Government Contracts ConneKTion

Archive for July 2017

Posted on Wednesday, July 12 2017 at 10:29 am

Russia Concerns Negatively Impact GSA Schedule Contractors

By: Gunjan Talati & Scott Davidson, GCO Consulting Group

There is no shortage of news these days involving Russia. You would think that U.S. government contracting would be immune from these considerations. You’d be wrong. That’s because yesterday, the Government removed Moscow-based Kaspersky Lab products from the General Services Administration’s Schedule Program. Kaspersky provided products through resellers which held GSA Schedule 67 and 70 contracts for photographic equipment and related services, and IT services. As a company based in Moscow, Kaspersky came under scrutiny from the Government and was removed from the schedules “to ensure the integrity and security of U.S. government systems and networks” according to a GSA statement cited by Reuters.

According to the Government’s System for Award Management (SAM), Kaspersky remains an active contractor and has not been suspended or proposed for debarment. Accordingly, agencies can still purchase Kaspersky products but not from Kaspersky’s previously held schedule contracts. Curiously, GSA Advantage still shows Kaspersky products available through GSA schedule contracts through resellers. Many of these resellers are small businesses with different socioeconomic statuses.

There are a few lessons from this developing situation:

  • This is a stark reminder that GSA schedule contracts are a privilege, not a right. GSA retains broad authority to remove contractors from its schedules. This authority is not absolute, however. Contractors that might find themselves in a situation like Kaspersky should evaluate whether the Government has acted according to its regulations and should assert and pursue claims if the Government has failed to provide the contractor with appropriate due process.
  • Contractors should evaluate how current events can impact their contracts. Kaspersky, according to Reuters, asserts that it is “caught in the middle of a geopolitical fight where each side is attempting to use the company as a pawn in their political game.” The Government’s action concerning Kaspersky should cause contractors with ties to Russia to evaluate their own situations. If that evaluation reveals any situations that might give an agency concern, they should consider engaging in a proactive dialogue with their agency customers to address those concerns.
  • Last, but certainly not least, is the reminder that GSA schedule contractors are required to abide by the Trade Agreements Act (TAA). The TAA requires contractors to provide either U.S.-made or designated country end products. Designated countries typically include those countries with which the United States has negotiated trade agreements. Russia is not a designated country for TAA purposes.

Posted on Thursday, July 6 2017 at 12:42 pm

Unintended Plaintiffs: United States District Court Allows Private Citizens to Sue a Government Contractor For Failing to Adequately Safeguard Personal Information

By: Gunjan Talati, Jon Neiditz, and Christian Henel

In a remarkable opinion with potentially wide-ranging implications, the United States District Court for the District of Columbia recently allowed a member of the public to sue a federal government contractor directly for privacy violations the plaintiff allegedly suffered during the contractor’s performance.

The Plaintiffs in McDowell v. CGI Federal Inc., CA No. 15-1157 (Slip Op. June 1, 2017) were passport applicants who gave their personal information to State Department contractor CGI Federal, Inc. (“CGI”). CGI is a federal contractor that processes passport applications for the State Department. While CGI had a contract to provide passport application processing for the State Department, it never entered into any express or implied contract with the Plaintiffs. According to the Complaint, CGI failed to adequately safeguard their data when several CGI employees stole Plaintiffs’ personal information and used it to counterfeit identity documents, obtain commercial lines of credit, and make fraudulent purchases. Plaintiffs sued CGI for (1) violations of the District of Columbia’s Consumer Protection Procedures Act (“CPPA”); (2) negligence; (3) breach of contract; (4) breach of bailment; and (5) unjust enrichment. CGI moved to dismiss the claims on several grounds.

The Court dismissed four out of the five counts but kept the case alive by sparing the breach of contract count. The Court first dismissed the CPPA count, finding Plaintiffs ineligible to bring the CPPA count because they were not “consumers” as defined by that statute. It dismissed the negligence count because Plaintiffs failed to allege a “special relationship” with CGI sufficient to avoid D.C.’s “economic loss” bar to negligence claims. It dismissed the unjust enrichment count because Plaintiffs conferred no benefit upon CGI, and it dismissed the bailment count because Plaintiffs had no express or implied agreement with CGI to protect their data.

Despite finding no contract between Plaintiffs and CGI, the Court allowed the breach of contract suit to go forward. The Court reasoned that Plaintiffs were third-party beneficiaries of the contract between CGI and the State Department. Under D.C. law, a plaintiff can sue a contractor as a third-party beneficiary if the contracting parties “clearly intended that the contract would benefit the plaintiff or an identifiable class to which the plaintiff belongs.” (Slip Op. at 13). In McDowell, the District Court reasoned that CGI and the State Department clearly intended to protect Plaintiffs’ data when CGI agreed in its government contract to act reasonably and employ reasonable safeguards at all times to handle Plaintiffs’ personal information. The Court noted that neither party attached a complete version of the CGI-State Department contract and warned that further scrutiny could result in a finding that CGI did not breach any obligation toward Plaintiffs. The Plaintiffs’ allegations were sufficient, however, to survive CGI’s motion to dismiss under the liberal pleading standard applied by Federal Courts. Thus, CGI won four-fifths of its motion to dismiss, but the practical result is that CGI continues to defend the lawsuit in federal court.

McDowell should serve as a cautionary tale of how government contractors handling private citizens’ data and personal information could face direct liability to those citizens in the event of a data breach or privacy violation. The contractor in McDowell had no contract with the Plaintiffs, owed no duty in tort, and had no other bailment relationship or other special relationship with the Plaintiffs, but nonetheless found itself defending a lawsuit for failing to adequately safeguard their data. Our review of similar cases around the country indicates that private citizens are often willing to pursue contractors for data breach and privacy violations even in cases where the connection between the contractors and the citizens seems attenuated.

McDowell’s ruling adds to what appears to be ever-increasing risk to government contractors handling private and personal information. In 2016, the U.S. Supreme Court indicated in Spokeo v. Robins, 136 S.Ct. 1540 (2016) that a private citizen may have standing to sue a third party for statutory violations (in that case, the Fair Credit Reporting Act) even if that citizen has not suffered actual harm, as long as the risk of real harm is the type of risk Congress intended to curb when it passed the statute. Federal courts applying Spokeo have been divided over what kind and degree of damage a plaintiff must allege to demonstrate standing to sue. Some courts have attempted to narrow this exposure by dismissing cases where the Plaintiffs fail to allege a “concrete injury” resulting from the breach, while other courts have opened their doors to suits alleging intangible and even theoretical damages. Although McDowell did not directly address these standing issues (the Court dismissed the plaintiffs’ CPPA count because they were not “consumers” under the statute), contractors should keep in mind that even the risk of harm could expose them to direct liability for data breaches and privacy violations.

Likewise, and regardless of their liability to private citizens, federal contractors remain liable to the Government directly for data breaches and privacy violations, where exposure may range from simple breach of contract damages and liquidated damages to more serious False Claims Act violations under the Supreme Court’s evolving interpretation of false claims liability. See Universal Health Services, Inc. ex rel. Escobar, 136 S.Ct. 1989 (2016).

Although the lessons contractors should take from McDowell are simple, the consequences of underestimating the risk of liability to private citizens can be dire. Contractors handling individuals’ personal information should consider the following points:

  • Consider whether their contracts with federal agencies clearly assign responsibility for safeguarding individuals’ data and information. If it’s unclear, assume that the contractor could be liable to individuals as third-party beneficiaries.
  • Consider the feasibility of disclaiming or limiting liability for data breaches and privacy act violations at the time they receive the information or data from individuals. While this approach may not completely insulate the contractor, it would, at a minimum, reinforce the fact that accepting the data does not create any special relationship in tort or bailment.
  • Ensure they are taking measures necessary to adequately safeguard the entrusted data. Refer to the safeguarding requirements in the applicable contract(s) and implement any other risk-based approaches reasonably necessary to limit exposure for data breaches or privacy violations. Consider what security controls the contractor actually has in place to safeguard the individual’s data and test to ensure that those controls are turned on and effective.