Privacy and Data Security Update for Defense Contractors

Similar documents
[SUBPART CLOUD COMPUTING (DEVIATION 2015-O0011) Prescribes policies and procedures for the acquisition of cloud computing services.

DoD Issues Interim Rule Addressing New Requirements for Cyber Incidents and Cloud Computing Services

(Billing Code ) Defense Federal Acquisition Regulation Supplement: Network. Penetration Reporting and Contracting for Cloud Services (DFARS

BUSINESS ASSOCIATE AGREEMENT

Disclaimer: Template Business Associate Agreement (45 C.F.R )

BUSINESS ASSOCIATE AGREEMENT. Business Associate. Business Associate shall mean.

CLOUD COMPUTING ISSUES FOR SCHOOL DISTRICTS. Presented to the 2013 BRADLEY F. KIDDER LAW CONFERENCE. October 2, 2013

BUSINESS ASSOCIATE AGREEMENT

FirstCarolinaCare Insurance Company Business Associate Agreement

BUSINESS ASSOCIATE AGREEMENT BETWEEN LEWIS & CLARK COLLEGE AND ALLEGIANCE BENEFIT PLAN MANAGEMENT, INC. I. PREAMBLE

M E M O R A N D U M. Definitions

HIPAA BUSINESS ASSOCIATE AGREEMENT

Appendix : Business Associate Agreement

HIPAA PRIVACY AND SECURITY RULES BUSINESS ASSOCIATE AGREEMENT BETWEEN. Stewart C. Miller & Co., Inc. (Business Associate) AND

COMPLIANCE ALERT 10-12

BUSINESS ASSOCIATE AGREEMENT

BUSINESS ASSOCIATE AGREEMENT Tribal Contract

New HIPAA Breach Notification Rule: Know Your Responsibilities. Loudoun Medical Group Spring 2010

SAMPLE BUSINESS ASSOCIATE AGREEMENT

Business Associate Agreement

HSHS BUSINESS ASSOCIATE AGREEMENT BACKGROUND AND RECITALS

HIPAA Business Associate Agreement

HIPAA for Business Associates

SaaS. Business Associate Agreement

Barnes & Thornburg LLP HIPAA Update: HITECH Act Breach Notification Rule

UNIVERSITY OF MAINE SYSTEM STANDARDS FOR SAFEGUARDING INFORMATION ATTACHMENT C

BUSINESS ASSOCIATE AGREEMENT

Identity Theft Prevention and Security Breach Notification Policy. Purpose:

Business Associate Agreement

SAMPLE BUSINESS ASSOCIATE AGREEMENT

Business Associate and Data Use Agreement

Name of Other Party: Address of Other Party: Effective Date: Reference Number as applicable:

This form may not be modified without prior approval from the Department of Justice.

BUSINESS ASSOCIATE ADDENDUM

HIPAA BUSINESS ASSOCIATE AGREEMENT

Use & Disclosure of Protected Health Information by Business Associates

BREACH NOTIFICATION FOR UNSECURED PROTECTED HEALTH INFORMATION

CREATIVE SOLUTIONS IN HEALTHCARE, INC. Privacy Policy

APPENDIX I: STANDARD FORM BUSINESS ASSOCIATE CONTRACT AND DATA USE AGREEMENT (2012 Version)

Sample Business Associate Agreement Provisions

BUSINESS ASSOCIATE AGREEMENT HIPAA Protected Health Information

BUSINESS ASSOCIATE AGREEMENT

Business Associate Agreement

CONNECTICUT IDENTITY THEFT RANKING BY STATE: Rank 19, 68.8 Complaints Per 100,000 Population, 2409 Complaints (2007) Updated November 28, 2008

Data Processing Agreement for Oracle Cloud Services

Model Business Associate Agreement

BUSINESS ASSOCIATE AGREEMENT TERMS

Terms and Conditions Relating to Protected Health Information ( City PHI Terms ) Revised and Effective as of September 23, 2013

LCD SOLUTIONS and CLICKTATE.COM BUSINESS ASSOCIATE AGREEMENT and DISCLOSURE of RIGHTS to COVERED ENTITIES

BUSINESS ASSOCIATE ADDENDUM

BUSINESS ASSOCIATE AGREEMENT. (Contractor name and address), hereinafter referred to as Business Associate;

STATE OF NEVADA DEPARTMENT OF HEALTH AND HUMAN SERVICES BUSINESS ASSOCIATE ADDENDUM

BUSINESS ASSOCIATE ADDENDUM. WHEREAS, Provider (as defined below) has a contractual relationship with FHCCP requiring this Addendum;

APPENDIX I: STANDARD FORM BUSINESS ASSOCIATE CONTRACT AND DATA USE AGREEMENT

HIPAA BUSINESS ASSOCIATE AGREEMENT

H I P AA B U S I N E S S AS S O C I ATE AGREEMENT

FEDERAL AND STATE BREACH NOTIFICATION LAWS FOR CALIFORNIA

STANDARD FORM BUSINESS ASSOCIATE CONTRACT AND DATA USE AGREEMENT

Business Associate Agreement Involving the Access to Protected Health Information

KRS Chapter 61. Personal Information Security and Breach Investigations

H 6191 SUBSTITUTE A AS AMENDED ======= LC02663/SUB A/2 ======= STATE OF RHODE ISLAND IN GENERAL ASSEMBLY JANUARY SESSION, A.D.

BUSINESS ASSOCIATE AGREEMENT ( BAA )

BUSINESS ASSOCIATE AGREEMENT

HIPAA Compliance (DSHS and HCA) Preamble: This section of the Contract is the Business Associate Agreement as

BUSINESS ASSOCIATE AGREEMENT

HIPAA Business Associate Contract. Definitions

January An Overview of U.S. Security Breach Statutes

BENCHMARK MEDICAL LLC, BUSINESS ASSOCIATE AGREEMENT

Business Associates and Breach Reporting Under HITECH and the Omnibus Final HIPAA Rule

Cloud Hosting Terms and Conditions

BUSINESS ASSOCIATE AGREEMENT BETWEEN AND COMMISSION ON ACCREDITATION, AMERICAN PSYCHOLOGICAL ASSOCIATION

Business Associate Agreement

BUSINESS ASSOCIATE AGREEMENT

BUSINESS ASSOCIATE AGREEMENT

HIPAA and the HITECH Act Privacy and Security of Health Information in 2009

BUSINESS ASSOCIATE AGREEMENT

Please print the attached document, sign and return to or contact Erica Van Treese, Account Manager, Provider Relations &

Data Breach, Electronic Health Records and Healthcare Reform

NCHICA HITECH Act Breach Notification Risk Assessment Tool. Prepared by the NCHICA Privacy, Security & Legal Officials Workgroup

BUSINESS ASSOCIATE AGREEMENT

Transcription:

Privacy and Data Security Update for Defense Contractors T.J. Crane May 19, 2017

Overview DoD interim rule Expanded DFAR reporting obligations New DFAR definitions Cloud services Changes to local breach notification laws Possible federal breach notification law

Caveats Not intended to Cover all laws or industries Create an attorney-client relationship Seek counsel for a particular legal issue

Expanded reporting obligations

Key points on reporting Rule applies to all contractors with covered defense information residing in or transiting through their information systems Requires safeguarding and reporting, without abrogating prior requirements

Key points on reporting (cont d) Subcontractors must report to the prime contractor, and directly to DoD This could lead to inconsistent reports Pertains not just to unclassified controlled technical information Think CDI, not UCTI

Key points on reporting (cont d) Covered defense information is unclassified information that is Provided to the contractor by or on behalf of DoD in connection with contract performance; or Collected, developed, received, transmitted, used, or stored by or on behalf of the contractor in support of contract performance

Key points on reporting (cont d) And is: Controlled technical information, Critical information (operations security), Export control, or Any other information, marked or otherwise identified in the contract, that requires safeguarding or dissemination controls pursuant to and consistent with law, regulations, and Governmentwide policies (e.g., privacy, proprietary business information)

Key points on reporting (cont d) And is: Controlled technical information, Critical information (operations security), Export control, or Any other information, marked or otherwise identified in the contract, that requires safeguarding or dissemination controls pursuant to and consistent with law, regulations, and Governmentwide policies (e.g., privacy, proprietary business information)

When to report? Discovery of a cyber incident that affects A covered contractor information system, Covered defense information residing in a covered contractor information system, or The contractor s ability to perform contract requirements that are designated as operationally critical support

Cyber incident Actions taken through the use of computer networks that result in a compromise or an actual or potentially adverse effect on an information system and/or the information residing therein

Cyber incident Actions taken through the use of computer networks that result in a compromise or an actual or potentially adverse effect on an information system and/or the information residing therein

Cyber incident Actions taken through the use of computer networks that result in a compromise or an actual or potentially adverse effect on an information system and/or the information residing therein

New definitions 48 C.F.R. 202.101

Compromise Disclosure of information to unauthorized persons, or A violation of the security policy of a system, in which unauthorized intentional or unintentional Disclosure, modification, destruction, or loss of an object, or the copying of information to unauthorized media may have occurred

Compromise Disclosure of information to unauthorized persons, or A violation of the security policy of a system, in which unauthorized intentional or unintentional Disclosure, modification, destruction, or loss of an object, or the copying of information to unauthorized media may have occurred

Media Physical devices or writing surfaces including, but not limited to, magnetic tapes, optical disks, magnetic disks, largescale integration memory chips, and printouts onto which covered defense information is recorded, stored, or printed within a covered contractor information system

Reporting obligations Conduct a review for evidence of compromise and analyze the systems involved Rapidly report cyber incidents to DoD This still means within 72 hours

What to provide? A cyber incident report; Malicious software, if detected and isolated; and Media (or access to covered contractor information systems and equipment) upon request

Is my reporting protected? Trade secret or otherwise proprietary information? Might reporting be interpreted as an admission of failing to provide adequate security?

Limitations on use Access and use of information received or created in the performance of the contract Is limited to the purpose of furnishing advice or technical assistance directly to the Government in support of its activities and Shall not be used for any other purpose Contractor must protect the information from unauthorized release or disclosure

Limitations on use (cont d) Contractor must ensure that its employees are subject to use and nondisclosure obligations prior to being provided access to or use of the information Reporting party is a third-party beneficiary of the non-disclosure agreement between the Government and the contractor

Limitations on use (cont d) Contractor shall include this clause in all subcontracts that include support for the Government s activities related to safeguarding covered defense information and cyber incident reporting, including subcontracts for commercial items

Limitations on use (cont d) Information shared shall not, by itself, be interpreted as evidence that the contractor failed to provide adequate information safeguards for covered defense information. A breach of the reporting obligations or restrictions can give rise to criminal, civil, administrative, and contract actions

Cloud services

Cloud computing defined [A] model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources that can be rapidly provisioned and released with minimal management effort or service provider interaction. 48 C.F.R. 239.7601

Cloud computing defined (cont d) This includes other commercial terms: On-demand self-service, Broad network access, Resource pooling, Rapid elasticity, and Measured service Also, any -as-a-service

On cloud services Before contracting, contractors must declare any intent to use cloud computing DoD will first require provisional authorization by Defense Information Systems Agency

On cloud services (cont d) Services must be provided in accordance with the Cloud Computing Security Requirements Guide http://iase.disa.mil/cloud_security/pages/index.aspx Must not access, use, or disclose Government data unless specifically authorized by contract, task order, or delivery order

On cloud services (cont d) Without written authorization, cloud computing service providers must maintain all Government data that is off of DoD premises within The 50 states, The District of Columbia, or The outlying areas of the United States

On cloud services (cont d) Contractors shall ensure that employees are subject to the access, use, and disclosure prohibitions and obligations Prohibitions and obligations survive the contract

On cloud services (cont d) Without written authorization, cannot use Government-related data for any purpose other than to manage the environment that supports the Government data Must notify the Government of any requests for access to Government-related data (e.g., warrant, seizure, or subpoena)

Selected changes in local data security breach notification laws

Notable changes in Washington No longer just computerized data Secured means Encrypted to meet or exceed NIST standard or Otherwise modified to render PI unreadable, unusable, or undecipherable by an unauthorized person

Notable changes in Wash. (cont d) Must notify Washington Attorney General if more than 500 residents are affected Must notify In the most expedient time possible and without unreasonable delay But within 45 days (with exceptions for law enforcement and measures to determine the breach scope or restore system integrity)

Notable changes in Oregon Personal information now includes biometric data used for transactions E.g., fingerprint, iris, retina, etc. Must notify the Oregon Attorney General if more than 250 residents are affected

Notable changes in Ore. (cont d) No notification needed upon reasonable determination that consumers are unlikely to suffer harm Document in writing Maintain the writing for five years (Perhaps retain longer depending on risk profile) Expansion of personal information to include, e.g., certain health policy numbers

Discussion

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information