The United States District Court for the District of Columbia recently endorsed private citizens bringing data breach claims directly against a government contractor where the contractor failed adequately to safeguard the citizens’ personal information. In McDowell v. CGI Federal Inc., No. 15-1157, 2017 WL 2392423 (D.D.C. June 1, 2017), the district court ruled a private party can survive a contractor’s motion to dismiss by claiming to be an “intended beneficiary” of terms commonly found in government contracts involving the storage or transmission of sensitive consumer information. This ruling potentially expands class action liability exposure for government contractors who receive consumers’ personal information during the course of performing government contracts.
The plaintiff in McDowell submitted a passport application containing her personal information to the United States Passport Agency, which is part of the U.S. State Department. CGI Federal, Inc. (“CGI”), a federal contractor, processes passport applications for the State Department. While CGI had entered into a contract to provide passport application processing to the State Department, it never entered into any express or implied contract with Ms. McDowell.
The McDowell complaint alleged employees of CGI stole the plaintiff’s personal information, along with the personal information of other passport applicants, and used the information to commit identity theft. The named plaintiff’s alleged injuries included paying for enhanced credit monitoring services and expending time to deal with several fraudulent charges and protect her accounts with banks, credit card companies, and credit reporting agencies. Based on these allegations, the plaintiff alleged contract, tort, and consumer protection act claims against CGI.
The district court dismissed all but the breach of contract claim. Despite finding no contract between Ms. McDowell and CGI, the district court nevertheless allowed the breach of contract claim to survive, finding the named plaintiff an intended third party beneficiary of CGI’s contract with the State Department. Normally, in the context of government contracts, “there is a presumption that members of the public are not intended beneficiaries, but merely incidental beneficiaries of the contract.” McDowell, 2017 WL 2392423, at *6. Under the common law of the District of Columbia (which the district court ruled was the governing law), this presumption may be overcome if the contracting parties “clearly intended that the contract would benefit the plaintiff, or an identifiable class to which the plaintiff belongs.” Id. at *7 (internal quotation omitted).
Neither party provided the court with a copy of the contract between CGI and the State Department. Rather, the McDowell plaintiff merely alleged, on information and belief, that the State Department’s contract with CGI required CGI to “‘act reasonably and employ reasonable safeguards at all times with respect to handling the Personal Information of Plaintiffs, including requiring a background security investigation for all CGI employees with authorized access to the Personal Information.’” Id. (quoting amended complaint) (emphasis added by court). Accepting this allegation as true for purposes of CGI’s motion to dismiss, the court held “it is at least plausible that [plaintiff] can establish that she is an intended beneficiary.” Id. The court warned, however, that whether plaintiff can do so will depend on a review of “the language of the alleged contract provision, as well as the contract as a whole.” Id. Because the actual contract was not yet before the court, an analysis of the contract’s language was a merits question the court declined to reach at the motion to dismiss stage.
Government contracts frequently require contractors to employ reasonable safeguards to protect consumer personal information. The McDowell ruling allows consumer victims of data breaches to assert breach-related claims directly against the government contractor as intended beneficiaries of such provisions. Given the roadblocks consumers face in asserting damages claims against government agencies, breach claims against private government contractors may become attractive options for victims of disclosure of information submitted to the government.
In the wake of McDowell, contractors handling sensitive consumer information should review their government contracts to determine the extent to which they have accepted responsibility for safeguarding consumer information. A contractor potentially facing an intended third-party beneficiary claim based on any such contractual provision should re-evaluate its data breach safeguards, including ensuring all security controls remain state-of-the-art and have been subject to regular testing. And contractors should remain current on developments in data breach law, given that they now could face direct liability on such claims rather than merely facing a risk of indemnification liability if and to the extent a governmental entity might be found liable.