How Procurement Proposals In States Are Raising More Questions than Answers

State elected officials should take every necessary step to eliminate waste, fraud, and abuse from government programs. As guardians of taxpayer funds, they should make sure every dollar is spent in a responsible and accountable way.

This includes ensuring that state vendors are not overcharging or wasting taxpayer funds. Ostensibly, though, most vendors take steps to ensure responsible and accountable use of government funds. If the vendors were found to be wasting government resources, they would risk investigations from attorneys general and the inability to contract with state governments in the future.

One business has managed to introduce “model” legislation in almost half of the United States. This “model” legislation purports to verify whether vendors are honest, but seems to be much more about ensuring a sales channel for one company to sell its wares. This is perhaps the worst of rent seeking. The legislation requires vendors with contracts over a set sum, such as $100,000 or $500,000, to “use verification software to verify that hours billed for work… are legitimate.”

Among other requirements, the proposals would require vendors to use “verification software” that “automatically gather[s] verification of state-funded activity at least once every three minutes, while continuously monitoring keystroke frequency and mouse-event frequency.” The costs to sound public policy of such an approach are large. The policy leads to vendors losing control of data security, risking their intellectual property, and spending substantial funds complying with verification software requirements.

The requirements, and others found throughout the proposals, raise serious questions, including:

• Is there really a problem with contractors wasting taxpayer funds? The legislation presumes a problem but does not identify specific problems with vendors. At the least, whether a problem exists is something worth exploring before demanding vendors deploy verification software.
• Is the solution within the proposals the best solution? The proposal assumes both a problem and a specific solution—signing another vendor to watch over all covered contractors through keystroke logging, screenshots, and mouse-event logging. Assuming, arguendo, vendors are wasting taxpayer funds, is this the only solution, or are there other, potentially better, solutions?
• How will the software function? Is it something vendors must install on their computers? Can vendors create their own software that complies with the law, or must they use a third-party vendor? Will contractors be forced either to ensure their networks are compatible with the oversight software or will they be forced to integrate the software into their computer programs?
• With keystroke loggers and constant screenshots, will contractors be able to keep their trade secrets, intellectual property, and other programming secrets?
• What about data security? Contractors work throughout various state agencies that have access to very sensitive personal data, including social security numbers, addresses, state-issued IDs, tax returns, health information, and so on. Who is responsible for data security? The proposals provide, in part, that the vendors must “ensure appropriate treatment of data that are not public data,” but if the law requires a third-party vendor to provide the verification software, can the third-party vendor shift liability to the original vendor? Vendors ordinarily assume part of the responsibility for data security when they control the flow of data. If a third-party vendor starts capturing regular screenshots and key-logs, the contractor loses the ability to apply safeguards it believes is reasonable.
• If the oversight vendor keeps all the data, will it employ commercial-reasonable data security standards? If the oversight vendor keeps the data, will it require the state to indemnify it in the event of a data breach? Will the state keep the data, and if so, does the state have a plan to safeguard the data from bad actors?

State officials should take all necessary steps to ensure taxpayer funds are spent in efficient and accountable manners. Those steps, though, should not place vendors in the uncomfortable position of losing control of data security, risking their intellectual property, and spending substantial funds complying with verification software requirements. And states, before contemplating if they need laws verifying vendors are using taxpayer funds properly, should ascertain whether vendor misuse of funds is even a significant problem.