
Massive data breaches dominated the headlines in 2018. In fact, if it seemed like there were even more stories about data breaches this past year than in 2017, that's because there were.

Although none were as newsworthy as the Equifax data breach of September 2017, occurrences were still on the rise this past year, with cyberattacks increasing by 32 percent in the first three months of 2018 and by 47 percent during the April to June period. And in December alone, high-profile breaches of Dunkin', Marriott and Quora were announced within the span of a few days.

Billions of people have been affected by these hacks, and it's more likely than not that you're one of them, according to USA Today.

And it's not just corporations that are putting customers' personal information and other data at risk, but also government contractors that are sometimes entrusted with even more sensitive information about federal employees.

In light of these data breaches, the U.S. government's lead contracting agency recently announced changes to the requirements for how and when contractors are to disclose data breaches.

"The appearance of U.S. Department of Defense (DoD) visual information does not imply or constitute DoD endorsement."

GSA announces new requirement for contractors

In November, the General Services Administration proposed a rule that would mandate that the GSA and the agency being served by the government contract have access to breached contractor systems. The rule would also require contractors to preserve images of the affected systems for the purpose of government review.

An independent agency of the United States government, the GSA supplies products for government offices, provides transportation and office space for federal employees, and develops government-wide cost-effectiveness policies, along with handling other management tasks for federal agencies. Founded in 1949, the agency employs 12,000 federal employees and is now the United States government's leading contracting agency.

The GSA's proposed rule regarding breached contractor systems is not scheduled to be published until February, and will come with a comment period that closes in April.

New rule a direct response to past contractor data breaches

This new requirement is likely inspired by the overall rise in cyberattacks, as well as recent incidents in which contractors were the victims of hacks.

For example, according to Nextgov, there were two separate contractor breaches in 2014 that together exposed the background check information of approximately 73,000 government employees.

The following year, there was the much larger Office of Personnel Management breach, which exposed background checks on more than 20 million current and former federal employees, as well as their families.

A February 2018 report from cybersecurity firm BitSight concluded that 5.6 percent of aerospace and defense contractors and 8 percent of health-sector government contractors had disclosed a data breach since January 2016.

The report also found that contractor cybersecurity was generally much weaker than that of federal agencies.

Under the GSA's proposed amendments to the General Services Administration Acquisition Regulation, government contractors would need to disclose any data breach that compromises the "confidentiality, integrity, or availability" of data or information systems owned or managed on behalf of government agencies. The mandate will also outline the ways in which the U.S. government will use and protect any proprietary information that a contractor shares in the process of a breach investigation.

"By incorporating cyber incident reporting requirements into the GSAR, the GSAR will provide centralized guidance to ensure consistent application of cybersecurity principles across the organization. Integrating these requirements into the GSAR will also allow industry to provide public comments through the rulemaking process," said the GSA. 
