Significant Changes to Online Copyright (DMCA) Safe Harbor and DoD Contractor Cybersecurity (NIST 800-171) Requirements Take Effect at the End of This Year.

Important Change Affecting Digital Millennium Copyright Act (DMCA) Safe Harbor Becomes Effective December 31, 2017
If your business operates a website that displays or allows posting of third-party content, you should be aware of the Digital Millennium Copyright Act and possible safe harbor protections from copyright infringement liability.

What is the Digital Millennium Copyright Act?
The Digital Millennium Copyright Act (“DMCA”) provides some safe harbors from copyright infringement liability for online service providers. To qualify for safe harbor protection, certain kinds of service providers—for example, those that allow users to post or store material on their systems, search engines, directories, and other information location tools—must designate an agent to receive notifications of claimed copyright infringement. To select an agent, a service provider must do two things: (1) make sure contact information for the agent is available to the public on its website; and (2) provide the same information to the U.S. Copyright Office, which maintains a centralized online directory of designated agent contact information for public use. The service provider must also ensure that this information is up to date.

What has Changed?
As we indicated in a prior Client Advisory, in December 2016 the Copyright Office introduced an online registration system and implemented an electronically generated directory to replace the Copyright Office’s old paper-based system and directory. Accordingly, the Copyright Office no longer accepts paper designations. To designate an agent, a service provider must register with and use the Copyright Office’s online system.

What Action is Immediately Necessary?
Any service provider that has designated an agent with the Copyright Office before December 1, 2016, to maintain an active designation with the Copyright Office, must submit a new designation electronically using the online registration system by December 31, 2017. Any designation not made through the online registration system will expire and become invalid after December 31, 2017. Service providers will be required to renew their electronic designations every three years. Failure to comply with the registration requirements may result in loss of safe harbor protections and expose the service provider to statutory and other liability.

Under the new electronic system, the fee to designate a DMCA agent with the Copyright Office will drop from $105 to $6.

McNair Attorneys are Available to Provide Assistance
McNair Attorneys are available to discuss: the requirements of DMCA, safe harbors, other copyright issues, the particulars of the new electronic agent designation, how to properly notify users of your DMCA policy, and how to respond if a notice (a “take-down”) is received from a third party alleging website-related copyright violations.
------
December 31, 2017, Deadline Approaches For Defense Contractors And Suppliers To Comply With DFARS Implementation Of NIST 800-171 Security Requirements
No later than December 31, 2017, prime contractors, and their subcontractors and suppliers of all tiers, doing work under contract with the U.S. Department of Defense (DoD) are required by the DFARS to comply with National Institute of Standards and Technology (NIST) Special Publication 800-171, dealing with information security. If you directly or indirectly do business with DoD, McNair strongly urges you to immediately assess your exposure and take steps toward full compliance with this critical and extensive requirement – including more than 100 controls in 14 categories. The full text of NIST 800-171 can be accessed here. 

What is NIST 800-171?
NIST 800-171 provides minimum security and durability standards to ensure all systems that process, store, or transmit Controlled Unclassified Information(CUI) are protected (e.g., secured and hardened) in accordance and consistent with the established standards. Generally, CUI is information other than classified information that is required by law, regulation, or government policy to be safeguarded. The security policies address many aspects of physical, digital, and cybersecurity, including breach reporting and mitigation.

Who is Affected by NIST 800-171?
Anyone (individual or business/contractor) who processes, stores, or transmits information (that falls into one of many CUI categories) for or with DoD is potentially impacted. As a result of mandatory incorporation and flow down provisions of DFARS 252.204.7012, this includes all government contractual relationships, including all tiers of subcontractors and subsuppliers. The contracting officer for the specific contract is to determine and indicate in the solicitation/contract when triggering information will be provided. A mechanism is provided for the DoD CIO through the contracting officer to provide an exclusion from the requirements (on a case-by-case basis) for specific lower tier subcontractors or suppliers (the request must be made through each higher tier), but this possibility should not be relied upon as an excuse for failing to comply with the deadline. Absent such specific written exclusion, the flow down / incorporation will apply to require compliance by the lower tier party.

What are the Risks Of Non-Compliance?
Any contractor or supplier of any tier that fails to comply with the applicable DFARS could be subject to liability under existing laws and regulations. It is reasonable to expect DoD will terminate prime contractors over failure to comply with NIST 800-171 requirements and that DoD will hold the prime responsible for non-compliance by its subcontractors, regardless of tier. Civil breach of contract and negligence actions could also arise between contracting parties. A False Claims Act violation – a criminal act – might be alleged where a contractor states that it is compliant when it knows it is not.

As with many federal regulations and guides, the issues raised by and implementation of NIST 800-171 in accordance with DFARS 252.204 are complex. McNair Attorneys recommend you seek knowledgeable legal counsel if you have questions about these topics.