The US Department of Defense’s (“DoD”) new cybersecurity regulations require defense contractors to cooperate with Government support services contractors investigating a “cyber incident that affects a covered contractor information system or the covered defense information residing therein or that affects the contractor’s ablity to provide operationally critical support.” DoD’s Defense Industrial Base Cybersecurity Activities Final Rule, 32 CFR 236.4(b), (m)(5) (effective Nov. 3, 2016); Response to Public Comments, 81 FR 68312 (Oct. 4, 2016).
It doesn’t take much imagination to think of the many ways in which providing access to your company’s data and devices could go horribly wrong.
- The support contractor could use the investigation as a means to access to your most valued trade secrets.
- The support contractor could review your data, identify what it considers questionable conduct, and, without ever asking you about it or the context, refer the matter for civil or criminal investigation. 32 CFR 236.4(m)(6) (authorizing the release of contractor attributional / proprietary information outside of DoD “for any other lawful Government purpose or activity”).
- The support contractor could be hacked resulting in the loss of your data.
- The support contractor may have a dishonest employee who steals your data.
DoD’s cybersecurity regulations do not provide much comfort if you are victimized under these scenarios.
- The regulations do not give you a private cause of action or remedy against the Government following a loss.
- While the regulations give you the right to sue the support contractor as a third-party beneficiary of the support contractor’s non-disclosure obligations to the Government if there is a loss, you have no opportunity to demand—before disclosure—that the support contractor have the financial resources or insurance in place to gaurantee that you will be reimbursed if there is a loss.
- While the regulations impose use and non-disclosure obligations on the support services contractor’s employees, they do not provide any remedy for the unauthorized release or disclosure (such as following a data breach), but only a remedy if there is a breach of the non-disclosure agreement between the Government support services contractor and its employees and the Government. (32 CFR 236.4(m)(iv) (limiting third-party beneficiary status to breach of the use and non-disclosure obligations imposed on the support services contractor’s employees only).
- It is unlikely that you would be able to recover financial damages resulting from a loss under your own insurance policies since there are typically exclusions precluding coverage for the loss of electronic data and trade secrets.
- You may have a difficult time proving causation and damages.
For these and many more reasons, you will want to exercise extreme caution when a support contractor comes calling.
The regulations and DoD’s responses to public comments provide some grounds to protect yourself.
- You can object to the support contractor’s request seeking data or access to devices that is more broad than is necessary to investigate the breach.
- You can raise the issue with the contracting officer or agreement officer for the contract or agreement in question to express your concerns.
- Most importantly, you can exercise the dispute resolution procedures under the contract to contest the support services contractor’s request.
See 81 FR at 68314-68315.
This is certainly not an area where you want to venture alone. You will want to promptly conduct an internal investigation to determine how the cyber incident occurred under the guidance of counsel to best protect the investigation under the attorney-client, work-product, and other privileges and protections; appropriately respond to a request from a support contractor; and potentially negotiate insurance coverage to help protect your company in the event of a loss.
For more information, you can review our prior posts, checklists, and webinar on this topic here.