Jessica Tillipman on Equifax: Should it be debarred? Not necessarily

The nation collectively gasped last week when the media reported that the IRS awarded Equifax a $7.25 million sole source contract to “verify taxpayer identities and help prevent fraud.”

Yes, that Equifax. The same company that suffered a colossal security breach that likely exposed the personally identifiable information of over 145 million Americans.

The IRS claims that it had to award the “tax fraud prevention contract” to Equifax, which held the previous contract, because it was set to expire on September 29th, and Equifax’s protest of the new contract award (to Experian) would not be decided until October 16th.  

The IRS has explained that its hands were tied because it would either have to stop service (and shut down all online access to taxpayer accounts) or “do a bridge contract with Equifax until GAO decides on the protests and we move forward.”

GAO has correctly disputed this rationale, noting that the IRS could have allowed Experian to begin work on the contract if the agency determined that it was “in the best interest of the United States,” or there were “urgent and compelling circumstances that significantly affect interests of the U.S.”

As GAO spokesman Chuck Young explained, “Congress gave agencies, like IRS in this case, the tools to move forward under appropriate situations. They appear to be electing not to use it.”

Lawmakers are incensed by this award, and at least one — Senator Sherrod Brown — has called for Equifax’s debarment. Senator Brown has asked the Treasury Department to debar Equifax because its “negligent security practices” allowed its system to be breached. He also faults the company for failing to notify regulators and the public about the breach until weeks after it was discovered.

Citing FAR 9.406-2(c), Senator Brown notes that a debarring official may debar “[a] contractor or subcontractor based on any other cause of so serious or compelling a nature that it affects the present responsibility of the contractor or subcontractor.” Brown argues that Equifax’s actions – before and after the breach – meet this standard.

At first glance, Senator Brown makes a pretty compelling argument. Equifax’s security protocols were, at best, negligent and its handling of the matter post-discovery has been abysmal. There is little information in the public domain that provides a sense of comfort regarding the company’s security practices.

But does this warrant debarment? If the U.S. Government’s discretionary debarment process were a sanctioning mechanism used to punish malfeasance, debarment would be a very enticing tool. However, as I have noted several times on the FCPA Blog (e.g., here and here), debarment is not a form of punishment and it’s illegal to treat it as such.

Instead, debarment is a means to protect the government from corrupt, untrustworthy, irresponsible or simply incompetent contractors. When a Suspension & Debarment Official (SDO) looks at a contractor like Equifax, he or she not only considers the company’s misdeeds, but the proactive steps the company has taken since the incident to mitigate the problems and prevent future transgressions from occurring. This is a two-step analysis that an SDO must undertake to comply with the law — he or she cannot simply base a debarment decision on the company’s misconduct.

Although Senator Brown’s letter acknowledges that an SDO must consider the FAR’s “mitigating factors” (a marked improvement over past calls by members of Congress to debar certain contractors), his application of the factors is rather incomplete. Indeed, given the information in the public domain, it would be difficult for most individuals to conduct a thorough analysis of the factors.

If the Treasury Department (or some other agency) decides to look into Equifax’s “present responsibility,” it will have far more information to consider when conducting the full debarment analysis. And that thorough analysis should provide clarity as to whether Equifax poses an ongoing threat to taxpayer dollars.

Although the idea of cutting off Equifax’s government revenue streams sounds pretty good to the millions of Americans impacted by the breach, debarment isn’t necessarily the answer.

_____

Jessica Tillipman is a Senior Editor of the FCPA Blog and Assistant Dean at The George Washington University Law School. You can follow her on Twitter at @jtillipman

2 Comments

  1. Excuse me? But I say HELL YES they should be debarred! Because of their actions and the other 2 two years ago, when I had identity theft, and sh*t wasn't done about it! My credit score is in the toilet and do they care? Hell No! All they want to do is sell you credit information to companies to make a profit, they don't care about untrue negative marks on your credit score, and when you file letters of dispute, there's no guarantee that they will remove the negative marks. The worse a consumer's credit score is, the better for the 3 credit monitoring companies. I do know how the credit "GAME" works, and now I can't even get a free meal, let alone a small business loan now. If consumers are liable for their credit actions and choices, so should the credit monitoring agencies be held accountable for their F' Up's just the same, not held to better than others standards, or double standards.

  2. Debarment IS an appropriate outcome in this case, not because they are uncaring profiteers, which they may be, but because they had a very high responsibility in having access to so much personal information and they failed in every respect. If they were window cleaners, I might see the point in giving them a second chance if they improved their practices but in this case, let Equifax prove themselves in the private sector before giving them another mandate in the public domain.