What happens when state and local governments respond to significant data breaches? They often turn to the private sector for breach response capabilities in order to mitigate damages. Speed is the name of the game, and state and local governments often move with alacrity to save face.
But what about procurement laws?
The rush to hire sophisticated private entities to support data breach response efforts is in tension with statutory competitive bidding mandates. Several state governments have already run into this quandary. Multiple media sources highlighted the 2012 data breach of the South Carolina Department of Revenue that precipitated the awarding of a $12 million contract to existing vendor Experian. Experian was contracted to provide credit monitoring services to the almost 4 million taxpayers whose private information was compromised by the breach. Although state officials claimed to have contacted and evaluated two other vendors to provide the services, the vendors themselves denied being solicited. The Department, and Governor Nikki Haley, were widely criticized for hurriedly contracting with Experian to the effective exclusion of other qualified vendors. The contract walked and talked like a no-bid deal to many who cried foul.
Nevertheless, the Experian credit monitoring contract might have complied with South Carolina’s broad emergency procurement provision which allowed the Department of Revenue to make no-bid procurements when there was an immediate threat to public health, welfare, critical economy and efficiency, or safety under emergency conditions as defined in regulations. South Carolina’s then-existing regulations identified serious threats to “the preservation or protection of property” as grounds for eschewing competitive bidding requirements. Despite the initial public uproar in South Carolina, no bid protests materialized as a result of the Experian contract.
It is an open question whether existing emergency procurement provisions are broad enough to cover these types of credit monitoring service contracts or other data breach responses in the wake of a security incident. Credit monitoring services provide protection to affected persons in the months and years after a data breach. As such, they are not prototypical “emergency services” fitting neatly into existing competitive bidding exceptions. For example, Massachusetts’ emergency procurement provision exempts state agencies and municipalities from competitive bidding requirements if “the time required to comply with [the requirements] would endanger the health or safety of the people or their property.” Would taking the time to publicly bid a credit monitoring services contract endanger property? The answer is unclear and there is no Massachusetts case law or guidance addressing this ambiguity.
Tension between swift data breach responses and competitive bidding mandates could become an emerging issue as state governments develop rapid response protocols and procedures. The more that these rapid response protocols involve private, third-party vendors, the more likely that they could run afoul of procurement laws. It may be time for state legislatures to act by more explicitly including data breach response procurements within emergency procurement provisions. Otherwise, state and local governments might find themselves facing bid protests at the worst possible time.