VA 852.211-76 Liquidated Damages—Reimbursement for Data Breach Costs Alt I (Feb 2023) (Current)

As prescribed in 811.503-70, insert the clause at 852.211-76, Liquidated Damages—Reimbursement for Data Breach Costs, in all solicitations, contracts, or orders, where VA requires access to sensitive personal information for the performance of a Department function where—

(1) Sensitive personal information (see the definition in 802.101) will be created, received, maintained, or transmitted, or that will be stored, generated, accessed, or exchanged such as protected health information (PHI) or utilized by a contractor, subcontractor, business associate, or an employee of one of these entities; or,

(2) When VA information systems will be designed or developed at non-VA facilities where such sensitive personal information is required to be created, received, maintained, or transmitted, or that will be stored, generated, accessed, exchanged, processed, or utilized.

(b) Insert the clause at 852.211-76 with its Alternate I in all solicitations, contracts, or orders, for commercial products or commercial services acquisitions awarded under the procedures of FAR part 8 or 12.

(c) Insert the clause at 852.211-76 with its Alternate II, in all solicitations, contracts, or orders, in simplified acquisitions exceeding the micro-purchase threshold that are for other than commercial products or commercial services awarded under the procedures of FAR part 13 (see FAR 13.302-5(d)(1) and the clause at FAR 52.213-4).

Liquidated Damages—Reimbursement for Data Breach Costs (FEB 2023) Alternate I (FEB 2023)

(a) Definition. As used in this clause, “contract” means any contract, agreement, order or other instrument and encompasses the definition set forth in FAR 2.101.

(b) Non-disclosure requirements. As a condition of performance under a contract, order, agreement, or other instrument that requires access to sensitive personal information as defined in VAAR 802.101, the following is expressly required—

        (1) The Contractor, subcontractor, their employees or business associates shall not, directly or through an affiliate or employee of the Contractor, subcontractor, or business associate, disclose sensitive personal information to any other person unless the disclosure is lawful and is expressly permitted under the contract; and

        (2) The Contractor, subcontractor, their employees or business associates shall immediately notify the Contracting Officer and the Contracting Officer's Representative (COR) of any security incident that occurs involving sensitive personal information.

(c) Liquidated damages. If the Contractor or any of its agents fails to protect VA sensitive personal information or otherwise engages in conduct which results in a data breach, the Contractor shall, in place of actual damages, pay to the Government liquidated damages of __ [Contracting Officer insert amount] per affected individual in order to cover costs related to the notification, data breach analysis and credit monitoring. In the event the Contractor provides payment of actual damages in an amount determined to be adequate by the Contracting Officer, the Contracting Officer may forgo collection of liquidated damages.

(d) Purpose of liquidated damages. Based on the results from VA's determination that there was a data breach caused by Contractor's or any of its agents' failure to protect or otherwise engaging in conduct to cause a data breach of VA sensitive personal information, and as directed by the Contracting Officer, the Contractor shall be responsible for paying to the VA liquidated damages in the amount of __ [Contracting Officer insert amount] per affected individual to cover the cost of the following:

        (1) Notification related costs.

        (2) Credit monitoring reports.

        (3) Data breach analysis and impact.

        (4) Fraud alerts.

        (5) Identity theft insurance.

(e) Relationship to termination clause, if applicable. If the Government terminates this contract in whole or in part under the Termination for cause paragraph, FAR 52.212-4(m), Contract Terms and Conditions—Commercial Products and Commercial Services, the Contractor is liable for damages accruing until the Government reasonably obtains delivery or performance of similar supplies or services. These damages are in addition to costs of repurchase as may be required under the Termination clause.

(End of clause)


52.204-2 Security Requirements.

52.204-27 Prohibition on a ByteDance Covered Application.

52.204-28 Federal Acquisition Supply Chain Security Act Orders-Federal Supply Schedules, Governmentwide Acquisition Contracts, and Multi-Agency Contracts.

52.204-29 Federal Acquisition Supply Chain Security Act Orders-Representation and Disclosures.

252.204-7004 Antiterrorism Awareness Training for Contractors.

252.204-7017 Prohibition on the Acquisition of Covered Defense Telecommunications Equipment or Services—Representation.

5252.204-9505 System Authorization Access Request Navy (SAAR-N) Requirements for Information Technology (IT)(NAVAIR) (Sep 2012)

3052.204-72 Safeguarding of Controlled Unclassified Information.

3052.204-73 Notification and Credit Monitoring Requirements for Personally Identifiable Information Incidents.

5352.204-9000 Notification of Government Security Activity and Visitor Group Security Agreements

552.204-9 Personal Identity Verification Requirements.

552.237-72 Prohibition Regarding “Quasi-Military Armed Forces.”

752.204-2 Security requirements.

752.204-72 Access to USAID facilities and USAID's information systems.

952.204-2 Security requirements.

952.204-70 Classification/Declassification.

952.204-72 Disclosure of information.

952.204-73 Facility clearance.

952.204-75 Public affairs.

952.204-74 Counterintelligence.

952.242-71 Conditional payment of fee, profit, and other incentives.

52.204-30 Federal Acquisition Supply Chain Security Act Orders-Prohibition.
