Portfolio Media, Inc. | 111 West 19th Street, 5th Floor | New York, NY 10011 | www.law360.com | Phone: +1 646 783 7100 | Fax: +1 646 783 7161

Cybersecurity And The FCA — Yes, It Is A Thing

By Warrington S. Parker and Tom McConville

Law360, New York (November 9, 2016, 10:45 AM EST) -- The U.S. Department of Defense has issued rules mandating compliance with the cybersecurity requirements set forth in the National Institute of Standards and Technology Special Publication 800-171 no later than Dec. 31, 2017. See 32 C.F.R. Part 236; DFARS 252.204 (revised Oct. 21, 2016); see also 80 Fed. Reg. 51,739 (Aug. 26, 2015); 80 Fed. Reg. 81,472 (Dec. 30, 2015); NIST SP 800-171. These rules make no mention of the False Claims Act, 31 U.S.C. §§ 3729-3733. And no court has had an opportunity to address these rules within the context of the False Claims Act. However, a recent case discussing cybersecurity rules in the health care context may give guidance as to how a False Claims Act claim will play out in the context of the DOD’s cybersecurity rules.

The False Claims Act

The False Claims Act allows the government or a whistleblower, called a relator, to bring suit for any false statement made in connection with a submission for payment to the government. There are two paradigmatic examples of such claims. One is where a claimant agrees to provide something to the government, provides something different, but submits a payment for the thing originally agreed on. The other is where a claimant submits a claim for services not rendered. See, e.g., United States v. Bornstein, 423 U.S. 303 (1976); United States v. Science Applications Int’l Corp., 626 F.3d 1257 (D.C. Cir. 2010); Mikes v. Straus, 274 F.3d 687 (2d Cir. 2001).
However, liability under the False Claims Act is not limited to these examples. Rather, False Claims Act liability can also be found under theories of fraud in the inducement, express certification and implied certification. No court has held that these theories have application to the DOD rules, but they bear noting.

Fraud in the Inducement

A fraud-in-the-inducement False Claims Act claim requires a misrepresentation of a fact material to the making of a contract. See, e.g., Hooper v. Lockheed Martin Corp., 688 F.3d 1037 (9th Cir. 2012); Harrison v. Westinghouse Savannah River Co., 176 F.3d 776 (4th Cir. 1999) (collecting cases). Under the DOD cybersecurity rules, one can imagine the government or a relator claiming that there was fraud in the inducement when a government contractor fails to disclose its lack of compliance or fails to request a variance knowing that it was not compliant. Some limitations on this theory may apply. First, no court has yet determined whether these rules are material. Materiality is defined by the False Claims Act as “having a natural tendency to influence, or be capable of influencing, the payment or receipt of money or property.” 31 U.S.C. § 3729(b)(4). One could imagine that the failure to comply with any aspect of the cybersecurity requirements would be material to the government given the government’s justification that these rules are necessary to national security. See 80 Fed. Reg. 51,739 (Aug. 26, 2015); 80 Fed. Reg. 81,472 (Dec. 30, 2015). Equally, though, there may be some specific requirements that arguably are not material. This remains to be seen. Moreover, failure to comply with the DOD rules may not present a prototypical fraud in the inducement claim. A typical claim turns on an affirmative misrepresentation such as the provision of false cost estimates or a false representation that bids were not collusive. See, e.g., United States ex rel. Marcus v. Hess, 317 U.S. 537 (1943); United States ex rel. Simpson v. Bayer Healthcare, 732 F.3d 869 (8th Cir. 2013); United States ex rel. Main v. Oakland City Univ., 426 F.3d 914 (7th Cir. 2005). Under the DOD’s scheme, a contractor’s submission of an offer is a representation that it is compliant with the cybersecurity rules; however, disclosure of any noncompliance with DOD rules is not required until 30 days after award of contract. DFARS 252.204-7008; DFARS 252.204-7012. Given that the rules contemplate a post-award disclosure of noncompliance, a claim that a contract was awarded based on the pre-award assumption of compliance may not be viable.
At the same time, however, if a contractor is not compliant, the rules require the contractor to seek a variance. DFARS 252.204-7008; DFARS 252.204-7012. The fraud in the inducement claim might therefore turn on failure to seek a variance, which presumably the government would argue induced the contract based on the claimed belief of compliance with the rules. Sounds complicated — yes — which is why this theory may not work.

Express Certification

The express certification theory depends on an express statement of compliance typically made at the time claims are submitted to the government. In its broadest form, a claimant will submit a claim for payment which also certifies that the claimant has abided by the terms of a contract, statute and/or regulation. Such theories have found particular vogue in the health care context. See, e.g., United States ex rel. Schmidt v. Zimmer Inc., 386 F.3d 235 (3d Cir. 2004) (citing cases). Here too, there are limitations to such a theory. First, courts have found that False Claims Act express certification claims are not viable when the certification is broad, such as certifying compliance with all terms of a contract, and all applicable statutes and regulations. Courts have required that the certification of compliance must be as to more specific statutes, contract terms or regulations. See, e.g., Bishop v. Wells Fargo & Co., 825 F.3d 35 (2d Cir. 2016) (citing cases). Second, not every contractual, statutory or regulatory violation is actionable under the False Claims Act. This is true even when the government designates as a condition of payment compliance with a particular contractual term, statute or regulation. Universal Health Services Inc. v. United States ex rel. Escobar, 136 S. Ct. 1989, 2001 (2016). Instead, compliance with a contract term, statute or regulation must be material to the government decision to pay a claim. Id.

Thus, it could be that not every conceivable violation of the DOD rules would give rise to an express certification claim. See, e.g., United States ex rel. Thomas v. Black & Veatch Special Projects Corp., 820 F.3d 1162 (10th Cir. 2016) (finding express certification claim was not viable due to lack of materiality). But this has not been resolved.
Implied Certification

The implied certification theory, recently affirmed by the U.S. Supreme Court in Escobar, asks whether there is something that should have been disclosed, but was not. At bottom, it is a material omission theory. Thus, in Escobar, the court found that the defendant could be held liable for a False Claims Act claim where the defendant submitted claims for payment for services actually rendered and accurately described, but which services were rendered in violation of regulation. The defendant’s failure to disclose that the services were rendered in violation of regulation, according to the court, gave rise to the claim. The scope of this theory is currently uncertain in light of the Supreme Court’s opinion. First, the Supreme Court stated that this theory is viable at least when (1) a claimant makes specific representations as to the services it provides, but (2) fails to disclose noncompliance with material statutory, regulatory or contractual requirements, which makes the representations misleading half-truths. Whether a claimant must make a specific representation as to the services rendered, though, is uncertain. At least one court has suggested that the claimant does not have to make a specific representation as to the services provided to trigger liability. Rose v. Stephens Inst., 2016 U.S. Dist. Lexis (C.D. Cal. Sept. 20, 2016). Second, the undisclosed fact must be material. As noted, what is material under the DOD rules remains to be developed.

United States v. Kettering Health Network

Now, as mentioned, none of these theories have been tested with respect to the DOD’s cybersecurity rules. And it does not appear that many courts have tangled with how cybersecurity rules play out in the False Claims Act context. But one case does start to point the way. In United States ex rel. Sheldon v. Kettering Health Network, 816 F.3d 399 (6th Cir. 2016), the court rejected a False Claims Act claim for alleged noncompliance with the Health Information Technology for Economic and Clinical Health Act, a law that incentivized health care providers to adopt electronic health record safeguards. Under the HITECH Act, the government makes incentive payments to health care providers when the health care provider conducts security risk analyses, implements cybersecurity measures and submits to the government attestations that it has done so. The defendant did all those things and received incentive payments. However, the relator claimed that those incentive payments were procured by false attestations. In support of this claim, the relator noted that her own protected health information had been compromised, that the defendant failed to run what relator alleged were the required security checks, id. at 409-11, and that the defendant “fail[ed] to implement policies and procedures that allow only authorized persons to access electronic protected health information.” Id. at 410 n. 5. In affirming the defendant’s motion to dismiss, the court relied on the heightened pleading standards applicable to False Claims Act claims — standards that require allegations of specific facts. The court noted that the cybersecurity rules were not intended to prevent any and all security breaches. That there was one could not justify a conclusion that the requisite security measures had not been implemented. Moreover, the court noted that the HITECH Act did not require the type of security checks alleged by relator. Id. at 411-14. Finally, the court rejected the broadest of claims — that the defendant “fail[ed] to implement policies and procedures.” According to the court, beyond this simple assertion there were no facts alleged that would permit an inference that the challenged procedures were not implemented. Id. at 410 n. 5.
The Takeaway

Sheldon is admittedly not perfect guidance. However, it at least indicates two things. First, notably, while rejecting the False Claims Act claim for failure to meet pleading requirements, the court does not once question that a failure to comply with cybersecurity requirements could give rise to a False Claims Act claim. Second, though, the opinion makes clear that the heightened pleading requirements serve as a defense to assertions of failure to comply.

—By Warrington S. Parker and Tom McConville, Orrick Herrington & Sutcliffe LLP

Warrington Parker is a partner in Orrick's San Francisco and Silicon Valley offices and a former assistant U.S. attorney in the Central District of California. Tom McConville is a partner in the firm's Los Angeles and Orange County, California, offices and a former assistant U.S. attorney in the Central District of California.

The opinions expressed are those of the author(s) and do not necessarily reflect the views of the firm, its clients, or Portfolio Media Inc., or any of its or their respective affiliates. This article is for general information purposes and is not intended to be and should not be taken as legal advice.
All Content © 2003-2016, Portfolio Media, Inc.