Coming to a Government Contract Near You: Mandatory Information Safeguarding Requirements

Justin A. Chiarodo, Philip E. Beshara, and Heather L. Petrovich

The government recently finalized a sweeping amendment to the Federal Acquisition Regulation (“FAR”) that will impose basic information system safeguarding requirements on many federal acquisitions, marking the latest in the continuing government effort to regulate and enhance cybersecurity protections in the industry. The Final Rule, effective June 15, 2016, imposes fifteen basic safeguarding requirements for contractors with information systems containing information provided by, or generated for, the government under a federal contract.

Though many contractors likely maintain information security standards that meet or exceed the new rule, they should confirm their compliance status by assessing these requirements against their current cybersecurity compliance program (to help mitigate the risk of a breach of contract claim or more serious enforcement action). This should include confirming that the requirement is flowed down to subcontractors where appropriate.

The new Rule (available here) broadly applies to all federal contractors and subcontractors with information systems that process, store, or transmit “federal contract information” (i.e., information provided by, or generated for, the government under a federal contract). These safeguarding requirements will be imposed on most acquisitions (including acquisitions below the simplified acquisition threshold and commercial item procurements). The only exception is the acquisition of commercial-off-the-shelf (“COTS”) items. Contractors and subcontractors must also flow down the requirements to all subcontracts where the subcontractor may have federal contract information residing in—or transiting through—its information systems.

While the Rule imposes 15 new requirements, they are characterized as “basic” security controls. Indeed, many companies will already be familiar with these standards, as most, if not all, are employed as standard best practices. Several are drawn directly from the National Institute of Standards and Technology (“NIST”) guidelines applicable to federal agencies. Importantly, the Rule does not impact the considerably higher safeguarding standards governing contractors dealing with Controlled Unclassified Information (“CUI”) or classified information.

Compliance with these safeguards may not only shield a contractor from liability in the event of an inadvertent release of information, but, as the government indicated in its response to comments on the Rule, a contractor’s failure to maintain the required safeguards may constitute a breach of contract. In any event, the security controls set forth in the Rule represent standard industry best practices and should be implemented by any prudent contractor regardless of whether covered information is present. To this end, any company doing business with the federal government should look to these guidelines as representative of the types of essential practices it should employ.

The Final Rule will be implemented through FAR Subpart 4.19 and a new contract clause (FAR 52.204-21, “Basic Safeguarding of Covered Contractor Information Systems”). The 15 requirements are set forth below:

  1. Limit information system access to authorized users, processes acting on behalf of authorized users, or devices (including other information systems).
  2. Limit information system access to the types of transactions and functions that authorized users are permitted to execute.
  3. Verify and control/limit connections to and use of external information systems.
  4. Control information posted or processed on publicly accessible information systems.
  5. Identify information system users, processes acting on behalf of users, or devices.
  6. Authenticate (or verify) the identities of those users, processes, or devices, as a prerequisite to allowing access to organizational information systems.
  7. Sanitize or destroy information system media containing Federal Contract Information before disposal or release for reuse.
  8. Limit physical access to organizational information systems, equipment, and the respective operating environments to authorized individuals.
  9. Escort visitors and monitor visitor activity; maintain audit logs of physical access; and control and manage physical access devices.
  10. Monitor, control, and protect organizational communications (i.e., information transmitted or received by organizational information systems) at the external boundaries and key internal boundaries of the information systems.
  11. Implement subnetworks for publicly accessible system components that are physically or logically separated from internal networks.
  12. Identify, report, and correct information and information system flaws in a timely manner.
  13. Provide protection from malicious code at appropriate locations within organizational information systems.
  14. Update malicious code protection mechanisms when new releases are available.
  15. Perform periodic scans of the information system and real-time scans of files from external sources as files are downloaded, opened, or executed.

And The Survey Says . . . GCs Need More Cybersecurity And Social Media Training

By Jeffrey Rosenthal

Becoming better versed in issues surrounding cybersecurity and social media risk would greatly benefit general counsel at publicly traded companies, according to a recent survey of executive leadership.

In May 2015, a survey of 5,000 directors, board chairs and CEOs of publicly traded companies—sponsored by executive search firm BakerGilmore, and NYSE Governance Services—was released.  The survey was conducted in February and March of 2015.

Among the questions asked was which areas of additional expertise executives felt would most help their general counsel add value to the company.  The overwhelming favorite: cybersecurity risk—chosen by 67 percent of the executives surveyed.  The next closest answer was social media risk (39 percent), followed by crisis management (30 percent).

In fact, only 5 percent of respondents assessed their general counsel’s grasp of the issues surrounding cybersecurity as “excellent”; 44 percent characterized it as “good”; and 47 percent as only “fair.”  Likewise, only 7 percent rated their general counsel’s working knowledge of social media risk as “excellent.”

“Not surprisingly, as the corporate world continues to grapple with fallout in the modern cyber era, directors believe general counsel would most benefit from additional education in cybersecurity and social media, areas in which many directors are admittedly lacking in expertise,” wrote the survey’s authors.

But there was also positive news for in-house lawyers:  General counsel are “much more likely” to be considered key members of the management team nowadays, as compared to a decade ago.  “Overall, general counsel are being lauded for their strategic contributions as well as pragmatic ones, making them increasingly valued members of the executive team,” the survey concluded.

A copy of the survey, entitled “GCs Adding Value to the C-Suite,” is available here.

California Passes New Law Protecting Consumers From Data Breaches

By Jeffrey Rosenthal

In response to high-profile intrusions at Target Corp., Neiman Marcus, Home Depot, Inc. and a host of other retailers, California recently passed new legislation implementing small but significant changes to its privacy laws.

On September 30, 2014, Governor Jerry Brown signed Assembly Bill 1710, authored by Assembly Members Roger Dickinson (D-Sacramento) and Bob Wieckowski (D-Fremont).  AB 1710 enhances consumer protections by strengthening the requirements businesses must adhere to in the event of a breach.

“Recent breaches emphasized the need for stronger consumer protections and awareness.  The retailers affected by the recent mega data breaches are not the first nor will they be the last,” said Dickinson, Chair of the Assembly Banking and Finance Committee.  “AB 1710 will increase consumer privacy, ensure appropriate fraud and identity theft protection, and safeguard against the exploitation of personal information.”

Specifically, AB 1710:

  • Requires the source of the breach to offer identity theft prevention and mitigation services at no cost to the affected person for no less than 12 months if a Social Security number or driver’s license number is breached;
  • Prohibits the sale of social security numbers, except when part of a legitimate business transaction; and
  • Provides that existing personal information data security obligations apply to businesses that maintain personal information, in addition to those who own or license the information.

Earlier versions of AB 1710 placed limits on the amount of payment information a retailer could store in its system; it also mandated more stringent encryption standards.  But a coalition of business groups opposed the bill—claiming the data management rules were “onerous and unneeded,” and that it would be ineffective for protecting customer data.  Although these provisions were ultimately removed, Dickinson told news outlets he intends to pick up the notification issue during the next legislative session.  He will also pursue future legislation to tighten encryption standards in California.

Not surprisingly, such legislation follows closely on the heels of a report released by California Attorney General Kamala Harris in February of 2014.  Titled Cybersecurity in the Golden State, the report details how in 2012 more than 2.5 million California residents were victimized by data breaches—more than half of whom would have been protected had companies implemented stricter encryption procedures when transmitting personal data.

In light of AB 1710, retailers and consumer-facing businesses that “maintain” personal information (even if they do not own or license such data) should familiarize themselves with the parameters of the new law to ensure their data security procedures satisfy the law’s “reasonable security” requirement.

A copy of AB 1710 is available here.  The Attorney General report is available here.

Verizon’s Data Breach Report Reveals The Nine Most Pressing Corporate Security Threats

By Jeffrey Rosenthal

As April comes to a close, it’s time once again for Verizon Enterprise Solutions’ Data Breach Investigations Report to remind us just how important data security is to the corporate world.

Released Wednesday, the report, now in its tenth year, concluded that hackers and cybercriminals have gotten faster at breaching corporate defenses than companies have at detecting the attacks—meaning many attacks were already complete before victims could even respond.

Verizon, which received contributions from 50 organizations worldwide, recorded nearly 63,500 “security incidents”—i.e., any attempt to attack a corporate computer system, successful or not—as well as 1,300 confirmed data breaches.  According to Verizon, nine out of ten security incidents in 2013 fell within nine basic categories, as discussed below:

1. Point-Of-Sale Intrusions.

Despite the widespread publicity of the recent Target Corp. breach (resulting in hackers gaining access to the credit card numbers of around 40 million customers), the occurrence of point-of-sale intrusions has actually been trending downward over the last several years, Verizon claims.  But retailers and hotel companies in particular still need to be concerned about this kind of intrusion, as even a single attack can be devastating.

2. Web App Attacks.

Described as the “proverbial punching bag of the Internet,” web application attacks are by far the most common type of breach.  They are typically accomplished through phishing, malware installation, or correctly guessed security questions—all of which end with the attacker holding valid credentials—so Verizon insists better protection for Internet-facing applications starts with stronger passwords and two-factor authentication.

3. Insider And Privilege Misuse.

Common examples of insider misuse include employees using forbidden devices/services to send intellectual property to personal accounts, or sending messages while posing as another employee to get that person fired.  Verizon observed that while many of the people committing these crimes are payment chain personnel and end users, C-suite managers were more to blame in prior years.

4. Physical Theft And Loss.

Corporate assets (phones, laptops etc.) are stolen from offices more often than from homes or vehicles.  The primary cause is simple carelessness.  To counter, Verizon suggests companies back up data, encrypt devices and encourage employees to closely guard devices.

5. Miscellaneous Errors.

Sending an email with sensitive information to the wrong recipient is the most common example of unintentional data disclosure.  Other examples include accidentally posting non-public information to a company’s web server, or mailing documents to the wrong physical address.  While some human error is unavoidable, Verizon says data loss prevention software and tighter processes around postings can reduce occurrences.

6. Crimeware.

Crimeware consists of any malware-driven attack that does not fall under espionage or point-of-sale.  Most crimeware infections occur when users download malicious files.  But they can also happen via “drive-by infections,” whereby malware is installed simply by visiting a compromised or malicious web page, often without any action beyond clicking a deceptive pop-up window.  Corporations’ best defense against crimeware is to maintain the most up-to-date browsers and software.

7. Payment Card Skimmers.

This type of attack is mainly directed at ATMs and gas pumps.  Because it requires a skimming device be physically added to a machine, it’s considered a relatively crude manner of intrusion.  According to Verizon, the most-recent development is that, rather than retrieve the skimming device itself, criminals can remotely collect data via wireless means, like Bluetooth.  Although modern ATMs are mostly tamper-resistant, this is still a concern in certain parts of the world.

8. Denial-Of-Service.

Commonly referred to as DDoS attacks, these threats include attacks aimed at compromising the availability of networks and systems in order to shut down corporate, consumer-facing websites.  Primarily directed at the financial, retail and public sectors, potential motives include extortion, protest, or simple amusement.

9. Cyber-Espionage.

Unauthorized network/system access associated with state-affiliated actors tripled from last year.  Espionage also had the widest variety of “threat actions”—meaning once intruders gain access, they are engaging in multiple types of illegal activities.  About 21% of reported incidents originated from Eastern Europe.

While, at first glance, the increasing volume of cyber attacks may seem disheartening, there is a silver lining here.  Because most attacks tend to follow one of the above nine patterns, companies stand a better chance of resisting intrusions if they take steps to combat the type of attack most common to their industry.  Recognizing your company’s greatest vulnerability and prioritizing the most likely type of cyber attack can mean the difference between preventing the intrusion altogether, or becoming the next Target.

Once again: a little knowledge can be a powerful tool when defending against mounting cyber attacks.

A copy of Verizon’s complete 2014 Data Breach Investigations Report is available here, with the Executive Summary available here.

NIST Releases Final Framework For Improving Critical Infrastructure Cybersecurity

By Steven Caponi

The White House released today the long-awaited voluntary guidelines intended to encourage companies operating in critical infrastructure sectors to adopt policies to better protect themselves from cyber attacks.  The standards were developed through a collaborative process involving the National Institute of Standards and Technology (“NIST”) and critical infrastructure companies such as those involved with energy, transportation, communication, and banking.

The guidelines are formally known as the “Framework for Improving Critical Infrastructure Cybersecurity” (the “Framework”).  In February 2013, President Obama issued Executive Order 13636: Improving Critical Infrastructure Cybersecurity, which called for the development of a voluntary, risk-based Cybersecurity Framework—i.e., a set of standards, guidelines, and practices to help organizations manage cyber risks. The resulting Framework announced today is intended to carry out the objectives of the Executive Order by providing a common language to address and manage cyber risk in a cost-effective way without placing additional regulatory requirements on businesses.  The ultimate goal is to provide companies overseeing the nation’s crucial infrastructure with a blueprint for identifying potential threats, protecting themselves from cyber attacks, and quickly recovering if an attack occurs.

In a statement, Obama warned that cyber threats “pose one of the greatest national security dangers that the United States faces,” echoing the recent judgment of major U.S. intelligence agencies.  “While I believe today’s framework marks a turning point, it’s clear that much more work needs to be done to enhance our cybersecurity,” Obama said. “America’s economic prosperity, national security and our individual liberties depend on our commitment to securing cyberspace and maintaining an open, interoperable, secure and reliable Internet.”

The Framework does not mandate specific security controls, but is instead intended to provide guidance for detecting and responding to attacks, mitigating fallout from cyber incidents, and managing overall cyber risks.  A key objective of the Framework is to provide a common language and mechanism for organizations to:

  • Describe their current cybersecurity postures
  • Describe their target states for cybersecurity
  • Identify/prioritize opportunities for improved risk management
  • Assess progress toward a target state
  • Foster communication among internal and external stakeholders

Department of Homeland Security (“DHS”) chief Jeh Johnson also announced on Wednesday that the DHS was starting a program to help companies implement the Framework.  The government is not, however, providing any tax breaks or other incentives to encourage the adoption of the Framework.  The White House is instead going to rely on companies having a sense of self-preservation, as well as a strong desire to avoid being victimized by a cyber attack and managing the lawsuits that will surely follow.

For a more comprehensive discussion of the NIST Framework and its anticipated impact on companies that are both inside and outside of critical infrastructure sectors, please read this recent article.

Cybersecurity—Hitting Too Close To Home

By Steven Caponi

Last week, I was faced with yet another Friday filing deadline in my local federal district court.  By 6:30 p.m., the only thing standing between me and a much needed weekend was hitting the proverbial “Send” button to complete my filing.  For some unknown reason, however, I could not complete the filing and eventually lost my connection to the court’s electronic filing system, commonly known as PACER.  The start of my weekend quickly went from thoughts of a nice dinner with my wife, to mild panic over possibly missing a court-ordered deadline—not to mention the subsequent embarrassment of explaining to the other counsel involved in the case that I was incapable of completing a routine filing.  Close to midnight, I was able to access PACER and complete the filing just under the wire.

The following Monday, I entered the office committed to finding out what technical glitch in my Firm’s software had ruined my Friday evening.  Much to my surprise, I learned that the problem was not due to issues with our software, but rather due to a group called the European Cyber Army, who decided to scuttle my weekend by shutting down the federal judiciary’s websites.   A tweet from the group stated, “Government of the United States of America: We have taken the Liberty of Nuking your Court’s Website!”  Known for distributed denial-of-service (“DDoS”) assaults, the group claims to have attacked the websites of the Syrian and Pakistani national governments, Asian and European banks, the State of Nevada, an online document-sharing site, and Craigslist Inc.

The DDoS assault on PACER overwhelmed the system and resulted in communications slowing to a snail’s pace before the connection was terminated altogether.  Once the attack was noticed by the judiciary, the PACER system placed a warning on its website and a prerecorded message on its telephone hotline.  But there were mixed messages as to whether or not the outage was caused by a cyber attack.  Almost immediately, a spokesman for the Administrative Office of the U.S. Courts stated the service problems were caused by a DDoS attack and referred to the incident as a “national cyber attack on the judiciary.”  The FBI, however, told the Wall Street Journal that the problems with PACER were caused by technical issues in federal court computers rather than by a cyber attack.  The FBI quickly backtracked from this statement on Saturday and indicated it was “reassessing” its initial conclusion.

With the confusion caused by contradictory statements by the FBI and Administrative Office of the Courts, it is unclear whether the European Cyber Army launched its DDoS attack on PACER to send a message to the American judiciary or if it was done specifically to scuttle my Friday dinner plans.  I do know, however, that despite extensively advising others on the need for increased cybersecurity, I did not anticipate becoming a victim myself.  All joking aside, the attack on PACER highlights several important points: (1) you never know when a cyber attack will occur; (2) the targets of cyber attacks are often chosen at random; and (3) as we increasingly transition into a society where even mundane functions (like filing a scheduling order) are done electronically, cyber attacks will ensnare an increasingly larger portion of our population.

Board of Directors Liability for Cybersecurity

By Steven Caponi

The likelihood of a cybersecurity breach hitting a company in the near future is as certain as the subsequent drop in shareholder value, finger-pointing, fines, regulatory headaches, and civil litigation alleging the board was asleep at the wheel in the face of a known danger when that danger finally materializes.  The question every board member must answer is whether the actions they are currently taking to protect their company’s digital assets are sufficient to withstand the Monday morning quarterbacking that will occur after a cyber attack incident.

I recently published a series of three articles intended to help boards of directors better understand the breadth of their fiduciary obligation in managing looming cybersecurity threats.

In today’s world, many companies maintain their most valuable assets in digital form.  Thieves no longer need to physically enter a company’s facility to steal its valuables. Rather, an individual on the other side of the globe, or right next door, can, with equal impunity, silently steal a company’s most prized possessions by breaching its data network.  Due to the evolving nature of cyber risks, there is a lack of authority discussing the scope of a board’s obligation to address such attacks.

Obviously, directors’ fiduciary duties will extend to the protection of significant digital assets. The more difficult question to answer is: What are the contours of a director’s fiduciary obligation when it comes to cybersecurity?  As discussed in my articles, the answer to this vexing question is almost always “it depends.”  As with all risks, the extent of a director’s obligation and the amount of attention an issue should receive at the board level will depend on such things as the nature of the company, the foreseeability of an attack, and the potential severity of a cyber breach.

Each of the three articles in my “Cybersecurity and the Board of Directors: Avoiding Personal Liability” series can be read in their entirety by clicking on the links below:

Part I:

Part II:

Part III: