The nation collectively gasped last week when the media reported that the IRS awarded Equifax a $7.25 million sole source contract to “verify taxpayer identities and help prevent fraud.”
Yes, that Equifax. The same company that suffered a colossal security breach that likely exposed the personally identifiable information of over 145 million Americans.
The IRS claims that it had to award the “tax fraud prevention contract” to Equifax, which held the previous contract, because it was set to expire on September 29th, and Equifax’s protest of the new contract award (to Experian) would not be decided until October 16th.
The IRS has explained that its hands were tied because it would either have to stop service (and shut down all online access to taxpayer accounts) or “do a bridge contract with Equifax until GAO decides on the protests and we move forward.”
GAO has correctly disputed this rationale, noting that the IRS could have allowed Experian to begin work on the contract if the agency determined that it was “in the best interest of the United States,” or there were “urgent and compelling circumstances that significantly affect interests of the U.S.”
As GAO spokesman Chuck Young explained, “Congress gave agencies, like IRS in this case, the tools to move forward under appropriate situations. They appear to be electing not to use it.”
Lawmakers are incensed by this award, and at least one — Senator Sherrod Brown — has called for Equifax’s debarment. Senator Brown has asked the Treasury Department to debar Equifax because its “negligent security practices” allowed its system to be breached. He also faults the company for failing to notify regulators and the public about the breach until weeks after it was discovered.
Citing to FAR 9.406-2(c), Senator Brown notes that a debarring official may debar “[a] contractor or subcontractor based on any other cause of so serious or compelling a nature that it affects the present responsibility of the contractor or subcontractor.” Brown argues that Equifax’s actions – before and after the breach – meet this standard.
At first glance, Senator Brown makes a pretty compelling argument. Equifax’s security protocols were, at best, negligent and its handling of the matter post-discovery has been abysmal. There is little information in the public domain that provides a sense of comfort regarding the company’s security practices.
But does this warrant debarment? If the U.S. Government’s discretionary debarment process were a sanctioning mechanism used to punish malfeasance, debarment would be a very enticing tool. However, as I have noted several times on the FCPA Blog (e.g., here and here), debarment is not a form of punishment and it’s illegal to treat it as such.
Instead, debarment is a means to protect the government from corrupt, untrustworthy, irresponsible or simply incompetent contractors. When a Suspension & Debarment Official (SDO) looks at a contractor like Equifax, he or she not only considers the company’s misdeeds, but the proactive steps the company has taken since the incident to mitigate the problems and prevent future transgressions from occurring. This is a two-step analysis that an SDO must undertake to comply with the law — he or she cannot simply base a debarment decision on the company’s misconduct.
Although Senator Brown’s letter acknowledges that an SDO must consider the FAR’s “mitigating factors” (a marked improvement over past calls by members of Congress to debar certain contractors), his application of the factors is rather incomplete. Indeed, given the information in the public domain, it would be difficult for most individuals to conduct a thorough analysis of the factors.
If the Treasury Department (or some other agency) decides to look into Equifax’s “present responsibility,” it will have far more information to consider when conducting the full debarment analysis. And that thorough analysis should provide clarity as to whether Equifax poses an ongoing threat to taxpayer dollars.
Although the idea of cutting off Equifax’s government revenue streams sounds pretty good to the millions of Americans impacted by the breach, debarment isn’t necessarily the answer.