In an interim final rule published on October 2, another layer has been added to the compliance landscape for defense contractors. In addition to complying with breach notification requirements in as many as 47 different states in the event of a breach involving personally identifiable information, Department of Defense (DoD) contractors now have to comply with the rapid notification rules issued by DoD in the event of a cyber incident involving covered Defense information.
These rules are noteworthy in that they require DoD contractors to report cyber incidents within 72 hours of discovering the incident. Most state breach notification statutes do not require that individuals be notified of a breach within a specific number of days, and the few state statutes that do have such a requirement contain a much more lenient timeframe of 45 to 90 days.
The interim rule applies only to “cyber incidents,” which the rule defines as involving “actions taken through the use of computer networks” that result in a compromise of, or an adverse effect on, a contractor’s systems or the information on those systems.
Keep reading this article at: http://www.mondaq.com/article.asp?articleid=434116