Recent news reports have detailed the potential of new leaks ofhighly sensitive government data. What are the implications on thegovernment contractor?

Advancements in leveraged technologies over the past severaldecades have accelerated the federal government’s outsourcing ofcritical services to the private sector believing that partneringwith private sector firms offers tremendous value and operationalefficiency. Privatization—defined here as the use of private-sectorfirms to assist the federal (and state) government, and itsagencies, in the advancement and fulfilment of goods andservices—has been in existence since the formation of the U.S.government in 1789. Today, U.S. government contractors areinextricably linked to the federal government, its agencies, andthe constituents which they collectively serve.

With this linkage, private sector companies find themselvesentrusted with access to highly sensitive data and information,which is needed to perform the services or provide the productsdetailed within the specifications of the contract. Even incircumstances where the original information is not sensitive orclassified, government contractors are at risk of innocentlytransforming data into classified or sensitive materials bybringing together bulk data into aggregated sets.

In today’s digital world, this dynamic creates new risks forcontractors to manage. Unauthorized access or release of protecteddata and information by rogue employees, criminals, nation states,and terrorist organizations has emerged as a top threat tocontractors over the past several years.

Contractors are, therefore, continuously challenged to reviewthe types of data that they store and contemplate the implicationsof aggregating such data and the necessary refinements to securityand access controls for users/employees for the various data theycontrol. We can point to several examples, recently made public,where breaches of confidential (protected) information andunintended consequences associated with data aggregation, haveadversely affected and complicated long-standing relationshipsbetween contractors and their federal government and/or agencyclients.

Not only do these matters create the potential for financialloss to the organization, they also create management liabilityrisk for those in the boardroom and executive suite. This newreality calls into question the importance of quality insuranceprotection for not only the organization, but also its directorsand officers, particularly in the government-contracting space,where the nature of sensitive work for the federal governmentcreates heightened regulatory and shareholder risk.

The requirement of the government contractor to maintain thesecurity of this highly sensitive information is critical and couldbe devastating to the continuing status of current contracts andthe likelihood of winning future contracts in the event of asecurity breach.

The disclosure of sensitive data by a government contractor canoccur in a broad variety of ways including:

• A network security breach.
• Improper disclosure by an individual who is authorised to dealwith such data.
• Leakage or theft of information by employees (temporary orpermanent).
• Failure with regard to a secure destruction policy.
• Accidental loss of paper records or electronic devices.
• The intentional leaking of sensitive government information byemployees has had a significant impact on some governmentcontractors and will continue to grow as an exposure. Employees aregranted varying levels of access to government systems thatincreases the risk to a government contractor that their employeescould steal or improperly access data. Protecting against thisexposure is imperative to government contractors.

However an unauthorized disclosure arises, there are a number ofways in which a contractor could be adversely impacted,including:

• A third-party lawsuit.
• Regulatory actions and penalties.
• Liquidated damage losses, for example, where dealing withveterans’ protected health information.
• Direct, first-party, financial impact relative to the immediatesuspension, cancellation, or nonrenewal of the governmentcontract.
• Reputational harm, or impact to revenues due to adverse mediacoverage, across nongovernment-related services and products.
• The contractor’s traditional E&O coverage will respond tosome of these exposures, but the direct first-party harm resultingfrom loss of revenue attributable to these contracts is potentiallythe most catastrophic aspect of a security breach and is notaddressed by the traditional E&O and cyber programs.

Government contractors can get comprehensive help to deal withfirst- and third-party risks in protecting sensitive andconfidential information. When administered properly, aconsultative approach incorporating a broad assessment of anypotential loss of revenue, including costs that may be incurred toresolve disputes with the government, will yield high valueprotection against the adverse financial consequences of securitybreaches and contractual violations of protected data. Addressingthese unique coverage areas and customizing solutions surroundingthe exposures is imperative to the delivery of maximumeffectiveness and efficiency for clients.

Lockton has invested in resources and tools to facilitate arobust consultative approach which includes preunderwriting, riskidentification, and risk quantification. Our dedicatedpractitioners are skilled leading the client-facing dialogue anddeveloping customized solutions to address the unique myriad ofrisks facing government contractors.

Ryan Gibney, Assistant Vice President Account Executive,202.414.2682, [email protected]

Cliff White, Senior Vice President Global Technology andPrivacy Practice, 011.44.207.933.2704,[email protected]