Timeliness To Report Breach of Data

In the protest of First Financial Associates, Inc. File: B-415713; B-415713.2, the GAO was looking at provision regarding the timeliness requirements for reporting a data breach. The protester’s proposal stated it would provide notice within 12 hours. The protester was rated as marginal based on its “lengthy” reporting period which was also inconsistent with the requirements of . Homeland Security Acquisition Regulation special clause “Safeguarding of Sensitive Information (March 2015) included in the RFP which required reports to be submitted within 1 hour. The GAO denied the protest. Protester’s primary allegation was that the Agency improperly considered the requirement to notify the Agency of a data breech within 1 hour because that requirement was not in the evaluation factors. The GAO ruled, correctly, in my opinion, that the award decision was properly based on reading the RFP as whole. The key point this protest for future offerors is that they must ensure their proposals take into consideration all of the requirements in the RFP, i.e. they cannot ignore clauses that are in the RFP but not referenced in the evaluation factors.