Federal Contractors Required to Conduct Privacy Training Under Proposed Regulations

Posted on October 15, 2011 by Joseph Lazzarotti

A Federal Acquisition Regulation proposed on October 14, 2011 (76 Fed. Reg. 63896, 10/14/11), would require federal contractors to conduct privacy training before being given access to government records or handling personally identifiable information. For many entities, training may already be called for under a federal or state law, or contract provision. However, this regulation raises the bar by effectively halting a contractor's work until the training is performed. Contractors will need to watch this regulation closely as it may affect their businesses. The public may submit comments on this regulation until Dec. 13, 2011.

Key features of the proposed regulations:

  • Contractors would be required to provide initial training and annual training for employees who either —(1) require access to a government system of records; (2) Handle personally identifiable information; or (3) Design, develop, maintain, or operate a system of records on behalf of the federal government.
  • Federal agencies are required to provide contractors the training materials unless, on
    an exception basis, the contracting officer authorizes a contractor to provide its own privacy training materials.
  • The contractor is responsible to ensure the training is completed, and must maintain documentation of the training.
  • Certain privacy clauses will need to be added to the contract between the contractor and  the government.

Training must cover at least the following seven areas:

  1. The protection of privacy, in accordance with the Privacy Act (5 U.S.C. 552a);
  2. The handling and safeguarding of personally identifiable information;
  3. The authorized and official use of government system of records;
  4. Restrictions on the use of personally-owned equipment to process, access, or store personally identifiable information;
  5. The prohibition against access by unauthorized users, and unauthorized use by authorized users, of personally identifiable information or systems of records on behalf of the Federal
    Government;
  6. Breach notification procedures i.e., procedures for notifying appropriate individuals when privacy information is lost, stolen, or compromised) and
  7. Any agency-specific privacy training requirements.
Tags: , , ,

The White House's Cybersecuirty Legislative Proposal

Posted on May 12, 2011 by Jason C. Gavejian

Today the White House issued a Cybersecurity Legislative Proposal. The proposed legislation focuses on protecting the American people, the nation’s critical infrastructure, and the federal government's computers and networks.  While legislation of this nature would simplify the breach reporting process for businesses, and overall streamline cybersecurity laws, a number of legislative attempts to do this have previously failed.  It is important to note that while this proposal sets forth some guidelines, the specific details of how each provision would be instituted are not yet clear

Our critical infrastructure – such as the electricity grid, financial sector, and transportation networks that sustain our way of life – have suffered repeated cyber intrusion, and cyber crime has increased dramatically over the law decade. The President has thus made cybersecurity an Administration priority. 

  1.  To protect the American people, the proposed legislation calls for a national data breach reporting law which would simplify and standardize the existing patchwork of 47 state laws that contain these requirements. Additionally, the proposal calls for penalties for computer criminals and clarifies the penalties for computer crimes, synchronizes them with other crimes, and sets mandatory minimums for cyber intrusions into critical infrastructure.
  2. To protect our nation’s critical infrastructure the proposal calls on legislative changes to fully protect this infrastructure. Specifically, proposal will enable the Department of Homeland Security (DHS) to quickly help a private-sector company, state, or local government when that organization asks for its help. It also clarifies the type of assistance that DHS can provide to the requesting organization.

Additionally, the proposal permits businesses, states, and local governments to share information about cyber threats or incidents with DHS. To fully address these entities’ concerns, it also provides them with immunity when sharing cybersecurity information with DHS. At the same time, the proposal mandates robust privacy oversight to ensure that the voluntarily shared information does not impinge on individual privacy and civil liberties.

Further, the proposal emphasizes transparency to help market forces ensure that critical-infrastructure operators are accountable for their cybersecurity.

Finally, the proposal requires DHS to work with industry to identify the core critical-infrastructure operators and to prioritize the most important cyber threats and vulnerabilities for those operators. Critical infrastructure operators would then take steps to address cyber threats, develop risk mitigation plans, and permit DHS to modify the processes which are implemented if they are insufficient. 

  1.  To protect federal government computers and networks the legislative proposal includes: an update to the Federal Information Security Management Act (FISMA) as well as formalizing DHS’ current role in managing cybersecurity for the Federal Government’s civilian computers and networks, in order to provide departments and agencies with a shared source of expertise; giving DHS more flexibility in hiring highly-qualified cybersecurity professionals; the permanency of DHS’s authority to oversee intrusion prevention systems for all Federal Executive Branch civilian computers while codifying strong privacy and civil liberties protections, congressional reporting requirements, and an annual certification process; and preventions on states requiring companies to build their data centers in that state, as opposed to in the cloud, except where expressly authorized by federal law.

The Administration’s proposal also attempts to ensure the protection of individuals’ privacy and civil liberties through a framework designed expressly to address the challenges of cybersecurity. Some of these provisions include: requiring federal agencies (and likely federal contractors) to follow privacy and civil liberties procedures; limitations on monitoring, collecting, using, retaining, and sharing of information; requiring efforts to remove identifying information unrelated to cybersecurity threats; as well as immunity provisions for those business which comply with the proposal’s requirements.  

As the proposal concludes: 

Our Nation is at risk… [t]he Administration has responded to Congress’ call for input on the cybersecurity legislation that our Nation needs, and we look forward to engaging with Congress as they move forward on this issue.

Tags: , , , , , , , , , , , , , , , , , , , , , , , , , , , , ,

Social Security Number Protection Act of 2010

Posted on December 23, 2010 by Jason C. Gavejian

On December 18, 2010 President Obama signed into law the Social Security Number Protection Act of 2010. The law has two key components. 

First, the law establishes that no Federal, State, or local agency may display the Social Security account number of any individuals or any derivative of such number, on any check issued for payment by said agency. 

Second, the law prohibits Federal, State, or local agencies from employing, or entering into a contract for the use or employment of, prisoners in any capacity that would allow such prisoners access to the Social Security account numbers of other individuals. 

As employers have been grappling with the recent uptick in state laws addressing safeguards for Social Security numbers, this new law tightens protections at the federal level.   Additionally, federal contractors may need to consider how this change impacts their other obligations under the Federal Information Security Management Act.

Tags: , , , , , , ,

Federal Agencies Tighten Data Security Screws on Federal Contractors

Posted on October 7, 2010 by Jason C. Gavejian

Federal contractors are subject to numerous requirements under federal law and, as we have previously highlighted here, need to keep pace with changes in law and regulation. 

Under the Federal Information Security Management Act of 2002 (FISMA) each federal agency is required to develop, document, and implement an agency-wide program to provide information security for the information and information systems that support the operations and assets of the agency, including those provided or managed by another agency, contractor, or other source. Accordingly, FISMA provides authority for the imposition of requirements on those companies which qualify as federal contractors. 

By way of example, the Centers for Medicare and Medicaid Services (CMS), as well as the Department of Veterans Affairs impose specific requirements on their contractors.   

Adding new data protection requirements for federal contractors who use or handle U.S. Department of Defense (DOD) information, the DOD earlier this year issued an advanced notice of proposed rulemaking regarding amendments, 75 F.R. 9563, to the Defense Federal Acquisition Regulation Supplement (DFARS). 

The proposed amendments require “adequate security,” defined as “protection measures … commensurate with the risks of loss, misuse, or unauthorized access to or modification of information,” and have three main subparts; basic safeguarding, enhanced safeguarding, and cyber intrusion reporting. 

Basic safeguards, required for any unclassified DOD information, include:

  • Designating  the level of access and dissemination of informationProtecting DOD information on public computer or Web sites
  • Transmitting electronic information using technology and processes that provide the best level of security and privacy
  • Transmitting voice and fax information on with reasonable assurances that access is limited
  • Protect information by at least one physical or electronic barrier
  • Sanitize media in accordance with the National Institute of Standards and Technology (NIST) before external release or disposal
  • Provide protection against computer intrusions and the unauthorized release of data. 

In addition to the basic safeguards outlined above, contractors are required to implement enhanced safeguards to certain types of data. The enhanced safeguards include:

  • Encryption/Storage controls
  • Network intrusion protection
  • Implement information security controls

Additionally, a reporting requirement has now been proposed, requiring contractors to report to the DOD within 72 hours of any cyber intrusion event that affects DOD information resident on or transiting the contractor’s unclassified information systems.

The new proposed DOD amendments, along with the various other federal contractor requirements, including those imposed by CMS and the Department of Veterans Affairs, highlight the necessity for companies that qualify as federal contractors to be up to date on their legal obligations or risk loss of their federal contractor status. 

Tags: , , , , , , , , , , , , , , , , , , , , ,

Employers Go Green: Electronic On-Boarding - Personal Information and Other Challenges

Posted on November 5, 2009 by Joseph Lazzarotti

In good and not-so-good economic times, the on-boarding process – recruiting, application, hiring and orientation – is critical for employers to attract and welcome new talent. In recent years, technology has enabled employers to perform all or a part of this process on-line, significantly increasing efficiency and reducing costs. Moving to a web-based on-boarding system, however, raises many workplace challenges and considerations, including the privacy, security and management of personal data collected in the process.

Following are some of the key challenges and considerations employers should think about when moving to electronic on-boarding:

  • Can the on-line process be the exclusive method for applying and on-boarding? Consider, for example, applicants who cannot access or view the site because of a disability.
  • Are there laws limiting the personal information that may be collected from applicants? See, for example, Utah Employment Selection Procedures Act discussed in our article and the Utah law
  • How must personal information collected during the process be safeguarded, retained, preserved, and ultimately destroyed? A recent class action was filed alleging failure to safeguard on-line job application information. 
  • Is the process subject to collective bargaining?
  • Are there special rules for government contractors? See Office of Federal Contract Compliance Programs (OFCCP) guidance
  • Are on-line consents for fitness-for-duty examinations, background checks, and drug testing valid? Can non-compete agreements be executed electronically?
  • Are there any specific issues/disclosures for public sector employees/applicants?
  • Can the I-9 verification/e-verify process be completed on-line?
  • Do the rules change for applicants from other countries?
  • If an applicant is hired, how does collected information about the person transfer accurately and securely for benefit plan enrollment, payroll, personnel, and other purposes?
  • Has the on-boarding vendor been vetted and shown capable of safeguarding personal data and preserving the integrity of that data? Where is data stored by the vendor? Are appropriate contract provisions in place?
  • Can benefit plan enrollment forms be completed on-line?
  • Can handbooks and benefit plan documents be provided on-line as part of the on-boarding process? See ERISA electronic disclosure regulations.

Employers implementing an electronic on-boarding process will certainly realize significant savings of time and money. However, those savings can be short-lived if the on-line process is not designed to address the risks inherent in the new medium.
 

Tags: , , , , , ,