Blog Post

Oct 6, 2015

Defense Contractors – Under the DOD’s Interim Rule, It Is Time Once Again To Update Your Data Breach Response Plans


In an interim final rule published on October 2, another layer has been added to the compliance landscape for defense contractors. In addition to complying with breach notification requirements in as many as 47 different states in the event of a breach involving personally identifiable information, Department of Defense contractors now have to comply with the rapid notification rules issued by DOD in the event of a cyber incident involving covered defense information. These rules are noteworthy in that they require DOD contractors to report cyber incidents within 72 hours of discovering the incident. Most state breach notification statutes do not require that individuals be notified of a breach within a specific number of days, and the few state statutes that do have such a requirement contain a much more lenient timeframe of 45 to 90 days.

The interim rule applies only to “cyber incidents,” which are defined in the rule as involving “actions taken through the use of computer networks” that result in a compromise of, or adverse effect on, a contractor’s systems or the information on those systems. Thus, the rapid reporting requirements in the interim rule do not apply when defense information is compromised through other means, such as human error or physical theft, which still account for a significant number of data breaches for many businesses. However, the interim rule does not exempt contractors from any other reporting requirements triggered by a leak that may apply in the event of another form of intrusion.
