Recent news reports have detailed the potential for new leaks of highly sensitive government data. What are the implications for the government contractor?
Advancements in leveraged technologies over the past several decades have accelerated the federal government’s outsourcing of critical services to the private sector, in the belief that partnering with private sector firms offers tremendous value and operational efficiency. Privatization—defined here as the use of private-sector firms to assist the federal (and state) government, and its agencies, in the advancement and fulfilment of goods and services—has been in existence since the formation of the U.S. government in 1789. Today, U.S. government contractors are inextricably linked to the federal government, its agencies, and the constituents which they collectively serve.
With this linkage, private sector companies find themselves entrusted with access to highly sensitive data and information, which is needed to perform the services or provide the products detailed within the specifications of the contract. Even in circumstances where the original information is not sensitive or classified, government contractors are at risk of innocently transforming data into classified or sensitive materials by bringing together bulk data into aggregated sets.
In today’s digital world, this dynamic creates new risks for contractors to manage. Unauthorized access or release of protected data and information by rogue employees, criminals, nation states, and terrorist organizations has emerged as a top threat to contractors over the past several years.
Contractors are, therefore, continuously challenged to review the types of data that they store and to contemplate both the implications of aggregating such data and the necessary refinements to security and access controls for users/employees across the various data they control. We can point to several examples, recently made public, where breaches of confidential (protected) information and unintended consequences associated with data aggregation have adversely affected and complicated long-standing relationships between contractors and their federal government and/or agency clients.
Not only do these matters create the potential for financial loss to the organization, they also create management liability risk for those in the boardroom and executive suite. This new reality calls into question the importance of quality insurance protection for not only the organization, but also its directors and officers, particularly in the government-contracting space, where the nature of sensitive work for the federal government creates heightened regulatory and shareholder risk.
The government contractor’s obligation to maintain the security of this highly sensitive information is critical; a security breach could be devastating to the continuing status of current contracts and to the likelihood of winning future contracts.
The disclosure of sensitive data by a government contractor can occur in a broad variety of ways including:
- A network security breach.
- Improper disclosure by an individual who is authorised to deal with such data.
- Leakage or theft of information by employees (temporary or permanent).
- Failure with regard to a secure destruction policy.
- Accidental loss of paper records or electronic devices.

The intentional leaking of sensitive government information by employees has had a significant impact on some government contractors and will continue to grow as an exposure. Employees are granted varying levels of access to government systems, which increases the risk to a government contractor that its employees could steal or improperly access data. Protecting against this exposure is imperative to government contractors.
However an unauthorized disclosure arises, there are a number of ways in which a contractor could be adversely impacted, including:
- A third-party lawsuit.
- Regulatory actions and penalties.
- Liquidated damage losses, for example, when dealing with veterans’ protected health information.
- Direct, first-party, financial impact relative to the immediate suspension, cancellation, or nonrenewal of the government contract.
- Reputational harm, or impact to revenues due to adverse media coverage, across nongovernment-related services and products.

The contractor’s traditional E&O coverage will respond to some of these exposures, but the direct first-party harm resulting from loss of revenue attributable to these contracts is potentially the most catastrophic aspect of a security breach and is not addressed by the traditional E&O and cyber programs.
Government contractors can get comprehensive help to deal with first- and third-party risks in protecting sensitive and confidential information. When administered properly, a consultative approach incorporating a broad assessment of any potential loss of revenue, including costs that may be incurred to resolve disputes with the government, will yield high value protection against the adverse financial consequences of security breaches and contractual violations of protected data. Addressing these unique coverage areas and customizing solutions surrounding the exposures is imperative to the delivery of maximum effectiveness and efficiency for clients.
Lockton has invested in resources and tools to facilitate a robust consultative approach, which includes preunderwriting, risk identification, and risk quantification. Our dedicated practitioners are skilled at leading the client-facing dialogue and developing customized solutions to address the unique myriad of risks facing government contractors.
Ryan Gibney, Assistant Vice President Account Executive, 202.414.2682, rgibney@lockton.com
Cliff White, Senior Vice President Global Technology and Privacy Practice, 011.44.207.933.2704, cliff.white@uk.lockton.com