Federal Privacy Act Criminal Penalties Apply to Government Contractors

For more than 20 years, government contractors and their employees that operate an agency’s system of records have been subject to the same criminal penalties as government employees for violations of the federal Privacy Act (PA).

These penalties have taken on new importance because a recent FAR amendment makes PA training required for certain federal contracts. Moreover, the training must include information on the criminal penalties a government contractor and its employees face for violating the PA. Specifically, violations are a misdemeanor punishable by a fine of up to $5,000; there is, however, no possibility of imprisonment.

Because the language Congress used to describe this criminal violation is so carefully drafted, it’s important to get into the law’s wording and details.

The criminal penalty provision of the PA punishes any contractor or its employees who “knowing that disclosure of the specific material is prohibited, willfully discloses the material in any manner to any person or agency not entitled to receive it.”

Unfortunately, it’s not easy to describe what these words mean because there are not a lot of reported court decisions interpreting them. According to U.S. Department of Justice, there are at least two reported decisions on this criminal law. Realistically, however, only one of them really helps to describe how anyone, including a government contractor, can violate the PA’s criminal provision.

That decision, actually a defeat for the government, involved a list of patients and their addresses prepared by Richard Trabert, the administrator of an Army hospital that was closing. A doctor at the closing hospital who would be seeing patients at a nearby private clinic asked Trabert to prepare the list which Trabert prepared from data in his computer. Trabert prepared the list and gave it to the administrator of the private clinic. The information on Trabert’s list was protected by the PA.

The government charged Trabert with violating the criminal provision of the PA but a judge concluded that the government had not proven that Trabert violated the PA beyond a reasonable doubt. The government had failed to prove that there was both a “knowing disclosure” and a “willful disclosure.”

Knowing disclosure

The government could prove a “knowing disclosure” from circumstantial evidence such as the fact that the employee had taken PA training. In Trabert’s case, however, there was no evidence he had received PA training and Trabert testified that he did not remember getting any PA training. In addition, senior personnel at the hospital knew Trabert was compiling the list but no one had told him it was illegal. Moreover, other lists had been prepared by others for the benefit of other clinics.

Another way the government could prove a “knowing disclosure” would be “a specific admonition provided as to the general application of the Privacy Act” which in Trabert’s case was a computer screen banner warning of the PA’s applicability to information in the computer every time the computer was turned on.

Significantly, the government did not have to prove that Trabert had been told specifically that the PA applied to the list he gave the clinic’s administrator.

But here, there was no “knowing disclosure” for several reasons including the fact that similar lists had been prepared on other occasions by other employees without any one being charged with a crime.

Willful Disclosure

The government had also failed to prove a “willful disclosure:” that Trabert voluntarily and purposely disclosed the information in violation of the Act. Here, Trabert was guilty at most of gross negligence. According to the judge, it was not clear to Trabert that the disclosure of the list was inappropriate. Trabert was not aware of any improper motive in providing the list to the clinic and he knew that the clinic could not produce the useful list itself. He did not know that the doctor requesting the list wanted it for expanding his practice at the new clinic. Nor did Trabert benefit financially for disclosing the list like getting a job at the new clinic; the government did not prove that he even wanted a job there.


Trying to distinguish an unfortunate “gross negligence” disclosure from a criminal “knowing and willful disclosure” is difficult. Trabert was wrong to prepare the list and give it to the private clinic. But he did not do it with the intention of violating someone’s privacy rights protected by the PA. United States v. Trabert, 978 F.Supp. 1368 (D.Colo. 1997).

A good example of conduct that goes beyond “gross negligence” comes from civil (not criminal) lawsuits against an agency (and not its employee like Trabert) that violated the employees PA rights.

Department of Energy employees filled out personnel security questionnaires after being told that the information would be used only for security clearances purposes. But the information was then sent to the Department of Justice for purpose of criminal prosecution. DOE had not told the employees that questionnaire information could be used for law enforcement purposes. Covert et al. v. Harrington, Secretary, Department of Energy, 876 F.2d 751 (9th Cir. 1989).

Perhaps a good summary of what it takes to violate the PA is this: the violation “must be so patently egregious and unlawful that anyone undertaking the conduct should have known it unlawful.” While Trabert’s conduct was wrong, you cannot say that his actions met this test.

Terrence O’Connor is a Partner and Director of Government Contracts at Berenzweig Leonard LLP, McLean, VA. He can be reached at