Agencies propose privacy training in wake of TRICARE data theft

Draft rule requiring all contractors to brush up on handling sensitive information in many cases codifies policies already in place.

The Defense Department, General Services Administration and NASA released a proposed regulation Friday requiring all contractors that handle federal records containing personally identifiable information to complete privacy training.

The proposed regulation comes just one month after defense contractor Science Applications International Corp. reported the theft of a computer tape containing the health records of 4.9 million TRICARE beneficiaries from an employee's car, and four days after the filing of a class action lawsuit asking Defense to pay $4.9 billion in damages from that theft.

The new rule would, in many cases, codify already existing privacy training practices governmentwide. TRICARE, the Army, Navy, Air Force and the Veterans Affairs Department already require contractors to take privacy training.

The Navy, which mandated privacy training in a December 2008 message, emphasized such coaching was necessary because "virtually all" the breaches of personally identifiable information in the service were the result of "carelessness and human error."

Training is "foundational" to the protection of personal information, the Navy message said.

Friday's Federal Register notice would add a new section to the Federal Acquisition Regulation that would preclude any contractor employees from accessing federal records, databases or information systems containing personally identifiable information unless they complete training. In most cases instruction would be provided by the agency the contractor supports.

Topics covered by this training, the proposed regulation said, should include:

--Handling and safeguarding personally identifiable information;

--Authorized and official use of a government system of records;

--Restrictions on the use of personally owned equipment to process, access or store personally identifiable information;

--The prohibition against access to personally identifiable information by unauthorized users, and inappropriate handling of such information by authorized users;

--Breach notification procedures.

Defense, GSA and NASA said record-keeping requirements for the proposed rule are minimal, and they will request a contractor's training records only if they have a particular reason to check on that company's compliance. Comments on the proposed privacy training regulation are due to the Office of Management and Budget or GSA by Dec. 13, and can be submitted through Regulations.gov.
