Federal government agencies, government-controlled corporations and some government contractors must comply with robust federal laws that govern federal agencies’ privacy and information security practices – the Privacy Act and FISMA, respectively. Now, these laws may apply to companies that accept federal government aid under the Coronavirus Aid, Relief, and Economic Security Act. The Privacy Act and FISMA may apply to companies in which the federal government takes an equity stake as part of the rescue. The CARES Act gives the government the power to take equity in such companies, and reports suggest the government will exercise that power (e.g., in rescuing the travel industry).
The thresholds for the applicability of the Privacy Act and FISMA are equity stakes that place the government in control of the company within the meaning of the two statutes. Although few cases address the meaning of “control” under the two laws, the SEC has described “control” as the power to direct the management and policies of the company. The SEC’s view on control is informative, even if it is not directly applicable to the Privacy Act and FISMA. The federal government could adopt the SEC’s view and exercise control of a company by owning voting securities or by agreement, with much less than a majority stake in the company.
The Privacy Act regulates the collection, maintenance, use and dissemination of personal information by government agencies.
Specifically, the law applies to any information about an individual that contains the individual’s name, their identifying number or symbol or some other identifying particular assigned to the individual, such as a finger or voice print or a photograph. The information could include the individual’s education details, financial transactions and medical, criminal or employment history. The requirements of the Privacy Act apply to personal information to the extent the information is part of a structured record, i.e., a record from which an individual’s information can be retrieved by the name of the individual, their identifying number or symbol or some other identifying particular assigned to the individual. The law refers to these records as “systems of records.”
With some exceptions, the Privacy Act:
- Requires public notice of systems of records
- Prohibits disclosure of personal information from systems of records without the individual’s written consent, subject to certain exceptions
- Gives individuals certain rights to access and amend records about them
- Imposes various recordkeeping requirements
Violations of the Privacy Act are subject to a private right of action. Privacy Act litigation has involved individual rights requests and allegations of improper data collection or records maintenance that adversely affected an individual.
Violations of the Privacy Act may also result in misdemeanor charges and fines of up to $5,000 for an agency employee who wrongfully discloses information about an individual or obtains an individual’s records under false pretenses.
FISMA imposes information security requirements on the processing of personal information. Specifically, agencies must develop, document and implement a comprehensive information security program.
The information security program that FISMA mandates must include:
- Periodic risk assessments
- Policies and procedures that are based on risk assessments, reducing risks and ensuring that information security is addressed throughout the life cycle of each information system
- Appropriate plans for information security for all relevant networks, facilities, information systems or groups of information systems
- Security training for personnel
- Periodic testing and evaluation of the information security policies, procedures, practices and security controls
- A process to evaluate and implement remedial actions
- An incident response plan
- An operations continuity plan
FISMA also requires agencies to prepare annual reports that evaluate the adequacy and effectiveness of their information security policies, procedures and practices, and specifically detail security incidents.
Companies that do not perform work for the federal government in the ordinary course of business may be caught flat-footed should they suddenly need to comply with the Privacy Act or FISMA. A similar rush to compliance happened in the wake of the 2008 financial crisis when companies participating in the Troubled Asset Relief Program suddenly became aware of the laws and their need to comply with them after accepting government assistance. Because of the complexity of the Privacy Act and FISMA, companies considering accepting funds from the federal government’s bailout should consider whether the government’s equity stake – if any – would be controlling, and, if it is, plan ahead to understand their compliance obligations under the Privacy Act and FISMA.