UNDERSTAND YOUR CYBERSECURITY RESPONSIBILITY

One of the benefits of practicing both US Government contract law and export law with an emphasis on the regulation of encryption technology is our exposure to US Government regulations regarding cybersecurity on the Government contracting side and our exposure to state of the art encryption and cyber “white hat” hacking products, techniques and practices on the export side.

We have witnessed a progression in the US moving from minimal cybersecurity regulations imposed on client companies by the US Government to a massive number of US regulations couched in cybersecurity terms covering the spectrum from protecting individual data privacy including finance and health to the enhancement of US national security. US law regarding cybersecurity has evolved from simple to extremely complex. Our “dual” practice has allowed us to witness this evolution first hand.

Numerous US Government contracting regulations have been implemented requiring safety and security of Government data provided by the US Government to a contractor. Most of these regulations must be passed onto lower tier subcontractors and vendors performing on a US Government contract. An example of one such clause is Defense Federal Acquisition Regulation (DFARS) 252.204-7012 which requires the protection of Government information and data against a cyber incident, monitoring the effect of the safeguards in place, and reporting requirements for a cybersecurity breach. This clause and related requirements must be passed down to lower tier subcontractors and vendors performing on the Government contact.

The implementing regulation in the DFARS for this clause is 204.7302 which indicates at (c) that it shall be included in all solicitations and contracts including those for the procurement of commercial items. The implementing regulation at (a)(1)(ii) and (iii) also indicates that contractors and subcontractors must submit detected and isolated malicious software and media to the US Department of Defense for review.

This clause and the related implementing regulation make it clear that US Government contractors and subcontractors, even for commercial item procurements, must provide adequate security for certain US Government data EVEN if that data is stored or moves through unclassified information systems as the data travels. An “unclassified information system” can be any commercial system not subject to the extraordinary protections required to safeguard US Government data.

Setting aside the obligations required of US Government contractors, subcontractors and vendors, many companies are subject to US cybersecurity regulations and reporting requirements even if not required to comply under a US Government contract.

For example, states in the US have already[1] or are in the process of implementing[2] cybersecurity regulations which can be considered applicable to commercial companies. Depending on the state in the US which your company facility resides, cyber security regulations mandate that, at a minimum, private data, financial data, and health data be protected from a hack and that, in certain situations, the breach be reported to a US or state government agency. This is usually a minimum starting point regarding cybersecurity protection of data.

In order to comply with applicable regulations, a company must first have in place a companywide policy which addresses protection of static and dynamic data, periodic review of those protections, a method to determine a hack, a process to respond to repair the vulnerability, a process to minimize the effect of the hack, a process to notify the individuals whose data has been compromised, and lastly, a process to comply with reporting the hack to a US Government agency, if required.

Though not part of any US policy, it is important to note that the company subject to the hack must also attempt to mitigate the effect of the disclosure of the hack to ensure that fallout resulting in branding and reputation problems are, at the very least, dealt with in a responsible and prompt manner. Exposing data resulting from a hack is an obvious major problem; losing market share because of the bad publicity resulting from a hack would be devastating to most companies.

At a minimum:

1. Understand the law regarding cybersecurity;

2. Create company policy to protect data in order to comply with cybersecurity law;

3. Create a plan to implement your cybersecurity policy and to monitor the effect of the plan;

4. React in the event of a breach including reporting, if required, and loss of business damage control.

Though most US companies are far ahead of the US Government’s understanding and implementation of cybersecurity technology, the US Government is at the forefront of implementing regulations and directives forcing US companies to stretch their cybersecurity dollars in order to comply with US Government cybersecurity policy. For better or worse, this is the beginning of a long, arduous and complicated path to implement the President’s “Cybersecurity National Action Plan” and many state policies which affect every aspect of cybersecurity for US companies including duties to report a “black hat” hack.

[1] State of California Assembly Bill (A.B.) 1841, A.B. 2623, A.B. 1137, State of Florida House Bill (H.B.) 1025, H.B 1033, H.B. 624, State of Washington H.B. 2375, Senate Bill (S.B.) 6528, State of Virginia H.B. 817, S.B. 494, State of Utah H.B. 241, S.B. 183

[2] State of New York 23 NYCRR 500 , State of Virginia H.B. 922, State of Pennsylvania H.B. 969, H.B. 1909, State of Delaware S.B. 283, H.B. 7406, S.B. 2219, S.B. 2584, Michigan H.B. 4540