To kick off the New Year (and as is now tradition, since we put out a similar Recap & Forecast last year), Sheppard Mullin’s Governmental Practice Cybersecurity & Data Protection Team has prepared a cybersecurity-focused 2024 Recap (highlighting major updates and including links to the resources we put out over the past year) and a 2025 Forecast (previewing what we expect to see in 2025). This Recap & Forecast covers the following six high-interest topic areas relating to cybersecurity and data protection:Continue Reading Governmental Practice Cybersecurity and Data Protection: 2024 Recap & 2025 Forecast Alert

Cell phone and laptop searches do happen but they are relatively rare. Although the Fourth Amendment right to be free of unreasonable searches and seizures is drastically reduced at a port of entry, as are expectations of privacy, U.S. Customs & Border Protection (“CBP”) has internal protocols requiring Officers to have some basis for the search. Below, we dive into the CBP protocols and what to expect if you are selected for a search. Continue Reading Will CBP Search Your Laptop and Cell Phone at the Port of Entry?

On October 22, 2024, the Department of Justice (“DOJ”) announced that Pennsylvania State University (“Penn State”) has agreed to pay $1,250,000 to settle a False Claims Act (“FCA”) case brought against the University approximately two years ago. The whistleblower in the case, former chief information officer of the Penn State Applied Research Laboratory, alleged that Penn State failed to comply with cybersecurity requirements in fifteen contracts and/or subcontracts with the Department of Defense (“DoD”) and National Aeronautics and Space Administration (“NASA”) between 2018 and 2023.Continue Reading Update – Penn State to Pay Up for Cyber-Related FCA Case

On October 15, 2024, the Department of Defense (“DoD”) published the final version of its Cybersecurity Maturity Model Certification (“CMMC”) rule in Title 32 of the Code of Federal Regulations (the “Final Rule”). (Reminder, there are two CMMC rulemakings going on in parallel. This Final Rule updates DoD national security regulations while the other rulemaking effort under Title 48 will update the Defense Federal Acquisition Regulation (“DFARS”) and trigger requirements for DoD contractors.)Continue Reading Countdown to Compliance: DoD Finalizes the CMMC Program Rule

A federal district court in the Middle District of Florida issued a decision on Sept. 30th that threatens the federal government’s continued reliance on the False Claims Act (“FCA”) as the most powerful weapon in the Department of Justice’s enforcement arsenal. U.S. District Judge Kathryn Kimball Mizelle threw out a case against a group of Medicare Advantage organizations and providers on the grounds that an individual whistleblower suing on behalf of the federal government under the FCA, often called a “relator” in a “qui tam” lawsuit, violates the U.S. Constitution’s “appointments clause.” The Court concluded that relators, who are acting on behalf of the federal government, must be considered officers of the government and appointed in a manner consistent with Constitutional requirements. See U.S. ex rel Zafirov v. Florida Medical Associates, LLC, No. 8:19-cv-1236, 2024 U.S. Dist. LEXIS 176626, ECF No. 346 (M.D. Fl. Sept. 30, 2024).Continue Reading FCA Whistleblowers – No More?

While most contractors think of the Government Accountability Office and Court of Federal Claims (or even the agency) when considering whether to challenge a government contract award, there are additional options for small business set-asides – small business size and status protests. The government, recognizing the importance of small businesses to the American economy, provides small businesses certain preferences in government contracting, including only allowing eligible small businesses to compete for certain contracts (referred to as small business set-asides). But in order to be eligible for this exclusive federal marketplace (that was worth more than $178 billion dollars in FY 2023), a small business has to qualify as “small” under federal regulations. Small businesses are generally responsible for calculating their own size. But, a protester (usually a disappointed offeror), may bring a size protest alleging that the awardee on a small business set-aside contract is not actually a small business (and is thus ineligible for award) because it exceeds the applicable size standard. Below is the nuts and bolts of the size protest process.Continue Reading Keep Your Eyes on the Size: Small Business Size Protests

One forum to raise a protest against the award of a contract is at the agency responsible for the procurement, pursuant to the procedures set forth in Federal Acquisition Regulation (“FAR”) 33.103. The procedures require that a protester submit a protest to the agency that details the legal and factual grounds for the protest; describes the resulting prejudice to the protester; establishes that the protester is an interested party; requests a ruling by the agency; demonstrates timeliness; and includes a request for relief.Continue Reading Government Contractors Beware: The Trap of the Unintended Agency-Level Protest and Timeliness Implications

More than two years after announcing the first round of settlements in the ongoing “off-channel communications” probe, the SEC recently announced another round of settlements with 26 financial firms, totaling $390 million in fines. These most recent settlements are notable for two reasons: (1) they include the SEC’s second settlement with an entity operating solely as a registered investment adviser (“RIA”) with no associated broker-dealer, and (2) the SEC has again explicitly noted that companies that self-reported obtained lower fines.Continue Reading Latest Round of SEC “Off-Channel” Communications Settlements Highlights Risks for Investment Advisers and Benefits of Self-Reporting

On August 22, 2024, the United States Department of Justice (“DOJ”) filed a Complaint-In-Intervention (the “Complaint”) against the Georgia Institute of Technology (“Georgia Tech”) and Georgia Tech Research Corp. (“GTRC”). The 99-page DOJ Complaint alleges the defendants knowingly failed to meet contractual cybersecurity requirements in connection with various Department of Defense (“DoD”) contracts. The suit raises claims under the False Claims Act and federal common law (including fraud, negligent misrepresentation, breach of contract, unjust enrichment, and payment by mistake). This is the latest DOJ activity relating to its Civil Cyber Fraud Initiative (announced in October 2021), which we previously have written about here, here, and here.Continue Reading DOJ Sues Georgia Tech Entities for Cybersecurity Failures in the Latest Civil Cyber Fraud Initiative (CCFI) Activity