Column: Cybersecurity, Implied Certifications, and the False Claims Act
by Isaias “Cy” Alba, partner, PilieroMazza PLLC
As I am sure many of you know and have read about already, the first False Claims Act (FCA) case (US Ex rel. Markus v. AeroJet Rocketdyne Holdings, Inc., et al., No. 2:15-cv-2245) has been filed in the Eastern District of California by a disgruntled former Director of Cyber Security Compliance and Controls, and it survived a motion to dismiss in May of this year.
When the existence of the AeroJet case is layered over the Supreme Court’s findings in Universal Health Servs., Inc. v. US Ex rel. Escobar, 136 S.Ct. 1989 (2016), which confirmed FCA liability based upon implied certifications, a worrisome result can occur.
Namely, can disgruntled employees, aggrieved subcontractors, consultants who seek a quick buck, spouses in a contentious divorce, or any other random individual with basic knowledge of your IT systems file an FCA case against you claiming that you impliedly certified, by merely accepting a federal contract, that you were in full and unequivocal compliance with all NIST 800-171 standards and that you had all documentation required by DFARS 252.204-7012?
The answer is absolutely “YES.”
Small to mid-sized government contractors should note that their lack of diligence can be used as evidence of recklessness which gives rise to FCA liability.
The most disconcerting part of the AeroJet/Escobar connection is that, due to the confusing nature of the NIST 800-171 standards, IT departments at different firms develop wildly divergent interpretations of what is actually required at the technical level.
If it is difficult for even IT professionals to understand what is actually required, down to the specific details, this leaves a huge gulf that can only be filled with case law, which necessarily means litigation.
While the Defense Dept. rules went into full effect Jan. 1, 2018, many contractors, especially small and mid-sized companies, believe that it is not “really” in effect or that the government isn’t “really” enforcing it yet.
This is where the FCA implications loom large: it does not matter whether the government is enforcing the law or not. The fact that the regulation is final and incorporated into nearly all DOD contracts (note there are similar non-regulatory contract clauses found in civilian contracts as well) means that, by accepting a contract with any such requirements, under Escobar you are certifying, or have already certified if a contract was awarded after Jan. 1, 2018, that you are in full compliance.
Here, however, because an objective understanding of the NIST 800-171 requirements is elusive, there is an even greater risk that a relator, even if acting in good faith, could view your interpretation of full compliance as non-compliance and file an FCA suit against you.
Thus, it is important to show those in your IT department, or those who may have the access and knowledge of your policies and procedures:
- That you have inquired into the meaning of the NIST standards;
- That you have worked diligently to ensure compliance; and
- That you have explained how your company did so.
If current employees understand the actions you took and they see you are careful with compliance, they are far less likely to have an actionable suit. While there are always unscrupulous individuals, and equally unscrupulous lawyers who will take any case to try to force a settlement, that risk can be greatly mitigated with clear communication with employees and those with access.
That said, it is important to note that FCA liability does not arise due to mere negligence; there has to be actual knowledge of non-compliance or reckless disregard for the truth with regard to such non-compliance. This, however, does not mean you can fail to investigate or to understand the regulations and claim mere negligence. Indeed, the Justice Dept. (DOJ), in a number of cases I have handled in the past decade, has demanded to see documentation (printed documents, emails, etc.) showing your attempts to fully understand the law. Only if you have taken the time to understand the law and come to a good faith and reasonable conclusion of the meaning of the law or its requirements, can you avail yourself of the mere negligence defense.
Many small to mid-sized firms believe that because they did not realize the law even existed or they did not look at and investigate the meaning of the regulation, that they can still claim negligence. But that notion is false. DOJ will view your lack of diligence as evidence of recklessness, which gives rise to FCA liability.
Now each case is different, and we can certainly evaluate the arguments that may exist in each situation but, as a general rule, DOJ views the failure of a company to educate itself to the maximum practicable extent as a sign of recklessness, not negligence.
The “good” news is that DOD does plan to remedy this confusion, and therefore make the risk of FCA liability due to ignorance far less by finalizing its Cybersecurity Maturity Model Certification standards. This, we hope, will be a clear set of requirements that will end in a certification given to the contractor.
While it may be costly or time consuming to achieve, it is far less costly than a 5+ year FCA lawsuit, and we hope the maturity model standards will mitigate the risks noted above.
Unfortunately, the standards are likely a couple years off as they have to be developed, go through notice and comment rulemaking, and then be adopted into the DFARS and, likely, later the FAR. We will of course keep our clients and friends up to date on all the latest but, in the meantime, be aware of the FCA risks and make sure you are in full good faith compliance with the cybersecurity regulations or other contractual requirements to avoid the wrath of a relator looking for a payday.
This article was reprinted with permission from the PilieroMazza Legal Minute blog.
Visit them at: www.pilieromazza.com.