Obama’s Cybersecurity Order Could Squeeze Contractors

By Dietrich Knauth

Law360, New York (February 26, 2013, 8:01 PM EST) — President Barack Obama’s recent cybersecurity executive order envisions a more centralized approach to protecting the government from hackers, but contractors worry a slew of new costs and burdensome information-sharing requirements could also accompany the well-intentioned move.

Government contractors, already a target for hackers because of their closeness to government data, are among the biggest groups affected by Obama’s Feb. 12 cybersecurity executive order, which pushes federal agencies to work more closely with defense contractors, banks, electric power companies, communications providers and other critical infrastructure operators through voluntary security standards and increased dialog about cyberthreats. The order and an accompanying policy directive also direct the agencies to consider changing the Federal Acquisition Regulation to include cybersecurity concerns in new government contracts.

But the government’s effort to incorporate cybersecurity standards into acquisition planning and to harmonize existing procurement requirements could be a mixed bag for contractors. While the new standards will likely carry new compliance costs, those additional costs could be offset by smoothing out a “Tower of Babel” of conflicting agency-by-agency and even contract-by-contract approaches, according to Crowell & Moring LLP partner David Bodenheimer.

“It is not all downside. An upside to a FAR regulatory scheme for cybersecurity would be greater uniformity and less compliance burden on contractors,” Bodenheimer said. “One of the problems right now, for federal contractors, is having to comply with a host of changing federal regulations at the agency level.”

But many are concerned that new regulations arising out of the executive order will ask too much of contractors, especially because the government will have to frequently update its standards in order to combat rapidly evolving cyberattacks and new techniques employed by hackers.

“The goal sounds like a good idea, but we’ll have to wait and see what’s proposed,” said Elizabeth Ferrell, a partner at McKenna Long & Aldridge LLP. “Consistency would be helpful, but there are always concerns that the standards will be too strict and too much of a burden on contractors.”

Contractors will also be asked to take part in the executive order’s voluntary information sharing program, which is based on a pilot program already underway between the DOD and some defense contractors. As long as the information sharing remains voluntary, contractors, like other companies affected by the order, will closely watch as the government settles on a mix of incentives and penalties to encourage the cooperation it is seeking.

Many companies are worried that reporting on cyberthreats and data breaches will open them to new liability, from exposure of trade secrets and proprietary data, to liability for inadvertently disclosed personal information, to damaged corporate reputations. Contractor groups, including the Professional Services Council and TechAmerica, have already called for granting indemnification to companies that meet cybersecurity standards or exempting their disclosures from Freedom of Information Act requests, steps that would assure contractors, but would require legislative action.

In addition to the reporting risks faced by other companies affected by the order, contractors face a few unique risks when reporting data breaches or cyberattacks — particularly if they lead the government to see the contractor as a less secure partner than potential competitors. Many federal agencies now include information security and safeguards as an element of past performance and experience during a contract competition, according to Bodenheimer.

“That breach may be used against it in other contexts as well, such as being penalized in a competitive source selection,” Bodenheimer said.

Sharing information also carries more risk for contractors than for most private sector companies, because government contractors are subject to a number of additional statutory, regulatory and contractual reporting requirements. Noncompliance with one of those additional reporting requirements could open up government contractors to accusations of procurement fraud or whistleblower suits under the False Claims Act.

“Government contractors, by nature, are very cautious because there are a lot of potential liabilities associated with any kind of noncompliance,” Ferrell said. “False Claims Act liability certainly is one of those, so I think that would be on a list of potential lawsuits that a company might face that might originate from voluntary disclosures.”

There is also the fear, perhaps well-grounded, that the voluntary information sharing framework in the executive order will be a mere stepping stone to a mandatory reporting requirement in the future.

Defense contractors, whose early efforts provided a framework for the executive order’s information sharing program, experienced something similar in December, when the 2013 National Defense Authorization Act required contractors with security clearances to report cyberattacks and system breaches.

“If I was an industry member, I would wonder if we’ll see a broader mandatory disclosure requirement that will apply to non-cleared contractors,” said Jon Burd, a government contracts attorney at Wiley Rein LLP. “None of that is on the immediate horizon, but it’s reasonable to wonder out loud whether that is a path that we may head down in the not too distant future.”

Published by Law360