GAO finds contractors have inappropriate access to private data

The White House should include nondisclosure agreements in the Federal Acquisition Regulations restricting vendors from releasing sensitive data.

Federal watchdogs have found that current governmentwide contracting policies give vendors inappropriate access to sensitive government data, and they recommend the White House instruct agencies to require vendors to sign nondisclosure agreements.

Nearly half the federal contracts the Government Accountability Office reviewed did not protect "all relevant types of sensitive information that contractors may have had access to through the program offices they support. In the absence of such safeguards, there is higher risk of unauthorized disclosure or misuse of sensitive information by contractors," the GAO report issued on Sept. 10 stated.

Sensitive information refers to material that, if exposed, would compromise personal and medical privacy, national security, law enforcement, proprietary commercial rights or agency operations.

Auditors cited recent high-profile incidents in which contract employees at the State Department broke into the passport records of three 2008 presidential candidates, and in which one contract employee stole the names, Social Security numbers and birthdates of government employees at the Transportation Security Administration in Boston. The study spanned nearly a year and a half, from May 2009 to September 2010.

GAO officials advised the White House to include nondisclosure agreements in pending changes to the Federal Acquisition Regulations, which are governmentwide procedures for procuring services and supplies. Nondisclosure agreements typically set forth restrictions on releasing confidential information to third parties.

The report focused on vendor agreements at the Defense, Health and Human Services, and Homeland Security departments because the three extensively rely on contractors. Of the 42 contracts GAO examined, 19 did not include riders to protect against unauthorized misuse and disclosure of every category of sensitive information.

In addition, Defense and HHS policies supplementing the FAR lacked guidance on nondisclosure agreements. Officials at DHS, which uses a standard nondisclosure form departmentwide, told auditors nondisclosure agreements have helped hold contractors accountable for properly handling government data because the clauses remind them of the consequences for breaches.

GAO officials advised the Office of Federal Procurement Policy to ensure any changes to the FAR include instructions on the use of nondisclosure agreements as a condition of access to sensitive information.

They also proposed OFPP make sure the new rules require companies to promptly notify agency officials if a contract employee releases or misuses sensitive information. Such a stipulation is not included in the FAR or the supplemental rules at Defense, HHS and DHS.

OFPP and DHS officials generally agreed with the report. Defense officials responded to a draft report with technical comments that were incorporated into the final version. HHS did not have comments, according to GAO officials.