In an interim final rule published on October 2, another layer has been added to the compliance landscape for defense contractors. In addition to complying with breach notification requirements in as many as 47 different states in the event of a breach involving personally identifiable information, Department of Defense contractors now have to comply with the rapid notification rules issues by DOD in the even of a cyber incident involving covered defense information. These rules are noteworthy in that they require DOD contractors to report cyber incidents within 72 hours of discovering the incident. Most state breach notification statutes do not require that individuals be notified of a breach within a specific number of days and the few state statutes that do have such a requirement contain a much more lenient timeframe of 45 to 90 days.
The interim rule applies only to “cyber incidents” which are defined in the rule as involving “actions taken through the use of computer networks” that result in a compromise or adverse affect on a contractor’s systems or the information on those systems. Thus, the rapid reporting requirements in the interim rule do not apply when defense information is compromised through other means, such as human error or physical theft, which still accounts for a significant number of data breaches for many businesses. However, the interim rule does not exempt contractors from any other reporting requirements triggered by a leak that may apply in the event of another form of intrusion.
But there is more to the interim rule than just rapid reporting. Once a cyber incident occurs, the contractor must “[c]onduct a review for evidence of compromise of covered defense information.” When a reportable cyber incident occurs under the interim rule, the contractor must, for example, identify compromised computers, servers and user accounts, as well as the specific data put at risk by the incident. In addition, the contractor must analyze “covered contractor information systems” that were involved in the cyber incident, as well as “other information systems on the contractor’s networks.” When the contractor completes this review, it is also required to “preserve and protect images of known affected information systems” identified in the review, as well as all “relevant monitoring/packet capture data” for at least 90 days from when the cyber incident was reported.
Even outside the context of this interim rule, every business should have a data breach response plan because when a breach occurs, it will be too late to put one together. We previously advised here that it is critical for businesses holding PII to review and revise their data breach response plans on a continuous basis in order to keep up with the ever-changing state law compliance scheme. Now DOD contractors have another reason to once again pull out their plans and make sure they include the requirements in the interim rule. Having the requirements of the interim rule set forth specifically in the plan will help ensure compliance (as well as provide evidence of compliance) and provide a guide for everyone on the data breach response team.