The Coronavirus Aid, Relief and Economic Security (“CARES”) Act has created a flurry of far reaching considerations for affected businesses, ranging from tax, employment, and even telehealth.  Beyond these issues, businesses that grant the federal government equity stakes in return for certain financial assistance, including potentially certain airlines, could find themselves needing to comply with additional privacy and data security regulatory burdens, including the Federal Information Security Management Act (FISMA) and the Privacy Act. 

Overview of FISMA and the Privacy Act

The Privacy Act establishes a Code of Fair Information Practice, including governing how federal agencies are able to disseminate, use and collect certain personally identifiable information maintained by federal agencies.  In certain circumstances, individuals are able to seek access and amendment to their records, and have certain rights regarding receiving information as to the disclosure of their records. 

On the information security side, FISMA, including as revised by the passing of the Federal Information Security Modernization Act of 2014 as signed by then President Obama, provides a framework for providing and managing information security that must be followed by federal government agencies as well as others, including many federal government contractors.  FISMA requires: 

• Minimum security requirements that must be met by selecting appropriate security controls as put forth in NIST.
• Risk assessment to validate the security control set and ascertain if further controls are needed. 
• System security plan that describes applicable security controls and is periodically reviewed.
• Certification and monitoring to ensure that security controls are functioning appropriately based upon identified risks, and that new risks are effectively dealt with via new or revised security controls. 

FISMA and the Privacy Act Could Apply to Businesses that Grant Federal Equity Stakes under CARES

Both FISMA and the Privacy Act could be made applicable to a business that grants the federal government equity stakes, should these equity stakes be seen to give the government control of the business.  The guidance regarding what constitutes control is relatively sparse, however given that this control would arise in the equity context, SEC guidance could easily be at least persuasive.  In the securities context, the term “control” can mean “the possession, direct or indirect, of the power to direct or cause the direction of the management and policies of a person, whether through the ownership of voting securities, by contract, or otherwise.”  In the context of an equity stake coupled with concessions as to future corporate activities, it is certainly possible that such control by the federal government could be found, making FISMA and the Privacy Act applicable to the entity that granted the equity stake.

[View source.]