Privacy and Security Requirements for Handling Government Records Under Scrutiny
Government agencies maintain large quantities of information about individuals, covering everything from physical description to the person’s family life, property, political activity, employment history, criminal records, and health condition. In light of a recent finding that reports of information-security incidents at federal agencies have increased more than 650 percent over the past five years, it is unsurprising that data-handling requirements for government entities and contractors are a subject of ongoing concern. A roundup of recent developments:
- A recent General Services Administration (“GSA”) cloud computing procurement solicitation attempted to address data security concerns by limiting the foreign countries where vendors’ servers could be located, but this requirement was rejected on October 17 as unduly restrictive. Noting that the GSA had failed to explain its basis for differentiating between acceptable and unacceptable locations, the Government Accountability Office (“GAO”) recommended that the solicitation be revised to reflect the agency’s actual needs.
- On October 18, Sen. Daniel Akaka (D-HI) introduced the Privacy Act Modernization for the Information Age Act of 2011 to strengthen privacy protections for government records. Among other things, the bill would create a federal chief privacy officer position, update penalties for violating the Privacy Act, and establish a centralized website for information about records maintained by individual agencies.
- The Supreme Court will hear oral argument on November 30 in FAA v. Cooper, which examines whether a plaintiff can recover under the Privacy Act for nonpecuniary mental and emotional injuries. Cooper seeks to bring a claim based on mental and emotional distress he suffered after the Social Security Administration disclosed his HIV status to the Federal Aviation Administration.
- The National Institute of Standards and Technology is accepting public comments through December 2 on its draft U.S. Government Cloud Computing Technology Roadmap, which is designed to foster federal agencies’ adoption of cloud computing. One of the issues highlighted in the document is the need to ensure that government cloud services meet federal policy and regulatory requirements for security and privacy.
- Under a proposed amendment to the Federal Acquisition Regulation, government contractors who handle personally identifiable information would be required to complete privacy training upon award of the procurement and annually thereafter. Comments are due on December 13.