BreachExchange mailing list archives

Defense contractors – under the DODs interim rule, it is time once again to update your data breach response plans


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Thu, 8 Oct 2015 17:14:46 -0600

http://www.lexology.com/library/detail.aspx?g=ce78c2cd-b4f0-4d2d-ad91-6cee60d1d8af

In an interim final rule published on October 2, another layer has been
added to the compliance landscape for defense contractors. In addition to
complying with breach notification requirements in as many as 47 different
states in the event of a breach involving personally identifiable
information, Department of Defense contractors now have to comply with the
rapid notification rules issued by DOD in the event of a cyber incident
involving covered defense information. These rules are noteworthy in that
they require DOD contractors to report cyber incidents within 72 hours of
discovering the incident. Most state breach notification statutes do not
require that individuals be notified of a breach within a specific number
of days and the few state statutes that do have such a requirement contain
a much more lenient timeframe of 45 to 90 days.

The interim rule applies only to “cyber incidents” which are defined in the
rule as involving “actions taken through the use of computer networks” that
result in a compromise or adverse effect on a contractor’s systems or the
information on those systems. Thus, the rapid reporting requirements in the
interim rule do not apply when defense information is compromised through
other means, such as human error or physical theft, which still accounts
for a significant number of data breaches for many businesses. However, the
interim rule does not exempt contractors from any other reporting
requirements triggered by a leak that may apply in the event of another
form of intrusion.

But there is more to the interim rule than just rapid reporting. Once a
cyber incident occurs, the contractor must “[c]onduct a review for evidence
of compromise of covered defense information.” When a reportable cyber
incident occurs under the interim rule, the contractor must, for example,
identify compromised computers, servers and user accounts, as well as the
specific data put at risk by the incident. In addition, the contractor must
analyze “covered contractor information systems” that were involved in the
cyber incident, as well as “other information systems on the contractor’s
networks.” When the contractor completes this review, it is also required
to “preserve and protect images of known affected information systems”
identified in the review, as well as all “relevant monitoring/packet
capture data” for at least 90 days from when the cyber incident was
reported.

Even outside the context of this interim rule, every business should have a
data breach response plan because when a breach occurs, it will be too late
to put one together. We previously advised here that it is critical for
businesses holding PII to review and revise their data breach response
plans on a continuous basis in order to keep up with the ever-changing
state law compliance scheme. Now DOD contractors have another reason to
once again pull out their plans and make sure they include the requirements
in the interim rule.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss
For inquiries regarding use or licensing of data, e-mail
        sales () riskbasedsecurity com 