ARTICLE
20 October 2015

Defense Contractors – Under The DOD's Interim Rule, It Is Time Once Again To Update Your Data Breach Response Plans

Seyfarth Shaw LLP

In an interim final rule published on October 2, another layer has been added to the compliance landscape for defense contractors. In addition to complying with breach notification requirements in as many as 47 different states in the event of a breach involving personally identifiable information, Department of Defense contractors now have to comply with the rapid notification rules issued by DOD in the event of a cyber incident involving covered defense information. These rules are noteworthy in that they require DOD contractors to report cyber incidents within 72 hours of discovering the incident. Most state breach notification statutes do not require that individuals be notified of a breach within a specific number of days, and the few state statutes that do have such a requirement contain a much more lenient timeframe of 45 to 90 days.

The interim rule applies only to "cyber incidents," which are defined in the rule as involving "actions taken through the use of computer networks" that result in a compromise of, or an adverse effect on, a contractor's systems or the information on those systems. Thus, the rapid reporting requirements in the interim rule do not apply when defense information is compromised through other means, such as human error or physical theft, which still account for a significant number of data breaches at many businesses. However, the interim rule does not exempt contractors from any other reporting requirements that may apply in the event of another form of intrusion.

But there is more to the interim rule than just rapid reporting. Once a cyber incident occurs, the contractor must "[c]onduct a review for evidence of compromise of covered defense information." When a reportable cyber incident occurs under the interim rule, the contractor must, for example, identify compromised computers, servers and user accounts, as well as the specific data put at risk by the incident. In addition, the contractor must analyze "covered contractor information systems" that were involved in the cyber incident, as well as "other information systems on the contractor's networks." When the contractor completes this review, it is also required to "preserve and protect images of known affected information systems" identified in the review, as well as all "relevant monitoring/packet capture data," for at least 90 days from when the cyber incident was reported.

Even outside the context of this interim rule, every business should have a data breach response plan because when a breach occurs, it will be too late to put one together. We previously advised here that it is critical for businesses holding PII to review and revise their data breach response plans on a continuous basis in order to keep up with the ever-changing state law compliance scheme. Now DOD contractors have another reason to once again pull out their plans and make sure they include the requirements in the interim rule. Having the requirements of the interim rule set forth specifically in the plan will help ensure compliance (as well as provide evidence of compliance) and provide a guide for everyone on the data breach response team.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
