BreachExchange mailing list archives
Defense contractors – under the DODs interim rule, it is time once again to update your data breach response plans
From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Thu, 8 Oct 2015 17:14:46 -0600
http://www.lexology.com/library/detail.aspx?g=ce78c2cd-b4f0-4d2d-ad91-6cee60d1d8af

In an interim final rule published on October 2, another layer has been added to the compliance landscape for defense contractors. In addition to complying with breach notification requirements in as many as 47 different states in the event of a breach involving personally identifiable information, Department of Defense contractors now have to comply with the rapid notification rules issued by DOD in the event of a cyber incident involving covered defense information. These rules are noteworthy in that they require DOD contractors to report cyber incidents within 72 hours of discovering the incident. Most state breach notification statutes do not require that individuals be notified of a breach within a specific number of days, and the few state statutes that do have such a requirement contain a much more lenient timeframe of 45 to 90 days. The interim rule applies only to “cyber incidents,” which are defined in the rule as involving “actions taken through the use of computer networks” that result in a compromise or adverse effect on a contractor’s systems or the information on those systems. Thus, the rapid reporting requirements in the interim rule do not apply when defense information is compromised through other means, such as human error or physical theft, which still account for a significant number of data breaches for many businesses. However, the interim rule does not exempt contractors from any other reporting requirements that may apply in the event of another form of intrusion. But there is more to the interim rule than just rapid reporting.
Once a cyber incident occurs, the contractor must “[c]onduct a review for evidence of compromise of covered defense information.” When a reportable cyber incident occurs under the interim rule, the contractor must, for example, identify compromised computers, servers and user accounts, as well as the specific data put at risk by the incident. In addition, the contractor must analyze “covered contractor information systems” that were involved in the cyber incident, as well as “other information systems on the contractor’s networks.” When the contractor completes this review, it is also required to “preserve and protect images of known affected information systems” identified in the review, as well as all “relevant monitoring/packet capture data” for at least 90 days from when the cyber incident was reported. Even outside the context of this interim rule, every business should have a data breach response plan because when a breach occurs, it will be too late to put one together. We previously advised here that it is critical for businesses holding PII to review and revise their data breach response plans on a continuous basis in order to keep up with the ever-changing state law compliance scheme. Now DOD contractors have another reason to once again pull out their plans and make sure they include the requirements in the interim rule.