GAO denies Equifax bid protest involving IRS e-authentication services

The Government Accountability Office denied on Monday a bid protest filed by Equifax, on grounds the company’s arguments were “based on an unreasonable interpretation of the solicitation.”

Ralph White, GAO managing associate general counsel for procurement law, said in a statement the office denied Equifax’s protest against an Internal Revenue Service contract with Experian, because it concluded “the IRS reasonably found that the Experian offer would meet the agency’s needs.”

The IRS in a statement said it was looking forward to the start of the new contract.

“We will move as quickly as we can, but it will take some time to begin service under the new contract,” the agency said in a statement. “We are continuing to assess the time frame for the new service. In addition, we continue to review the status of our short-term contract with Equifax, which was temporarily suspended last week.”

Advertisement

An Equifax spokesman said in an emailed statement that the company is “engaging IRS officials to understand how they wish to proceed, and we remain ready to support the agency in the future.”

A request for comment from Experian was not immediately returned.

Meeting the needs of the IRS was at the heart of the protest, which gained attention after Equifax announced a massive data breach that impacted more than 145 million people.

IRS had two contracts with the credit reporting agency, one for credit monitoring and another for electronic authentication. The credit monitoring contract was recompeted and awarded to a new vendor. The e-authentication contract was awarded to a new vendor, Experian, but in July Equifax protested the decision.

“The solicitation, issued under request for quotations … was for a contractor to provide taxpayer identification and verification services for a period of one year,” White said in his statement. “The competition was limited to companies holding General Services Administration Federal Supply Schedule contracts for these services; the BPA [blanket purchase agreement] was to be issued to the lowest-priced offeror with a technically acceptable solution. The BPA awarded to Experian has a ceiling value of approximately $795,000. In its protest, Equifax argued that the approach set out in the Experian quotation (or offer) should have been found unacceptable, because, in Equifax’s view, Experian was not able to meet all of the technical requirements of the solicitation.”

According to GAO’s decision, both Equifax and Experian met the technical requirements and proved they could connect to IRS systems. Equifax proposed a $2.9 million price, while Experian proposed $795,000.

“The SSA [source selection authority] selected Experian as offering the lowest-priced, technically acceptable quotation,” GAO’s decision stated.

Equifax protested the claim based on its belief Experian didn’t meet IRS’ requirements for using an application programming interface to connect with the agency, and also that Experian’s price “should have caused the agency to question whether the firms understood and were responding to the same requirements.”

GAO’s Monday ruling applies to the year-long BPA awarded this summer, not the short-term contract IRS issued last month.

Because of the wait time for GAO’s ruling, IRS entered into a bridge contract in September with Equifax to continue e-authentication services for taxpayers. The short-term bridge contract is worth about $1.3 million for the first three months.

On Friday IRS announced it was suspending the contract  “as a precautionary step” while the agency reviews whether any taxpayer data was jeopardized as part of Equifax’s massive September data breach.

“Suspending the identity-proofing work provided under the contract means that the IRS will be temporarily unable to create new accounts for taxpayers using Secure Access, which supports applications including online accounts and transcripts,” IRS Spokesman Matthew Leas said in a statement. “Although people can’t create new accounts, current Secure Access users aren’t affected by this contract change and will continue to have access to their accounts. Other taxpayers still have options available for things such as obtaining transcripts, which can be ordered by mail. The IRS notes most of its services and tools are unaffected by this change.”

Despite IRS officials saying there’s no indication agency data was compromised as a result of the breach, the agency drew criticism for entering into the bridge contract with Equifax.

Others have also wondered by GAO waited until the end of its 100-day time frame to rule on the contract.

Terry O’Connor, director of government contracts and partner at the law firm Berenzweig Leonard, said it’s difficult to make an immediate bid protest decision. Once a protest is filed, “that exposes a whole bunch of information” from agency reports.

Agency reports can include details that prompt supplemental protests, which can take a month or more to prepare. Based on the July contract award, O’Connor said, that put GAO toward the end of one fiscal year and the beginning of another, when things are very busy and it’s not always possible to make an immediate ruling.

While parties do have the ability to request a predictive outcome determination, sort of an early temperature reading on how a GAO decision might be leaning, most parties rarely ask for one.

O’Connor also said it’s very common for a losing incumbent company to protest a bid,

“If nothing else, they usually end up getting a bridge contract,” O’Connor said, adding that that kind of contract is usually good for 100 days, the same amount of time GAO has to rule on a bid protest.

Red flags

While stakeholders wait for more details on the bid protest ruling, lawmakers are continuing to call for more answers from agencies, most recently GSA and its contracting requirements.

A letter from Democratic and Republican members of the House Energy and Commerce Committee points out that GSA awarded contracts to Equifax for not only the IRS, but the Social Security Administration and the Center for Medicare and Medicaid Services.

Members asked GSA in their letter about what circumstances would lead the agency to award a contract to a company that’s been the victim of a data breach. Members also wanted to know whether GSA considers consumer protection issues — such as data security practices — when it’s vetting applicants and awarding contracts.