Ransoming Sensitive Personal Information: Will OPM’s Data Breach Trigger Your Insider Threats?

Perhaps it’s the books I’ve been reading or the television shows I’ve been watching, but my mind can’t seem to stop linking the recent barrage of cybersecurity attacks with those ne’er-do-wells that plagued the Caribbean from 1650 through the 1730s.  Yes, I’m talking about pirates, but not the Errol Flynn/Johnny Depp-style buccaneer, more the Edward Teach model, the notorious “Blackbeard.”  One of Blackbeard’s most infamous successes occurred in Charleston, South Carolina in 1718 when he blockaded Charleston Harbor and held some of the town’s leading citizens for ransom.  Rather than demand the typical jewels and money, Blackbeard wanted something else – he held both the town and its people ransom for £300 of medicine.  After a circus of errors conspired to delay the ransom payment, Blackbeard received his medicine and released both the harbor and his prisoners – minus, of course, much of their finer possessions (they were pirates after all) – and sailed off into legend.  So what does this jaunt down piracy lane have to do with cybersecurity and federal contractors?  Simple, sometimes we don’t know what’s really of value and how that value can be used.  Case in point – the OPM breach.

Seventh Circuit Rejects FCA Implied False Certification Theory

On June 8, 2015, the U.S. Court of Appeals for the Seventh Circuit rejected the doctrine of implied false certification in a False Claims Act (“FCA”) lawsuit, U.S. ex rel. Nelson v. Sanford-Brown Ltd.  No. 14-2506, 2015 WL 3541422.  In a welcome decision for government contractors, the Court held that the FCA is “not the proper mechanism” for Government enforcement of regulations.  Instead, regulatory violations should be handled by the appropriate Government agency–not the courts.

ALERT: NIST Issues Final Guidance on Federal Contractor Cybersecurity Standards for Controlled Unclassified Information

On June 19, 2015, the National Institute of Standards and Technology (“NIST”) published the final version of guidance for federal agencies to ensure sensitive information remains confidential when stored outside of federal systems.  The guidelines, Special Publication 800-171, Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations, apply to nonfederal information systems and organizations that process, store, or transmit federal controlled unclassified information, or “CUI,” and match the guidelines published for public comment last fall.  The new guidance is step two in a three-part plan with the National Archives and Records Administration (“NARA”), discussed in last month’s blog, to ensure the confidentiality of sensitive federal information no matter where it is stored.  As data breaches continue to make near-daily news, federal contractors not using the “recommendations” laid out in SP 800-171 would be wise to take another look, as they contain, more than ever, the Government’s express expectations of how it wants its information protected.

SCOTUS: No Unlimited Suspension of the Statute of Limitations Under the False Claims Act; “First-to-File” Doctrine Does Not Bar Related Suits in Perpetuity

In an opinion released May 26, 2015, Kellogg Brown & Root Services, Inc. v. United States ex rel. Carter, the U.S. Supreme Court unanimously held that whistleblowers cannot extend the statute of limitations for war-related civil false claims under the Wartime Suspension of Limitations Act (“WSLA”), reinstating an already generous statute of limitations period under the civil False Claims Act (“FCA”).  The Court also settled a split between the U.S. Courts of Appeals for the D.C. Circuit and the Fourth Circuit.  For purposes of the FCA’s “first-to-file” bar, the FCA only limits a lawsuit based on the same underlying facts as another case that is actually open and pending when the later lawsuit is filed.  In reaching these holdings, the Court relied heavily on the plain meaning of the statutory language, simultaneously handing a victory to both Defendants (on the statute of limitations issue) and Plaintiffs (on the first-to-file issue).  But, the holding relating to the WSLA may prove to be the greatest legacy from the KBR decision, reining in aggressive whistleblowers and government lawyers who would try to allege a case of “fraud” decades after the conduct occurred, and long after a Defendant is able to defend itself effectively.

Another Prologue to Cybersecurity Regulations: Controlled Unclassified Information (“CUI”) – What Contractors Need to Know and Why They Should Care

Government contractors should take note of a proposed new rule that could impose significant new data storage obligations when finalized.  The Federal Government is taking another baby-step towards cybersecurity regulation with a proposed rule intended to standardize protocols relating to designating and safeguarding unclassified information that is to be withheld from public disclosure (also known as “controlled unclassified information” (“CUI”)).  See 80 Fed. Reg. 26501 (proposing amendments to 32 CFR Part 2002).  On May 8, 2015, the National Archives and Records Administration (“NARA”) published a proposed new rule that goes a long way in creating a standardized system intended to replace the litany of improvised CUI control markings that have been used by various Federal agencies and, unintentionally, hindered inter-governmental information sharing for decades.  The effort, however, is more than a simple housekeeping exercise; the re-designation of CUI will also bring changes to the manner in which contractor-generated information residing on contractor-owned systems is stored and secured.

When it Comes to Crop Insurance, the FCA Bears Fruit

The federal crop insurance program is an often overlooked area of potential liability under the False Claims Act (“FCA”).  The program, which is governed by a substantial body of regulatory law, is subject to intense oversight by the U.S. Department of Justice.  So much so that the U.S. Department of Agriculture’s Risk Management Agency maintains and keeps public a long list of DOJ prosecutions for fraud and violations of the False Claims Act.  See DOJ Prosecutions.  These prosecutions include criminal charges brought against North Carolina tobacco farmers, Texas peanut growers, and California fruit and vegetable producers for fraudulently filing claims against the USDA crop insurance program.

Suspensions and Debarments on the Rise – A Brief Review of the ISDC’s FY 2014 Stats

The upward trend of suspensions and debarments continued in FY 2014.  According to the Interagency Suspension and Debarment Committee (“ISDC”) Report to Congress, released March 31, 2015, while referrals to the suspending and debarring officials decreased 12% from FY 2013, suspensions, debarments, and proposed debarments increased, Government-wide, by almost 8%. Since the ISDC began collecting data in 2009, these actions have continued to increase markedly.

Those NDAs May Not Be Worth the Paper They Are Written On

It is a given that companies strive to protect their intellectual property.  Over the years, as an instrument of that protection, companies have made increasing use of non-disclosure agreements to advance that objective.  A recent decision of the Court of Federal Claims – Liberty Ammunition v. United States – calls into serious question the efficacy of NDAs signed by U.S. Government personnel.

I’m Not Dead Yet (Or: A Brief Look at the Future of the Price Reductions Clause in Light of GSA’s Proposed Transactional Data Reporting Rule)

Not enough Government contracts blogs incorporate movie trivia.  So here’s my contribution to fill this obvious gap in the procurement blogosphere:  Is the following quotation (a) from a famous Monty Python skit or (b) from a conversation between two Government auditors discussing GSA’s recently-proposed effort to do away with (at least in part) the Price Reductions Clause?

Add Importers to Those Facing Expanding Whistleblower Claims Under the False Claims Act

On February 12, 2015, the Department of Justice (“DOJ”) announced that three U.S.-based importers had agreed to pay more than $3 million to resolve a lawsuit brought by the United States under the False Claims Act (“FCA”).  The Government alleged that the importers had made false declarations to U.S. Customs and Border Protection (“CBP”) and conspired with other domestic companies to make false declarations to CBP in order to avoid paying “antidumping” and “countervailing” duties.  No Government contracts were involved.  These were “reverse” FCA claims based upon underpayment of duties for private sector import transactions.
