Government Contractor Compliance in the Cybersecurity World | Patterson Belknap Webb & Tyler LLP


Nothing is certain in life except death, taxes and now, data breaches. Data breaches are almost an inevitable cost of doing business in a globally connected world. As if falling victim to cybercriminals weren’t enough, cybersecurity and data privacy are increasingly at the center of private class actions and government enforcement actions.

But companies that contract with the federal government face even greater cybersecurity scrutiny, in the form of the False Claims Act (“the FCA”). As its name suggests, this law has long prohibited knowingly making false statements when contracting with the federal government. Whistleblowers (known as “relators”) can sue under the FCA on behalf of the federal government in exchange for a share of the treble damages to which the government is entitled if a violation is found. Historically, the FCA was designed to root out corruption in government procurement, but today it has been given new life as a tool to enforce cybersecurity standards against government contractors. Recent developments show how.

In a recent FCA case, a relator accused a defense contractor, Aerojet, of falsely claiming compliance with various cybersecurity rules in the Department of Defense and National Aeronautics and Space Administration procurement regulations, 48 CFR § 252.204-7012 and 48 CFR § 1852.204-76. A federal judge declined to dismiss the lawsuit in May 2019, see United States v. Aerojet Rocketdyne Holdings, Inc., 381 F. Supp. 3d 1240 (E.D. Cal. 2019), leading to a $9 million settlement in April 2022. Separately, in October 2021, the Department of Justice (“DOJ”) announced its Civil Cyber-Fraud Initiative, which targets contractors whose cybersecurity practices endanger federal information and networks. Less than a year later, in March 2022, the DOJ reached its first settlement under this initiative, noting that FCA cases in the cybersecurity space are likely to proliferate, especially as more federal agencies develop and publish cybersecurity rules that require contractors to implement security measures and establish policies and practices designed to protect sensitive data. Failure to comply with these rules may lead to FCA liability.

But what if cybersecurity standards are non-specific, open-ended, or broadly worded? How can a contractor “know” whether it meets these standards? Take, for example, the Interagency Guidelines Establishing Information Security Standards, which provide data security standards for banks subject to the Gramm-Leach-Bliley Act. These standards simply state that a bank must “[d]esign its information security program to control the identified risks, commensurate with the sensitivity of the information and the complexity and scope of the [bank’s] activities.” 12 CFR Part 30, Appendix B, § III.C.1. The Guidelines then list certain “security measures” – such as access controls, monitoring and encryption – that a bank “shall consider” and “adopt” if the bank itself concludes that these measures “are appropriate.” Id. Precisely what cybersecurity measures a government contractor subject to such standards must adopt is therefore far from clear.

However, recent case law deciding issues under the FCA should reassure contractors facing a minefield of extensive government cybersecurity rules. The United States Court of Appeals for the Seventh Circuit (which oversees the federal courts of Illinois, Indiana and Wisconsin) held in United States ex rel. Schutte v. SuperValu Inc., 9 F.4th 455 (2021), and United States ex rel. Proctor v. Safeway, Inc., 30 F.4th 649 (2022), that a contractor does not “knowingly” violate an unclear regulation if it follows an objectively reasonable interpretation of that regulation. While these cases did not involve government-issued cybersecurity requirements, the principle applies with equal force.

Both Schutte and Proctor involved allegations that supermarket pharmacies overcharged Medicare and Medicaid for prescription drug reimbursement. A federal regulation required supermarkets to seek reimbursement based on the “usual and customary price” they charge the “general public” for their drugs. Schutte, 9 F.4th at 460; Proctor, 30 F.4th at 653. The supermarkets sought reimbursement based on the list price of their drugs, rather than the discounted price they actually charged many customers under their discount and price-matching programs. Schutte, 9 F.4th at 461; Proctor, 30 F.4th at 654. This allowed the supermarkets to compete with cheaper pharmacies like Wal-Mart, while leaving the government to pick up the difference. Schutte, 9 F.4th at 461; Proctor, 30 F.4th at 654.

The Seventh Circuit found in each case that the supermarkets had followed an objectively reasonable interpretation of the unclear phrase “usual and customary price” charged to the “general public.” Schutte, 9 F.4th at 472; Proctor, 30 F.4th at 660. Although any customer could have taken advantage of the supermarket discounts, they had to participate in the discount program (either by joining for free or by requesting a price match with a cheaper pharmacy). Schutte, 9 F.4th at 469; Proctor, 30 F.4th at 659. The supermarkets, in the Seventh Circuit’s view, reasonably interpreted the “usual and customary price” charged to the “general public” to exclude prices charged to customers who participated in their discount programs. Schutte, 9 F.4th at 472; Proctor, 30 F.4th at 660. And there was no “authoritative guidance” at the time, either from a court or from a government agency, that contradicted the supermarkets’ interpretation. Schutte, 9 F.4th at 471–72; Proctor, 30 F.4th at 660. This meant that the supermarkets could not have “knowingly” violated the federal regulation by asking the government for higher Medicare and Medicaid reimbursements, and they therefore were not subject to liability under the FCA. Schutte, 9 F.4th at 472; Proctor, 30 F.4th at 661–63.

The Supreme Court may yet consider whether Schutte and Proctor correctly apply Safeco Insurance Co. of America v. Burr, 551 U.S. 47, the 2007 Supreme Court decision interpreting a similar scienter provision in the Fair Credit Reporting Act. The relator’s petition for certiorari is pending and has attracted high-profile support, including from Senator Chuck Grassley, who sponsored the Fraud Enforcement and Recovery Act of 2009 and argues that the Seventh Circuit got the FCA wrong.

In light of the Seventh Circuit’s rulings, government contractors should review the data privacy and cybersecurity requirements governing their government contracts, identify any ambiguities or missing agency guidance, and seek advice from cybersecurity and data privacy professionals and outside counsel. Rules written in general or unclear terms may seem intimidating at first, but under the Seventh Circuit’s reasoning they are less likely to give rise to FCA liability, as long as the contractor follows an objectively reasonable interpretation of the rule or standard in question. Contractors should, of course, continue to follow industry best practices; but regular review of applicable government data privacy and cybersecurity rules, agency guidance, and court rulings, with the assistance of outside counsel, can help limit a contractor’s exposure under the FCA.
