Torchwood Government Contracting

Guest Blogger - Mikki Barry - Barry Tech Law

Do you have a plan for data breach? What happens if you spill government or customer data?  Just about every company, large or small, will eventually be caught up in a data breach scenario, whether real or assumed. Do you know what you’ll do?

According to forensics company Stroz Friedberg, 52% of senior leadership gave corporate America’s response to cyber threats a grade of C or lower. That hardly fosters optimism. The Washington Post reported that in 2013, federal agents informed over 3000 companies that their systems had been hacked. This included Target’s system, which was breached with millions of personal records exposed, which caused a dramatic loss of sales. April 3, 2014, the Heartbleed exploit was discovered. It is not known how much information was compromised. April 30, 2014, ex counterterrorism czar Richard Clarke warned that Russia may use cyber warfare against the US and Ukraine. May 19, the New York Times reported that 5 Chinese Army personnel had been indicted for hacking US systems. May 21, eBay was hacked, including its e-commerce pseudo-banking site PayPal The damage to consumers is still unknown. May 22, Bloomberg News reported that “UglyGorilla,” one of the 5 indicted Chinese, is claimed to have hacked into Westinghouse and US Steel.

These are merely the publicized exploits. Meantime, there are tens of thousands of attempts to break in, usually by “script kiddies,” or kids who collect malicious code on the Internet that they use to try to break into random systems. Usually, these attacks are not very sophisticated. My blog’s automatic blocking of people who try to get in too many times has been triggered thousands of times this year. More savvy attacks would easily have gotten in. Of course, they wouldn’t have found anything except my articles, for which I have backups.

But what about the small to midsized defense contractors, software/hardware developers with intellectual property secrets, customer lists, employee SSNs, pay records and direct deposit accounts? What if you’re a HIPAA Business Associate with Private Health Information (PHI)?

It is very important for all companies to have systematic procedures in place long before the intrusion or possible intrusion happens. A sample team for a small company might include your system administrator, chief technical officer, legal counsel and the CEO. You should have identified and contracted with a competent computer forensics company and outside counsel who are well versed in cybersecurity. All team members should be involved with writing your company’s plan and with doing table top simulations so they’re comfortable with the procedures.

So, what do you need a lawyer for? Shouldn’t the forensics company in combination with the company IT staff be more than capable of handling an investigation? Maybe. If the techs find that no data was compromised, that the intrusion alarm went off for nothing and all is well, then you really don’t need legal assistance. What happens, however, if you find that customer data, protected medical information, employee SSNs or other identifying information has been disclosed? What if you have data from several states? What if you have international data? Trade secret information or classified materials? Would you know where to begin, and whether the company could be civilly or criminally liable?

All companies that deal with protected data of any kind that may be vulnerable to cyber attack (which is any data on a network), should have competent cybersecurity counsel, either as in house or outside counsel (hopefully both if your investigation needs attorney/client privilege), assisting in the creation of a comprehensive response plan. The lawyer should work closely with the technical and operations staff, a forensics company, as well as C level executives to draft a workable, easily understandable plan. The plan should be kept up to date with appropriate names and contact information, and scenarios should be simulated against the plan with changes made as necessary.

Having a rehearsed plan immediately implemented can make the difference in the outcome of any cyber incident. Rapid identification, verification, and containment, followed by ensuring compliance in reporting or other requirements, appropriately involving law enforcement, and improving safeguards as well as response, may keep your company out of the news.

If you’re a small business who is new to government contracts and the government marketplace, with no past performance to speak of, you may find it more difficult to win contract awards. August 1, the FAR was amended to require contracting officials to enter past performance evaluations into a retrieval system that will be evaluated for subsequent procurements. Of course, if you have no past performance, you will be one of the “unknowns” in the procurement process. If you have current contracts, you’re still not out of the woods, however. These often subjective evaluations, regardless of contractor explanation, or even the evaluation being outright incorrect, will appear prior to final agency evaluation.http://feedproxy.google.com/~r/GovernmentContractsMonitor/~3/b7pgWg130uM/get-what-you-need-final-far-rule-makes-past-performance-more-important-than-ever.html

The ruling has come down in a case that many have been watching with trepidation, and it’s not good news for companies who are affiliated with an indicted parent. In a nutshell, all affiliate companies may be suspended indefinitely for the indictment of a parent. It is not necessary to show any wrongdoing on the part of the affiliate, it is enough that the parent was indicted. This decision, in Agility Defense and Government Services, Inc. v. U.S. Dept. of Defense, 2013 WL 6850891 (11th Cir. Dec 31, 2013), overturned a lower court decision holding that without independent legal proceedings against the particular affiliate, it was improper to continue indefinite suspension of that affiliate. This means that an affiliate suspended due to a parent’s indictment has recourse only so far as the agency’s due process rules. The agency has the authority, under FAR 9.403, to suspend affiliates if it chooses to do so, provided the affiliate receives notice, and has the opportunity to contest the action.

The take away from this decision is that affiliates or affiliates counsel should inquire early and often regarding compliance of all companies it is affiliated with.

The Supreme Court recently made clear that the whistleblower protections of the Sarbanes-Oxley Act of 2002 apply not only to employees of public companies, but also to contractors and subcontractors of those companies. They stated that Congress intended for workers in a position to see, understand and report improper dealings, have the means to report without retribution. Given that there is no bright line between a contractor vs. a vendor, there could well be further litigation to shore up the definitions so that businesses can be clear on where SOX does and does not apply. The dissent, by Justice Sotomayor, while not addressing this issue, did point out that she was concerned with the reach of the majority opinion, saying in part, “Congress did not envision a system in which employees of other private businesses – such as cleaning and construction company workers who have little interaction with investor – related activities and who are ill suited to assist in detecting fraud against shareholders – would fall within §1514A. Nor, needless to say, did it envision §1514A applying to the household employees of millions of individuals who happen to work for public companies – housekeepers, gardeners, and babysitters who are also poorly positioned to prevent fraud against public company investors.”

This is a dramatic expansion of Sarbanes-Oxley to include millions more employees than previously thought. Contractors should begin training as soon as possible to ensure that they remain compliant with this ruling.

http://www.supremecourt.gov/opinions/13pdf/12-3_4f57.pdf