During markup of the 2016 National Defense Authorization Act (“NDAA FY 2016”) on April 27, House Armed Services Committee Chairman Mac Thornberry (R-TX) proposed an amendment that would provide liability protection to certain Department of Defense (“DoD”) contractors for properly reporting cyber incidents on their networks and information systems.
This amendment relates back to two Legislative efforts to impose data breach notification requirements on DoD contractors:
- NDAA FY 2013 Section 941, which requires “cleared contractors” private entities granted clearance by DoD to “access, receive, or store classified information” for contractual purposes to report “successful penetrations” of their networks or information systems.
- NDAA FY 2015 Section 1632 (10 U.S.C. § 391), which requires DoD-designated “operationally critical contractors” those contractors determined to be critical sources of supply or support essential to the mobilization, deployment, or sustainment of the Armed Forces in a contingency operation to “rapidly” report each cyber incident on any of its networks or information systems.
Rep. Thornberry’s amendment would amend both Section 941 and 10 U.S.C. § 391 to provide for liability protection for complying with the reporting requirements. Specifically, “no cause of action shall lie or be maintained in any court against any cleared defense contractor, and such action shall be promptly dismissed, for compliance with this section that is conducted in accordance with the [cyber incident reporting] procedures.” The liability protection does not extend to contractors who engage in willful misconduct “in the course of complying with” the reporting requirements. The amendment defines “willful misconduct” as “an act or omission that is taken . . . intentionally to achieve a wrongful purpose; knowingly without legal or factual justification; and in disregard of a known or obvious risk that is so great as to make it highly probably that the harm will outweigh the benefit.” In the event of an action alleging willful misconduct, the plaintiff bears the burden of proving the willful misconduct by “clear and convincing evidence” and that the alleged misconduct “proximately caused injury to a plaintiff.”
The exact parameters of the liability protection will be defined when (and if) the provision is implemented by regulation. Nonetheless, this provision may face opposition from those who believe that the proposal goes too far in blocking suits that arise out of cybersecurity incidents. Although lawsuits would be permitted, the “willful misconduct” standard is significantly higher than the negligence standard that would be alleged in most civil suits. On the other hand, this provision gives contractors additional incentives to report breaches and gain the protection. Given that this change only applies to DoD contractors; however, third parties may still have causes of action under the lower standards of proof if the incident involves the release of personally identifiable information or other confidential information of third parties.
Also not covered in this provision or in the current DoD reporting requirements is how these reports could impact a contractor’s responsibility determination, and this liability protection does not appear to protect against an adverse determination.
Similar reporting requirements were enacted for cleared intelligence community contractors under the 2014 Intelligence Authorization Act, and it remains to be seen whether a liability protection provision will be added to that to those forthcoming regulations.