This post was written by Gunjan Talati and Timothy Nagle.
The National Defense Authorization Act for Fiscal Year 2013 (“NDAA”) became the law of the land in early January. It continues the government trend of the past few years of requiring companies to tattle on themselves: Section 941 of the NDAA directs the Department of Defense (“DoD”) to establish notice requirements under which “cleared” defense contractors must report to the government when covered networks or information systems are successfully penetrated.
Considerable uncertainty surrounds how the DoD will implement these notice requirements and exactly what they will cover. The NDAA provides that the Under Secretary of Defense for Intelligence (in conjunction with other enumerated officials) “shall establish the criteria for designating the cleared defense contractors’ networks or information systems that contain or process information created by or for the [DoD] to be subject to the reporting [requirements].” The statute thus leaves the DoD significant discretion over which networks and systems will be covered, including whether unclassified networks and systems will be included.
The NDAA also leaves the reporting procedure largely to the DoD, requiring only that a report be “rapid” and not defining that term. It does, however, specify certain elements a report must contain, such as a description of how the system was penetrated and a sample of the malicious code, if available.
The law also requires the DoD to establish a process giving DoD personnel the authority to access “equipment or information of a contractor necessary to conduct a forensic analysis” to determine whether any DoD information was “exfiltrated” in the penetration. Although the statutory language appears to limit DoD access to that narrow question, the procedures the DoD actually proposes may tell a different story. If those procedures reach beyond determining what was “exfiltrated,” companies will have to grapple with a number of issues, including the inadvertent disclosure of trade secrets, DoD access to privileged records, and exposure of attorney-client communications. As is almost always the case, the devil will be in the details.