FEDERAL LABOR RELATIONS AUTHORITY OALJ 17-13
Office of Administrative Law Judges
WASHINGTON, D.C. 20424
DEPARTMENT OF TRANSPORTATION
FEDERAL AVIATION ADMINISTRATION
PROFESSIONAL AVIATION SAFETY SPECIALISTS, AFL-CIO
Case No. WA-CA-16-0195
Ashton K. Hupman
For the General Counsel
For the Respondent
For the Charging Party
Before: RICHARD A. PEARSON
Administrative Law Judge
In the summer of 2015, the U.S. Office of Personnel Management (OPM) announced that personal information concerning millions of federal employees and their family members had been stolen in two related cyberattacks. In response to the attacks, one of the unions representing FAA employees proposed (among other things) that the FAA offer free credit monitoring services and identity theft insurance for bargaining unit employees and their families, through a specific contractor, CSID.
Subsequently, the FAA submitted a counterproposal, and the parties engaged in a single day’s worth of bargaining, all of it via email. The Agency counterproposal adopted one portion of the Union’s proposal and offered the Union representation on a committee devoted to cybersecurity matters, but it did not offer identity theft services like those sought by the Union. The Union negotiator responded that the Agency’s counterproposal was “not even close to being acceptable” and he declared an impasse. Despite the purported impasse, the Agency negotiator explained at length the rationale for the Agency’s proposal, and she further argued that the Agency had no duty to bargain over the Union’s proposal. This prompted the Union to inquire, “So is it the Agency’s position that it has no duty to bargain, or that it cannot agree with the Union’s proposal – or both?” The Agency official replied, “I would be foolish not to argue from every conceivable angle. We do not believe there is a duty to bargain but if there is, then we cannot agree with the terms you are proposing.” No further bargaining occurred, and the Union filed this unfair labor practice charge.
There are two main questions before us. The first is whether the Agency had an obligation to bargain over the Union’s proposal. Because the proposal requires the Agency to provide identity theft and other insurance with a particularly company, it improperly restricts management’s right to contract out, and thus it is not negotiable under § 7106 of the Statute.
The second question is whether the Agency bargained in good faith. Since I have already indicated that there was no duty to bargain over the Union’s proposal, this question is moot. But even if the Agency had a duty to bargain, I would find that it satisfied that duty. Because the Agency negotiator presented a substantive and detailed counterproposal to the Union and tried to persuade the Union to continue discussions, even when the Union had declared an impasse, I conclude that the Agency bargained in good faith, with a sincere desire to reach agreement.
STATEMENT OF THE CASE
This is an unfair labor practice proceeding under the Federal Service Labor-Management Relations Statute, Chapter 71 of Title 5 of the U.S. Code, 5 U.S.C. §§ 7101-7135 (the Statute), and the Rules and Regulations of the Federal Labor Relations Authority (the Authority or FLRA), 5 C.F.R. part 2423.
On January 21, 2016, the Professional Aviation Safety Specialists (the Union, Charging Party, or PASS) filed an unfair labor practice (ULP) charge against the Department of Transportation, Federal Aviation Administration, Washington, D.C. (the Agency, Respondent, or FAA). GC Ex. 1(a). After investigating the charge, the Acting Regional Director of the FLRA’s Washington Region issued a Complaint and Notice of Hearing on June 14, 2016, on behalf of the General Counsel (GC), alleging that the Agency violated § 7116(a)(1) and (5) of the Statute by refusing to negotiate in good faith with the Union regarding the two cyberattacks. GC Ex. 1(c). The Respondent filed its Answer to the Complaint on July 8, 2016, denying that it violated the Statute. GC Ex. 1(e).
On August 4, 2016, the GC filed a Motion for Summary Judgment (MSJ), and on August 9, 2016, the Respondent filed a brief in opposition thereto (Oppos. to MSJ). (At the hearing, these pleadings were entered into evidence as GC Exs. 1(j) & 1(k), respectively, but the exhibits that were originally attached to the MSJ and the Opposition to MSJ were not entered into evidence.) The motion was denied, because material facts remained in dispute.
A hearing was held in this matter on August 17, 2016, in Washington, D.C. All parties were represented and afforded an opportunity to be heard, to introduce evidence, and to examine witnesses. The GC, the Charging Party, and the Respondent filed post-hearing briefs, which I have fully considered. Based on the entire record, including my observations of the witnesses and their demeanor, I make the following findings of fact, conclusions of law, and recommendations.
FINDINGS OF FACT
The Respondent is an agency within the meaning of § 7103(a)(3) of the Statute. The Union is a labor organization within the meaning of § 7103(a)(4) of the Statute and is the certified exclusive representative of two bargaining units of employees at the Agency. GC Exs. 1(c) & 1(e). The Respondent and the Union have negotiated separate collective bargaining agreements for these two units, one for Air Traffic Organization employees (referred to as the ATO-CBA) and one for Aviation Safety employees (referred to as the AVS-CBA). GC Ex. 1(j) at 2-3; see also GC Ex. 1(k) at 3; Tr. 12-13.
In June 2015, OPM announced that there had been a cybersecurity breach involving the theft of personnel records of approximately 4.2 million current and former federal employees. GC Ex. 2 at 1; Resp. Ex. 1 at 1; Resp. Ex. 2 at 1. The stolen data, stored on OPM’s computer network, included names, birth dates, home addresses, and Social Security numbers. GC Ex. 2 at 1. Eight days later, OPM announced a separate but related cybersecurity breach involving the theft of background investigation records from OPM’s computer network, affecting approximately 19.7 million background investigation applicants and 1.8 million spouses or cohabitants of applicants. Id. Data compromised in this breach included Social Security numbers, dates and places of birth, residence and educational history, employment history, and financial history for both applicants, employees, and their family members. Id. at 5. Of the individuals affected by the two incidents, about 44,000 were FAA employees, including about 11,000 employees in the two PASS bargaining units. Tr. 16-17, 93, 95.
In response to these attacks, OPM contracted with CSID, a company specializing in identity theft protection, to provide affected individuals with free membership for eighteen months. Affected individuals were automatically enrolled in CSID’s identity theft insurance program, which provided $1 million in coverage, and they were given the option of receiving credit monitoring services. Resp. Ex. 1. Individuals affected by the background investigation breach were provided services through another company, ID Experts. Resp. Ex. 2 at 16.
On June 30, the Agency sent an email to employees regarding the cyberattacks. The Agency informed employees that OPM was still in the process of notifying individuals whose personally identifiable information (PII) had been compromised in the cyberattacks. In addition, the Agency reminded employees that OPM was offering affected employees free services from CSID. Resp. Ex. 1.
Many employees were worried about the attacks and brought their concerns to the Union. Tr. 17. Based on these discussions, the Union believed the offer of free CSID membership was insufficient, because it lasted only eighteen months and was not contractually guaranteed. Tr. 18, 20. In order to address these concerns, Michael Derby, the Union’s General Counsel, notified the Agency on July 1 that it was initiating midterm bargaining, and it submitted a proposal in the form of a memorandum of agreement (MOA).
Carol McCrarey, a Labor Relations Specialist at the Agency, contacted Derby upon receiving the Union’s proposal. McCrarey knew that it would take her longer than usual to respond to the proposal, and she told Derby that she “wasn’t trying to delay unnecessarily.” Tr. 68-69. Later that month, McCrarey met with Derby to discuss the Union’s proposal, and she informed him that the second cyberattack had compromised information pertaining to employees’ family members. Tr. 69-70. This led Derby to modify the Union’s initial proposal on July 30; it was virtually identical to the initial proposal, except that coverage was also extended to family members of unit employees. Tr. 21; Jt. Ex. 2.
It ended up taking McCrarey five months to submit the Agency’s counterproposal to the Union. McCrarey testified that this was much longer than it normally takes her to prepare a counterproposal, but several factors complicated were process. She explained that the issues related to the cyberattack and the Union’s proposed response were complex. “I was having difficulty finding case law and I just wasn’t sure how to proceed. I were proceeding very cautiously . . . .” Tr. 68. McCrarey was also waiting for more information. “[T]he situation . . . was still so fluid,” she testified, “I couldn’t even determine exactly what was going on at OPM . . . what the nature of the breach was, the extent of the breach. I didn’t even have a list of the employees.” Tr. 68-69. Moreover, her counterproposal needed to be approved by other offices within the Agency. Tr. 72-73.
Derby testified that during this time, there were “emails and . . . conversations” in which he and McCrarey discussed issues pertaining to the Union’s proposal and touched base about the status of the Agency’s counterproposal. Tr. 21. With respect to the information he received, Derby elaborated, “[W]e were told that the Agency didn’t have the funding to provide these services, that they were in discussions with their internal security office, program office, about the impact of the Union’s proposals and that we’d get a counterproposal at some[ ]time in the future.” Tr. 21-22.
On December 1, McCrarey emailed the Agency’s counterproposal to Derby. Jt. Ex. 3. The counterproposal essentially adopted the “most favored nation” clause suggested by the Union, but did not include other key aspects of the Union’s proposal. The Agency offered to include a PASS representative on an Agency committee dealing with cybersecurity – the Breach Assessment Recovery Team or BART – which already included a representative from at least one other union. Tr. 54, 56, 77-78. But the Agency’s proposal did not provide for credit monitoring or identity theft insurance.
Derby and McCrarey spent the rest of that day, December 1, engaged in an email dialogue about the Union’s proposal and the Agency’s counterproposal. Derby sent McCrary a terse response to the Agency’s offer: “Not surprisingly, the Agency’s counter is not even close to being acceptable and certainly does not address the specific data theft that prompted our proposal. As such, I think it is fair to say that the Parties are at impasse and we will take steps to resolve the impasse.” Jt. Ex. 4 at 2. McCrarey’s reply was somewhat longer; she began by explaining management’s reasoning for its offer:
I understand. We allow NATCA to take part in conversations about our response to FAA security breaches of PII. Therefore I concluded that it is reasonable to offer you a part in the discussions following a data breach as to how the FAA will respond – the steps it will take to protect our employees.
Jt. Ex. 4 at 1. She continued by explaining why the Agency could not accept the Union’s demand for credit monitoring and identity theft insurance over and above what the Agency already offers, and what OPM has obtained:
As I already explained, the Agency does not have the funding to provide credit monitoring and identity theft insurance for the length of time you propose or the amount you proposed. . . . Even with the additional funding, OPM is not offering anything near what you were seeking. We have provided credit monitoring every year since 2009 and we have options for four additional years. We already offer identity theft insurance up to 30k.
Id. Finally, McCrarey indicated that she was doubtful the Agency had any duty to bargain with the Union at all about the theft of data from OPM’s computers:
The data breach was not a change in a condition of employment caused by the FAA through the exercise of a management right. In fact the data breach is in no way the result of any action or inaction on the part of the FAA. Obviously employees must provide various bits of personal data in order to gain employment and they do have the right to expect that the government will protect that data but there are no absolute guarantees. This is probably why we have a CBA article on personal and Information Systems Data Security. This article deals with breaches of PII maintained by the Agency. It doesn’t address a breach of PII maintained by another federal agency. OPM has no duty to bargain with PASS and I am not convinced that the FAA has a duty to bargain with PASS over an incident that occurred outside of the Agency.
Id. Derby immediately inquired of McCrarey, “So is it the Agency’s position that it has no duty to bargain, or that it cannot agree with the Union’s proposal – or both?” Id. And she immediately responded, “I would be foolish not to argue from every conceivable angle. We do not believe there is a duty to bargain but if there is, then we cannot agree with the terms you are proposing.” Id. With that, bargaining ended. Tr. 85.
On December 18, Congress passed and the President signed the Consolidated Appropriations Act, 2016 (Appropriations Act). As relevant here, the Appropriations Act required that OPM provide any individual whose Social Security number was compromised complimentary identity theft protection for a period of not less than ten years and in an amount not less than $5,000,000. Pub. Law No. 114-113, § 632, 129 Stat. 2242, 2470-71 (2015).
At the hearing, Derby and McCrarey elaborated on a number of issues regarding the parties’ proposals and negotiations. McCrarey testified that the information affected by the cyberattacks, including employee Social Security numbers, “would not have been collected but for the fact the individuals were seeking employment” with either the FAA or another agency within the government. Tr. 52. McCrarey added, “I couldn’t have gotten a job had I not submitted an application with that information on it.” Id. Derby similarly testified that supplying one’s Social Security number and similar data, including a background investigation form and a list of references and family members, was necessary to “obtain and retain” one’s job at the FAA. Tr. 31, 49. In addition, Derby asserted that cyber thieves could use the stolen data in a way that would damage employees’ credit scores, and that a low credit score could put employees at a disadvantage when applying for promotions or for jobs at other agencies. Tr. 17-18.
McCrarey testified that the cost of the Union’s proposal might mean that the proposal was nonnegotiable, because “the right to determine our budget is a management right . . . And actually this is one of the few times where that might actually have stuck, because you’re talking about vast sums of money.” Tr. 81. McCrarey further asserted that the services that the Union wanted – “lifetime credit monitoring and . . . $1 million . . . in identity theft insurance” – would cost “a great deal of money and it was certainly outside any budget that we had for that.” Tr. 54-55. McCrarey and Derby were both unable to say exactly how much the Union’s proposal would have cost the Agency, though McCrarey asserted that the overall per person cost of the OPM data breach was at least $3,000. Tr. 36, 93-95. However, it was clear to McCrarey that the Union’s proposal was prohibitively expensive, and she advised Derby that the Agency viewed it as such. She testified, “I could not get approval for lifetime, $1 million.” Tr. 103.
Relatedly, McCrarey testified that the FAA had previously suffered cyberattacks similar to the ones OPM had suffered. Since 2009, the FAA has had one-year agreements with Identity Force, a private contractor, to provide employees free credit monitoring services and $30,000 in identity theft insurance. McCrarey stated that these agreements had been renewed annually. Tr. 74-76. She reminded Derby of these facts in her December 1 email.
Derby testified that the Union specified that CSID should provide the proposed services to employees and family members, because it was the same contractor that OPM had chosen to provide those services. “[W]hat we wanted to try to do is make a bargaining proposal that was as acceptable to the FAA as possible to try to get it done.” Tr. 28.
At the hearing, McCrarey and Derby also addressed, briefly, whether the Union’s proposal was covered by the relevant collective bargaining agreements. In this regard, McCrarey noted that the Agency and the Union “have a contract . . . in which we negotiated that we would . . . abide by various cyber security rules and regulations, and we did all that . . . .” Tr. 51. McCrarey also noted that the Agency had bargained with the other FAA unions concerning earlier data breaches. Tr. 54
With regard to negotiations that occurred on December 1, Derby explained that the Union was “frustrated” by the Agency’s counterproposal, both because it took five months for McCrarey to deliver it, and because it “[didn’t] contain any services . . . which is a main part of our proposal. The identity theft and credit monitoring services . . . [n]ot that they had to be; I’m not saying they had to, but they just didn’t do it so it was inadequate.” Tr. 22-23. In Derby’s view, the Agency’s counterproposal was “so unresponsive . . . that I didn’t think that there would be any reasonable cause to continue the bargaining process with her.” Tr. 34. He added, “We might as well just go to impasse.” Id. Derby recognized, however, that management “gave in a little bit” by adopting the Union’s “most favored nation” clause. Tr. 34-35.
McCrarey testified that she wrote the three-paragraph email to Derby because she “didn’t really want him to stop the negotiations.” Tr. 79. McCrarey continued, “I really felt like we could come to a meeting of the minds. So I explained to him . . . why I was giving him that particular counterproposal. I know it wasn’t what he was looking for, but this is
why I did it.” Tr. 79-80. McCrarey added that she raised the issue of conditions of employment because she wanted to “remind [Derby] . . . it’s not a surefire win for you . . . it would probably be better for you to compromise with me and let’s get an agreement that gives you something. That was the message there.” Tr. 80.
Derby testified he then asked McCrary whether she was saying management had no duty to bargain, because:
I needed to know which avenue to start pursuing on this, either the impasse or the ULP. Because it had already been delayed for 5 months and, having dealt with the FAA long enough to know that delay is one of their tactics, I wanted to try to short circuit that and not start moving down . . . the wrong track.
Tr. 25. Derby acknowledged that McCrarey did not tell him that she was refusing to bargain any further. Tr. 38. However, Derby interpreted McCrarey’s reply to mean that “maybe they’ll talk but they’re not bargaining.” Id. McCrarey disagreed with that interpretation, noting that it is not unusual for a negotiator to bargain over a proposal, even though the proposal may be outside the duty to bargain. Tr. 87. McCrarey also dismissed the idea that the parties were at an impasse. She did not label her counterproposal as a “last best offer,” she testified, because “[w]e weren’t there yet.” Tr. 85-87.
McCrarey testified that she didn’t try to call Derby after the email dialogue had ended, because, “I gave the last proposal; now the ball is in his court . . . .” Tr. 85. Similarly, Derby testified that he did not submit a Union counterproposal because “[w]e didn’t think there was any point at that – at this time to do that. It would be futile in our view, a waste of more time.” Tr. 26.
POSITIONS OF THE PARTIES
In support of its claim that the Agency unlawfully refused to negotiate in good faith with the Union, the General Counsel starts from the premise that a union is entitled to initiate bargaining, during the term of a collective bargaining agreement, over its own negotiable proposals, unless the issue is already contained in or covered by a provision in the agreement. GC Br. at 12. The GC argues that the Union’s proposal here concerns conditions of employment and is not specifically provided for by statute. Therefore, since the Agency had a duty to bargain over the proposal, McCrarey violated that duty when she sent “the unmistakable message that the Respondent was unwilling to bargain with the Union over the additional cybersecurity protections.” Id. at 16.
The GC asserts that the Union’s proposal concerns conditions of employment because it pertains to bargaining unit employees and relates to information employees need to submit in order to obtain and retain employment at the Agency. Id. at 13. Although the proposal extends benefits to non-employee family members, it is still within the duty to bargain,
because it “vitally affects” bargaining unit employees’ conditions of employment. Id. The GC rejects the Respondent’s argument that § 632 of the Appropriations Act “specifically provided for” the subject of identity theft: first, because the statute is “unrelated” to the Union’s proposal, and second, because the law was passed after the Agency had already refused to bargain. Id. at 14-15.
Finally, the GC argues that McCrarey’s repeated assertions to Derby that the Agency had no duty to bargain over the proposal superseded her earlier submission of a counterproposal, and that her denial of that duty “amounted to a refusal to negotiate . . . .” Id. at 15. The GC cites a variety of cases holding that a party negotiates in bad faith when it signals to the other party that it would be futile to submit additional proposals. See Fed. Bureau of Prisons, Fed. Corr. Inst., Bastrop, Tex., 55 FLRA 848, 855 (1999) (FCI Bastrop); Blue Grass Army Depot, Richmond, Ky., 50 FLRA 643, 653 (1995) (Blue Grass); and U.S. Dep’t of Health & Human Servs., Pub. Health Serv., Indian Health Serv., Indian Hosp., Rapid City, S.D., 37 FLRA 972, 981 (1990) (IHS).
The Union reiterates the General Counsel’s position that its proposal concerns a condition of employment. Bargaining unit employees and applicants were required by the Agency to provide the personal information that was subsequently stolen from OPM; therefore, the cybertheft was directly related to their work status. CP Br. at 5-6. The Union also contends that McCrarey acted insincerely in her dealings with Derby and thus bargained in bad faith. In this regard, McCrarey’s insistence that the Agency had no duty to bargain was inconsistent with her submission of a counterproposal, and she made it clear that pursuing further negotiations would have been futile. Id. at 8.
The Agency asserts a number of reasons why it had no duty to bargain over the Union’s proposal. First, it insists that the proposal does not concern conditions of employment. Resp. Br. at 14. While it acknowledges that the proposal relates to bargaining unit employees, it argues that it does not pertain to how employees perform their jobs, and therefore does not meet the definition of “conditions of employment,” as articulated in Antilles Consol. Educ. Ass’n, 22 FLRA 235, 236-37 (1986) (Antilles). Resp. Br. at 15-17. Moreover, since the subject matter of the Union’s proposal (identity theft protection for federal employees affected by the OPM data breach) is specifically provided for by federal statute (§ 632 of the Appropriations Act), which gives OPM sole discretion to provide benefits in response to the cyberattacks, the proposal is not a condition of employment.
Id. at 23-25.
Next, the Agency argues that the Union’s proposal affects management’s right to contract out under § 7106(a)(2)(B) of the Statute because it “dictate[s] that the Agency use CSID as the provider of the services it was seeking.” Id. at 25-26. The Agency contends that the proposal is not an appropriate arrangement under § 7106(b)(3) of the Statute, because it requires that the contract with CSID last for as long as employees are in the bargaining unit,
and because employees were already receiving identity protection services through OPM and Identity Force. Id. at 19-20, 26-27. In addition, the Respondent contends that the Union’s proposal is outside the duty to bargain because it extends coverage to non-employee family members. Id. at 16, 20-21 (citing Nat’l Ass’n of Gov’t Emps., Local R1-109, 61 FLRA 593, 597 (2006) (NAGE)).
The Respondent further argues that the Union’s proposal is covered by Article 20 (of the ATO-CBA) and by Article 94 (of the AVS-CBA). Id. at 28. Like the Union’s proposal, the contract articles address the problem of records maintained by the FAA being stolen or improperly disseminated and prescribe a specific course of action; therefore, Respondent insists that further bargaining on the same issue is not required.
Finally, the Agency contends that at the same time as McCrarey was expressing her doubts to the Union whether the Agency was required to bargain over the data breach, she was in fact negotiating with Derby and did so in good faith. In support, the Agency notes that McCrarey responded to the Union’s bargaining request; kept Derby informed as to the Agency’s preparation of a counterproposal; submitted a counterproposal which incorporated one portion of the Union’s proposal; and explained in detail to Derby why the Agency could not accept other aspects of the Union’s proposal. Moreover, McCrarey never stated that she was unwilling to engage in further bargaining. Id. at 10-14. Although the Agency refused to accept the Union’s proposal for additional identity theft insurance, McCrarey’s communications with Derby did not convey the impression that further negotiations were futile; on the contrary, they should have encouraged the Union to continue the dialogue.
ANALYSIS AND CONCLUSIONS
The GC’s Motion to Strike
After post-hearing briefs were submitted, the General Counsel filed a Motion to Strike portions of the Respondent’s brief, because they refer to matters or documents that are not part of the record. The GC asks that I strike: (1) excerpts of Article 20 of the ATO-CBA and Article 94 of the AVS-CBA, as well as references to Article 70 of both CBAs, because the Respondent failed to enter these articles into evidence at the hearing; (2) the Respondent’s covered-by argument, because it is based on Articles 20 and 94; (3) “Agency
Attachment 1,” which was appended to Respondent’s brief and contains excerpts of the hearing transcript, because it is not an exhibit and “serves to confuse the record”; and (4) references to identity theft protection provided to employees through a company called Magellan, because there is no reference to, or details of, such protection in the record. The GC further asserts that it would be prejudiced by a consideration of facts that it did not have an opportunity to contest at the hearing.
Respondent filed the Agency’s Response to General Counsel’s Motion to Strike, asserting that: (1) Article 20 of the ATO-CBA and Article 94 of the AVS-CBA were referenced in the General Counsel’s Motion for Summary Judgment (MSJ) and the Agency’s Opposition to the MSJ (Opposition), which were admitted into evidence at the hearing as GC Exhibits 1(j) and 1(k); (2) Article 70 of both CBAs is also part of the record, although it
does not specify where; (3) the Respondent raised its covered-by defense in its Opposition, and McCrarey explained the basis for the defense at the hearing (see Tr. 51); and (4) the attachment was provided as a courtesy and does not prejudice any party. Respondent also appears to assert that its reference to Magellan identity theft protection should not be stricken, but it does not provide any arguments explaining why.
The Authority has indicated that it is proper for an administrative law judge to refuse to consider documents that could have been, but were not, entered into evidence. See Pension Benefit Guar. Corp., 59 FLRA 48, 50 n.5 (2003) (PBGC) (finding that the judge did not err in refusing to admit certain documents when the respondent failed to introduce those documents prior to filing its post-hearing brief); see also U.S. Dep’t of the Treasury, U.S. Customs Svc., Sw. Region, Hous., Tex., 43 FLRA 1362, 1368 (1992) (documents not admitted into evidence at the hearing may not be submitted after the hearing).
The Magellan contract, allegedly providing identity theft protection to the Agency’s employees through its Employee Assistance Program, was never mentioned at the hearing or offered into evidence. I see no justification for the Respondent to inject any reference to that contract into the record after the hearing, and the Respondent has not offered any persuasive justification. Therefore, I will strike any references to the Magellan contract or any details about it.
It is less clear, however, whether Articles 20, 70, and 94 are part of “the record.” Respondent correctly notes that the GC first cited these articles in its MSJ, anticipating (correctly) that the Respondent would use them as the basis for a covered-by defense. The GC referred to the three CBA provisions in general in its motion, but didn’t quote the precise language of the articles. See MSJ (GC Ex. 1(j)) at 7-8 & Ex. 1 of MSJ at 1-2. However, the Respondent did attach the entirety of Articles 20 and 94 (but not Article 70) as Exhibit 9(a) of its Opposition (GC Ex. 1(k)). For reasons that were not addressed or otherwise explained, the General Counsel offered the briefs in support and in opposition to the MSJ at the hearing
as part of the Formal Papers (GC Ex. 1), but the exhibits in support of those briefs were not incorporated into the Formal Papers. As a result, the hearing transcript is incomplete. Nonetheless, we do have the text of Articles 20 and 94 in “the record,” as both the MSJ and the Opposition were properly filed and are a part of the record of this case. Therefore, while it might have been preferable for the Respondent to support its covered-by defense by offering the text of those articles as a hearing exhibit, it is still appropriate to consider them now. And while the record does not include the actual text of Article 70, both parties asserted in their arguments regarding the MSJ that Article 70 relates to midterm bargaining, and I will consider the Respondent’s references to Article 70 in that respect. Therefore, I deny the motion to strike the Respondent’s references to Articles 20, 70, and 94 in its post-hearing brief. Moreover, since the text of Articles 20 and 94 is part of the record, the Respondent had an evidentiary basis for its covered-by defense, and I deny the GC’s request to preclude the Respondent entirely from raising the defense.
With respect to the excerpts of the transcript attached to the Respondent’s post-hearing brief, I consider them to be part of the Respondent’s arguments, and I see nothing improper or prejudicial in them. Although the Respondent could have simply cited directly to the transcript in its brief, without the attachment, this is within the discretion of counsel, and I deny the motion to strike the attachment.
Respondent Was Not Obligated To Bargain Over the Union’s Proposal
Agencies are obligated during the term of a collective bargaining agreement to bargain on negotiable union proposals concerning conditions of employment not covered by the existing agreement, unless the union has waived its right to bargain about the subject matter involved. U.S. Dep’t of the Interior, Wash., D.C., 56 FLRA 45, 54 (2000). The Agency insists that the Union’s proposal in this case does not concern conditions of employment; that benefits for employees’ family members are outside the duty to bargain; that the proposal is covered by the CBAs with the Union’s two bargaining units; and that it is not negotiable because it excessively interferes with management’s right to contract out. I agree with the Respondent that by requiring the Agency to obtain identity theft insurance with a specific company, the Union’s proposal is not consistent with applicable law, and the Agency was therefore not required to bargain over it. However, I disagree with Respondent’s other reasons for denying its duty to bargain, and I will address these reasons first, so that the parties will understand their obligations going forward.
One note of explanation: Throughout this decision, I refer generally to the Union’s “proposal,” even though the Union offered an “initial bargaining proposal” on July 1
(Jt. Ex. 1 at 1) and a “revised bargaining proposal (“U2”)” on July 30 (Jt. Ex. 2 at 1). I do so because I interpret the revised proposal – both its literal language as well as the parties’ conduct in discussing the issues related to it – as superseding the initial proposal. While U2 does not explicitly state that the earlier proposal was being withdrawn or replaced, U2 incorporates the language of the earlier proposal virtually verbatim, except that the credit
monitoring services and identity theft insurance apply to both employees and their family members. Additionally, the discussions on December 1 between Derby and McCrarey referred only to one proposal (i.e., U2). Therefore, I will evaluate the Agency’s bargaining obligation only regarding U2.
The Union’s Proposal Concerns Conditions of Employment
The parties dispute whether the Union’s proposal concerns conditions of employment. Section 7103(a)(12) of the Statute defines “collective bargaining” as “the performance of the mutual obligation . . . to . . . bargain in a good-faith effort to reach agreement with respect to
the conditions of employment affecting such employees . . . .” Section 7103(a)(14), in turn, defines “conditions of employment” generally as “personnel policies, practices, and matters, whether established by rule, regulation, or otherwise, affecting working conditions.” The latter section excludes from the definition of conditions of employment “such matters [that] are specifically provided for by Federal statute.” 5 U.S.C. § 7103(a)(12)(C).
In order to determine whether a matter concerns a condition of employment, the Authority applies a two-pronged test, asking whether the matter pertains to bargaining unit employees and whether there is a direct connection between the matter and the work situation or employment relationship of unit employees. Antilles, 22 FLRA at 237.
It is clear to me that the Union’s proposal for identity theft insurance and credit monitoring concerns a condition of employment. With respect to the first prong of the test, there is no dispute that the cyberattacks affected bargaining unit employees. With respect to the second prong, there is a direct connection between the matter addressed by the proposal (the personnel and background investigation data which was compromised in the cyberattacks) and the work situation or employment relationship of unit employees. The data breached in the cyberattacks was contained in employee personnel files and background investigation records. Almost by definition, information contained in personnel files and the like concerns the work situation or employment relationship. Cf. Davis-Monthan AFB, Tucson, Ariz., 42 FLRA 1267, 1275 (1991) (leave and earning statements concern conditions of employment). A direct connection is also indicated by the fact that the data breached in the cyberattacks was data that individuals needed to submit in order to work at the Agency. The connection is further supported by Derby’s testimony that the personnel data stolen in the cyberattacks could damage employees’ credit ratings and harm their chances for promotions. Employees have a strong interest in ensuring that their personnel information remains secure, and in protecting themselves from financial damage when their privacy is breached. The Agency itself has recognized a link between the work situation of its employees and
providing those employees with credit monitoring and identity theft protection, as it has offered employees such protection and related services since 2009. When the 2015 data breaches were discovered, the Agency reminded employees in its June 30 email that such services were available. Resp. Ex. 1 at 1-2. That letter expressed the Agency’s clear understanding that the theft of employee personnel data affected the work situation of FAA employees directly, unlike other widely-publicized thefts of financial information from private businesses. The Antilles test has been met.
The Respondent’s arguments to the contrary are not persuasive. It claims that conditions of employment pertain only to the ways employees perform their jobs. However, the term is far broader than the Respondent claims. See Am. Fed’n of Gov’t Emps., Local 1547, 64 FLRA 635, 636-37 (2010) (proposals relating to food prices concern conditions of employment); Gen. Servs. Admin., Region 10, Auburn, Wash., 47 FLRA 585, 593 (1993) (the availability of day care facilities concerns conditions of employment). The Authority has held that employee fringe benefits such as health insurance are conditions of employment, where they are not otherwise fixed by statute. Am. Fed’n of Gov’t Emps., Local 1857, 36 FLRA 894, 899-901 (1990). Respondent further argues that the Union’s proposal was triggered by the theft of data from an OPM database, and that the FAA has no
control over the security procedures used by OPM. But the Union is not proposing that OPM take specific actions as a result of the data breach; it is proposing that the FAA offer certain insurance protections to bargaining unit employees who provided personal information to the FAA, which was then forwarded to OPM and stolen, jeopardizing the credit and finances of FAA employees. Just as the Agency had previously purchased credit monitoring services and insurance for employees starting in 2009, it was within the Agency’s discretion to expand the amount of that insurance and to extend it to employees’ family members whose personal data had been stolen.
The Respondent also argues that the subject matter of the Union’s proposal is not a condition of employment because it is specifically provided for by federal statute – § 632 of the Appropriations Act. Section 7103(a)(14)(C) of the Statute excludes from the definition of “conditions of employment,” and thus from the duty to bargain, matters that are “specifically provided for by Federal statute;” but a mere reference to a matter in a statute is not sufficient for this purpose. A matter is “specifically provided for” within the meaning of subsection (C) only to the extent that the governing statute leaves no discretion to an agency. Insofar as an agency has discretion, the discretion is subject to negotiation. Int’l Ass’n of Machinists & Aerospace Workers, Franklin Lodge No. 2135, 50 FLRA 677, 681-82 (1995).
Section 632 of the Appropriations Act requires that OPM provide individuals affected by the two data breaches with complimentary identity protection coverage of at least $5,000,000 for at least ten years. But while it imposes some requirements and restrictions on OPM, it does not impose any restrictions on the FAA. And even if the restrictions on OPM also apply to the FAA, the Act still leaves the FAA with some discretion. For example, while it establishes a minimum amount of coverage, it does not establish a maximum amount of coverage or set other details regarding coverage. For these reasons, I reject the Respondent’s claim that the Union’s proposal is specifically provided for by statute.
The Respondent similarly argues that § 632 gave OPM sole discretion to provide benefits in response to the cyberattacks. When a law or regulation gives an agency “sole and exclusive discretion” over a matter, the Authority has found that it would be contrary to law to require that discretion to be exercised through collective bargaining. In resolving an agency’s claim of sole and exclusive discretion, the Authority examines the wording and legislative history of the statute or regulation at issue. The Authority has found that laws giving agency officials the authority to make certain determinations “without regard to the provisions of other laws,” or “notwithstanding any other provision of law,” demonstrate sole and exclusive discretion. See, e.g., Am. Fed’n of Gov’t Emps., Local 3295, 47 FLRA 884, 894-95 (1993).
As discussed above, § 632 of the Appropriations Act pertains to OPM, not the FAA. Accordingly, the Appropriations Act does not provide the Agency with sole and exclusive discretion over a matter. Moreover, nothing in § 632 indicates an intent to give OPM unfettered discretion regarding identity theft protection for all federal employees or to prohibit collective bargaining over identity theft protection. For example, the provision does
not state that it is to be considered “without regard to the provisions” of the Statute. Further, since the provision does not set a maximum amount of coverage or fix other details concerning coverage, the language strongly suggests that discretion can be exercised by individual agencies in collective bargaining. Rather than comprehensively regulating the subject of identity theft protection for federal employees or reserving the entire subject to OPM control, § 632 is very narrow and specific in its scope. Accordingly, and as the Respondent cites no legislative history to support its contrary claim, I find that the Appropriations Act does not give OPM sole and exclusive discretion over the subject of the Union’s proposal.
In summary, the proposal pertains to bargaining unit employees, is directly connected to employees’ employment relationship, and is not specifically provided for by federal statute. It therefore concerns conditions of employment.
The Proposal is Not Covered by the CBAs
Next, the Respondent argues that the Union’s proposal is covered by Article 20 of the ATO-CBA and Article 94 of the AVS-CBA. The “covered by” doctrine excuses parties from bargaining when they have already bargained and reached agreement on the matter at issue. U.S. Dep’t of the Treasury, IRS, 63 FLRA 616, 617 (2009) (citing U.S. Dep’t of HHS,
Soc. Sec. Admin., Balt., Md., 47 FLRA 1004, 1015 (1993) (SSA)). The Authority has established a two-pronged test to determine whether a matter is covered by a collective bargaining agreement. A party raising the defense bears the burden of providing a record to support it. See Nat’l Fed’n of Fed. Emps., Fed. Dist. 1, Local 1998, IAMAW, 66 FLRA 124, 126 (2011) (Local 1998).
The first prong involves an examination as to whether the subject matter is expressly contained in the agreement. An exact congruence of language is not required; instead, the matter is “covered” if a reasonable reader would conclude that the contract provision settles the matter in dispute. SSA, 47 FLRA at 1018. The Authority has found that the subject matter of a proposal is expressly contained in a contract provision when the proposal would modify or conflict with the express terms of the provision. Local 1998, 66 FLRA at 126. If the agreement does not satisfy the first prong of the test because it does not expressly contain the matter, the Authority applies the second prong, to consider whether the subject is inseparably bound up with, and thus plainly an aspect of, a subject covered by the agreement.
SSA, 47 FLRA at 1018. Doing so may involve an examination of the parties’ intent and bargaining history. A matter must be more than tangentially related to a contract provision to be covered by the agreement. Rather, the party asserting the “covered by” argument must demonstrate that the subject matter of the proposal is so commonly considered to be an aspect of the matter set forth in the agreement that the negotiations that resulted in that provision are presumed to have foreclosed further bargaining over the matter. Id. at 1018-19.
The Respondent bases its covered-by argument on Article 20 of the ATO-CBA, and Article 94 of the AVS-CBA, which provide:
Section 2. The parties recognize the growing threat of identity theft and the importance of protecting Personal Identifiable Information (PII) provided by employees. If any record(s) maintained by the Agency on any bargaining unit employee(s) become lost, stolen, and/or improperly dispersed, the Agency shall immediately notify the Union at the national level and the affected employee(s). The Agency shall assist the Union and the employee(s) in resolving the problem.
GC Ex. 1(k), Exs. 9(a) and (b); also contained at Exs. 9(a) and (b) of Agency’s Opposition to GC’s MSJ.
The Respondent argues that the Union’s proposal is covered by this contractual language, as the proposal concerns records maintained by the Agency on bargaining unit employees that were stolen in the cyberattacks. Id. at 29. While it is not entirely clear whether the 2015 cyberthefts involved records maintained by the FAA, since the thefts were of OPM records at least partially forwarded to OPM by FAA, I will assume that the language of Articles 20 and 94 addresses the type of breaches that occurred in 2015. After all, the Union and the General Counsel rely on the fact that FAA employees were victimized because they provided personal information to the FAA, which was subsequently stolen, and it is this connection which supports the Union’s proposal. But while Articles 20 and 94 address the general subject of the misuse of personal data, they merely open the book on the subject
without settling anything. While these articles state that the Agency “shall assist the Union and the employee(s) in resolving the problem[,]” the Union’s current proposal seeks to specifically address how to resolve it: namely, by providing the employees and their family members with identity theft insurance and credit monitoring. As such, the Union’s proposal – which provides specific steps in response to the cyberattacks at issue here – does not modify or conflict with Articles 20 and 94. Significantly, Articles 20 and 94 do not even impliedly prohibit such insurance and protection; indeed, the “assistance” cited in those articles could conceivably include identity theft insurance and credit monitoring, if the parties so agreed. For these reasons, I conclude that the proposal is not covered by the CBAs under the first prong of the covered-by test.
There is also insufficient evidence to find that the Union’s proposal is inseparably bound up with, and thus plainly an aspect of, Articles 20 and 94. In this regard, the Respondent has not cited bargaining history or other extrinsic evidence showing that the parties had previously bargained over identity theft insurance or credit monitoring. Moreover, the fact that Articles 20 and 94 do not state specific steps that the Agency must take in response to data theft indicates that it was assumed that the parties would determine such steps in subsequent negotiations. See U.S. Dep’t of Hous. & Urban Dev., 66 FLRA 106, 109 (2011) (noting that the Authority has declined to find a matter covered by an agreement where the agreement specifically contemplates bargaining). As such, it cannot be said that Articles 20 and 94 were intended to foreclose bargaining on the matters raised by the Union’s proposal. For these reasons, I find that the Union’s proposal is not covered by the CBAs under the second prong of the covered-by test.
Proposed Coverage of Family Members Vitally Affects Unit Employees
Over the years, the Authority and the courts have faced recurring disputes over union proposals that affect both bargaining unit employees and individuals outside the unit. Looking at various sections of the Statute, the Authority begins with the premise that “a union’s rights to bargain and to take other actions are confined to matters pertaining to the employees in the bargaining unit.” Am. Fed’n of Gov’t Emps., Local 32, 51 FLRA 491,
498-507 (1995) (AFGE II). In the context of our case, this means that the Union represents the employees in the ATO and AVS bargaining units, not the spouses and children of those employees. But even proposals directed toward unit employees have a persistent habit of affecting individuals outside the unit as well, and that is where the difficulties arise.
In AFGE II, the Authority reviewed the roller-coaster history of this issue, culminating in its adoption of a “vitally affects” test. After having utilized different methods of weighing or balancing the impact of a proposal on employees (or non-employees) inside and outside the unit, and after being repeatedly urged to do so by the D.C. Circuit, the Authority adopted, in Am. Fed’n of Gov’t Emps., Local 32, AFL-CIO, 33 FLRA 335 (1988) (AFGE I), the same test that the Supreme Court had applied to private sector bargaining proposals implicating third parties: “[T]he question is not whether the third-party concern is antagonistic to or compatible with the interests of bargaining-unit employees, but whether it vitally affects the ‘terms and conditions’ of their employment.” Allied Chemical & Alkali
Workers of Am., Local Union No. 1 v. Pittsburgh Plate Glass Co., Chemical Div.,
404 U.S. 157, 179 (1971) (footnote omitted), quoted by the Authority in AFGE II, 51 FLRA at 503. Thus the Authority held in AFGE I that it would no longer consider the effects of a proposal on nonunit employees; instead, it would find a proposal within the duty to bargain if it “(1) vitally affects the working conditions of unit employees, and (2) is consistent with applicable law and regulations.” AFGE I, 33 FLRA at 338.
The Authority followed this approach too far, however, and it was forced to limit the scope of the test. In U.S. Dep’t of the Navy, Naval Aviation Depot, Cherry Point, N.C. v. FLRA, 952 F.2d 1434, 1441-43 (D.C. Cir. 1991), the same court that pushed the Authority to adopt the vitally affects test held that the test could not be applied to union proposals that
directly implicate the interests of supervisors or employees in other bargaining units. The court explicitly recognized, however, that the vitally affects test was appropriate in evaluating the duty to bargain over proposals implicating the rights of non-employees and employees who are not part of any bargaining unit. Id. at 1442.
That brings us to the Union’s proposal in our case, which seeks to provide credit monitoring services and identity theft protection to a specific group of non-employees: unit employees’ family members whose personal data was also stolen from OPM. Are unit employees’ conditions of employment vitally affected by offering identity theft protection to their family members?
In Am. Fed’n of Gov’t Emps., Local 1923, 44 FLRA 1405 (1992), the Authority applied the “vitally affects” test to a proposal that required the agency to use EEO principles toward both employees and job applicants. The Authority found that unit employees had a “significant and material interest in eliminating discrimination in the unit,” and that the union’s efforts in this regard “would be severely impeded . . . if it were required to wait until the hiring process is complete.” Id. at 1420 (citing an NLRB decision, Star Tribune, 295 NLRB 543, 549 (1989)). It distinguished the anti-discrimination proposal from a proposal in Nat’l Ass’n of Gov’t Employees, Fed. Union of Scientists & Eng’rs, Local R1-144, 42 FLRA 730 (1991) (Local R1-144), that would have required contractors on the naval base to undergo drug testing. In the latter case, there was no evidence regarding the extent of contact between unit employees and contractors, which might support a need to drug-test contractors, and the proposal had, “at best, an indirect or incidental effect on unit employees’ working conditions.” Id. at 743. Similarly, in Nat’l Ass’n of Gov’t Emps., Local R-109, 66 FLRA 278 (2011), a proposal to prohibit the agency from assigning certain types of duties to Compensated Work Therapy patients did not vitally affect the working conditions of unit employees. The patients in question were part of a federal program that allows some patients in VA facilities to perform certain types of work, for pay, for therapeutic purposes; however, the patients are not considered federal employees. While the union argued that its proposal sought to protect the safety of unit employees, the Authority held that the union had not submitted any evidence that the proposal vitally affected their conditions of employment. Id. at 279-81.
I find ample evidence to conclude that the proposal to provide identity theft protection for family members affects the vital interests of bargaining unit employees. OPM notified employees that personal data had been stolen not only from federal employees but also from their families. In applying for positions at the FAA, applicants and employees had entrusted the Agency with personal information about themselves and about family members; that information was forwarded to OPM and then stolen twice. The Union sought credit monitoring and identity theft insurance for unit employees, because the data theft may enable unauthorized people to obtain credit or to perpetrate some other criminal act in their name. But those protections were also sought for the family members of unit employees, because many of those family members were also victims of the cybertheft and were equally vulnerable to financial or even criminal liability. Moreover, this potential vulnerability of family members was directly attributable to the fact that a bargaining unit employee had provided that information to the FAA. Thus, bargaining unit employees are significantly and
materially affected in two ways by obtaining identity theft and other coverage to their family members: First, a financial loss incurred by a family member will also harm the unit employee, and insurance may prevent or ameliorate such a loss. Second, if family members are not covered, those family members (and relatives of future applicants and employees) will be less likely to cooperate in the future in allowing their personal information to be given to the FAA, thereby making the entire application, promotion, and security clearance processes much more difficult for everyone. In the Appropriations Act, Congress recognized these factors as well and considered them important, as it authorized identity theft insurance not just for federal employees, but for each “affected individual” whose Social Security number was compromised. Resp. Ex. 3 at 5.
Accordingly, I conclude that the proposal vitally affects the conditions of employment of bargaining unit employees. However, the test has a second requirement, that it must be consistent with applicable law, including the management rights provisions of § 7106 of the Statute. Local R1-144, 42 FLRA at 746-50. I will address this issue in the next section, as it affects both the proposal to protect employees and the proposal to protect family members of employees.
The Proposal Interferes with the Agency’s Right to Contract Out
An agency’s obligation to bargain is predicated on the union’s submission of negotiable proposals, and an agency may refuse to bargain when it contends that the proposals submitted by the union are nonnegotiable. In an unfair labor practice case, the respondent has the burden of demonstrating that all the proposals on the table are nonnegotiable. PBGC, 59 FLRA at 50; see also U.S. Patent & Trademark Office, 57 FLRA 185, 192 (2001). The Authority has indicated that a proposal that dictates the company with which an agency contracts affects management’s right under § 7106(a)(2)(B) to contract out. See Int’l Org. of Masters, Mates & Pilots, Pan. Canal Pilots Branch, 32 FLRA 269, 272-73 (1988) (Panama Canal) (“Management cannot be required to contract with specific laboratories for the performance of drug tests.”) Even when union proposals have imposed less specific restrictions on an agency’s right to contract out, the Authority has found them
nonnegotiable. Am. Fed’n of Gov’t Emps., Local 12, 61 FLRA 209, 210 (2005) (management of agency fitness center); Nat’l Fed’n of Fed. Emps., Local 1214, 45 FLRA 1222, 1224 (1992) (“Proposals that establish substantive criteria governing the exercise of a management right directly interfere with that right.”)
As Derby acknowledged, the Union’s proposal requires the Agency to use a specific contractor, CSID, to provide free credit monitoring services and identity theft insurance to employees and non-employee family members. Tr. 28. By requiring the Agency to use CSID, rather than another contractor of the Agency’s choosing, the Union’s proposal affects management’s right to make determinations with respect to contracting out. Because the Union’s proposal affects that right under § 7106(a)(2)(b) of the Statute, it is necessary to consider whether the proposal is nevertheless negotiable under § 7106(b) of the Statute. See U.S. Dep’t of the Navy, Naval Aviation Depot, Jacksonville, Fla., 63 FLRA 365, 370 (2009).
Because requiring the Agency to contract with a particular vendor to provide identity protection services concerns substantive rather than procedural matters, I cannot find that the Union’s proposal is negotiable under § 7106(b)(2). Similarly, the proposal does not involve a matter on which the Agency might elect to negotiate under § 7106(b)(1).
Looking next to § 7106(b)(3) of the Statute, I consider whether the proposal is an appropriate arrangement for employees adversely affected by the Agency’s exercise of a management right, utilizing the analytical framework set forth in Nat’l Ass’n of Gov’t Emps., Local R14-87, 21 FLRA 24 (1986) (KANG). Under this framework, the Authority first determines whether the proposal is intended to be an arrangement for employees adversely affected by the exercise of a management right. Id. at 31. In order for a proposal to be an arrangement, there must be adverse effects or reasonably foreseeable adverse effects on employees that flow from the exercise of management’s rights. Id. An arrangement must also be tailored to compensate employees suffering adverse effects attributable to the exercise of management’s rights. Am. Fed’n of Gov’t Emps., Local 3935, 59 FLRA 481, 483 (2003). However, an arrangement need not target in advance the specific employees who will be adversely affected. Am. Fed’n of Gov’t Emps., Local 1170, 64 FLRA 953, 959-60 (2010). If the proposal is an arrangement, then it must be determined whether it is appropriate, or whether it is inappropriate because it excessively interferes with the relevant management rights, weighing the benefits afforded to employees against the intrusion on the exercise of management’s rights. See KANG, 21 FLRA at 31-33. Proposals depriving an agency of all discretion in exercising management rights have been found by the Authority to excessively interfere with those rights. See, e.g., Am. Fed’n of Gov’t Emps., Council of Prison Locals 33, Local 506, 66 FLRA 929, 937 (2012).
The Union’s proposal fails at virtually every step of this analysis. Most fundamentally, the proposal clearly was not designed at all to address the Agency’s exercise of a management right; instead, it was a midterm proposal by the Union to help employees adversely affected by the theft of their personal information stored by OPM. There was no action taken by the FAA, pursuant to its § 7106(a) management rights, that the Union was responding to; accordingly, the “impact and implementation” provisions of § 7106(b) are not
triggered at all. And while the proposal seeks to require the Agency to enter into a contract for credit monitoring and identity theft insurance (a contract which would involve the exercise of a management right under 7106(a)), the proposal is not designed to ameliorate the “adverse effects” of such a contract.
But even if the Union’s proposal were viewed as an arrangement under 7106(b)(3), it is clearly not appropriate. By requiring the Agency to provide identity theft protection services through CSID, the proposal deprives the Agency of any discretion whatsoever to select a vendor of these services on its own. Thus it is unnecessary to weigh the benefits and costs of the proposed arrangement, as the proposal totally ties the Agency’s hands in the selection of a vendor. In the Panama Canal case, the objectionable proposal simply required the use of a testing laboratory “mutually agreeable to the employee and the agency.” 32 FLRA at 270. Nonetheless, the Authority held that it “directly interferes” with the
agency’s right to contract out, and that it was outside the duty to bargain. Id. at 273. Similarly, I find that the Union’s proposal excessively interferes with management’s right to contract out, and that it is not an appropriate arrangement under § 7106(b)(3) of the Statute.
As noted above, both the Union’s initial proposal (to cover bargaining unit employees) and its revised proposal (to cover employees and their family members) share the fatal requirement that CSID provide the insurance and other services. Therefore, while the proposal for credit monitoring and identity theft for family members vitally affects the interests of bargaining unit employees, it is not negotiable, because it is not consistent with
§ 7106 of the Statute. The proposal to provide unit employees with these protections does not need to meet the “vitally affects” test, but it is nonnegotiable for the same reason.
Accordingly, the Respondent had no duty to bargain over the Union’s proposal, in either its initial or its revised form.
Respondent Bargained in Good Faith with the Union
Notwithstanding McCrarey’s statements to Derby that she was “not convinced” the Agency had a duty to bargain regarding the data breaches, the Agency did submit a counterproposal to the Union, and the parties did engage in substantive bargaining on the subject. Thus, even if the Agency had a duty to bargain over the Union’s proposal, I conclude that it satisfied that obligation and bargained with the Union in good faith.
Section 7103(a)(12) of the Statute defines collective bargaining as the “performance of the mutual obligation of the representative of an agency and the exclusive representative of employees in an appropriate unit in the agency to meet at reasonable times and to consult and bargain in a good-faith effort to reach agreement with respect to the conditions of employment affecting such employees . . . .” However, this obligation “does not compel either party to agree to a proposal or to make a concession.” 5 U.S.C. § 7103(a)(12). In addition, § 7114(b)(1) and (3) state that “[t]he duty of an agency and an exclusive
representative to negotiate in good faith . . . shall include the obligation . . . to approach the negotiations with a sincere resolve to reach a collective bargaining agreement . . . [and] . . . to meet at reasonable times and convenient places as frequently as may be necessary, and to avoid unnecessary delays.”
The Authority analyzes the totality of the circumstances in determining whether a party bargained in good faith. Am. Fed’n of Gov’t Emps., Council of Prison Locals 33, Locals 1007 & 3957, 64 FLRA 288, 290 (2009) (citing U.S. Dep’t of the Air Force Headquarters, Air Force Logistics Command, Wright-Patterson AFB, Ohio, 36 FLRA 524, 531 (1990) (Wright-Patterson AFB)). In so doing, the Authority looks at the parties’ actions to determine whether a party “has attempted to evade or frustrate the bargaining responsibility” outlined in § 7114(b) of the Statute. Div. of Mil. & Naval Affairs, State of New York, 7 FLRA 321, 338 (1981). For example, the Authority has found a failure to negotiate in good faith where an agency: failed to respond to a request to negotiate, failed to set dates for negotiation sessions, failed to attend a negotiation session in full, and submitted proposals that, among other things, would have precluded the union from seeking third-party
assistance in resolving impasses (Wright-Patterson AFB, 36 FLRA at 531-34); failed for five months to provide specific proposed dates for negotiations, and violated the parties’ ground rules (U.S. Dep’t of Justice, Exec. Office for Immigration Review, N.Y.C., N.Y., 61 FLRA 460, 465-66 (2006)); and did not submit negotiation proposals to the union (U.S. Dep’t of the Air Force, 12th Flying Training Wing, Randolph AFB, San Antonio, Tex., 63 FLRA 256, 261 (2009)). On the other hand, the Authority has declined to find an unfair labor practice when the respondent was not shown to have violated any of the basic obligations of good faith bargaining listed in § 7114(b). Nat’l Ass’n of Gov’t Emps., Local R3-10, 51 FLRA 1265, 1270 (1996).
Here, the record demonstrates that McCrarey approached the negotiations with Derby with a sincere resolve to reach an agreement concerning a response to the data breach. I base this in part on the fact that McCrarey engaged in open and substantive communications with Derby and demonstrated a willingness to accommodate the Union’s interests. Promptly upon receiving the Union’s proposal, she contacted Derby to discuss the proposal, and she advised him that it would take her longer than normal to develop a counterproposal. Tr. 68-69. The Union and management met that same month, and McCrarey alerted the Union when she learned that data pertaining to the family members of employees had also been compromised. She kept in touch with Derby periodically to provide updates on the status of the Agency’s counterproposal, and after she submitted that counterproposal to the Union, McCrarey attempted to keep the discussion going, even after Derby slammed the door shut. These factors support the conclusion that the Agency was bargaining in good faith.
One factor that gives me pause in reaching that conclusion is the five months it took for McCrarey to submit the Agency’s counterproposal. But as I noted above, rather than leaving the Union in the dark about management’s position, she explained why this issue was more complex than normal, why it required her to obtain approval from other departments in the Agency, and why she needed to research whether management even had a duty to bargain.
Tr. 69-70, 72-73. The counterproposal that McCrarey submitted also indicates that the Agency was acting in good faith. By adopting the Union’s “most favored nation” clause and offering the Union a seat at the BART committee, McCrarey showed that the Agency was looking for areas on which the parties could agree. As Derby conceded, the Agency “gave in a little bit[.]” Tr. 35.
The substantive bargaining between the Agency and the Union began and ended on December 1, and a comparison of the parties’ conduct on that date leaves the impression that McCrarey was more interested in give and take than Derby. Showing no appreciation for McCrarey’s attempt to find compromise language, Derby dismissed the Agency’s proposal out of hand and declared an impasse. Since the Agency’s proposal was “not even close to being acceptable[,]” Derby concluded that the parties were at impasse, and he appeared to slam the door shut on further discussion. Jt. Ex. 4 at 2. I believe that the declaration of impasse was premature, as the parties had only gone through a single round of exchanging written proposals and had yet to sit down in person to discuss the substantive details of each other’s offers. McCrarey’s immediate response to the declaration of impasse further shows
that the declaration was unfounded, as her willingness to continue discussions suggests that further bargaining might have produced progress toward an agreement. See Davis-Monthan AFB, 42 FLRA at 1279 (no impasse, where evidence did not show that further bargaining would have been fruitless).
If the Agency had been uninterested in reaching an agreement, as the Union claims, Derby’s immediate declaration of impasse on December 1 would have been a perfect opportunity for the Agency to terminate negotiations. In response to Derby’s assertion that they were at impasse, McCrarey explained the reasons for management’s proposal, and she further explained why the Agency could not afford to pay for an expansion of the credit monitoring and identity theft insurance that it (as well as OPM) already provided. Although McCrarey was firm in explaining the Agency’s position, she made a sincere attempt to keep the bargaining process going. By stating that the Agency could not pay for these services “for the length of time you propose or the amount you proposed[,]” McCrarey essentially invited Derby to submit a compromise proposal, one that offered services for a different length of time or in a lower amount. Jt. Ex. 4 at 1. Derby ignored that invitation, without even explaining why these issues didn’t warrant further discussion. Instead, he seemed more intent on proceeding to the impasse resolution procedure, in order to “short circuit” what he perceived to be the Agency’s stalling tactics. Tr. 25. While the Union was certainly entitled to move toward impasse resolution, its rush to do so contradicts its claim that the Agency was uninterested in reaching an agreement. Taken as a whole, McCrarey’s words and actions show that the Agency was negotiating in good faith.
The contrary arguments raised by the General Counsel and the Charging Party are not persuasive. The General Counsel asserts that McCrarey’s statements “amounted to a refusal to negotiate . . . .” GC Br. at 15 (emphasis added). To the extent that the GC is asserting that McCrarey actually refused to negotiate with the Union, I reject the claim. McCrarey did not refuse to negotiate, and Derby acknowledged this at the hearing. Tr. 38. I also reject any claim that McCrarey’s refusal to accept the credit monitoring/identity theft insurance portions of the Union’s proposal was a sign of bad faith, as the Statute “does not compel either party to agree to a proposal or to make a concession.” 5 U.S.C. § 7103(a)(12). In rejecting those portions of the Union’s proposal, McCrarey explained her reasons for doing so, which was more communicative than Derby’s abrupt declaration of impasse.
The GC and the Union argue that the Agency acted in bad faith because McCrarey stated that the Union’s proposal was outside the duty to bargain. I reject this claim too, as it is based on an incorrect premise. Rather than denying a duty to bargain outright, McCrarey clearly offered that as an argument made simultaneously with an alternative argument that accepted the possibility that the Agency had a duty to bargain. Jt. Ex. 4 at 1. Since McCrarey accepted the possibility that the Agency might have a duty to bargain, and since she acted as if the Agency had such a duty (by offering a counterproposal and attempting to keep the Union at the table), I reject the conclusion that McCrarey’s questioning of the Agency’s duty to bargain is an indication of bad faith. Indeed, McCrarey may have actually
been doing the Union a favor – her questioning gave Derby an opportunity to prove her wrong without resorting to litigation, and it also gave Derby another opening to submit additional proposals. 
Moreover, even if McCrarey’s words could be interpreted as an unqualified assertion that the Union’s proposal was outside the duty to bargain, that alone would not prove bad faith. In this regard, the Authority has indicated that unless an agency refuses to bargain over a proposal substantially identical to one which the Authority has previously determined to be negotiable under the Statute (neither the GC nor the Union has cited such a proposal here), an agency’s mere assertion that a proposal is outside the duty to bargain is not unlawful. Dep’t of Veterans Affairs, Wash., D.C., 53 FLRA 236, 240 (1997). For these reasons, I find that it was not unlawful for McCrarey to express doubt about the Agency’s obligation to bargain over the Union’s proposal.
The General Counsel asserts that McCrarey’s emails on December 1 signalled to the Union that it would be futile to submit additional proposals. But given the evidence discussed above – including McCrarey’s willingness to compromise by adopting the Union’s “most favored nation” clause, and her attempt to bring Derby back to the table – it is clear that McCrarey was inviting further negotiations rather than foreclosing them.
Similarly, the decisions cited by the GC do not support its “futility” argument, as those decisions involve situations where the agency refused to bargain on any proposals that might be submitted. In FCI Bastrop, 55 FLRA at 855, the agency said it would consider, but not negotiate, the union’s proposals; in Blue Grass, 50 FLRA at 653, the agency indicated that no union proposal, however valid, would be entertained; and in IHS, 37 FLRA at 979-81, management refused to entertain any proposals over a change in conditions of employment. Here, by contrast, the Agency tempered its expressions of doubt regarding its duty to bargain with substantive discussions about the details of the Union’s proposal, with a substantive counterproposal of its own, and with an effort to keep the discussion open even when the Union sought to close it. While it is impossible to surmise whether further negotiations would have produced an agreement, I can state with confidence that McCrarey was trying to find common ground for agreement, and that she was not telling Derby that further bargaining was futile. The Union made a decision on its own that further bargaining would not be successful, and while this was within its rights, it cannot accuse the Agency of bad faith bargaining.
For the reasons discussed above, I find that while some of the objections raised by the Agency to bargaining over the Union’s proposal were without merit, one of those objections was valid (i.e., the proposal that a specific company provide the credit monitoring and identity theft coverage excessively interferes with the Agency’s statutory right to contract out). Additionally, while the Agency questioned whether it had a duty to bargain over the proposal, it proceeded to do so, and it negotiated in good faith. Therefore, I conclude that the Agency did not violate § 7116(a)(1) and (5) of the Statute.
Accordingly, I recommend that the Authority issue the following order:
It is ordered that the Complaint be, and hereby is, dismissed.
Issued, Washington, D.C., March 22, 2017
RICHARD A. PEARSON
Administrative Law Judge
 Hereafter, all dates are in 2015, unless otherwise noted.
 The Union’s July 1 proposal states, in pertinent part:
1. The Agency shall provide all [bargaining unit] employees . . . the opportunity to apply for credit monitoring services and identity theft insurance from CSID in order to mitigate the risk of fraud and identity theft. These services shall be offered at no cost to the employees. The opportunity to participate in these services from CSID shall be provided for the full length of each employee’s employment in an FAA bargaining unit position. The identity theft insurance coverage shall be at a coverage limit of $1,000,000. This insurance coverage limit shall be increased from time-to-time by agreement of the Parties to keep pace with the industry standard regarding identity theft insurance. If there comes a time when CSID no longer provides services for federal employees, the Parties shall reopen this agreement to agree on a substitute vendor for credit monitoring and identity theft insurance services.
2. If the Agency agrees to terms with any other FAA union concerning the subject matter of this agreement that are more favorable to employees than those set forth in this agreement, this agreement shall be reopened at the request of the Union for the purpose of automatically incorporating the more favorable terms.
Jt. Ex. 1 at 2.
 The Agency’s counterproposal states, in pertinent part:
1. [PASS] will identify a point of contract (POC) for Data Security/Cyber Breach issues at the national level, who will be included in discussions to determine the appropriate level of identity theft protection to be provided in response to a cyber-breach in which personally identifiable information (PII) is stolen.
2. In the event of a loss of government maintained PII, collected as a result of employment with the FAA, regardless of whether the data breached is within the control of the FAA, the FAA will notify the PASS POC when the Agency learns of a breach.
3. The [PASS] POC will be on official time, if otherwise in a duty status, for all meetings described in Section 1.
4. If the Agency agrees to terms with any other FAA union concerning the subject matter of this agreement that are more favorable to employees than those set forth in this agreement, this agreement shall be reopened at the request of the Union for the purpose of automatically incorporating the more favorable terms.
Jt. Ex. 3 at 2.
 Statement by the Press Secretary on H.R. 2029 (Dec. 18, 2015), available at https://www.whitehouse.gov/the-press-office/2015/12/18/statement-press-secretary-hr-2029.
 Section 632 of the Appropriations Act provides:
(a) The Office of Personnel Management shall provide to each affected individual as defined in subsection (b) complimentary identity protection coverage that—
(1) is not less comprehensive than the complimentary identity protection coverage that the Office provided to affected individuals before the date of enactment of this Act;
(2) is effective for a period of not less than 10 years; and
(3) includes not less than $5,000,000 in identity theft insurance.
(b) DEFINITION.—In this section, the term “affected individual” means any individual whose Social Security Number was compromised during—
(1) the data breach of personnel records of current and former Federal employees, at a network maintained by the Department of the Interior, that was announced by the Office of Personnel Management on June 4, 2015; or
(2) the data breach of systems of the Office of Personnel Management containing information related to the background investigations of current, former, and prospective Federal employees, and of other individuals.
Pub. Law No. 114-113, § 632, 129 Stat. 2242, 2470-71 (2015).
 McCrarey did testify about a different contract providing employees with identity theft protection, with Identity Force (Tr. 74-76). That evidence is part of the record and is not affected by the Motion to Strike.
 Ignoring U1 does not make any practical, legal difference, because my legal conclusions would be exactly the same if I analyzed the negotiability of the two proposals independently. The initial proposal suffers from the same fatal defect as the revised proposal: they both require the Agency to use CSID as the identity theft insurance provider. One of the Agency’s objections to U2 was that a demand for insurance benefits covering family members exceeds the lawful scope of bargaining; that objection would not apply to U1, which covers only employees, but I have rejected that objection.
 In a case involving similar objections raised by the Department of the Air Force to bargaining proposals concerning credit monitoring and identity theft protection for employees in response to the two OPM data breaches, Chief Judge Center recently reached the same conclusions. In Dep’t of the Air Force, Luke AFB, Ariz., Case No. DE-CA-15-0410 (Oct. 27, 2016), the Chief Judge rejected the agency’s argument that the union’s proposed response to the data breach was not a condition of employment. Even though the data was stolen from OPM, he found that the breach was directly connected to the employment relationship of unit employees, and that the matter was not specifically provided for by § 632 of the Appropriations Act.
 While the expression of conflicting positions may sometimes be indicative of bad faith, it is justifiable in relation to an agency’s duty to bargain. Parties frequently elect to negotiate on permissive subjects and § 7106(b)(1) of the Statute explicitly provides for such bargaining. Nonetheless, a party may subsequently decide not to continue negotiations on a permissive issue, and there is nothing improper in such conduct. Although the issue in dispute in our case was not an elective subject under 7106(b)(1), McCrarey and the Agency could legitimately choose to bargain regarding the Union’s identity theft proposal, while still reserving the right to declare the proposal nonnegotiable at a later time.