2900-XXXX SS for AQ41(PR) Liquidated Damages 18NOV2021


852.211-76, Liquidated Damages-Reimbursement for Data Breach Costs

OMB: 2900-0901


Supporting Statement

Paperwork Reduction Act Submission

Department of Veterans Affairs Acquisition Regulation (VAAR)

852.211-76, Liquidated Damages-Reimbursement for Data Breach Costs



    1. Explain the circumstances that make the collection of information necessary. Identify legal or administrative requirements that necessitate the collection of information.

As a result of the proposed rule RIN 2900-AQ41 (VAAR case 2015-V016), posted to the Federal Register at 86 FR 64132 on November 17, 2021, this is a request from the Department of Veterans Affairs (VA) for OMB approval of a new Information Collection (IC).

In accordance with Veterans Affairs Acquisition Regulation (VAAR), section 811.503-70, Contract clause, VA is proposing to add clause 852.211-76, Liquidated Damages-Reimbursement for Data Breach Costs, for insertion in solicitations, contracts, and orders, where VA requires access to sensitive personal information for the performance of a Department function.

This VAAR clause requires the Contractor, subcontractor, their employees or business associates to notify the VA through the Contracting Officer and the Contracting Officer’s Representative (COR), of any security incident that occurs involving sensitive personal information.

This information collection requirement is needed to protect the safety and health of the nation’s Veterans and to protect the security and integrity of VA information, VA sensitive information, and information systems.

    2. Indicate how, by whom, and for what purposes the information is to be used; indicate actual use the agency has made of the information received from current collection.

VAAR 852.211-76 Liquidated Damages—Reimbursement for Data Breach Costs, is required in solicitations and contracts where sensitive personal information will be created, received, maintained, or transmitted, or that will be stored, generated, accessed, or exchanged such PHI or utilized by a contractor, subcontractor, business associate, or an employee of one of these entities; or, when VA information systems will be designed or developed at non-VA facilities where such sensitive personal information is required to be created, received, maintained, or transmitted, or that will be stored, generated, accessed, exchanged, processed, or utilized. This VAAR clause requires the Contractor, subcontractor, their employees or business associates to notify the VA through the Contracting Officer and the Contracting Officer’s Representative (COR), of any security incident that occurs involving sensitive personal information. This will help VA protect Veterans and the security and integrity of VA information and VA sensitive information.

    3. Describe whether, and to what extent, the collection of information involves the use of automated, electronic, mechanical, or other technological collection techniques or other forms of information technology, e.g., permitting electronic submission of responses, and the basis for the decision for adopting this means of collection. Also describe any consideration of using information technology to reduce burden.

The information collections do not involve the use of automation; however, if the VA solicitation permits electronic submission of the proposal, VA would allow submission of the information collection by electronic means as well.

    4. Describe efforts to identify duplication. Show specifically why any similar information already available cannot be used or modified for use for the purposes described in Item 2 above.

The inclusion of the clause in solicitations, contracts, orders and agreements is determined based on the actual requirements in the statement of work / performance work statement. There will be no duplication. While other VAAR clauses under VAAR part 839 require the reporting of data breaches, the information collection and reporting here would be in addition to those instances such as other contracts for goods and services involving VA sensitive personal information (i.e., contracts other than information technology or information technology related contracts under VAAR part 839). There is no similar information available which can be used or modified for this purpose.

    5. If the collection of information impacts small businesses or other small entities, describe any methods used to minimize burden.

There are no special provisions that can be identified or implemented that would lessen burden on small businesses. Small businesses will be affected in the same way as large businesses in order to prevent the inadvertent release of VA sensitive personal information and to ensure timely reports are provided to the Government to alert the VA of any potential or actual data breaches.

6. Describe the consequences to Federal program or policy activities if the collection is not conducted or is conducted less frequently as well as any technical or legal obstacles to reducing burden.

Failure to collect the information could expose vulnerabilities in VA's protection of Veterans’ sensitive personal information.

  7. Explain any special circumstances that would cause an information collection to be conducted more often than quarterly or require respondents to prepare written responses to a collection of information in fewer than 30 days after receipt of it; submit more than an original and two copies of any document; retain records, other than health, medical, government contract, grant-in-aid, or tax records for more than three years; in connection with a statistical survey that is not designed to produce valid and reliable results that can be generalized to the universe of study and require the use of a statistical data classification that has not been reviewed and approved by OMB.

This clause is included in the contract, and contractors have knowledge of the requirement at the start of contract performance. Therefore, they have more than 30 days to provide the response. VA does not expect that any contractor/subcontractor (i.e., vendor) would submit a response more often than once per contract unless there is more than one incident per contract.

  8. a. If applicable, provide a copy and identify the date and page number of publication in the Federal Register of the sponsor's notice, required by 5 CFR 1320.8(d), soliciting comments on the information collection prior to submission to OMB. Summarize public comments received in response to that notice and describe actions taken by the sponsor in response to these comments. Specifically address comments received on cost and hour burden.

Note: this section will be updated when the proposed rule AQ41 (839) is published in the Federal Register and at the end of public comment period. Address comments received related to this IC, if any.

b. Describe efforts to consult with persons outside the agency to obtain their views on the availability of data, frequency of collection, clarity of instructions and recordkeeping, disclosure or reporting format, and on the data elements to be recorded, disclosed or reported. Explain any circumstances which preclude consultation every three years with representatives of those from whom information is to be obtained.

There were no efforts to consult with persons outside the agency beyond the publication of this proposed rule in the Federal Register.

  9. Explain any decision to provide any payment or gift to respondents, other than remuneration of contractors or grantees.

No payments or gifts have been provided.

  10. Describe any assurance of confidentiality provided to respondents and the basis for the assurance in statute, regulation, or agency policy.

This information is disclosed only to the extent consistent with prudent business practices and current regulations.

  11. Provide additional justification for any questions of a sensitive nature (Information that, with a reasonable degree of medical certainty, is likely to have a serious adverse effect on an individual's mental or physical health if revealed to him or her), such as sexual behavior and attitudes, religious beliefs, and other matters that are commonly considered private; include specific uses to be made of the information, the explanation to be given to persons from whom the information is requested, and any steps to be taken to obtain their consent.

The request for information does not include any questions of a sensitive nature.

  12. Estimate of the hour burden of the collection of information:

      a. The number of respondents, frequency of responses, annual hour burden, and explanation for each form is reported as follows:

VAAR 852.211-76 Liquidated Damages—Reimbursement for Data Breach Costs:

Total Burden Hours: 6.5.

Average Number of Respondents: 13.

Average Annual Responses: 13

No. of respondents x No. of responses per respondent x No. of minutes ÷ 60 = Number of Burden Hours





      b. If this request for approval covers more than one form, provide separate hour burden estimates for each form and aggregate the hour burdens in Item 13 of OMB 83-1.

No other form is required by VAAR for use in this collection.

      c. Provide estimates of annual cost to respondents for the hour burdens for collections of information. The cost of contracting out or paying outside parties for information collection activities should not be included here. Instead, this cost should be included in Item 14.

Total estimated annual cost to all respondents: $308 (6.5 hours at $47.42 per hour). This is based on the Bureau of Labor Statistics May 2020 Occupational Employment and Wages code “13-1020 Buyers and Purchasing Agents” mean hourly wage of $34.80 plus 36.25% fringe benefits per OMB Memo M-08-13 dated March 11, 2008.

13. Provide an estimate of the total annual cost burden to respondents or record keepers resulting from the collection of information. (Do not include the cost of any hour burden shown in Items 12 and 14).

There are no capital or start-up costs associated with the information collection.

  14. Provide estimates of annual cost to the Federal Government. Also, provide a description of the method used to estimate cost, which should include quantification of hours, operation expenses (such as equipment, overhead, printing, and support staff), and any other expense that would not have been incurred without this collection of information. Agencies also may aggregate cost estimates from Items 12, 13, and 14 in a single table.

VAAR 852.211-76 Liquidated Damages—Reimbursement for Data Breach Costs

Total Estimated Burden Hours to the Government: 6.5.

Total Estimated Cost to the Government: $268.

$268 (6.5 hours at $41.26, based on the 2021 OPM Salary Table, including benefits of 36.25% per OMB Memo M-08-13 dated March 11, 2008, for the average GS 11, Step 5, VA contracting officer).

The OPM 2021 Salary Table can be located on OPM.gov under Pay & Leave: Salaries & Wages.

  15. Explain the reason for any burden hour changes since the last submission.

This is a new information collection.

  16. For collections of information whose results will be published, outline plans for tabulation and publication. Address any complex analytical techniques that will be used. Provide the time schedule for the entire project, including beginning and ending dates of the collection of information, completion of report, publication dates, and other actions.

There are no plans to publish any data received from this information collection.

  17. If seeking approval to omit the expiration date for OMB approval of the information collection, explain the reasons that display would be inappropriate.

VA will display the expiration date for OMB approval of the information collection.

  18. Explain each exception to the certification statement identified in Item 19, "Certification for Paperwork Reduction Act Submissions," of OMB 83-1.

There are no exceptions.


Statistical methods will not be employed.



File Type: application/vnd.openxmlformats-officedocument.wordprocessingml.document
Author: Rennie, Crystal
File Modified: 0000-00-00
File Created: 2021-11-24
