Regulations last checked for updates: Nov 25, 2024

Title 48 - Federal Acquisition Regulations System last revised: Nov 15, 2024
811.500 Scope.

This subpart prescribes policies and procedures for using a liquidated damages clause in solicitations and contracts that involve VA sensitive personal information. This also pertains to any solicitations and contracts involving VA sensitive personal information issued by another agency for or on behalf of VA through an interagency acquisition in accordance with FAR subpart 17.5 and subpart 817.5.

811.501-70 Policy—statutory requirement.

(a) Contracting officers are required to include a liquidated damages clause in contracts for the performance of any Department function which requires access to VA sensitive personal information (see the definition in 802.101), in accordance with 38 U.S.C. 5725(b). The liquidated damages are to be paid by the contractor to the Department of Veterans Affairs in the event of a data breach involving sensitive personal information maintained, processed, or utilized by contractors or any subcontractors.

(b) The purpose of the liquidated damages to be paid for by the contractor in the event of a data breach of personal sensitive information is for VA to provide credit protection services to affected individuals pursuant to 38 U.S.C. 5724(a)-(b).

811.503-70 Contract clause.

(a) Insert the clause at 852.211-76, Liquidated Damages—Reimbursement for Data Breach Costs, in all solicitations, contracts, or orders, where VA requires access to sensitive personal information for the performance of a Department function where—

(1) Sensitive personal information (see the definition in 802.101) will be created, received, maintained, or transmitted, or that will be stored, generated, accessed, or exchanged such as protected health information (PHI) or utilized by a contractor, subcontractor, business associate, or an employee of one of these entities; or,

(2) When VA information systems will be designed or developed at non-VA facilities where such sensitive personal information is required to be created, received, maintained, or transmitted, or that will be stored, generated, accessed, exchanged, processed, or utilized.

(b) Insert the clause at 852.211-76 with its Alternate I in all solicitations, contracts, or orders, for commercial products or commercial services acquisitions awarded under the procedures of FAR part 8 or 12.

(c) Insert the clause at 852.211-76 with its Alternate II, in all solicitations, contracts, or orders, in simplified acquisitions exceeding the micro-purchase threshold that are for other than commercial products or commercial services awarded under the procedures of FAR part 13 (see FAR 13.302-5(d)(1) and the clause at FAR 52.213-4).

source: 73 FR 2717, Jan. 15, 2008, unless otherwise noted.
cite as: 48 CFR 811.500