September 19, 2020

Volume X, Number 263

September 18, 2020

Subscribe to Latest Legal News and Analysis

September 17, 2020

Subscribe to Latest Legal News and Analysis

September 16, 2020

Subscribe to Latest Legal News and Analysis

Potential Relief for Contractors Subject to Rapid Reporting Requirements





During markup of the 2016 National Defense Authorization Act (“NDAA FY 2016”) on April 27, House Armed Services Committee Chairman Mac Thornberry (R-TX) proposed an amendment that would provide liability protection to certain Department of Defense (“DoD”) contractors for properly reporting cyber incidents on their networks and information systems.

This amendment relates back to two Legislative efforts to impose data breach notification requirements on DoD contractors:

  • NDAA FY 2013 Section 941, which requires “cleared contractors”¾private entities granted clearance by DoD to “access, receive, or store classified information” for contractual purposes¾to report “successful penetrations” of their networks or information systems.

  • NDAA FY 2015 Section 1632 (10 U.S.C. § 391), which requires DoD-designated “operationally critical contractors”¾those contractors determined to be critical sources of supply or support essential to the mobilization, deployment, or sustainment of the Armed Forces in a contingency operation¾to “rapidly” report each cyber incident on any of its networks or information systems.

Rep. Thornberry’s amendment would amend both Section 941 and 10 U.S.C. § 391 to provide for liability protection for complying with the reporting requirements.  Specifically, “no cause of action shall lie or be maintained in any court against any cleared defense contractor, and such action shall be promptly dismissed, for compliance with this section that is conducted in accordance with the [cyber incident reporting] procedures.”  The liability protection does not extend to contractors who engage in willful misconduct “in the course of complying with” the reporting requirements.  The amendment defines “willful misconduct” as “an act or omission that is taken . . . intentionally to achieve a wrongful purpose; knowingly without legal or factual justification; and in disregard of a known or obvious risk that is so great as to make it highly probably that the harm will outweigh the benefit.”  In the event of an action alleging willful misconduct, the plaintiff bears the burden of proving the willful misconduct by “clear and convincing evidence” and that the alleged misconduct “proximately caused injury to a plaintiff.”

The exact parameters of the liability protection will be defined when (and if) the provision is implemented by regulation.  Nonetheless, this provision may face opposition from those who believe that the proposal goes too far in blocking suits that arise out of cybersecurity incidents.  Although lawsuits would be permitted, the “willful misconduct” standard is significantly higher than the negligence standard that would be alleged in most civil suits.  On the other hand, this provision gives contractors additional incentives to report breaches and gain the protection.  Given that this change only applies to DoD contractors; however, third parties may still have causes of action under the lower standards of proof if the incident involves the release of personally identifiable information or other confidential information of third parties.

Also not covered in this provision or in the current DoD reporting requirements is how these reports could impact a contractor’s responsibility determination, and this liability protection does not appear to protect against an adverse determination.

Similar reporting requirements were enacted for cleared intelligence community contractors under the 2014 Intelligence Authorization Act, and it remains to be seen whether a liability protection provision will be added to that to those forthcoming regulations.



© 2020 Covington & Burling LLPNational Law Review, Volume V, Number 130


About this Author

Catlin Meade, Cybersecurity lawyer, Covington

Catlin Meade advises clients across a broad range of cybersecurity and government contracts matters, including government and internal investigations, compliance with cybersecurity and data breach regulations, and SAFETY Act applications.

Representative Matters

  • Counsel to multiple companies in responding to data and cybersecurity incidents.
  • Advised a leading defense contractor on a multi-million-dollar prime-subcontractor dispute in connection with a NATO contract.
  • Key member of team that successfully represented a large government...
Susan B. Cassidy, Government Contracts Attorney, Covington Burling, Law Firm

Susan Cassidy advises clients on the complex rules and regulations imposed on government contractors, with a special emphasis on the defense and intelligence sectors. She combines a sophisticated knowledge of the FAR and DFARS with the practical insight gained from senior in-house positions at both dedicated defense and commercial item contractors.

Ms. Cassidy conducts internal investigations for clients on wide array of government contracts and national security compliance issues. She regularly advises on FAR mandatory disclosure obligations and represents clients with regard to these investigations before the agency, DOJ, and the relevant Suspension and Debarring Official. Ms. Cassidy spends considerable time advising on contractor cybersecurity requirements, including assessing contractual requirements and investigating and assisting clients with cyber breach incidents involving government information.