Contractors for the Department of Veterans Affairs will have a single hour to report security and privacy incidents after their discovery under a finalized change to departmental regulations.
A rule slated for publication in the Federal Register on Wednesday says the one-hour reporting requirement will apply to private sector entities handling “sensitive personal information.” The department, the largest civilian government agency, defines that term broadly as including data safeguarded by HIPAA, proprietary information or any information whose improper disclosure “could adversely affect the ability of VA to accomplish its mission.”
Any contractor reporting a breach under the updated VA acquisition regulations will also be liable for liquidated damages according to a formula the VA says “will be set forth in VA internal policy.” If a contractor can provide evidence of the value of the actual damages, the department may accept that amount in lieu of liquidated damages.
In a document responding to comments on the proposed rule published in November 2021, the VA downplays the burden of the one-hour reporting timeline, saying that it “is consistent with existing VA policy that all contractors must currently comply with.”
Privacy attorney David Holtzman of consulting firm HITprivacy LLC says that the Obama administration long ago issued requirements for the management of federal data systems requiring agencies and their contractors to report suspected incidents that may have resulted in the unauthorized disclosure of personally identifiable information within one hour of discovery.
What’s different about the VA’s approach is that the department is codifying the reporting requirement in its acquisition regulations, he says.
Reporting a security incident within 60 minutes of its discovery is possible, says regulatory attorney Rachel Rose.
“It is doable, but it needs to be front and center in any contracting organization’s breach notification policy and training,” she says. “The VA is emphasizing that this is material.”
The new regulation may easily turn into fodder for whistleblower lawsuits, Rose warns. “From my perspective, this could be a significant area to watch in terms of potential False Claims Act liability. Incident response is tough; however, notifying is only the first step. Some incidents are easier than others to detect and report – ransomware, for example.”
‘Incident’ vs. ‘Breach’
Privacy attorney Iliana Peters of the law firm Polsinelli says the term “security incident” as defined in the new rule refers to an event that “actually or imminently” jeopardizes the integrity, confidentiality or availability of information systems or “constitutes a violation or imminent threat of violation” of security procedures and policies.
“This is different from the definition of a breach under state or federal law,” she says. “In other words, I read the requirements as notification to the contracting officer or their representative very early on in a security incident investigation about the nature of the incident itself, not notification of a breach and all that entails.”
“While this is a very short time period, I would expect that contractors would be prepared pretty quickly to let the contracting officer know that they are undergoing, for example, a ransomware attack or a business email compromise.”