© PILIEROMAZZA PLLC 2018 1 First Quarter 2018 Volume 19 Issue 1 LEGAL ADVISOR A PilieroMazza Update for Federal Contractors and Commercial Businesses PilieroMazza’s Bold Predictions for 2018 By Megan Connor For our first Legal Advisor of the year, we decided to forecast for readers what to expect in 2018. So, this issue provides our hot takes on corporate, employment, litigation, and government contracting matters that we believe will impact our clients this year. You can track these bold predictions and see others we are making in our blog and Weekly Newsletter as we focus at the outset of 2018 on the year ahead for our clients. As we enter 2018, there is no hotter issue in contracting than cybersecurity, thanks to DFARS 252.204‑7012, which requires DoD contractors with nonfederal information systems that contain controlled unclassified information (“CUI”) to implement the security requirements in National Institutes of Standards and Technology (“NIST”) Special Publication (“SP”) 800‑171. Defense contractors with contracts containing DFARS 252.204‑7012 and nonfederal information systems containing CUI were required to implement these requirements by December 31, 2017. Therefore, compliance with NIST SP 800‑171 may be a new expense your company is contending with in 2018. We predict these cybersecurity requirements will trickle down to civilian contractors. NIST SP 800‑171 itself indicates that a single FAR clause is planned to apply the requirements of NIST SP 800‑171 to all contractors with nonfederal information systems containing CUI. In the cybersecurity vein, Kimi Murakami and Jonathan Bush highlight the ways in which cybersecurity issues are becoming increasingly important in the mergers and acquisitions due diligence process in 2018. Also on the acquisitions front, Sharon B. Heaton of sb LiftOff predicts that 2018 will be a good year for business owners looking to sell, based on recently published data. Sharon explains why in her guest article in this edition. In the federal procurement world, we predict a narrowing of opportunities for small businesses, thanks to recent legislation. In particular, we will be watching how agency use of commercial e‑commerce portals, as directed by Section 846 of the National Defense Authorization Act (“NDAA”) for Fiscal Year 2018 (known as the “Amazon Amendment”), will impact small business contractors providing commercial items under GSA Schedule contracts and Governmentwide Acquisition Contracts. For more information about Section 846, check out Patrick Rothwell’s recent blog. In addition to e‑commerce portals, the NDAA also encourages use of Other Transaction Authority for prototype projects and doubles the dollar limits for this authority, which effectively allows DoD to award very large prototype projects to developers without competition, potentially closing the door on small businesses. John Shoraka’s article in this issue highlights other impacts the NDAA will have on small businesses and what these changes reveal about contracting trends. In This Issue PilieroMazza’s Bold Predictions for 2018.......................................1 Cybersecurity Concerns in M&A Due Diligence..........................2 Reading the Tea Leaves — NDAA 2018 ..........................................4 How Many People Do We Employ? Critical Employment Law Considerations for Small Businesses ..........5 Will 2018 Be A Good Time to Sell Your Company?....................8 Continued on page 2 © PILIEROMAZZA PLLC 2018 2 First Quarter 2018 Volume 19 Issue 1 Another contracting trend we are watching is investigations in the area of employee leasing. Cy Alba and Nichole Atallah discuss in this issue how the confusing definition of “employee” can lead to big trouble for contractors. We also predict that agency procurement officials will inject themselves into the internal employment matters of contractors by, for instance, launching their own investigations of harassment allegations, which Sarah Nash explains in her blog post. For guidance on how to handle sexual harassment claims as an employer, be sure to check out Matt Feinberg’s blog. We expect an increase in such claims in 2018. And our Litigation Group will be continuing to monitor the impact of e‑Discovery on litigation and how such costs may lead to resolution of claims through litigation alternatives. We also predict an increase in the sustain rate and effectiveness rate in GAO’s bid protests. The sustain rates in 2016 and 2017 were higher than in past years, as Julia Di Vito noted recently in her blog. The effectiveness rate also has seen an increase—up to 47% in 2017. The effectiveness rate represents the protests that ended in either GAO sustaining or an agency taking voluntary action. Based on recent history, we believe the sustain rate and effectiveness rate will remain higher than prior years. There are many factors at play for these increasing percentages, but one explanation we see is the retirement of experienced contracting officials and their replacement by younger, inexperienced personnel. The knowledge gap between these two levels of contracting officers creates increased errors in procurements, leading to more sustains and corrective actions in bid protests. As always, PilieroMazza will be there to guide and assist you. We look forward to working with you in 2018. About the Author: Megan Connor, a partner with PilieroMazza, focuses her practice in the areas of government contracts, small business programs, business and corporate law, and litigation. She may be reached at email@example.com. Cybersecurity Concerns in M&A Due Diligence By Kimi Murakami and Jonathan Bush Prominent news stories in the last couple of years have highlighted the increasing regulatory and commercial risks that businesses across industries are confronting related to cybersecurity attacks (e.g, Yahoo!, Home Depot, Sony, and Target). These attacks have underlined the key point that most businesses today are dependent to one degree or another on data and network systems. The consequences of such attacks can result in significant litigation, remediation and other costs in response, not to mention loss of consumer or industry goodwill and trust. The federal market reflects these broader realities. To combat threats and shift responsibility and potential liability to contractors, the government has been busy adding cybersecurity requirements to the FAR and DFARS. A very recent example that has affected many of our clients was the requirement for certain defense contractors to comply with NIST SP 800‑171 as of the start of this year. Given the increased focus on cybersecurity requirements for both commercial firms and government contractors, it is not surprising that we have started to see more attention paid to cybersecurity in some M&A transactions. However, in many M&A transactions, the parties are still not paying sufficient attention to the efforts of the target company to prepare for future attacks, especially considering how the target company’s value proposition may be significantly impacted by such attacks. Given the dependency of businesses across almost every industry upon digital data and systems, acquirers of businesses must include at the beginning of every due diligence investigation, an evaluation of whether a target has been or is the victim of a digital attack and, if not, whether it is vulnerable or unprepared for such an attack. If this is not done, then the acquirer will potentially “The effectiveness rate represents the protests that ended in either GAO sustaining or an agency taking voluntary action. Based on recent history, we believe the sustain rate and effectiveness rate will remain higher than prior years.” BOLD PREDICTIONS...............Continued from page 1 Continued on page 3 © PILIEROMAZZA PLLC 2018 3 First Quarter 2018 Volume 19 Issue 1 assume unknown damages and liabilities and may be acquiring assets that are substantially devalued. This is not the only risk, however. Integration of the target’s data and computer systems with the acquirer’s may allow attackers to exploit vulnerabilities across the whole enterprise. Acquirers in an M&A transaction must, therefore, approach due diligence surrounding cyberattacks and cybersecurity with the same level of thoroughness undertaken with respect to other commercial and legal due diligence. The following is just an introductory list of topics that should be addressed in undertaking any cybersecurity review of a target company. 1 Identification of the key digital assets of a target company. This review must begin by identifying critical digital assets that need protection as well as analyzing which digital assets are vital to the operation of the company and its business. This will allow an acquirer to begin to assess the potential impact of a cyberattack on a target company. This review should not only examine the target’s data, but all the surrounding systems that relate to such assets such as computer systems and servers, software, and communications infrastructure. The acquirer should ascertain not only what the digital assets are, but where they are stored, on what they are stored, and whether or not the target has control of such assets (i.e., does it own the location where they are stored and control access to their use). 2 Evaluation of the target company’s internal cybersecurity program. The due diligence evaluation must assess whether the target has an appropriate cybersecurity program in place. This evaluation should be made by the business and legal members of the acquirer’s team as a supplement to a technical cybersecurity review undertaken by IT security professionals. Evaluating a target’s cybersecurity program includes addressing issues such as: ; Is there a written system security plan or program in place? If so, how recent is it and is it regularly updated? ; How involved is senior management and the board of directors in overseeing and monitoring the program? ; Who is responsible for day to day operations of the program? Does the company have or need to have a chief information officer? ; Has the target conducted a risk assessment and tailored the program to its particular business? ; Has the target had a third party firm analyze its security program? 3 Is the target a defense contractor? Failure to comply with defense regulations requiring that certain cybersecurity controls be in place can jeopardize the target company’s ability to bid on and perform work as a defense contractor. Due diligence inquiries and investigation must be conducted to ensure no violation of this additional layer of cybersecurity requirements for contractors performing work for the Department of Defense. 4 Evaluation of target’s program with respect to third parties upon which it is dependent. Cybersecurity of a target company also relies on whether there is an effective program to manage the security risks relating to its third party vendors, outsource providers, contractors, cloud service providers, and others that have access to the target’s digital assets. It is essential in a due diligence evaluation to identify vendors that are critical to a target’s operations as well as those that pose the greatest threat to the target if said vendor was the victim of a cyberattack. “Integration of the target’s data and computer systems with the acquirer’s may allow attackers to exploit vulnerabilities across the whole enterprise.” The Legal Advisor is a periodic newsletter designed to inform clients and other interested persons about recent developments and issues relevant to federal contractors and commercial businesses. Nothing in the Legal Advisor constitutes legal advice, which can only be obtained as a result of personal consultation with an attorney. The information published here is believed to be accurate at the time of publication but is subject to change and does not purport to be a complete statement of all relevant issues. M&A CYBERSECURITY..........Continued from page 2 Continued on page 4 © PILIEROMAZZA PLLC 2018 4 First Quarter 2018 Volume 19 Issue 1 5 Assessing past cybersecurity attacks and breaches. Since the effects of prior attacks can linger long after a breach has been addressed, it is critical to understand the scope of past breaches, the history of the target’s response to such breaches, and changes in its cybersecurity program to prevent/respond to future attacks. 6 Evaluation of compliance cybersecurity with regulatory obligations. Cybersecurity laws and other legal obligations are extensive and vary widely across jurisdictions at the federal and state levels as well as internationally. Even if a target company is not directly governed by the laws of a specific jurisdiction, relationships between the target and its business partners can result in the laws of other jurisdictions being imposed on a target company via contract. Additionally, a target company may have imposed cybersecurity related obligations upon itself through statements in privacy policies on its website or in advertising. Failure to comply with such obligations risks not only regulatory penalties, but such failure could also be used against a target company in future litigation with a concomitant increase in exposure. Once the cybersecurity due diligence assessment is completed, corporate attorneys must flag problem areas for the acquirer’s transaction team and assist the team in discussing such risks and implementing solutions to address them including, for example, additional representations and warranties, conditions to closing, covenants, purchase price adjustments, line‑item indemnification. About the Authors: Kimi Murakami is counsel with PilieroMazza and focuses her practice in the business and corporate and government contracts groups. She may be reached at firstname.lastname@example.org. Jonathan Bush is counsel with PilieroMazza and focuses his practice in the business and corporate group. He may be reached at email@example.com. Reading the Tea Leaves — NDAA 2018 By John Shoraka Some of the provisions in the latest NDAA are pretty clear to understand and the overall impact can be easily determined. Others are more like seeds planted today for a harvest to come in the future. What gives us heartburn though is that the seeds planted today generally will bear fruit for large contractors at the cost of small government contractors. To be sure, there are several provisions in the NDAA that will help dollars flowing to the smaller firms. Section 805 of the NDAA increases the simplified acquisition threshold to $250,000; since acquisitions within the threshold are supposed to be reserved exclusively for small businesses, this bodes well for firms playing in this sandbox. But clearly, this is only for the more nascent and less sophisticated small business contractor. In addition, Section 806 increases the micro‑purchase threshold to $10,000, again good for some small businesses, but clearly not where most of the government spend occurs. Having been in the trenches and having battled the likes of OMB, DoD, and OFPP as an advocate for small business spending and the establishment of robust small business goals, I am more than concerned about the numerous “seeds” planted throughout the latest NDAA. For one, Section 801 revises the DFARS statement of purpose to emphasize quality, timeliness, and reasonableness of price. To me, these are code words to de‑emphasize small business spending, as it is argued by some that small businesses add cost and increase acquisition timeframes. Now, when I was responsible for negotiating small business goals with the department of defense, I had no problem accepting that the DoD’s number one objective was to support the warfighter; but my counterparts at the DoD clearly “In the worst case scenario, margins will be driven down to such an extent that many will not see the benefit of doing business with the federal government.” M&A CYBERSECURITY..........Continued from page 3 Continued on page 5 For any questions or concerns about this issue, or to submit a guest article, please contact our editor, Jon Williams, at firstname.lastname@example.org or 202‑857‑1000. © PILIEROMAZZA PLLC 2018 5 First Quarter 2018 Volume 19 Issue 1 understood that engaging small business in that process not only benefited the warfighter, but it also benefitted the U.S. economy and the industrial base. In other words, we agreed that there was significant overlap in the three complementary objectives of supporting the warfighter, developing the U.S. economy, and developing the nation’s industrial base. Unfortunately, it seems that Section 801 emphasizes one objective at the cost of the latter two; and in the long run, the lack of a consistent effort to spend DoD funds in a manner that supports the industrial base and develops the economy will, in fact, negatively impact the one objective that is most critical (i.e., supporting the Warfighter). Another amendment that is of concern is the so-called “Amazon Amendment.” Section 846 of the NDAA directs the Administrator of the GSA to establish a program to procure commercial products through commercial e‑commerce portals. Implementation will occur in multiple phases and is scheduled to be completed within two years. How this will affect current resellers and small business manufacturers is hard to tell; furthermore, how this will not be a duplication of the GSA’s current schedules and category management “hallways” is hard to decipher as well. What is clear is that this does not bode well for current federal government resellers, at a minimum they will have to transition out of schedules on to a new platform. In the worst case scenario, margins will be driven down to such an extent that many will not see the benefit of doing business with the federal government. Finally, Section 827 of the NDAA directs the DoD to carry out a pilot program to determine the effectiveness of requiring contractors to reimburse the department for costs incurred in processing GAO protests. To be fair, this is only a pilot, it is only for the DoD and it only affects contractors with revenues in excess of $250M. However, if this provision is ever fully launched and the revenue thresholds are significantly reduced, it will adversely impact smaller businesses who do not have war chest reserves for protest purposes, and who would become reluctant to file protests even when a protest may be the best course of action. About the Author: John Shoraka is the Managing Director for PilieroMazza Advisory Services. He may be reached at email@example.com. How Many People Do We Employ? Critical Employment Law Considerations for Small Businesses By Cy Alba and Nichole Atallah You might be surprised to learn that it is not always easy to determine who a company employs, exposing any business, and particularly small businesses, to great risk. Not only do businesses have to be aware of the risk of classifying a worker incorrectly as an employee or independent contractor for tax and labor law purposes, but contractors need to pay special attention to these definitions to ensure compliance with limitations on subcontracting, to stay within NAICS code limitations, and to avoid joint employer liability. In the past year, our practice has seen a significant rise in the number of federal investigations that center on these questions, highlighting how confusing this topic can be for both businesses and government agencies. In this article we explain how different agencies define employment and why carefully structuring your workforce is critical in the event of a federal investigation. Employee Defined The definition of “employee” changes depending on the law, regulation, or court holding. Additionally, agencies like the Internal Revenue Service (IRS) and the Department of Labor (DOL) have moved away from tests that give employers specific direction and toward balancing tests centered on several different factors. The SBA takes a totality of the circumstances approach to determining whether a worker is employed by the small business, taking IRS and DOL factors into account. IRS DOL SBA Test Behavioral and Financial Control plus Relationship Economic Control Totality of the Circumstances Should a business be subject to a federal investigation, each of these agencies may even look at the rule imposed NDAA 2018.....................................Continued from page 4 Continued on page 6 © PILIEROMAZZA PLLC 2018 6 First Quarter 2018 Volume 19 Issue 1 in a slightly different way or not fully comprehend the issues. And this makes sense because we are asking SBA or the Department of Justice (DOJ) to interpret complex rules imposed by largely by the IRS and DOL. In fact, IRS and DOL audits often reveal disagreement internally and between agencies. All of the confusion surrounding who a business employs is unsettling when so much is at stake. Impact on Small Businesses The decision to use independent contractors or employees depends on a variety of factors. Sometimes workers demand to be classified as independent contractors or employers seek to reduce cost or risk to the company. Small business federal contractors additionally need to consider the impact the number of employees may have on their size or performance of work requirements. Regardless of the reasons, it is important to understand that the law favors employees over independent contractors. Thus, when a business decides to use independent contractors or to lease employees from another entity, the business needs to have sufficient justification for its actions. To make matters worse, SBA generally starts from whatever position is least advantageous to the contractor. If a business hires an independent contractor to reduce the firm’s number of employees to stay under an employee‑based NAICS code, SBA may presume the contractor is avoiding the rules and will count that person as your employee (thus making you a large business). If the firm is trying to classify the worker as an employee that counts toward performance of work requirements, SBA takes the opposite approach and tries to exclude the employee from your employee count. Likewise, some contractors lease employees from one business to another to meet performance of work requirements. In our experience, DOJ and SBA often presume that the leasing arrangement is a way to get around the rules. While there is generally no nefarious purpose behind the arrangement, it can lead to serious compliance issues, or, at least, lengthy and costly investigations. This is precisely what small business government contractors find so confusing and frustrating. Unfortunately, sometimes a contractor gets it wrong. All types of businesses are using independent contractors, which makes the choice tempting. Moreover, there is a prevalent misunderstanding in the small business community that independent contractors do not automatically count as employees for performance of work purposes. But SBA will treat the worker as a subcontractor, not as an employee, leading to a violation of the performance of work rules. Therefore, it is important to evaluate whether classifying such workers as independent contractors or entering into a leasing arrangement will actually help you achieve your goals. Strategic Considerations In the event of an investigation, your business must be prepared to demonstrate confidence in your classification decisions and employee count by vetting these decisions carefully in advance of placement. Here are some tips to help guide this process: 1 You cannot contract your way out of these legal obligations. In the event of a compliance audit, an employee leasing agreement or independent contractor agreement alone is not sufficient to demonstrate compliance. Each agency will look at the working relationship alongside the contractual arrangement. 2 Carefully review the SBA’s 11 factor test to determine who should be considered an employee of the small business. Critical among these factors is whether the small business engages and selects the employees, has the power to dismiss the employee and to control and supervise employee performance. Again, keep in mind that the company undergoing scrutiny will bear the burden of showing the personnel should be treated as employees. 3 For performance of work requirements, a leased worker needs to work and function much like an employee. However, the more the worker functions like an employee, the more likely it is that DOL and IRS will also treat them as employees subjecting you to potential liability. This delicate balancing act is extremely difficult to achieve and should be carefully vetted with counsel. “In fact, IRS and DOL audits often reveal disagreement internally and between agencies. All of the confusion surrounding who a business employs is unsettling when so much is at stake.” EMPLOYEES DEFINED..........Continued from page 5 Continued on page 7 © PILIEROMAZZA PLLC 2018 7 First Quarter 2018 Volume 19 Issue 1 4 Use the SBA’s new “similarly situated rule” to meet performance of work requirements. Since 2013, small businesses can rely upon “similarly situated” subcontractors to meet performance of work rules. If the independent contractor is a small business, you may be able to count that independent contractor’s work toward meeting your performance of work requirements on the prime contract. However, when you are performing as an 8(a), HUBZone, SDVOSB, or WOSB, the independent contractor will also have to be in the same certified classification for it to be considered “similarly situated.” 5 Do not forget about IRS and DOL regulations governing the use of independent contractors. Businesses cannot lose sight of the impact that violations of these laws could have, even if having independent contractors will help them on other fronts. However, you can overcome these challenges if you have the flexibility to change the amount of control your business has over work product, direction, and financial success of the worker. 6 When leasing employees from another contractor, you may be considered a joint employer who is liable for wage and hour violations and even discrimination claims. While the leasing agreement may not protect you from the investigating agency, consult with counsel to ensure that the agreement protects you if the other company is negligent or violates the law. 7 Keep good records of your rationale in making these critical decisions to demonstrate a good faith effort to comply with all applicable regulations. Thinking ahead about these issues will put you in an advantageous position should you be subject to an audit. Should investigators show up, regardless from which agency, demonstrating your knowledge of the issues and your efforts to comply will go a long way to resolving the issue as expeditiously as possible. About the Authors: Cy Alba is a partner with PilieroMazza and is a member of the government contracts and small business programs groups. He may be reached at firstname.lastname@example.org. Nichole Atallah is a partner and heads the labor & employment law group. She may be reached at email@example.com. EMPLOYEES DEFINED..........Continued from page 6 PILIEROMAZZA PUBLICATIONS Sign up for our newsletters and blog at www.pilieromazza.com. PM Legal Minute – our blog, written by all of PilieroMazza’s attorneys, provides trending insight to small and mid-sized businesses. Legal Advisor Newsletter – our quarterly publication which addresses current issues that are of concern to federal government contractors and commercial businesses nationwide. The Legal Advisor articles focus on recent legal trends, court decisions, legislative and regulatory rule-making, as well as other newsworthy events. If you would like to receive The Legal Advisor in hardcopy, email firstname.lastname@example.org. Weekly Update – an email sent every Friday to recap any relevant actions taken by Congress, the Administration, or the courts that are of interest to government contractors and the business community. Webinars on YouTube – all of our past webinars can be found on the PilieroMazza YouTube channel. PILIEROMAZZA SOCIAL MEDIA Follow us on: O TWITTER @pilieromazza O LINKEDIN O YOUTUBE – PilieroMazza Channel © PILIEROMAZZA PLLC 2018 8 First Quarter 2018 Volume 19 Issue 1 GUEST COLUMN Will 2018 Be A Good Time to Sell Your Company? By Sharon Heaton 2017 was a rewarding year for sellers of privately held businesses, including government contractors. 2018 is starting out just as strong. Deloitte, for example, just reported that about 68 percent of executives at US corporations and 76 percent of leaders at US private equity firms say deal flow will increase in the next 12 months. Moreover, 63 percent of PE executives believe deal size will increase in 2018. But let us focus on what is important—you. You own a company that you would like to sell at some point and lift off to a new goal in life. How can you determine when is the right time? 63 percent of PE executives believe deal size will increase in 2018 To lift off successfully, it is important to make strategic decisions with great clarity and take into account both the macro economic environment and your own personal situation. In terms of the macro environment, consumer confidence is high, interest rates are low, and both corporate buyers and private equity firms are sitting on a lot of capital. The problem is a lack of inventory. The fact is, there are not enough good, profitable, well‑managed lower mid‑market companies for sale right now. As a result, and this is important for you to know, prices for companies seen as attractive targets have been increasing. At the same time, the macro picture in 2018 is not without its challenges. The Federal Reserve will raise interest rates during 2018. Higher borrowing costs may have a negative effect on the number of deals and even the pricing of deals that get done. There is uncertainty about both the international (North Korea, Brexit, China, Europe) and the national situation (the Mueller investigation, the impact of the tax bill, instability in the health care market). I am not smart enough to know what is going to happen in these circumstances, but any one of them could have a major impact on the markets and hence your M&A environment. While 2018 may be a good time to sell a company, you must look at your own situation to assess timing. The crucial issues are whether your company is sellable (its strength and stability) and whether you want to sell it and spend your time some other way. Many owners hold onto their companies longer than they should, and later regret it. Surveys report that 75 percent of owners of privately held companies today want to sell in the next ten years; 50 percent want to sell in the next five years. However, a majority of these same owners would sell their company in less than 18 months if offered an attractive price. In order to determine whether you should sell now or in the next few years you need to know what your company could transfer for. If it is more than you thought it was worth, that may impact your thinking on how long you operate it. Many sellers are finding, in this market, that their companies can attract healthy offers. However, your company might be worth less than you thought. In that case, you need ideas on how to fine tune your business to get the price up. A good professional valuation should be able to identify actionable steps that will increase the transferrable value of your company. For example, we had a client who wanted to sell immediately for several million dollars. sb LiftOff informed her that the company was worth only a small fraction of her desired price. With our help, the client became a buyer, not a seller, executing a roll‑up strategy to increase the size of the business and improve the efficiencies of her firm. She was willing to put in the time to get the value she wanted from the sale. 2018 is a good time to get a professional determination of your company’s value and develop your own lift off strategy. About the Author: Sharon Heaton is CEO of sb LiftOff, a lower mid market transition advisory firm. She helps business owners grow successful businesses and transfer them when the time is right. She may be reached at Sharon@sbliftoff.com or 202-494-9942. In order to know how you would really feel about a potential sale in 2018 you need to know what your company is worth.