Nothing is certain in life except death, taxes, and now, data breaches. Data breaches are almost an unavoidable cost of doing business in a globally connected world. As if being victimized by cybercriminals wasn’t enough, cybersecurity and data privacy increasingly have become the focus of private class action litigation and government enforcement actions.
But businesses that contract with the federal government face even more cyber-scrutiny, in the form of the False Claims Act (“the FCA”). As its name suggests, that Act has long outlawed knowingly making false claims when contracting with the federal government. Whistleblowers (called “relators”) may file suits under the FCA in the name of the federal government in exchange for a cut of the treble damages to which the government is entitled if a violation is found. Historically, the FCA was designed to stamp out corruption in government procurement, but today, the FCA has been given new life as a tool for enforcing cybersecurity standards against government contractors. Recent developments demonstrate how.
In one recent FCA case, a relator accused a defense contractor, Aerojet, of falsely stating that it was compliant with the various cybersecurity rules in the acquisition regulations of the National Aeronautics and Space Administration, 48 C.F.R. § 252.204–7012, and the Department of Defense, 48 C.F.R. § 1852.204-76. A federal judge refused to dismiss the suit in May 2019, see United States v. Aerojet Rocketdyne Holdings, Inc., 381 F. Supp. 3d 1240 (E.D. Cal. 2019), leading to a $9 million settlement in April 2022. Next, in October 2021, the Department of Justice ("DOJ") announced its Civil Cyber-Fraud Initiative, which targets contractors with cybersecurity practices that put federal information and networks at risk. Then, less than a year later, in March 2022, DOJ reached its first settlement under this Initiative, signaling that FCA cases in the cybersecurity space are likely to proliferate, especially as more federal agencies develop and issue cybersecurity rules that require contractors to implement security measures and establish policies and practices designed to safeguard sensitive data. Knowing failure to comply with such rules may lead to FCA liability.
But what if cybersecurity standards are non-specific, open-ended or broadly worded—how can a contractor “know” whether it is complying with those standards? Take the Interagency Guidelines Establishing Information Security Standards, for example, which provide data security standards for banks subject to the Gramm-Leach-Bliley Act. Those Standards simply state that a bank must “[d]esign its information security program to control the identified risks, commensurate with the sensitivity of the information as well as the complexity and scope of the [bank’s] activities.” 12 C.F.R. App’x B to Part 30, § 3(C)(1). The Standards then list certain “security measures”—like access controls, monitoring, and encryption—that a bank “must consider” and “adopt” if the bank itself concludes that those measures “are appropriate.” Id. Assessing precisely what cybersecurity measures a government contractor subject to standards like these must adopt is not clear.
Recent caselaw deciding issues under the FCA, however, should provide contractors facing a minefield of broad government cybersecurity rules some comfort. The United States Court of Appeals for the Seventh Circuit (which oversees federal courts in Illinois, Indiana, and Wisconsin) held in United States ex rel. Schutte v. SuperValu Inc., 9 F.4th 455 (2021), and United States ex rel. Proctor v. Safeway, Inc., 30 F.4th 649 (2022), that a contractor does not “knowingly” violate an unclear regulation if it follows an objectively reasonable interpretation of that regulation. While these cases did not involve government-issued cybersecurity requirements, the principle applies with equal force.
Both Schutte and Proctor involved claims that supermarkets’ pharmacies overcharged Medicare and Medicaid for prescription drug reimbursements. A federal regulation required the supermarkets to request reimbursement based on the “usual and customary price” that they charge the “general public” for their drugs. Schutte, 9 F.4th at 460; Proctor, 30 F.4th at 653. The supermarkets requested reimbursement based on the sticker price of their drugs, rather than the discounted price that they actually charged many customers for the drugs under the supermarkets’ discount and price-match programs. Schutte, 9 F.4th at 461; Proctor, 30 F.4th at 654. This allegedly allowed the supermarkets to compete with cheaper pharmacies like Wal-Mart, all while forcing the government to pick up the difference. Schutte, 9 F.4th at 461; Proctor, 30 F.4th at 654.
The Seventh Circuit held in each case that the supermarkets followed an objectively reasonable interpretation of the unclear phrase “usual and customary price” charged to the “general public.” Schutte, 9 F.4th at 472; Proctor, 30 F.4th at 660. Although any customer could have taken advantage of the supermarkets’ discounts, they had to participate in the discount program (by joining it for free, or by asking for a price-match with a cheaper pharmacy). Schutte, 9 F.4th at 469; Proctor, 30 F.4th at 659. The supermarkets, in the Seventh Circuit’s view, reasonably interpreted “usual and customary price” charged to the “general public” to exclude prices charged to those customers who participated in their discount programs. Schutte, 9 F.4th at 472; Proctor, 30 F.4th at 660. And there was no “authoritative guidance” at the time, either from a court or from a government agency, that contradicted the supermarkets’ interpretation. Schutte, 9 F.4th at 471–72; Proctor, 30 F.4th at 660. That meant that the supermarkets could not have “knowingly” violated the federal regulation in seeking higher Medicare and Medicaid reimbursements from the government and were therefore not subject to liability under the FCA. Schutte, 9 F.4th at 472; Proctor, 30 F.4th at 661–63.
The Supreme Court may review Schutte, which like Proctor applies Safeco Insurance Co. of America v. Burr, 551 U.S. 47, the Supreme Court’s 2007 decision interpreting a similar scienter provision in the Fair Credit Reporting Act. The relator’s petition for certiorari is pending and has attracted high-profile support—including Senator Chuck Grassley, who sponsored the Fraud Enforcement & Recovery Act of 2009 and argues that the Seventh Circuit got the FCA all wrong.
In light of the Seventh Circuit’s decisions, government contractors should review data privacy and cybersecurity requirements governing their government contracts, identify any ambiguities or missing agency guidance, and obtain the advice of cybersecurity and data privacy professionals and outside counsel. Broadly worded or unclear rules may seem daunting at first, but under the Seventh Circuit’s reasoning, they are less likely to lead to FCA liability—so long as the contractor follows an objectively reasonable interpretation of the rule or standard in question. Contractors should, of course, continue to follow industry best practices; however, regular consideration of applicable government data privacy and cybersecurity rules, agency guidance, and court decisions with the assistance of outside counsel may help limit contractors’ exposure under the FCA.