A new wave of False Claims Act cases is crashing ashore. Based on the federal government's inclusion of toughened cybersecurity requirements for government contractors in the Federal Acquisition Regulations (FAR) and agency supplemental regulations, numerous False Claims Act (FCA) cases will undoubtedly be filed and litigated in coming years against prime contractors and their major subcontractors for allegedly failing to comply with their contractual cybersecurity obligations.
We have seen this play out before. For years, FCA plaintiffs' strategy was to go after government contractors for selling goods made in China to agencies in violation of the Trade Agreements Act. Then plaintiffs moved on to various violations of contract terms under the General Services Administration Schedule program, and later to misrepresentations under the Small Business Administration's procurement regulations. While those areas of alleged non-compliance are still active, the time has come for a host of new FCA cases based on presumed cybersecurity violations.
Initially, cybersecurity was an afterthought in government contracts (other than those for classified materials). Contractors and their suppliers were supposed to maintain adequate computer systems safe from hacking, but specific cybersecurity requirements were not spelled out in government contracts. Like the private sector, the federal government was content to muddle along, treating hacking like nothing more than an annoyance.
All this changed in 2011 when the Department of Defense (DoD) first proposed to regulate the safeguarding of unclassified but sensitive national security or privacy information that must be safeguarded from hacking. Specifically, DoD proposed adding a new subpart to the Defense FAR Supplement (DFARS) to require contractors and subcontractors to safeguard unclassified DoD information resident on or passing through their computer systems, and to promptly report all cybersecurity incidents. The regulations in DFARS Subpart 204.73: Safeguarding Covered Defense Information and Cyber Incident Reporting, and the clauses first issued under this subpart, have now expanded to cover "controlled unclassified information" in both a contractor's facilities and in the cloud, and to incorporate by reference the National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171, Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations.
In 2016 the government added an omnibus cybersecurity clause to the FAR to cover cybersecurity in civilian agency contracts. Newly added FAR Subpart 4.19: Basic Safeguarding of Covered Contractor Information Systems requires agencies to include FAR 52.204-21: Basic Safeguarding of Covered Contractor Information Systems (June 2016), in contracts (other than those for commercially available off-the-shelf items) that involve sensitive federal information. Among other obligations, the clause requires a contractor to limit access to authorized users, control and limit connections to external systems, limit physical access to systems, implement subnetworks for publicly accessible systems, update malicious code protection and perform real-time scans of external files. Taken from NIST SP 800-171, these are all best practices, but not all companies have these policies in place, actually implement the policies that are in place, or monitor and audit the implementation and use of those policies.
The False Claims Act, 31 U.S.C. §3729-33, allows private citizens to sue a company that contracts with the federal government on the basis that the contractor billed the government despite its alleged non-compliance with material contractual requirements. Often the plaintiff asserts that the contractor has misrepresented and wrongly certified its compliance with its contractual obligations, thus perpetrating a fraud on the government. If successful, the private citizen — called the qui tam relator — can collect a hefty percentage of whatever damages and fines the government recovers from the contractor.
The relator, sometimes a disgruntled ex-employee or competitor, files an FCA complaint under seal unbeknownst to the contractor. The Department of Justice (DOJ) then investigates the complaint, often starting with subpoenas to the contractor who usually doesn't know what is going on or if they are even the target of the investigation. It often takes one to two years for DOJ to complete its investigation. At this point, the complaint is unsealed, and DOJ decides whether to intervene and lead the case, or to pass and let the qui tam relator continue to prosecute the case on his or her own. In either case the government gets the bulk of any recovery and the qui tam relator gets a share. The relator's share is larger if he is forced to prosecute the case without DOJ's help.
Among other elements of an FCA case, the plaintiff must prove that the defendant contractor's non-compliance was (or would have been) material to the government's decision to pay the contractor's invoices for the goods or services rendered. Universal Health Services, Inc. v. United States ex rel. Escobar, 136 S.Ct. 1989 (2016). While lack of materiality can be a strong defense in certain cases, it would not be surprising to see cybersecurity non-compliance treated as a material factor in the government's payment decision. That is, had the government known a contractor was not complying with a contract's cybersecurity requirements, the agency almost assuredly would not have agreed to pay the contractor.
The FAR and DFARS cybersecurity clauses are relatively new, still evolving, and somewhat confusing. It is not yet known how the courts will treat cybersecurity violations in practice in FCA cases.
In May 2019, a federal district court refused to dismiss an FCA case brought by an ex-employee based on a government contractor's alleged failure to comply with its contractual cybersecurity obligations. United States ex rel. Markus v. Aerojet Rocketdyne Holdings, Inc., No. 2:15-cv-2245 (E.D.Ca.). While DOJ declined to join the case, the defendant contractor will now be forced to respond to the plaintiff's discovery requests for emails and documents. To avoid the substantial costs of litigation and a possible trial, the defendant contractor may be inclined to settle the case just to get out of costly litigation and move forward.
In July 2019, Cisco Systems agreed to pay $8.6 million to settle an FCA case filed by a qui tam whistleblower based on cybersecurity vulnerabilities in video surveillance systems sold to federal and state governments. U.S. et al. ex rel. Glenn v. Cisco Systems, Inc., No. 1:11-cv-0400 (W.D. NY). Not only did DOJ intervene in the case, but so too did 15 state governments under their respective false claims statutes. The federal government, state governments and the plaintiff — an ex-employee — will all share in the recovery.
Avoiding cybersecurity liability under the FCA will require — in addition to executive buy-in — organization, attention to detail and discipline. It will require a contractor not only to commit to establishing and implementing cybersecurity best practices, but to monitoring the implementation of those practices on an on-going basis. Most vulnerable will be commercial item government contractors who are not fully aware of the cybersecurity regulations or of the dangers resulting from non-compliance.
With the hacking of private and government systems constantly in the press, cybersecurity is obviously of growing importance. This, combined with the federal government's fortified cybersecurity contractual requirements, will almost certainly lead to a new wave of cybersecurity FCA cases in the months and years ahead.
*****
Andrew Mohr is a Partner with Morris, Manning & Martin, LLP's Government Contracts practice in Washington, DC. He has over three decades of experience that spans the entire range of federal, state and local government contract formation and administration. He can be reached at [email protected]. C. Kelly Kroll is Of Counsel at Morris, Manning & Martin, LLP's Government Contracts practice in Washington, DC. She has extensive experience with federal, state and local government contract formation and administration, assisting clients in every stage of the government procurement process, from analysis of the risks associated with entering the market to the issues arising during the solicitation, award, performance and close out of government contracts. She can be reached at [email protected].