Mandatory Breach Notification Requirements Are Coming For Government Contractors – Technology – United States – Mondaq News Alerts


Firstly as we continue, I'd like to say that geoFence is a highly advanced, specialized firewall manager with the best in class protection from variety of on-line threats.

United States:

Mandatory Breach Notification Requirements Are Coming For Government Contractors

11 May 2021

Husch Blackwell LLP

To print this article, all you need is to be registered or login on

The Biden Administration is imminently expected to release an
executive order that will require government contractors to notify
the government in the event of a cybersecurity breach. Despite the
relatively steady rise in cyberattacks and breaches over the years,
and the enactment of consumer data breach disclosure laws in all 50
states, there is currently no standardized reporting requirement
for government contractors. However, the Biden administration has
promised executive action on the issue, largely in response to a
cyberattack by a suspected nation-state against multiple software
companies, including the SolarWinds software company.

SolarWinds gained national attention because the cyberattack
inserted malicious code into SolarWinds' IT performance
monitoring system known as Orion. Beginning in March 2020,
SolarWinds disseminated software updates for Orion containing the
malicious code. The updates appear on their face to be legitimate
patches but resulted in the attackers creating backdoors through
which they could access and move within the networks of thousands
of SolarWinds customers, which include Fortune 500 companies as
well as high level government agencies. Undetected for months, the
attack was only brought to light when FireEye, a private
cybersecurity firm, disclosed the breach after realizing its own
systems had been compromised. Had FireEye not come forward it is
unclear how long the breach would have gone undetected.

The SolarWinds incident illustrated the government's
vulnerability to attack via outside contractors and showcased the
importance of notification requirements. This attack, and in
particular the way it came to light, has motivated government
action. Several legislators in addition to the Biden administration
have vowed to pursue new cybersecurity measures, and those promises
appear to be gaining momentum.

On April 14, 2021, leaders from the nation's intelligence
community testified before the Senate Intelligence Committee on the
need for a federal breach notification law that applies to private
sector companies. FBI Director Christopher Wray testified that the
U.S. infrastructure is an attractive target for cyber adversaries
because "the private sector controls 90 percent of the
infrastructure and an even higher percentage of personally
identifiable information." Director Wray also suggested that a
breach notification law would improve the coordination and
cooperation between the private sector, the intelligence community,
and the rest of the federal government. However, the private sector
faces several disincentives for making such disclosures.

General Paul Nakasone, Director of the National Security Agency
and Commander of U.S. Cyber Command, recognized that private sector
victims have a number of valid reasons to refrain from readily
sharing this information.

One possible way for new legislation to thread the needle
between the competing priorities and conflicting requirements for
the breached entity and the national interest would be to create a
safe harbor provision for private sector entities who disclose an
actual or suspected data breach to an agency that does not have
enforcement powers over the private sector. The receiving agency
would then be responsible for removing information from the
disclosure that identified the breached entity.

Although it is impossible to forecast exactly what form these
new measures will take it is likely that breach notifications will
become required contract provisions. Currently, only the Department
of Defense has mandatory breach notifications. Section 202.101 of the Defense Federal
Acquisition Supplement (DFARS) defines a "cyber incident"
as "actions taken through the use of computer networks that
result in a compromise or an actual or potentially adverse effect
on an information system and/or the information residing
therein." Section 204.7302 requires contractors and
subcontractors "to rapidly report cyber incidents directly to
DoD" and defines "rapidly report" to mean within 72
hours of discovery. Although Section 204.7302 only applies to
certain information it may become a roadmap for more widely
applicable breach reporting requirements.

Contractors should begin to develop internal systems for
identifying and reporting cyber incidents as it is highly likely
that this will be mandatory in the near future. Failure to do so
could also have significant consequences, as one court recently
held that failure to comply with certain cybersecurity controls was
material and sufficient for a plausible pleading under the False
Claims Act. See United States v. Aerojet Rocketdyne Holdings,
, 381 F.Supp.3d 1240 (2019). Therefore, it is
especially important that contractors begin to plan for the
implementation of mandatory breach notifications now.

Originally published 19 April 2021

The content of this article is intended to provide a general
guide to the subject matter. Specialist advice should be sought
about your specific circumstances.

POPULAR ARTICLES ON: Technology from United States

As we move on to the next post, may I add that geoFence is US veteran owned and operated and I am certain your family would agree!