Zachary Song is a partner at Steptoe in New York and a panellist at this year’s Inter-Pacific Bar Association (IPBA) conference for the day two session on “Cybersecurity, Data Integrity, and Real-Time Dispute Resolution in International Construction Projects” on 27 February. Song, an international arbitration lawyer involved in construction industry disputes, shares his thoughts on issues in this area.
India Business Law Journal: What are the disputes related to cybersecurity and data that you see hold importance in jurisprudence?
Song: When you think of cybersecurity, one would think a breach is required to hold somebody liable, but that’s not necessarily true. Cybersecurity, in a way, is a compliance issue. There are technical standards that need to be met. Hence, non-compliance can give rise to all sorts of claims by even third parties, and you see it a lot in government-related contracts.
For example, in 2020, there was an instance where there was a data breach at a financial institution impacting the users’ data. In the government’s investigation, it was revealed that the company was not compliant with its own cybersecurity standards. Ultimately, they were fined somewhere around USD8 billion. Since then, the standards have become more rigid.
In 2024, a US university tried to perform defence and Nasa (National Aeronautics and Space Administration) contracts. A whistleblower, who was a contractual party, alerted the authorities that they weren’t NIST (National Institute of Standards and Technology) standards compliant, even though in the documents they submitted they had represented that they were. In this case, even though there wasn’t any data breach per se, based on falsified documents submitted to the government, they were fined.
IBLJ: How have cybersecurity standards evolved since then?
Song: Robust and pragmatic as a standard is deemed reasonable cybersecurity. It started off as being subjective; it is now documentary. Even if there is no data breach, the government will do audits. If your cybersecurity system has it all on paper, but in the audit it does not show cybersecurity measures are live, then they [the government] will come after you.
This is what happened when there was government funding to develop a tunnel. During the project, the government saw cybersecurity measures not being live and said that they were going to pull the funding, which ultimately the court stopped. But it does signify that the government is paying close attention to cybersecurity in construction projects, too.
IBLJ: What about nuclear projects?
Song: I do some nuclear technology disputes. You can probably imagine that if you’re in that sector, it is probably the utmost cybersecurity robust sector that can exist. Under the nuclear regulatory compliance codes (set of codes in the US for nuclear plants), it is not just reasonable measures that are required, but high assurance of cybersecurity measures that are required to be in place.
It is not just a legal mechanism, but also technical and is multi-layered. This is called the defence-in-depth requirements. They are necessary for everyone working in the nuclear energy construction sector.
This is something to be kept in contracts dealing in sensitive national security related technology.
























