediation costs aretaken into account. Having effective complianceand security policies are essential to mitigatingthe very real risks of cyber-liability. Below area few considerations for construction-industrybusinesses. Mapping Your Data. Construction projectsbring together dozens of parties—owners, design professionals, contractors,subcontractors, suppliers, temporary workers,code inspectors. Unlike a software businesswhere all company data may be housed in acentral server group, a construction project mayhave data in dozens of locations—a cloud-basedproject management system (CoConstruct,Procore, etc.), BIM software maintained bythe design professional, hardcopy files sittingin project trailers, a laptop in the projectsupervisor’s truck, emails with a componentsupplier providing the last round of submittalreviews, smartphones for virtually everyoneon-site. Increasingly real-time data is beingcollected to document project performance—video from drones, GPS tracking of vehiclesand deliveries, biometric data from safetyvests—which is stored in any number of on-siteand off-site locations. A complex project mayrequire the efforts of thousands of individuals,which means Social Security numbers,bank accounts for payroll, and health careinformation that hackers would love to access. Construction projects are not just aboutsticks and bricks. Many projects require thecollection and leveraging of massive amountsof documents and data, much of which isconfidential, business-sensitive, or “personallyidentifiable information” under applicablestatutes. Understanding what this data is, whereit resides, and who has access to it is the firststep to developing an effective security program. Reviewing Your Contracts. Gone are thedays when construction contracts werejust about scope of work, payment, andschedule. Particularly for large infrastructureand commercial projects, contractors areincreasingly being required to meet stringentcompliance requirements related to datasecurity and privacy. The protocols often applynot just to personally identifiable information,but also more broadly to confidentialinformation that may be exchanged during theproject. Do not gloss over acronyms like NIST,ISO-27001, and GDPR, and do not just sign thepro forma data security rider. Understand therisk you are buying and consider whether a lackof a policy means you are breaching a contractbefore work even begins. Equally as important is sharing the risk withothers. Data security requirements not onlyapply to first-tier contractors, but are also beingflowed-down to lower-tier subs and suppliers.Know your vendors and subcontractors andmake sure to include cyber-security-relatedprovisions in all agreements. If you are an“upstream” party, do your subcontractsadequately ensure that “downstream” partiesare following data security protocols? If a4hacker accesses your systems because amaterial supplier was careless with logincredentials, does the supplier have the financialresources or insurance coverage to make youwhole? A thorough review of contractingpractices can help you understand, andimprove, the risk profile of a project. Reviewing Your Insurance. You may know yourcompany’s builder’s risk, general liability, andcompleted operations insurance policies, butwhat about your coverage for cyber-liability?A cyber incident may require forensicallyexamining your servers, retaining counsel tointerface with law enforcement or attorneysgeneral and to provide data breach noticesto affected individuals, and hiring a publicrelations firm to manage crisis communications.The escalating costs are obvious. Cyberinsurance drastically curtails these costs—a 10,000 deductible can be a drop in the bucketfor a significant data breach matter. Not Just Your IT Department’s Problem. Acommon response to the above concerns is:“IT takes care of this.” The IT department is thecornerstone of an effective security program,but it is not sufficient. Compliance is a teamsport, which means having a leadership groupthat prioritizes security as a business risk. Italso means training all employees on cyber bestpractices, including how to recognize threats,respond to problems, and handle sensitivedata. Having an incident-response plan candrastically cut down the time it takes to identifyand combat an attack. Indeed, the average timeit takes to contain a data breach is months, notdays or weeks. If a ransomware attack shutsdown your business’s computers for a few daysduring an active project, the negative impactson the project schedule can be catastrophic.Time lost is money lost, and prioritizing securityfor all members of your organization reducescosts in the long run.When discussing data security, it is easy to soundalarmist. It may also be tempting to dismisscompliance as just another expense, in an industrywhere competition already means razor-thinmargins. Balancing costs and benefits is key, so aneffective program requires the input of legal andtechnical professionals who not only understanddata security in the abstract, but also the uniqueconcerns of the construction industry. If you donot have a security plan in effect, reach out tocounsel to discuss a program that would be bestfor your company’s unique needs. Seriously.Matthew J. Whipple can be reached atmwhipple@eckertseamans.com

CONSTRUCTION LAW REPORTargued, among other things, that the claims weredifferent. The Court found that the claims wereat heart, the same and that the subcontractorshad privity. The Court also found, as a rule of law,that a subcontractor is deemed to be presumptivelyin privity with a general contractor for purposesof res judicata. Other courts, including Texas,Massachusetts, California, Rhode Island, andMissouri, have adopted similar presumptions. TheCourt’s holdings were based on the principlesof res judicata set forth above, as well as thewell-settled standard that arbitration awards areentitled to the same deference for res judicatapurposes as judgments of a court.That arbitration you participated in may havegreater consequences than you anticipated.The effect of an arbitration on other proceedings.You are the owner ofa construction project.There were problems.So, as required byyour contract, youcommenced anarbitration against yourgeneral contractor.Edgar Alden Dunham, IVUnfortunately for you,things don’t go so wellfor you there either, and the arbitrator denies yourclaims. All is not lost, you think, I can file actionsin court against the subcontractors. They didn’tparticipate in the arbitration, and I couldn’t haveforced them to participate if I wanted to becauseI didn’t have arbitration agreements with them.So the denial of my claims against the generalcontractor by the arbitrator doesn’t apply to them.I can get a do-over in the court proceeding, right?Unfortunately for you, it doesn’t work that way.Under the legal doctrine of res judicata and thecompanion doctrine of collateral estoppel, yourclaims against the subcontractors are likely to bedismissed at the outset of the case.Res judicata is Latin for “the thing has beendecided.” It is based on the principle that afinal judgment of a competent court is finaland conclusive unless new material evidenceis discovered. It precludes parties, or those inprivity with them, from re-litigating issues thatwere or could have been raised in a previousproceeding that resulted in a judgment on themerits. Collateral estoppel precludes a partyfrom re-litigating an issue that was necessary toa judgment on its merits in the prior litigation.For res judicata or collateral estoppel to apply, itis fundamental that the party against whom itis being applied had a full and fair opportunityto present its arguments in the underlyingproceeding.Getting back to your problem, the claims you areasserting against the subcontractor are, for allintents and purposes, the same claims that youbrought against the general contractor and lostin the arbitration proceeding. You may try anddress them up as tort claims instead of contractclaims, but the claims arise out of the same facts,resulted in the same damages, and will requiresubstantially the same proofs. You also had theopportunity to fully and fairly present your claimsin the arbitration proceeding. The subcontractorswere in privity with the general contractor forpurposes of res judicata not only because of theirsubcontracts, but also because the claims arebasically the same. Accordingly, res judicata will baryour claims.Exactly this scenario occurred in a recentConnecticut case, Girolametti v. Michael HortonAsssociates, Inc., 332 Conn. 67 (2019). InGirolametti, an owner sued subcontractors incourt after losing an arbitration against thegeneral contractor. After winding its way throughthe appellate process, the Supreme Court ofConnecticut decided that the subcontractors wereentitled to dismissal of the claims on the basis ofres judicata. The subcontractors had argued thatthe claims were the same and that they were inprivity with the general contractor. The ownerSo, you decide to change the claims against thesubcontractors by more than simply turningcontract claims into tort claims. That shouldwork because they are different claims, right?Might work; probably won’t. If the claims arebasically the same, but merely dressed to look likedifferent claims, the court will likely see throughthe subterfuge just as the Supreme Court ofConnecticut did in Girolametti. If the claims arein fact different, but still rely on issues necessaryto the arbitration decision, you will be barredfrom re-litigating those issues under collateralestoppel. Your only real chance is with claimsagainst the subcontractors that you could nothave brought against the general contractor. Inother words, claims that are uniquely against thesubcontractors.Well, you say, what if I had won against thegeneral contractor? And now I want to pursueadditional claims against the subcontractors?What if the decisions on the issues necessaryto that arbitration award included findings thatwould be very helpful to me in my claims againstthe subcontractors? Are those findings bindingagainst the subcontractors under collateralestoppel? Unfortunately for you, the answeronce again is NO. The arbitration findings are notbinding against the subcontractors unless thesubcontractors had the opportunity to defendagainst them in the arbitration proceeding. Everyparty is entitled to present its defense.The takeaway is that your participation inan arbitration may be held against you by anonparticipant, but you are not going to beable to hold an arbitrator’s award against anonparticipant. Thus your participation inan arbitration can have an effect on otherproceedings, but it will only be to your benefit ifthe other party in the subsequent proceeding hadthe opportunity to participate in the arbitration.Edgar Alden Dunham, IV, can be reached atedunham@eckertseamans.com5

Construction industry employee verification actThe Pennsylvania General Assembly recently passed the Construction Industry Employee Verification Act (Act),which imposes new verification and records retention obligations on employers in the construction industry.What does thelaw require?The Act prohibitscovered employers fromhiring people withoutwork authorization,requires them to useE-Verify to confirm theirDerek J. Illarnewly hired employees’status, and obligatesthem to retain records from E-Verify.When is the law effective?On October 7, 2019, the Act became law, eventhough Governor Wolfe neither signed it norvetoed it. Covered employers will need to startcomplying with the Act on October 6, 2020.Who must comply?The Act applies to all employers in theconstruction industry. The “constructionindustry” refers to anyone that “engages in theerection, reconstruction, demolition, alteration,modification, custom fabrication, building,assembling, site preparation and repair workor maintenance work done on real property orpremises under a contract, including work for apublic body or work paid for from public funds.”Under the Act, an “employer” is an individual,entity, or organization in the construction industrythat transacts business in Pennsylvania and6employs at least one person. The Act also appliesto staffing companies that supply workers for theconstruction industry.Which records need to be keptunder the Act?Employers must keep the results from E-Verifythroughout a person’s employment or three yearsfrom the date of the verification, whichever islonger. Employers should remember that theyneed to keep the Form I-9 for 3 years fromthe date on which they hire an employee or 1year from the date on which they terminate anemployee, whichever is longer.Who enforces the Act?The Pennsylvania Department of Labor andIndustry (DLI) has responsibility for enforcingthe Act. If DLI receives a complaint that acovered employer has hired someone withoutauthorization, it can go to that employer’s placeof business and inspect its records; copy thatemployer’s records; request statements regardingthat employer’s process to verify employees’ workauthorization, and interrogate persons about thatemployer’s compliance with the law.What happens if you do not comply?The first time that a covered employer violates theAct, it will receive written notice from DLI and willneed to terminate the unauthorized employee.If a covered employer violates the Act again, theAttorney General will initiate an action againstit, which can expose the covered employer toprobation, suspension of its licenses, or revocationof its licenses, depending on the circumstances.What is E-Verify?E-Verify is an online system that permitsemployers to verify the employment eligibility oftheir newly hired employees.How does E-Verify work?E-Verify works by electronically comparingthe information from an employee’s Form I-9with records available to the Social SecurityAdministration and/or Department of HomelandSecurity to verify the identity and employmenteligibility of each newly hired employee.Is completion of the Form I-9still necessary?Absolutely! E-Verify is not a replacement for theForm I-9; rather, it is an additional requirement foremployers in the construction industry.Derek J. Illar may be reached atdillar@eckertseamans.com

CONSTRUCTION LAW REPORTExculpatory clauses in engineering contracts: Void against public policy in West VirginiaGretchen N. PanchikThe recent SouthernDistrict of West Virginiaopinion in the caseof Sanitary Bd. OfCharleston v. Colonial Sur.Co. has made clear thatstate-imposed safetystandards may not beeradicated by contractdespite the presence ofan exculpatory provision.The Sanitary Board of the City of Charleston(Sanitary Board) accepted bids for contractsto replace sewer lines, install house serviceconnections, and perform related work. TheSanitary Board provided prospective bidders withthe project design prepared by Burgess & Niple(B&N), the project engineer for the Sanitary Board.Tri-State submitted a bid, which the SanitaryBoard accepted, resulting in an agreement forthe completion of projects for a contract price of 9,876,186.44.Tri-State suffered delays in its performance as aresult of B&N’s “changing and dictating Tri-State’splanned manner and method of performance.” TriState alleged that B&N breached its duties owedto Tri-State and contended that B&N, among otherthings, failed to adequately and timely review andapprove submittals, failed to prepare adequate andaccurate drawings, plans, and specifications for usein the project, and failed to recommend paymentfor materials and work provided.Tri-State alleged that B&N, as design and projectengineer, owed a duty of care to Tri-State to‘‘Exculpatory clauses that appear to limit or eliminate tort’’liability will likely not be enforced in West Virginia because ofthe professional standards imposed by statute on engineers.render its services with the ordinary skill, care, anddiligence commensurate with that rendered bymembers of its profession in the same or similarcircumstances. As such, Tri-State alleged thatthese actions or inactions constitute negligence.Before the court in this opinion was B&N’s motionto dismiss the complaint against it becauseTri-State failed to establish that B&N owed aduty, citing to the contractual terms that clearlyeliminate any such duty. Tri-State responded thatthe apparent exculpatory clause should not applybecause it is void against public policy, and theCourt was persuaded. The parties did not disputethat absent the clause at issue, B&N owed a dutyto Tri-State. The Court cited to E. Steel Constructors,Inc. v. City of Salem, W.V., where the West VirginiaSupreme Court of Appeals found that contractorscould file a negligence action against designprofessionals hired by the same project ownerbecause the parties have a special relationship,imposing a duty of care to render professionalservices with the ordinary skill, care, and diligencecommensurate with that rendered by members ofhis or her profession in similar circumstances.The Court reasoned that when a statute imposesa standard of conduct,

and local government retention requirements before finalizing any retention periods. Provided the retention periods are in conformity with all applicable guidelines, as a rule of thumb, set retention periods to the minimum required in order to minimize the risk of unauthorized access to data. Your company's record retention policy: What to .