During markup of the 2016 National Defense Authorization Act (“NDAA FY 2016”) on April 27, House Armed Services Committee Chairman Mac Thornberry (R-TX) proposed an amendment that would provide liability protection to certain Department of Defense (“DoD”) contractors for properly reporting cyber incidents on their networks and information systems.

This amendment relates back to two legislative efforts to impose cyber incident reporting requirements on DoD contractors:

  • NDAA FY 2013 Section 941, which requires “cleared contractors” (private entities granted clearance by DoD to “access, receive, or store classified information” for contractual purposes) to report “successful penetrations” of their networks or information systems.
  • NDAA FY 2015 Section 1632 (codified at 10 U.S.C. § 391), which requires DoD-designated “operationally critical contractors” (those contractors determined to be critical sources of supply or support essential to the mobilization, deployment, or sustainment of the Armed Forces in a contingency operation) to “rapidly” report each cyber incident on any of their networks or information systems.

Rep. Thornberry’s amendment would amend both Section 941 and 10 U.S.C. § 391 to provide liability protection for complying with the reporting requirements.  Specifically, “no cause of action shall lie or be maintained in any court against any cleared defense contractor, and such action shall be promptly dismissed, for compliance with this section that is conducted in accordance with the [cyber incident reporting] procedures.”  The liability protection does not extend to contractors who engage in willful misconduct “in the course of complying with” the reporting requirements.  The amendment defines “willful misconduct” as “an act or omission that is taken . . . intentionally to achieve a wrongful purpose; knowingly without legal or factual justification; and in disregard of a known or obvious risk that is so great as to make it highly probable that the harm will outweigh the benefit.”  In any action alleging willful misconduct, the plaintiff bears the burden of proving by “clear and convincing evidence” both the willful misconduct and that the alleged misconduct “proximately caused injury to a plaintiff.”

The exact parameters of the liability protection will be defined when (and if) the provision is implemented by regulation.  Nonetheless, the provision may face opposition from those who believe it goes too far in blocking suits that arise out of cybersecurity incidents.  Although lawsuits would still be permitted, the “willful misconduct” standard is significantly higher than the negligence standard that would be alleged in most civil suits.  On the other hand, the provision gives contractors an additional incentive to report breaches and gain the protection.  And because the protection attaches only to a DoD contractor’s compliance with these reporting requirements, third parties may still have causes of action under the lower negligence standard if the incident involves the release of their personally identifiable information or other confidential information.

Neither this provision nor the current DoD reporting requirements address how these reports could affect a contractor’s responsibility determination, and the liability protection does not appear to protect against an adverse determination.

Similar reporting requirements were enacted for cleared intelligence community contractors under the 2014 Intelligence Authorization Act, and it remains to be seen whether a comparable liability protection will be added to the forthcoming regulations implementing that requirement.

Susan B. Cassidy

Susan is co-chair of the firm’s Aerospace and Defense Industry Group and is a partner in the firm’s Government Contracts and Cybersecurity Practice Groups. She previously served as in-house counsel for two major defense contractors and advises a broad range of government contractors on compliance with FAR and DFARS requirements, with a special expertise in supply chain and cybersecurity requirements. She has an active investigations practice and advises contractors when faced with cyber incidents involving government information. Susan relies on her expertise and experience with the Defense Department and the Intelligence Community to help her clients navigate the complex regulatory intersection of cybersecurity, national security, and government contracts. She is Chambers rated in both Government Contracts and Government Contracts Cybersecurity. In 2023, Chambers USA quoted sources stating that “Susan’s in-house experience coupled with her deep understanding of the regulatory requirements is the perfect balance to navigate legal and commercial matters.”

Her clients range from new entrants into the federal procurement market to well-established defense contractors, and she provides compliance advice across a broad spectrum of procurement issues. Susan consistently remains at the forefront of legislative and regulatory changes in the procurement area, and in 2018 the National Law Review selected her as a “Go-to Thought Leader” on the topic of Cybersecurity for Government Contractors.

In her work with global, national, and start-up contractors, Susan advises companies on all aspects of government supply chain issues including:

  • Government cybersecurity requirements, including the Cybersecurity Maturity Model Certification (CMMC), DFARS 7012, and NIST SP 800-171 requirements;
  • Evolving sourcing issues such as Section 889, counterfeit part requirements, Section 5949, and limitations on sourcing from China;
  • Federal Acquisition Security Council (FASC) regulations and product exclusions;
  • Controlled unclassified information (CUI) obligations; and
  • M&A government cybersecurity due diligence.

Susan has an active internal investigations practice that assists clients when allegations of non-compliance arise with procurement requirements, such as in the following areas:

  • Procurement fraud and FAR mandatory disclosure requirements;
  • Cyber incidents and data spills involving sensitive government information;
  • Allegations of violations of national security requirements; and
  • Compliance with MIL-SPEC requirements, the Qualified Products List, and other sourcing obligations.

In addition to her counseling and investigatory practice, Susan has considerable litigation experience and has represented clients in bid protests, prime-subcontractor disputes, Administrative Procedure Act cases, and product liability litigation before federal courts, state courts, and administrative agencies.

Susan is a former Co-Chair of the ABA Public Contract Law Section’s Procurement Division, and a former Co-Chair and current Vice-Chair of the ABA PCL Cybersecurity, Privacy and Emerging Technology Committee.

Prior to joining Covington, Susan served as in-house senior counsel at Northrop Grumman Corporation and Motorola Incorporated.