Follow the Feds When it Comes to Supply Chain Cybersecurity

By Casey C. Sullivan, Esq. on June 17, 2015 | Last updated on March 21, 2019

We've said it before and we'll say it again: cybersecurity should be on the top of any GC's agenda. Not only is cybersecurity one of the main areas C-suite executives want their legal department to master, the costs of losing sensitive data can be massive, resulting in expensive litigation, loss of proprietary information, and reputation damage.

But how do you protect the data that's in the hands of suppliers, contractors, and the like? Don't worry, the federal government has been figuring that out for you.

Take it From the Feds

Security risks aren't just an in-house concern. When a company's data walks out the door, or potentially compromised products come into the office, there are plenty of opportunities for expansive and damaging breaches. Three lawyers from Covington's privacy, data security and government contracts practice groups highlighted these risks in a recent piece for Inside Counsel. Luckily, while supply-chain risks abound, there are plenty of developed (and public) policies available to address them, in the form of government data security regulations.

Corporate counsel can learn a thing or two from these federal regulations. For example, companies contracting with the Department of Homeland Security are required to implement specific security controls for their IT systems, allow audit access, and meet monitoring and reporting requirements. The National Institute of Standards and Technology released a draft report this April laying out the "fourteen families of security requirements" that should be instituted to protect confidential and classified information.

Crafting Agreements With Cyber Security in Mind

In-house counsel should make sure their agreements with contractors and suppliers include requirements to mitigate cybersecurity risks. These agreements should include not only contractual obligations to safeguard sensitive data, but also ways to monitor compliance. Similarly, contractors should be required to vet and monitor all of their own suppliers and contractors, making sure that data security is in place throughout the supply chain.

Finally, in-house counsel should make sure that they have in place a system for identifying and reporting incidents as they occur. Under DHS contract requirements, a contractor must report a breach within an hour of its discovery. Coupled with regular, effective monitoring, quick reporting can help companies discover and respond to breaches before too much damage is done.
