In January 2017, an amendment to the Federal Acquisition Regulation ("FAR") took effect that requires privacy training for federal government contractors whose employees handle personal information. The rule implements the Privacy Act of 1974, 5 U.S.C. § 552a, which governs how federal agencies collect, maintain, use, and disseminate information about individuals that is maintained in their systems of records. The regulations offer some useful lessons for private companies seeking to avoid data breaches. See FAR Subpart 24.3, at 24.301.
Avoiding Data Breaches: Training is Needed
The first lesson from the regulations is that training of employees is necessary.
The second lesson is that training must be done regularly; the regulations require it annually. That is not surprising given how quickly both hardware and software change. As quickly as defenses against one piece of malware are built, new malware appears, and as quickly as one vulnerability is patched, attackers find another way in.
When Must Employees be Trained?
All covered employees must complete the training up front, before they are given access to a system of records or begin handling personally identifiable information, and then again at least annually.
Who Must be Trained?
This is one of the more interesting aspects of the regulations. FAR 24.301 requires contractors to train three categories of contractor employees:
- Those with access to a "system of records," meaning a group of records from which information is retrieved by an individual's name or by an identifying number, symbol, or other particular assigned to that individual
- Those who design, develop, maintain, and operate a “system of records”
- Those who create, collect, use, process, store, maintain, disseminate, disclose, dispose of, or otherwise handle personally identifiable information (information that can be used to distinguish or trace an individual's identity, alone or when combined with other information)
The government contracting officer is required to insert the privacy-training clause in solicitations and contracts when any contractor employees will have access to, or will design, develop, maintain, or operate a system of records, or when contractor employees will handle personally identifiable information.
What Does the Training Cover?
The regulations require contractors to cover certain topics with respect to how this personal information should be handled and safeguarded. The following elements are required:
- Restrictions on using unauthorized equipment to create, collect, process, store, disseminate, or dispose of personal information
- Confidentiality rules: what counts as authorized and official use of a system of records or of any other personal information
- Unauthorized use: access by unauthorized users, and unauthorized use by authorized users, are both prohibited
- How to properly handle and safeguard personally identifiable information
- The Privacy Act of 1974 and its role, including the civil and criminal penalties for violations
- Procedures to follow in the event of a suspected or confirmed breach
Lessons for Private Sector Companies
Private-sector companies can glean several lessons from FAR 24.301 about avoiding data breaches.
For businesses themselves, the first lesson, as noted, is that training is necessary and must be repeated regularly. Moreover, the definitions of who must be trained contemplate a very extensive training regime. We have written before that employees are often the first to identify a data breach. Training is mandated for anyone who has access to, or who designs, develops, maintains, or operates, a system of records, and for anyone who handles personally identifiable information.
This suggests either company-wide training, or designing the systems of records so that access is limited and segregated on a least-privilege basis, which both reduces the number of employees who need training and limits how much data any one compromised account can reach.
Just as importantly, private-sector companies concerned about data breaches should strongly consider adding this type of training provision to vendor contracts and to any other contracts with third parties who will have access to your systems of records or who will handle the personally identifiable information your company collects, holds, and controls. Indeed, this may be necessary: if the government requires privacy training for its contractors, shouldn't your business? As we discussed recently with respect to FTC v. Wyndham Worldwide Corp., 799 F.3d 236 (3d Cir. 2015), the Federal Trade Commission charged Wyndham in part because it failed to adequately restrict third-party vendors' access to its servers and failed to limit that access to only the portions of the network the vendors needed. Wyndham suffered several data breaches in which hackers stole personal and financial information for hundreds of thousands of consumers and ran up more than $10.6 million in fraudulent charges. The FTC and Wyndham eventually settled.
What Should You Do?
- Review: Review company policies and procedures to ensure that training is provided to the full range of employees who have access to, use, or handle private information
- Audit: For larger companies, audit exactly which employees have access to personal information, to what extent, and who actually uses and handles it
- Rewrite job descriptions: To the extent necessary, review and rewrite job duties and descriptions to consolidate access to and handling of private information in fewer roles
- Review privacy procedures and policies: Confirm compliance and add a training regimen
- Implement a training program covering the elements listed above, delivered before access is granted and repeated annually
- Review vendor contracts: Insert privacy training provisions if any vendor employees will have access to, or will design, develop, maintain, or operate, a system of records, or will handle personally identifiable information, and require the same training of subcontractors
- Review independent contractor and consulting agreements for the same reasons
- Keep good records: Knowing who had access, and when, helps with breach containment and remediation; good records also help convince regulators that your business was diligent and will be essential in any litigation that follows a data breach
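The audit and record-keeping steps above can be made concrete. The following Python script is an added example written for this page; it is not code from Revision Legal or anything the FAR prescribes. It assumes a constructed inventory of people (your own employees and vendor staff), the systems of records each can read, whether they operate such a system or otherwise handle PII, and the date of their most recent privacy training, and it reads "annual" as a 365-day window. It reports who falls into one of the three FAR 24.301 categories but has never been trained or is overdue, and it produces the access footprint (which system, which people) that the record-keeping step calls for.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, FrozenSet, List, Optional, Tuple

# Assumption: "annual" is read as a 365-day window; use whatever interval your policy sets.
TRAINING_INTERVAL = timedelta(days=365)


@dataclass(frozen=True)
class Person:
    name: str
    employer: str                   # your company, or a vendor / subcontractor
    sor_access: FrozenSet[str]      # systems of records this person can read
    sor_operator: bool              # designs, develops, maintains, or operates a system of records
    handles_pii: bool               # creates, collects, stores, disposes of ... PII, even outside a SoR
    last_training: Optional[date]   # most recent completed privacy training, None if never


def in_scope(p: Person) -> bool:
    """True if the person falls into any of the three FAR 24.301 training categories."""
    return bool(p.sor_access) or p.sor_operator or p.handles_pii


def training_status(p: Person, today: date) -> str:
    """Classify one person as not-in-scope, untrained, expired, or current."""
    if not in_scope(p):
        return "not-in-scope"
    if p.last_training is None:
        return "untrained"
    if today - p.last_training > TRAINING_INTERVAL:
        return "expired"
    return "current"


def audit(people: List[Person], today: date) -> Tuple[List[Tuple[str, str, str]], Dict[str, List[str]]]:
    """Return (findings, footprint).

    findings:  (name, employer, status) for everyone who must be trained now, sorted by name
    footprint: system of records -> sorted names of everyone who can read it
    """
    findings: List[Tuple[str, str, str]] = []
    footprint: Dict[str, List[str]] = {}
    for p in people:
        status = training_status(p, today)
        if status in ("untrained", "expired"):
            findings.append((p.name, p.employer, status))
        for system in p.sor_access:
            footprint.setdefault(system, []).append(p.name)
    for names in footprint.values():
        names.sort()
    return sorted(findings), footprint


# Constructed sample inventory and reference date (not real data).
TODAY = date(2017, 6, 1)
SAMPLE = [
    Person("alice", "Acme", frozenset({"CRM"}), False, False, date(2017, 5, 2)),        # trained 30 days ago
    Person("bob", "Acme", frozenset(), True, False, None),                               # operates a SoR, never trained
    Person("carol", "VendorCo", frozenset({"CRM", "HR"}), False, False, date(2016, 4, 1)),  # vendor, trained 426 days ago
    Person("dave", "Acme", frozenset(), False, False, None),                             # no access, no PII: out of scope
    Person("erin", "Acme", frozenset(), False, True, date(2016, 11, 15)),                # handles PII, trained 198 days ago
]

if __name__ == "__main__":
    findings, footprint = audit(SAMPLE, TODAY)
    for name, employer, status in findings:
        print(f"{status:10} {name} ({employer})")
    for system, names in sorted(footprint.items()):
        print(f"{system}: {', '.join(names)}")
```

Run against the sample, the script flags bob (operates a system of records but was never trained) and carol (a vendor employee whose training lapsed), and shows that two people can read CRM while only carol can read HR. Feeding it your real HR roster and access-control exports turns the "Audit" and "Keep good records" steps into a report you can re-run before each annual cycle.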
It cannot be emphasized enough that businesses need to follow best practices and be aware of data breach notification laws in both the US and the EU. Data breaches are costly: lost business from eroded consumer confidence, required notifications, litigation, and the expense of responding to government investigators.
Contact Revision Legal Today
If you have questions or need more information about your legal responsibilities related to cybersecurity, contact the data breach lawyers at Revision Legal. Preventing data breaches is both advisable and cost-effective, and it calls for an experienced and dedicated legal team. Call or write Revision Legal today. We can be reached by email or by calling us at 855-473-8474.