Posted on Thursday, January 18 2018 at 10:14 am by

VA looks to SBA for Future Veteran-Owned Small Business Certification

By Lawrence M. Prosen

January 10 & 11, 2018 – The Department of Veterans Affairs (VA) has published two Notices of Proposed Rulemaking which, in effect, (1) would shift the duties of certifying Veteran-Owned Small Businesses (VOSBs) as relates to Ownership and Control (O&C) from the VA to the U.S. Small Business Administration (SBA); and (2) would revise the regulations dealing with set-asides and sole source awards under the Veterans First Contracting Program. While subject to comment periods and final rulemakings, the big picture story line is that this revised regulatory scheme, if passed, will shift much of the oversight on VOSBs from the VA to the SBA.


A.  Background:

While the SBA oversees almost all small business concerns related to federal procurements, including the SDVOSB program, the VA has had its own veteran-owned business certification program, called the Vets First Verification Program. Arising out of the Veterans Benefits, Health Care and Information Technology Act of 2006 (PL 109-461), this program granted the VA unique authorization to certify businesses as VOSBs and SDVOSBs, as well as to set aside and issue sole source contracts to these entities for VA-specific procurements. This was a program wholly independent of the SBA’s SDVOSB set-aside program, which covers agencies outside the VA for procurements.

Traditionally, in contrast to the organized, detailed certification program that the VA has, in which it affirmatively certifies entities as VOSBs, the SBA’s SDVOSB program is a self-certifying program. Businesses would self-certify as being Service Disabled Veteran Owned (and Small) for reasons of pursuing contracts outside the VA. This remains, but now the VA is “transferring” some of its oversight to the SBA.

B.  So What Does This Mean?

As a result of the National Defense Authorization Act (PL 114-840) designating the SBA as the Federal Agency responsible for overseeing and regulating issues relating to “ownership and control” (O&C) of small businesses, the VA is proposing to remove all references in its regulations to O&C issues. O&C are some of the key factors that SBA (and currently the VA) use to verify a business is in fact Veteran-owned. It is not enough that there is mere ownership in the entity by a veteran or service-disabled veteran; rather, the service-disabled veteran individual(s) must own, control and manage the entity on a day-to-day and long-term basis.

VA’s proposed rulemaking will still keep with the VA the internal certification program and some procedures, but seeks to now utilize SBA to decide O&C-related issues. Rebranding its internal certification operations, the VA proposes that its Center for Verification and Evaluation (CVE) assist VA Contracting Officers in identifying VOSBs and communicate with the SBA on small business status of entities.

Allowing Joint Ventures, the proposed regulations require that at least one JV partner be veteran-owned and that the JV must be in the form of a separate legal entity. This is similar to the SBA’s SDVOSB program, which allows JVs so long as one of the members is an SDVOSB and all members are “small” (the one exception is the SBA’s mentor-protégé program, which allows large businesses to partner with small businesses). The term “separate legal entity” is not as clear in definition as one might like. Typically one might expect the JV to be a limited partnership or limited liability company given this language, something we, as legal counsel, generally recommend regardless, but it is open to a general partnership or some other form of limited liability entity. How this language is defined will need to be determined or clarified by the VA in the future. These proposed regulations would also require that any JV Agreement comply with the SBA’s regulations at 13 CFR Part 125 and would extend those SBA regulations to the VOSBs (not just the SDVOSBCs that SBA oversees).

Looking to the O&C issues, VA’s new proposed regulations point to Title 13 of the Code of Federal Regulations, which are the SBA’s regulations governing small business programs (see, Part 125). While Part 125 is limited to SDVOSBs, these regulations now incorporate the same ownership criteria for VOSBs by reference.

Likewise, the new proposed regulations point to 13 CFR Part 125 for purposes of defining “Control,” which also is limited to SDVOSBs under SBA’s regulations, but again, the VA regulations state that the same will also apply to VOSBs.

A major issue over the years in our experience relating to small business concerns is the issue of “affiliation”. Without getting overly technical, affiliation relates to how potentially related businesses are looked at by the SBA and whether they are in reality related and as a result looked at in combination to determine size status. Affiliation is found to exist between multiple businesses where, for example, there is a relationship, whether through family relations, former employee relationships, over use or reliance on one or more businesses for performing contractors or other bases, such that the other businesses are seen as “affiliates” of the proposed small business. Under this circumstance, where there is a finding of affiliation, the combined revenues (or number of employees) are counted together to determine size status. Often, this results in the business claiming that it is small being found to be other than small. The VA’s proposed rulemaking now points to the SBA’s affiliation regulations under 13 CFR Part 121 and states that the SBA, not the VA, will make affiliation determinations.

In effect, the VA has now agreed to subject its procurements and its certified VOSBs to the SBA’s jurisdiction and oversight.

II. Kingdomware & Veterans First Remains Relevant:

Recall from our prior posts that the Supreme Court in Kingdomware finally settled a long, drawn out “fight” or dispute between the VA and Government Accountability Office (GAO) over whether VA could avoid the requirement to set aside certain contracts for VOSBs. See, Posts of September 6, 2017 and June 8, 2017.

Tied to this discussion is a line of cases dealing with the VA’s “decertification” of VOSBs, finding that inconsistencies in VA’s application of the regulations made the VA’s summary removal of contractors from the VIP database/decertification improper. See generally, Veterans Contracting Group, Inc., v. United States, COFC No. 17-1015C (Dec. 15, 2017).

While not explicitly stated, it appears that the VA has now started to listen to the courts. In a Rulemaking issued on January 11, the VA seeks to make some degree of clarification on the priority for the VA’s making contract awards to VOSBs. Interestingly, this Rulemaking would create a new regulatory scheme clarifying when a contracting officer must solicit competition under the Veterans First Contracting Program. While the Courts have read the existing law in conformance with the GAO, the VA traditionally, allowing other than competitive procedures under certain circumstances to allow contracting officers to award to VOSBs and SDVOSBs.

Posted on Thursday, December 7 2017 at 11:37 am by

5 Key Takeaways: Fighting Back Against Negative Contractor Performance Assessment Report (CPARS) Reviews

Negative Contractor Performance 5 Takeaways

Posted on Wednesday, November 15 2017 at 3:45 pm by

Dateline Washington – Some things appear to still be working, albeit not well for government contractors.

By, Lawrence M. Prosen

As required by the Competition in Contracting Act of 1984, 31 U.S.C. §§3554 et al. (CICA), the U.S. Government Accountability Office (GAO) has certain bid protest-related jurisdiction over executive agencies. As part of its duties, the GAO is obligated to annually report to Congress on its prior fiscal year (FY[1]) bid protest statistics relating to, among other things, number of filings, sustain rates, cases resolved through alternative dispute resolution and corrective action. GAO is also obligated to report any outliers or situations where an agency refused to follow GAO’s recommendation (see our prior posts on the Kingdomware Technology case where the Department of Veterans Affairs refused to follow GAO’s recommendations and GAO reported it to Congress). That case ultimately went to the U.S. Supreme Court and we discussed the Supreme Court’s decision in detail here.

The following summary table comes from GAO’s November 13, 2017 Report to Congress (No. GAO-18-237SP) and organizes the statistics in a comparative manner to the prior four fiscal years:

[1] A Federal fiscal year runs from October 1 of one year to September 20 of the following year



A few numbers jump out:

  • Over the past three years the number of bid protest filings were actually up between 3% and 6%, but in FY 2017 they were down 7% as compared to FY 2016;
  • Likewise, the number of cases closed were down;
  • Importantly, the number of cases that went to a merit decision (e.g., a final decision) were down significantly compared to last year and the number of “Sustains” — where the GAO upheld and granted the protest is similarly down as compared to the prior year — but up as compared to the preceding three fiscal years; and
  • ADR was relatively successful in the 81 cases that used it, but overall the 17% sustain rate appears to be returning to the trend we have seen (excepting FY2016) of GAO denying more and more protests.


Protests to the GAO are usually more cost effective and reach resolution faster than protests filed at the Court of Federal Claims. (This is because of CICA’s mandate that GAO must decide protests within 100 days of their filing). That being said, GAO bid protests do have a relatively low likelihood of success if adjudicated on the merits.

Of those protests that are sustained, here are the most common reasons:

  • Unreasonable Technical Evaluation;
  • Unreasonable Past Performance and/or Unreasonable Cost/Price Evaluation; and
  • Inadequate Record and Flawed Selection Decision.

While these grounds will sound familiar to most government contracting professionals, simply making these allegations will not typically result in a sustained protest. Rather, because each protest is different, it is important to understand how the facts of that given case might fall into these (or other) grounds.

Another important percentage is the effectiveness rate. This is the rate where a protester gets relief either through having a protest sustained or through the agency taking corrective action. This rate has consistently been in the 40+-percentage range for the last five years. Indeed, this number is why so many companies continue to protest even in the face of such a low sustain rate. Put differently, a protester may get some relief without having to fight a protest all the way through.

While the numbers will change from year-to-year, one thing is certain: having competent counsel who understands how GAO works and how to best use facts to develop bases of protest is critical to increasing the likelihood of a successful protest.

Posted on Monday, November 6 2017 at 11:05 am by

Want to Learn More About Fighting Negative CPARS Ratings, Privacy in Government Contracting, the Mandatory Disclosure Rule or Just Network with Government Contractors? Kilpatrick’s Got a Webinar or Meeting For That.

By: Gunjan Talati

The fall brings many nice things: cooler weather, beautiful leaves, and of course, the Government’s fiscal year end. To those wondering where in the world Kilpatrick’s government contracts attorneys have been (because they sure haven’t been putting up blog posts), we’ve had our heads down plugging away at bid protests, contract funding issues, and debarment proceedings. Not to worry though, we’ve got many upcoming webinars and events to make sure you stay up to date with what’s going on in the world of government contracts:

(Please note that Federal Publications Seminars charges for this event.)

  • On Tuesday, November 14, 2017, from 12-1 p.m. EST Gunjan Talati & Chris Henel are presenting a Federal Publications webinar on fighting back against negative CPARS reviews. This webinar will cover the basics surrounding CPARS procedures, review the current case law on fighting negative CPARS reviews, and provide alternative strategies for dealing with negative CPARS reviews. You can read the full webinar description and register at (This webinar is FREE.)
  • On Tuesday, November 21, 2017, from 12-1 p.m. EST, Kilpatrick’s Government Contracts and Data Privacy teams are going to team up to present Privacy in Government Contracts Involving Healthcare. The webinar will cover the basics of what laws like HIPAA and HITECH are intended to cover as well as best practices for internal compliance controls, subcontracting, and what to do in the event of a breach. You can read the full webinar description and register at (This webinar is FREE.)
  • On Thursday, December 7, 2017, from 11:30-1 p.m. EST, Gunjan Talati and CPT Scott Davidson USA (Ret.) from The GCO Consulting Group are teaming up to provide a webinar on the Mandatory Disclosure Rule. The focus of this webinar is for government contractors to understand the obligations regarding potential disclosures and how to develop compliance mitigation plans to help reduce risk in government contracting:
    • The Mandatory Disclosure Rule and Its Applications
    • The Mandatory Disclosure Rule Case Study (Unqualified Labor and Price Reductions Violation)
    • Internal audits and reviews (e.g. GSA Schedule compliance program audits)
    • Civil and Criminal Considerations in GOVCON
    • Suspension and Debarment: Best Practices and Protection
    You can read more about the webinar and register here: (GCO Consulting Group is charging a nominal fee for this webinar.)
  • On December 14, 2017, from 5-7 p.m. EST, Bourbiz, organized by The GCO Consulting Group, is back at Kilpatrick’s Washington, D.C. office. This event is going to be a fun night of networking with celebrity meet and greets, auctions to support veteran charities, and good food and drink. Read more about the event and register at:


Posted on Thursday, September 21 2017 at 3:20 pm by


 BY: John Bergin & Gunjan Talati

On September 13, 2017, President Trump issued an Executive Order blocking the $1.3 billion acquisition by Canyon Bridge Capital Partners, a Chinese government-backed private equity fund (“Canyon Bridge”) of Lattice Semiconductor Corporation (“Lattice”). The Order came after the Committee on Foreign Investment in the United States (“CFIUS”) concluded that the transaction posed a risk to national security. Significantly, President Trump’s Order is the second blocked Chinese acquisition of a U.S. chipmaker within the last year and only the fourth time that a President has ordered a transaction blocked or unwound because of national-security concerns. The Order shows that the U.S. Government will continue to closely scrutinize Chinese investment in U.S. businesses, especially in the semiconductor and high-tech industries. The Order also reminds foreign investors that they face serious regulatory risks on certain transactions in this era of foreign-investment policy uncertainty under the Trump Administration.

Canyon/Lattice Acquisition

In November 2016, the parties announced Canyon Bridge’s acquisition of Lattice. In late December 2016, the parties filed with CFIUS but then withdrew their filing twice to allow for review and discussion. Ultimately, CFIUS investigated the transaction three times before informing the parties that it would recommend that President Trump block the transaction. Despite the fact that most parties voluntarily withdrew their notices/abandoned their transactions under such circumstances, Lattice did not do so. Rather, Lattice presumably decided to forge ahead because it believed Canyon Bridge’s commitment to double the number of U.S. employees would be well received by the Trump Administration. President Trump nevertheless blocked the transaction, highlighting 4 national-security concerns: (1) the potential transfer of intellectual property; (2) the Chinese Government’s role in the transaction; (3) the importance of the semiconductors to the U.S. Government; and (4) the U.S. Government’s use of Lattice’s products.

China’s Attempted Investment in Semiconductors

Recently, Chinese entities have attempted to acquire semiconductor companies in the U.S. and other Western countries seemingly as part of the Chinese Government’s attempts to acquire such companies rather than develop them. CFIUS has responded by closely scrutinizing transactions involving the transfer of strategically-important technologies with potential military applications to China. This is especially true for semiconductors and their supply chain heavily utilized by the U.S. Government and Military. President Trump’s Order certainly shows that CFIUS has become more hostile to foreign acquisitions of U.S. tech companies, especially those involving China. It also indicates the likelihood that CFIUS will block China’s attempts to acquire U.S. tech companies for the foreseeable future and should cause parties to exercise appropriate due diligence when considering such transactions.


As expected under the Trump Administration, CFIUS continues to heavily scrutinize Chinese acquisitions of tech companies, especially those in the semiconductor industry. Either way, CFIUS will continue to present significant regulatory risks to certain foreign buyers of U.S. technology companies as evidenced by the fact that last week the U.S. Senate Committee on Banking, Housing and Urban Affairs conducted a full-committee hearing examining CFIUS for the first time in almost a decade.

Posted on Wednesday, September 6 2017 at 2:45 pm by

Challenging the Reign of Kingdomware – Federal Circuit May Decide Whether Veterans or AbilityOne Participants Receive Priority in VA Procurements.

By Gunjan R. Talati, Christian F. Henel, & Scott M. Davidson, Mike Phipps, The GCO Consulting Group

On Friday of last week, while most of the country was getting ready for the Labor Day Holiday, the U.S. Court of Federal Claims in PDS Consultants, Inc. v. United States, Case No. 16-1603C, Slip. Op. (September 1, 2017) stayed its own judgment that arguably would have protected and potentially expanded veteran-owned businesses’ ability to win government contracts. The Court’s order essentially defers to the U.S. Court of Appeals for the Federal Circuit on whether to limit the impact of a landmark U.S. Supreme Court ruling veteran-owned businesses celebrated just a year ago.

Last June, we reported on the U.S. Supreme Court decision, Kingdomware Technologies, Inc. v. United States, 136 S.Ct. 1969 (June 16, 2016). Overturning the U.S. Court of Federal Claims, the Supreme Court in Kingdomware held that the Veterans Benefits, Health Care, and Information Technology Act of 2006 (“VBA”) required the VA to employ the “rule-of-two” analysis to determine whether it must set aside task orders for SDVOSBs before opening them up to unrestricted competition. Kingdomware was generally considered a victory by the SDVOSB community, who expected the decision would require the VA to set-aside more SDVOSB task orders. Unfortunately, the PDS case demonstrates that Kingdomware’s application is far from straightforward.

PDS ultimately asks the Court of Federal Claims – and now the Federal Circuit – to answer the question: how can the VA comply with Kingdomware’s directive to perform a rule-of-two analysis when another conflicting statute requires it to direct-award to an organization on the AbilityOne Procurement List created under the Javits-Wagner-O’Day Act (“JWOD”), 41 U.S.C. §8127? In PDS, the VA awarded to a JWOD AbilityOne contractor without first employing the rule-of-two and considering SDVOSBs as Kingdomware required. Initially, the VA and awardee intervenor, IFB Solutions, argued that the VA could not have violated the VBA because it had complied with JWOD (JWOD generally requires federal agencies to purchase products and services from designated nonprofits that employ blind and otherwise severely disabled people, listed on the AbilityOne Procurement List). Put differently, the VA and IFB argued that the VA could not be penalized for violating one law by virtue of having complied with another.

Later in the protest, the VA changed its position to apply the rule-of-two in favor of SDVOSBs for items added to the AbilityOne Procurement List after the VBA’s January 7, 2010 effective date, essentially taking the position that going forward, the VA would prioritize SDVOSBs over AbilityOne listees. Disagreeing, IFB maintained that JWOD required the VA to procure from AbilityOne list recipients without regard to SDVOSB or the rule-of-two. It was up to the Court of Federal Claims to decide whether the VA’s revised position to prioritize SDVOSBs appropriately reconciled the VBA with JWOD.

The Court ruled in favor of veterans citing the VBA’s plain language and the reasoning in Kingdomware to rule that Congress required the VA to give priority to SDVOSBs and VOSBs when procuring goods and services. IFB appealed the Court’s order.

Pending appeal, IFB moved for an injunction staying the Court’s judgment until the Federal Circuit could weigh in on the issue. Last Friday, the Court granted the requested stay. Notably, in applying the traditional elements for injunctive relief, the Court’s order expressed some disbelief in its own prior opinion, observing that “while the Court rejected IFB’s arguments, it is not possible to determine the likelihood of success on appeal.” Using language that we might describe as tentative, the Court remarked that “[t]his case involves two statutes designed to give preferences to different well-deserving groups” and that “[w]hether the VA has made the right call and properly reconciled its obligations under VBA and JWOD after Kingdomware will now be decided by the Federal Circuit.”

The ruling granting IFB’s request for a stay suggests that the Court of Federal Claims is not convinced that the VBA requires the VA to consider setting aside contracts for SDVOSBs in cases where there is a qualified AbilityOne awardee. SDVOSBs and other veterans groups will want to stay closely tuned to this case as it comes before the Federal Circuit and invites potential reconsideration of the scope and meaning of Kingdomware and the VBA’s rule-of-two requirement.

Posted on Monday, August 21 2017 at 11:11 am by

5 Key Takeaways: Protecting Your IP When Government Contracts Are Involved.

Please click here to read.

Posted on Thursday, August 3 2017 at 1:10 pm by

Kilpatrick Townsend partner Gunjan Talati was recently quoted in the BNA Federal Contracts Report article – “Missing Data Hinders Contractor Disclosure Rule Nine Years In.”

Please click here to read.


Posted on Wednesday, July 12 2017 at 10:29 am by

Russia Concerns Negatively Impact GSA Schedule Contractors

By: Gunjan Talati & Scott Davidson, GCO Consulting Group

There is no shortage of news these days involving Russia. You would think that U.S. government contracting would be immune from these considerations. You’d be wrong. That’s because yesterday, the Government removed Moscow-based Kaspersky Lab products from the General Services Administration’s Schedule Program. Kaspersky provided products through resellers which held GSA Schedule 67 and 70 contracts for photographic equipment and related services, and IT services. As a company based in Moscow, Kaspersky came under scrutiny from the Government and was removed from the schedules “to ensure the integrity and security of U.S. government systems and networks” according to a GSA statement cited by Reuters.

According to the Government’s System for Award Management (SAM), Kaspersky remains an active contractor and has not been suspended or proposed for debarment. Accordingly, agencies can still purchase Kaspersky products but not from Kaspersky’s previously held schedule contracts. Curiously, GSA Advantage still shows Kaspersky products available through GSA schedule contracts through resellers. Many of these resellers are small businesses with different socioeconomic statuses.

There are a few lessons from this developing situation:

  • This is a stark reminder that GSA schedule contracts are a privilege, not a right. GSA retains broad authority to remove contractors from its schedules. This authority is not absolute, however. Contractors that might find themselves in a situation like Kaspersky should evaluate whether the Government has acted according to its regulations and should assert and pursue claims if the Government has failed to provide the contractor with appropriate due process.
  • Contractors should evaluate how current events can impact their contracts. Kaspersky, according to Reuters, asserts that it is “caught in the middle of a geopolitical fight where each side is attempting to use the company as a pawn in their political game.” The Government’s action concerning Kaspersky should cause contractors with ties to Russia to evaluate their own situations. If that evaluation reveals any situations that might give an agency concern, they should consider engaging in a proactive dialogue with their agency customers to address those concerns.
  • Last, but certainly not least, is the reminder that GSA schedule contractors are required to abide by the Trade Agreements Act (TAA). The TAA requires contractors to provide either U.S.-made or designated country end products. Designated countries typically include those countries with which the United States has negotiated trade agreements. Russia is not a designated country for TAA purposes.

Posted on Thursday, July 6 2017 at 12:42 pm by

Unintended Plaintiffs: United States District Court Allows Private Citizens to Sue a Government Contractor For Failing to Adequately Safeguard Personal Information

By: Gunjan Talati, Jon Neiditz, and Christian Henel

In a remarkable opinion with potentially wide-ranging implications, the United States District Court for the District of Columbia recently allowed a member of the public to sue a federal government contractor directly for privacy violations the plaintiff allegedly suffered during the contractor’s performance.

The Plaintiffs in McDowell v. CGI Federal Inc., CA No. 15-1157 (Slip Op. June 1, 2017) were passport applicants who gave their personal information to State Department contractor CGI Federal, Inc. (“CGI”). CGI is a federal contractor that processes passport applications for the State Department. While CGI had a contract to provide passport application processing for the State Department, it never entered into any express or implied contract with the Plaintiffs. According to the Complaint, CGI failed to adequately safeguard their data when several CGI employees stole Plaintiffs’ personal information and used it to counterfeit identity documents, obtain commercial lines of credit, and make fraudulent purchases. Plaintiffs sued CGI for (1) violations of the District of Columbia’s Consumer Protection Procedures Act (“CPPA”); (2) negligence; (3) breach of contract; (4) breach of bailment; and (5) unjust enrichment. CGI moved to dismiss the claims on several grounds.

The Court dismissed four out of the five counts but kept the case alive by sparing the breach of contract count. The Court first dismissed the CPPA count, finding Plaintiffs ineligible to bring the CPPA count because they were not “consumers” as defined by that statute. It dismissed the negligence count because Plaintiffs failed to allege a “special relationship” with CGI sufficient to avoid D.C.’s “economic loss” bar to negligence claims. It dismissed the unjust enrichment count because Plaintiffs conferred no benefit upon CGI, and it dismissed the bailment count because Plaintiffs had no express or implied agreement with CGI to protect their data.

Despite finding no contract between Plaintiffs and CGI, the Court allowed the breach of contract suit to go forward. The Court reasoned that Plaintiffs were third-party beneficiaries of the contract between CGI and the State Department. Under D.C. law, a plaintiff can sue a contractor as a third party beneficiary if the contracting parties “clearly intended that the contract would benefit the plaintiff or an identifiable class to which the plaintiff belongs.” (Slip Op. at 13). In McDowell, the District Court reasoned that CGI and the State Department clearly intended to protect Plaintiffs’ data when CGI agreed in its government contract to act reasonably and employ reasonable safeguards at all times to handle Plaintiffs’ personal information. The Court noted that neither party attached a complete version of the CGI-State Department contract and warned that further scrutiny could result in a finding that CGI did not breach any obligation toward Plaintiffs. The Plaintiffs’ allegations were sufficient, however, to survive CGI’s motion to dismiss under the liberal pleading standard applied by Federal Courts. Thus, CGI won four-fifths of its motion to dismiss, but the practical result is that CGI continues to defend the lawsuit in federal court.

McDowell should serve as a cautionary tale of how government contractors handling private citizens’ data and personal information could face direct liability to those citizens in the event of a data breach or privacy violation. The contractor in McDowell had no contract with the Plaintiffs, owed no duty in tort, and had no other bailment relationship or other special relationship with the Plaintiffs, but nonetheless found itself defending a lawsuit for failing to adequately safeguard their data. Our review of similar cases around the country indicates that private citizens are often willing to pursue contractors for data breach and privacy violations even in cases where the connection between the contractors and the citizens seems attenuated.

McDowell’s ruling adds to what appears to be ever-increasing risk to government contractors handling private and personal information. In 2016, the U.S. Supreme Court indicated in Spokeo v. Robins, 136 S.Ct. 1540 (2016) that a private citizen may have standing to sue a third party for statutory violations (in that case, the Fair Credit Reporting Act) even if it has not suffered actual harm, as long as the risk of real harm is the type of risk Congress intended to curb when it passed the statute. Federal courts applying Spokeo have been divided over what kind and degree of damage a plaintiff must allege to demonstrate standing to sue. Some courts have attempted to narrow this exposure by dismissing cases where the Plaintiffs fail to allege a “concrete injury” resulting from the breach, while other courts have opened their doors to suits alleging intangible and even theoretical damages. Although McDowell did not directly address these standing issues (the Court dismissed the plaintiffs’ CPPA count because they were not “consumers” under the statute), contractors should keep in mind that even the risk of harm could expose them to direct liability for data breaches and privacy violations.

Likewise, and regardless of their liability to private citizens, federal contractors remain liable to the Government directly for data breaches and privacy violations, where exposure may range from simple breach of contract damages and liquidated damages to more serious False Claims Act violations under the Supreme Court’s evolving interpretation of false claims liability. See Universal Health Services, Inc. ex rel. Escobar, 136 S.Ct. 1989 (2016).

Although the lessons contractors should take from McDowell are simple, the consequences of underestimating the risk of liability to private citizens can be dire. Contractors handling individuals’ personal information should consider the following points:

  • Consider whether their contracts with federal agencies clearly assign responsibility for safeguarding individuals’ data and information. If it’s unclear, assume that the contractor could be liable to individuals as third-party beneficiaries.
  • Consider the feasibility of disclaiming or limiting liability for data breaches and privacy act violations at the time they receive the information or data from individuals. While this approach may not completely insulate the contractor, it would, at a minimum, reinforce the fact that accepting the data does not create any special relationship in tort or bailment.
  • Ensure they are taking measures necessary to adequately safeguard the entrusted data. Refer to the safeguarding requirements in the applicable contract(s) and implement any other risk-based approaches reasonably necessary to limit exposure for data breaches or privacy violations. Consider what security controls the contractor actually has in place to safeguard the individual’s data and test to ensure that those controls are turned on and effective.