Data Breaches Spotlight Need for Greater Contractor Oversight by Congress

Americans are once again reading about another massive data breach that affects their privacy. This week, Capital One went public with a credit file breach affecting more than 100 million Americans and six million Canadians. Equifax recently agreed to pay $575 million of the fine it received from the Federal Trade Commission for a 2017 data breach. Perceptics, a Customs and Border Patrol (CBP) contractor, has also been in the news lately for a cybersecurity breach that led to its suspension from receiving any new federal government contracts.

Before Perceptics’ breach was disclosed last month, little was known about this subcontractor working to secure the border as part of a $230 million package. The hack revealed the company stored photos and license plate data of drivers in violation of its contract with CBP. Last week, United States Border Patrol chief Carla Provost testified before the House Appropriations subcommittee regarding oversight of her agency and admitted the agency had no idea how far the hack went. Since contractors performing work for the government are not subject to public records laws such as the Freedom of Information Act (FOIA), we may never know the full extent of the damage.

Only after the breached data was published online by hackers did Congress and members of the public learn more about the massive surveillance apparatus being deployed at the border. The public now knows that at the same time that Perceptics was lobbying Congress to downplay privacy concerns about license plate reader technology, it was also improperly storing travel information on its private servers while lobbying New York City to build travel profiles based on their data.

“One of the things a data breach of this size tells us is that huge troves of data about public business is sitting on private servers. Perceptics knows these systems and who they are working with but the public would have to play Battleship to find out who their clients are,” according to Dave Maas, a senior investigative researcher at the Electronic Frontier Foundation, an Open The Government coalition partner. Maas pointed to the numerous non-disclosure agreements that appear in the leaked data as further proof of the entrenched secrecy in these contracts.

For the most part, the federal government does not require companies to disclose when they have been hacked or lose customer data. This prevents regulatory agencies from providing critical oversight when personal information is lost by careless contractors. Indeed, a recent report by the Inspector General at the Department of Defense found “The DoD does not know the amount of DoD information managed by contractors and cannot determine whether contractors are protecting unclassified DoD information from unauthorized disclosure.” The report further acknowledged both the DoD and contractors were unable to protect internal systems from cybersecurity threats.

When government relies on private technology companies to perform critical functions that affect the public, Americans cannot use records laws to glean information about these contractors’ practices. A recent Supreme Court ruling will further impair the public’s ability to learn about the inner workings of government and the companies it does business with, unless it is countered by effective legislation such as the new Open and Responsive Government Act of 2019. Congress needs to provide stronger oversight of agencies’ use of private contractors and ensure these private businesses are subject to FOIA in the same manner as federal entities.