As we near the end of the year and look back on 2017, both the number of data breaches and magnitude of these breaches stand out. There have been over forty very significant breaches of data stored on cloud computing systems in the past year – and it is safe to assume that we will learn of still more before the year’s end.
Though to date many of the reported data breaches have not involved the disclosure of government data, they present a valuable opportunity to remind Government Contractors, many of whom use third-party cloud systems to store Government data, of their disclosure obligations in the event of a data breach.
Should a contractor learn that Government data stored on a cloud system has been improperly accessed, the FAR and DFARS, as well as associated guidance such as the Cloud Computing Security Requirements Guide, the National Institute of Standards and Technology Computer Security Incident Handling Guide, and the Federal Incident Notification Guidelines, impose strict reporting obligations. These reporting requirements depend on both the type of data accessed (e.g., personally identifiable information, protected critical infrastructure information, intellectual property, classified information) and the extent of the breach (e.g., the functional impact on the contractor, the informational impact on the data, and whether the breach is confirmed).
Proper disclosure of a breach is critical for compliance with the applicable federal laws. While the scope of a disclosure will vary based on the aforementioned factors, contractors must comply with the federal disclosure requirements in every case. The sole fact that a data breach has occurred is not adequate evidence of a failure to safeguard Government data; however, when the breach is compounded by a failure to satisfy the requisite reporting requirements, contractors face the potential for increased penalties ranging from civil fines to suspension, debarment, and even criminal liability.