Protecting sensitive business information, especially pricing, is essential even in the GAO bid protest realm. As an agency found out, even an inadvertent release of such information could lead to a sustained protest.
This slip up resulted in the cancellation of a nearly $1 billion contract. Needless to say, this was a big deal. How did this happen, and what should parties be looking for to protect their confidential data?
The decision in the Matter of Inmarstat Government, Inc., B-419583, was a challenge to the terms of a solicitation, which was issued by DISA (Defense Information Systems Agency) to procure broadband satellite services for the Navy. Inmarstat was the incumbent contractor on the preceding DISA IDIQ awarded in 2016. As the incumbent contractor, Inmarstat was poised to submit a proposal for the newly issued solicitation. That is where things started to go off the rails.
On September 21, 2020, DISA posted a pre-solicitation announcement, which included a draft of the solicitation. In the draft solicitation was a Microsoft Excel workbook for offerors to use to calculate their fixed prices. The workbook contained 16 visible tabs with many different items on each tab. The tabs contained lists of many of the data sources used by the government to develop pricing data, including Inmarstat’s incumbent contract.
This obviously piqued the interest of both Inmarstat and its’ competitors. The Navy was seemingly unaware that in addition to the 16 visible tabs, 19 “invisible” tabs also came with the workbook. These “invisible” tabs could be made visible by right clicking on any visible tab, and clicking the unhide option. What was on these so-called “invisible tabs” you may ask? It was pricing data, including much of Inmarstat’s incumbent pricing data.
Specifically in these tabs were pricing data for line items, including operational support, installation, recurring costs, and the like. Inmarstat clearly would not want its competitors to have such pricing data information.
Inmarstat notified DISA of the release of the information, and DISA subsequently removed the draft solicitation from the web. Inmarstat requested that DISA investigate how and why its pricing data was included, albeit in hidden tabs, in the draft solicitation. DISA responded that effectively there was no way to unring the bell, short of removing the draft proposal from the website. DISA’s rationale was not to draw more attention to the data release. DISA responded later, asserting that no violations had occurred, this was just an inadvertent release, and there was no way a competitor could reverse-engineer the data.
On January 26, 2021 a competitor notified DISA about locating the hidden pricing data. The competitor advised it had scrubbed the information from its servers, and firewalled the two employees who discovered the information from the proposal team out of an abundance of caution. These companies are seeking a nearly $1Billion procurement, so they did not want to take any chances. The competitor even asked DISA to cancel the award.
Inmarstat protested, arguing that DISA “failed to mitigate the competitive harm caused by the accidental release” of its pricing data. GAO agreed with Inmarstat, finding the disclosure of source selection information to an unauthorized person during the course of a procurement was improper. Since the agency decided not to cancel the solicitation, Inmarstat needed to show the disclosure allowed an unauthorized recipient to gain an unfair advantage, or that Inmarstat was competitively prejudiced. An unfair competitive advantage is presumed when “competitively useful nonpublic information” is held by an unauthorized party.
GAO found DISA’s mitigation efforts lacking. GAO found that DISA did nothing to try and restrict the further release of the information. The agency did change some line items, but nothing that rose to the level of fixing the underlying release of the information. The contracting officer, at a hearing on the matter, indicated the mitigation efforts consisted of a clause in the solicitation which said the information release was not competitively useful.
The takeaway is two-fold from GAO’s decision. First, when receiving a solicitation, be sure to check and see if any of your proprietary data may be “hidden” in the document. The key there is to protect confidential information from competitors. Second, an agency must do more to mitigate the harm than just simply removing the solicitation from the website. As we all know, once it is on the web, it is forever. If DISA had proposed to scour the proposals for links to the data, or included clauses which required competitors to affirm they had not accessed the data, it may have survived this protest. Alas, a $1 billion procurement was canceled, and resulted in a cautionary tale for both competitors and agencies alike.
Questions about this post? Or need help with a government contracting legal issue? Email us or give us a call at 785-200-8919.