48 C.F.R. §§ 852.211-76

Current through October 31, 2024
Section 852.211-76 - Liquidated Damages-Reimbursement for Data Breach Costs

As prescribed in 811.503-70, insert the following clause:

Liquidated Damages-Reimbursement for Data Breach Costs (FEB 2023)

(a)Definition. As used in this clause, "contract" means any contract, agreement, order or other instrument and encompasses the definition set forth in FAR 2.101.
(b)Non-disclosure requirements. As a condition of performance under a contract, order, agreement, or other instrument that requires access to sensitive personal information as defined in VAAR 802.101, the following is expressly required-
(1) The Contractor, subcontractor, their employees or business associates shall not, directly or through an affiliate or employee of the Contractor, subcontractor, or business associate, disclose sensitive personal information to any other person unless the disclosure is lawful and is expressly permitted under the contract; and
(2) The Contractor, subcontractor, their employees or business associates shall immediately notify the Contracting Officer and the Contracting Officer's Representative (COR) of any security incident that occurs involving sensitive personal information.
(c)Liquidated damages. If the Contractor or any of its agents fails to protect VA sensitive personal information or otherwise engages in conduct which results in a data breach, the Contractor shall, in place of actual damages, pay to the Government liquidated damages of __ [Contracting Officer insert amount] per affected individual in order to cover costs related to the notification, data breach analysis and credit monitoring. In the event the Contractor provides payment of actual damages in an amount determined to be adequate by the Contracting Officer, the Contracting Officer may forgo collection of liquidated damages.
(d)Purpose of liquidated damages. Based on the results from VA's determination that there was a data breach caused by Contractor's or any of its agents' failure to protect or otherwise engaging in conduct to cause a data breach of VA sensitive personal information, and as directed by the Contracting Officer, the Contractor shall be responsible for paying to the VA liquidated damages in the amount of __ [Contracting Officer insert amount] per affected individual to cover the cost of the following:
(1) Notification related costs.
(2) Credit monitoring reports.
(3) Data breach analysis and impact.
(4) Fraud alerts.
(5) Identity theft insurance.
(e)Relationship to termination clause, if applicable. If the Government terminates this contract, purchase order, or agreement, in whole or in part under clause 52.249-8, Default-Fixed-Price Supply and Service, or any other related FAR or VAAR clause included in the contract, in addition to the required liquidated damages for data breach-related expenses specified in paragraph (c) above, the Contractor is liable for excess costs for those supplies and services for repurchase as may be required under the Termination clause.

(End of clause)

Alternate I (FEB 2023). In commercial products or commercial services acquisitions awarded under the procedures of FAR part 8 or 12, substitute this paragraph (e) in lieu of paragraph (e) in the basic clause:

(e)Relationship to termination clause, if applicable. If the Government terminates this contract in whole or in part under the Termination for cause paragraph, FAR 52.212-4(m), Contract Terms and Conditions-Commercial Products and Commercial Services, the Contractor is liable for damages accruing until the Government reasonably obtains delivery or performance of similar supplies or services. These damages are in addition to costs of repurchase as may be required under the Termination clause.

Alternate II (FEB 2023). In simplified acquisitions exceeding the micro-purchase threshold that are for other than commercial products or commercial services awarded under the procedures of FAR part 13 (see FAR 13.302-5(d)(1) and the clause at FAR 52.213-4), substitute this paragraph (e) in lieu of paragraph (e) in the basic clause:

(e)Relationship to termination clause, if applicable. If the Government terminates this contract in whole or in part under the Termination for cause paragraph, FAR 52.213-4(g), Terms and Conditions-Simplified Acquisitions (Other Than Commercial Products and Commercial Services), or any other applicable FAR or VAAR clause, the Contractor is liable for damages accruing until the Government reasonably obtains delivery or performance of similar supplies or services. These damages are in addition to costs of repurchase as may be required under the Termination clause.

48 C.F.R. §§852.211-76

88 FR 4752 , Jan. 25, 2023
88 FR 4752 , 2/24/2023