In the TRICARE breach, unencrypted computer backup tapes containing information on 4.9 million beneficiaries were stolen from the car of an employee of a contractor, Science Applications International Corp. A $4.9 billion class action lawsuit, alleging privacy violations, has been filed in the case.
The proposed rule would amend the Federal Acquisition Regulation "to require contractors to complete training that addresses the protection of privacy, in accordance with the Privacy Act of 1974, and the handling and safeguarding of personally identifiable information."
Minimum Requirements Spelled Out
The intention of the proposal, according to the notice, is to set clear-cut, minimum requirements for privacy training "in order to ensure consistency across the government." The General Services Administration and the National Aeronautics and Space Administration joined the DoD in making the proposal, which reinforces other existing requirements.
The training provided, according to the proposal, must cover:
- The handling and safeguarding of personally identifiable information;
- The authorized and official use of a government system of records;
- Restrictions on the use of personally owned equipment to process, access or store personally identifiable information;
- The prohibition against access by unauthorized users;
- Breach notification procedures;
- Any agency-specific training requirements.