JONES DAY TALKS®: A False Sense of Security: Cyber Disclosure Obligations for Public Contractors
Cybersecurity threats remain a constant concern for every business and organization, regardless of size, location, or industry. The stakes relating to possible litigation, financial repercussions, and reputational risk are high.
In this second episode of "A False Sense of Security", Jones Day Talks' series of programs focusing on legal issues that arise in connection with cybersecurity requirements and representations, Jeff Rabkin, Jamila Hall, and Grayson Yeargin discuss the special considerations confronting public sector contractors relative to cyber threats and data breaches. They talk about what can trigger a mandatory disclosure under a public sector contract, consequences and practical considerations regarding disclosures, and False Claims Act decisions concerning cybersecurity issues.
The conversation concludes with a look at President Biden's May 2021 Executive Order on Improving the Nation's Cybersecurity.
In the second installment of A False Sense of Security, our series of programs on the potential legal issues relating to cybersecurity requirements and representations, the focus turns to public sector contracts and disclosure obligations. Our panel will discuss what can trigger a mandatory disclosure, consequences and practical considerations regarding disclosures, and False Claims Act matters concerning cybersecurity issues. They'll also talk about President Biden's May 2021 executive order on improving the nation's cybersecurity. I'm Dave Dalton. You're listening to Jones Day Talks.
Jones Day Partner Jamila Hall is a former federal prosecutor who serves as defense and investigative counsel to Fortune 500 companies and regularly conducts internal investigations throughout the US, Latin America, Europe, and Asia. She defends companies and individuals in often high-stakes civil and criminal investigations brought by the US Department of Justice and other government agencies. Partner Grayson Yeargin assists clients with complying with government requirements and guiding them through government investigations. He represents government contractors, companies in the private sector, and individuals involved in disputes with the government. Grayson advises national security and defense companies on legal and regulatory compliance requirements that arise in those industries, with a particular focus on information security.
And finally, Partner Jeff Rabkin has tried 20 cases to verdict in federal and state courts. He represents businesses in all types of government investigations, regulatory proceedings, and private disputes. Jeff joined Jones Day from the Office of the Attorney General in the California Department of Justice, where he was a member of the AG's executive team and special assistant attorney general for law and technology. In that role, he was responsible for oversight of the California DOJ Cyber Crime and Privacy Enforcement units. In fact, Jeff will direct today's discussion. So we thank him in advance for his work in preparation. Panel, thanks for being here. Jeff, there's a lot to cover, so let's begin.
Thank you, David. And thank you, Jamila and Grayson, for your time today. This is the second in a series of podcasts that focuses on emerging legal risks arising from inconsistencies between what companies say they do and what they actually do with respect to the people, processes, and technology that make up their cybersecurity programs. As David mentioned, today, we'll be focusing on public sector risks. We thought a deeper dive into these issues was appropriate given that cybersecurity requirements are highly regulated in the public sector and the consequences of even inadvertent misrepresentations in this space are potentially severe. Grayson, let me start with you. What can trigger a mandatory disclosure, under a public sector contract, in connection with cybersecurity issues?
Sure. Thanks, Jeff. And it's good to be here today talking about this. A mandatory disclosure, under a public sector contract, is a concept that's been around for a while, and it's not new with cybersecurity, but the contracts that we're seeing now that have cybersecurity requirements built into them are causing this disclosure obligation to come up in different ways. So there are disclosure obligations that are present in almost all public sector contracts. These are built into the regulations that are in existence for federal contracts, so in the federal acquisition regulations, specifically in the suspension and debarment portion of those regulations, and also built into some of the contract provisions that are required to be put into certain contracts under those regulations as well. There are also more specific requirements that are built into the defense supplement to the federal acquisition regulations as well. And we'll talk about that a little bit later. And it's important to say that, again, these are present in almost every federal contract out there, but you can also find them in state and local contracts as well.
And, Grayson, how are these disclosure requirements different from breach notification requirements?
Sure. It's an excellent question and something that isn't always apparent at first because these disclosure obligations can actually come up, even if there is no breach. So that's an important distinction to understand at first. But basically, what the situation is is that the mandatory disclosure reporting obligation under federal contracting arises when there is credible evidence of certain types of activities that are spelled out in the regulations or the contract. Most times these will point to either credible evidence of criminal fraud or specific types of criminal fraud or civil False Claims Act liability. It also can arise in certain situations if there are significant overpayments under these particular contracts. But if there's a situation where there is non-compliance with a material provision of one of these public sector contracts, that's when you need to look at, is there additional evidence there that could support a finding of either criminal fraud or the civil FCA?
Now, we're seeing this come up a lot these days in connection with security provisions of contracts. And this is especially true when some of these contracts reference other certifications, such as specific certifications that relate to cybersecurity requirements. Now, it's also important to mention that on the flip side, that when a company is looking at this particular issue and they're assessing whether they have a disclosure obligation or not, that they're able to look at the entire legal situation and all of the relevant facts. So they are entitled to look at whether there are any particular defenses that are available or other analysis in determining whether there's credible evidence that would require an obligation. So, as a result, if there are situations like mistakes or negligence or activity that wouldn't rise to the level of, say, a post-Escobar FCA-type of claim, that company may not find itself in a disclosure obligation, but that analysis needs to be done.
But with the DFARS flavor of this, and that's the defense supplement that I referenced just a second ago, there are really two ways you could have a disclosure arise. And one of them's obvious. Everybody's pretty familiar with the 72-hour rapid reporting requirement that is actually built into the 7012 DFARS provision that goes into contracts. The other half of that clause, which is also baked into the contracts, requires that a company put in place adequate safeguards for their cybersecurity measures and protecting any covered defense information they may have on their systems. So you could find yourself, and this is not that farfetched of a situation, where a company or an entity may be in a situation where it's made representations that it's meeting these adequate safeguards, but that it doesn't have these measures in place. Even if there's not a breach, that could still be a disclosure obligation in that situation.
Yeah. Interesting, interesting, and particularly challenging, given the dynamic and evolving nature of IT security environments and cyber threats. This is not a static space in which these assessments need to be made. Let me just take you back before we move on too quickly. Just tell us a little bit about the Escobar decision and how it's pertinent here.
Sure. And actually, it ties in very well to the comment that you just made, because Escobar is a decision that came out not too long ago from the Supreme Court that analyzes False Claims Act exposure and what needs to be shown for there to be False Claims Act liability. And in the context of the ever-changing world of cybersecurity, as you just mentioned, this decision actually takes on a very important role. In the Escobar decision, it applied the false certification concept with the FCA, but it identified that there needs to be a high showing of materiality and knowledge, or scienter, under the False Claims Act in order for there to be liability under the FCA.
And why this is really important, in this mandatory disclosure scenario, is that these are legal interpretations, analyses, and defenses that a company, a party, should look at when it's making its decision as to whether there is a disclosure obligation or not. So, in other words, you may have facts in front of you that show, oh, maybe a company wasn't in strict compliance with this one provision. And that could be a very serious situation, but if you look at it and you're able to look at the different provisions of whether this would rise to the level of materiality and knowledge under Escobar and the precedent for False Claims Act analysis, it could lead to very different results, depending on the factual circumstances that are actually applicable in the specific situation.
Yeah. Well, then that takes me to wondering... And, Jamila, if I may, I'll direct this to you. I'm wondering about the consequences of these disclosures and, on a practical level, how general counsels, how CISOs should go about thinking about the pros and cons of making a disclosure, given the ambiguities that you just talked about. Jamila, do you have any thoughts there?
Yeah, it's a really interesting point that you've raised, Jeff. And I think one of the issues, coming from looking at both parallel civil and criminal FCA matters and perspectives, is the issue of the lack of disclosure. So we've been talking about what triggers disclosure, but one of the preeminent ways to find yourself in hot water, under the FCA, is by failing to disclose. And so it's not just whether you've disclosed and whether you've disclosed sufficiently; it's failing to disclose in such a way that the government does not know that their data, and the data of potentially many citizens and others, is subject to some sort of threat. And that's where we see the discussion and the debate about the sufficiency of a disclosure and whether one is made. So, for example, when we talk about a post-Escobar analysis, one of the things that we look at in the cybersecurity realm is whether we're talking about a deficiency in a security protocol that doesn't really have a material effect on the contractor's ability to carry out their duties and, perhaps, even in some cases, the government is aware of this deficiency through a certification audit or the like and continues forward, continues to pay on the contract. Given the cases that we've seen post-Escobar, we can say that not disclosing that or formalizing that is likely not to rise to the level of materiality in an FCA analysis.
Now, on the other hand, even in the last couple of years, there have been more cybersecurity breaches than there have been disclosures made to the government. And that brings up this gray area that you've referenced about when a company needs to disclose. And recall that Grayson had mentioned that there are considerations that can be taken into account as to whether there was a mistake, negligence, and materiality, and the like, but if it does come to the fact that there has been a known breach, even if there isn't a loss of data, that's an area where we see several missteps: if there's a breach, but sensitive information has not been lost, that still might be material enough for the government to say, "That would change our decision as to whether we would've paid you on this contract or continued to contract with you, because what you're doing involves the handling of sensitive information."
And if that is, in fact, material for the government, then we're looking at the substantial penalties and fines and treble damages that the statute calls for. And let's just think, for example, of the Department of Defense and how significant, in dollar numbers, those contracts are. When you start to think of the potential penalties that could come from the failure to disclose a breach, even if there isn't sensitive data that's been lost, these are things that could be crippling for a contractor. And then there are subsequent investigations that could come, whether the decision to not disclose was a criminal one and not just a civil one, which could trigger inspector general investigations and the Department of Justice also looking at that, and whether these disclosures were made in the financial disclosures of a company, such that the SEC might become interested.
And then, of course, there is the ultimate penalty, which is either suspension or debarment, which comes into play when you have a knowing decision to not disclose a material breach in the cybersecurity realm under these contracts. One of the things that Escobar does, and Grayson did a great job of giving us an overview of that, is it looks at the difference between implied certifications... So every government contract has so many certifications that are included that the idea that if one of those is not accurate, you have an inherently false claim that you've submitted to the government, the Supreme Court said, "That's too far. We're not going to go there, but where we are going to go is to the area where it would change the action of the government, their decision to pay, their decision to continue forward in the contract."
And because, right now, the government is contracting with private parties and having them handle significant sensitive information, there is a very high risk that these types of breaches could be deemed material. Jeff and I, being former prosecutors, I'm sure, Jeff, you're still getting free credit monitoring from the OPM breach that happened 15 some odd years ago. Imagine if that were to happen now, and you've seen breaches of that level of significance. Imagine if there was a failure to disclose. And I think Grayson's going to talk about some of the Biden administration's efforts to reduce the window even, in terms of notification, that I think will have implications for many of our clients and other contractors out there. So I'll turn it back to you all.
Yeah, no, thank you, Jamila. Let me put you both on the hot seat for a moment though. Based on what you've said, it's clear that businesses are between a rock and a hard place in the sense that if they disclose, then they face potential corrective actions or even termination. If they don't disclose, then as you just went through, Jamila, they potentially face 20/20 hindsight and really severe scrutiny for potentially failing to disclose. Given that cybersecurity is not a perfect science and almost all businesses will struggle at times to comply 100% with industry standards, which are themselves somewhat ambiguous, do you have a philosophy, one way or another, with respect to better to err on the side of caution and disclose, better to be maybe a little bit more rigorous about the disclosure analysis, or, I'll give you an out, do you really think it's a case by case assessment?
I'll jump in there first. I'll jump in and take the easy way out first, because I think it really, really does depend on the different circumstances, but there are some guiding principles to look at to help you navigate the different circumstances. And there are certainly some situations where disclosure makes a heck of a lot more sense than others. I think at the top of the list is probably sensitivity of the data at issue. And what is it that you've got? What is it that you're handling? What is the potential danger that's present out there? Because there's a lot that could be at play with these particular cybersecurity breaches, incidents, and lack of safeguards. And that "above all, do no harm" principle should always come first.
But once you step beyond that, what I have seen as a guiding principle here... And let's just take as a given that the reason why you would make a disclosure, in addition to it being legally required and avoiding an additional substantive violation, is to get a better result with the government, so to cap your exposure, cap the penalties, cap the negative consequences. So let's just take that for a given. What I see that really guides whether a company would want to go in there and talk with the government and make this disclosure really oftentimes turns on what the company had going on internally. Are there internal documents that show that the company was aware of these activities, was aware of these weaknesses while it was entering into these contracts, while it was making these representations? Were there conversations with internal audit? Were there conversations with the audit team that was presenting information to third-party certification agencies or assessors or auditors? Were there problems in the audit process? Because if you find yourself in that situation, you're really jumping over some of the elements and requirements that are there for the False Claims Act and even some of the criminal statutes we've been talking about. And that, to me, presents more of a compelling situation, where you should probably be leaning towards disclosure. Let me know if Jamila has a different take on it, but that's my take on it.
Yeah. Yeah, no, that's helpful.
So I absolutely agree, Grayson, and it's very rare that I don't agree with you, but I have a different take as well. And this comes from the experience that I'm seeing right now in the field with some of our clients. I like to err on the side of disclosure after the considerations that you've mentioned, but in considering one additional element, the potential risk of a whistleblower. Right now, because cybersecurity is a hot-button item, whistleblower counsel is out there making themselves known to IT professionals, and the like, in various industries such that we're talking about a 15 to 30% potential recovery based on the significant fines and penalties that I mentioned earlier.
And when there is a whistleblower threat, if you look at the FCA cases that are most related to cybersecurity breaches, most of them are qui tam actions that are brought by whistleblowers. And given the cost of the investigation and defense and going through the government rigmarole once it is a qui tam action, I have to say that if we're going to have one thing that takes us over the top to the disclose category, it's going to be the whistleblower risk. I think, Grayson, what you plan to discuss on the Biden administration's most recent efforts is also going to be helpful, because there are some protections that are built in for those companies that choose to self-report and do what is called upon to make these disclosures, so that there is some incentive to coming forward and not waiting for a third party to raise this and file suit on behalf of the government.
Yeah. I want to get to the executive order in a minute, but Jamila, you mentioned qui tam actions. And I too have noticed, with interest, an uptick in essentially CISOs becoming whistleblowers on cybersecurity issues. Are there any notable False Claims Act decisions out there that we can glean some knowledge from or that are worth discussing?
Well, without getting into the specific cases... Some of them do involve our firm and our clients. We see that they're coming down in that Escobar split, where you do see qui tam actions that are being filed based on an implied certification theory where, perhaps, there's something that's not compliant. And because the government is moving towards even some third-party certification audits on certain security protocols, you'll sometimes see a disconnect between what a contractor provides as the rundown of their security protocols and what the later third-party certification audit report says. And so there have been cases where, for example, an IT professional said, "That initial report, in and of itself, was a false claim because the third-party certification auditor came back and said that all the requirements were not met, even if it wouldn't otherwise have been material to the government." And the courts have been pretty discerning on that and gone to the rigorous materiality standard that the Supreme Court laid out in Escobar. But again, Jeff, just like you're seeing in your practice, sometimes the cost of getting to that point is so substantial that you want to find ways to cut it off at the pass before you even get into the considerations as to how a court's going to consider it.
Right. Right. Certainly, we're seeing qui tam actions brought by relators, whistleblowers, survive motions to dismiss, and that's quite telling. Grayson, why don't we turn it to you now to talk about the new executive order and how it may be relevant to future FCA cases?
I'll talk about the executive order and then maybe we can hit some pending legislation as well that has been recently introduced. This is obviously a fast-moving area, so there's a lot going on in the government in trying to resolve this. The forefront of everybody's mind is there's a May 12th, 2021 executive order that the Biden administration issued that really lays out a framework for how the US government is going to strengthen its ability to respond to cyber attacks and start to change the structure of the US government and how it is going to respond to these contracts. The focus of this executive order is really on the civilian contracting area. And that's partly because the DoD already is a few steps ahead, as I mentioned earlier, in how they particularly handle these types of issues.
Relevant to today's discussion, there are really two main issues that are brought up in this new executive order. And the first one is that it calls for a mandatory reporting obligation for cyber incidents in what are called information and communication technology contractors. So ICT contractors, and sometimes you'll hear ICTS, adding "systems" to the end of that. But these would involve contracts that relate to hardware, software, and cloud computing services that are primarily intended to fulfill or enable the function of information or data storage, processing, retrieval, communications, digital communications, or display. So that type of contract is really getting at the primary focus right now. The executive order itself doesn't provide the details of when a disclosure needs to be made or how it needs to be made, but we are expecting proposed language to come out and go through the federal procurement process around October of this year.
The second major one is that the executive order is calling for changes in government contracting language that will affect what contractors have to implement for cybersecurity and how they must share this data with government customers. They've divided this up into two main areas. The first is that the executive order has prioritized information technology and operational technology contracts. And for these types of contracts, this order is calling for establishing a requirement of a framework where these contractors have to collect and preserve data relevant to cybersecurity and cybersecurity events. And they're really focusing on event prevention, detection, response, and investigation, and on putting in specific requirements about how these contractors must share this data with the government customers and with other agencies involved in cybersecurity, especially DHS.
Similar to above, we're expecting some language on this in October of this year as well. And then it's also calling for a general change to the language that's going to be in all government contracts. So right now, there's a huge difference between what language goes into regular contracts, regular civilian contracts, and then what goes into the DoD contracts. This executive order calls for new language to be introduced into civilian contracts that will be, I anticipate, much more stringent than what is currently required. This should be coming out pretty soon. We're expecting to see some language and some movement here in September of this year. So I don't know if you want to talk about the legislation next.
Yeah. No, we should. I will just note, parenthetically, that I will be particularly interested in how, ultimately, incident is defined in connection with that executive order. And it is interesting to note that that executive order came out just days after the Colonial Pipeline ransomware attack. I'm sure it was long in the making, but it's clear, just simply from the preface of the executive order itself, that the United States government is starting to not just recognize but publicly message an awareness of, as it says, the persistent and increasingly sophisticated, malicious cyber campaigns that are targeting America's public and private sectors.
Yeah. No, I completely agree with you. And I think it has been accelerated. I think this has been planned for a while, but there's no doubt, with the waves of attacks that we've been seeing, it has been accelerated. And it's really interesting, the point you bring up about cyber incident, because I think it's fair to look at how the DoD has done this; it's often a precursor for how the civilian agencies follow. And the definition of cyber incident there, for the DoD, is very different from what you see in a lot of commercial cyberattack instances. And this is because the DoD definition does not require confidential data to be accessed or taken. Rather, it has a very broad standard that calls into question whether there may have been an adverse effect on the information system in which the data resides, whether or not it actually touched the data. So that's something, I think, to watch, but this legislation, I think, is also a... And there are several pieces of legislation.
There's one, in particular, that was just introduced in July this year that is bipartisan legislation that has support on both sides. And I think it's definitely in response to a lot of the attacks that we've been seeing here lately. But it would require, at the minimum, federal agencies and contractors and owners and operators of critical infrastructure, even if they're not government contractors, to report potential cybersecurity intrusions to the DHS CISA within a 24-hour period of confirmation of an intrusion. Again, like the executive order, it doesn't spell out all the details, but it falls on DHS, in this particular instance, to come up... And DHS has already done this with several of the pipeline situations that we've seen, but for DHS to come up with language about when a notification must be required, what has to be shared, and what is the definition of critical infrastructure.
And to hit on a point that Jamila made earlier today, in both the executive order and motion, and frankly, how we've seen the DoD play out, there are efforts to try and ensure that the information that is disclosed to the government, in these instances, is somewhat cordoned off so that it isn't automatically made available to whistleblowers or even to other enforcement agencies. And that's to try and prevent a chilling effect in this particular situation. As we always see in these situations, it certainly doesn't prevent government agencies from talking to each other and discussing different situations, but it will at least offer some protection. At least, they indicate they will offer some protection for the actual data that is disclosed.
Yeah. Interesting. Interesting. Well, so just to wrap this up, let me ask you both just a forward-looking question. What are your thoughts about what contractors need to do to look around the corner on the issues we've been talking about today?
One of the things that is really important, and I'm seeing be the differentiating factor when these issues arise, and because we know that, unfortunately, it's not an if, it's a when, is the tone that the companies have taken in advance, in terms of compliance, transparency, and robust security protocols. It's not a foolproof system. These things will happen. Things will go wrong. But companies that are responsive and reactive and have already been promoting a culture of making sure that they're taking all appropriate steps to protect data put themselves in a far better position should something go wrong than companies that perhaps take a more laissez-faire approach like, "Well, we've done just enough." The bare minimum, I think, in this circumstance, is not enough. And we see the government, and also the courts, looking at the levels of diligence that companies are using in terms of whether they are ascribing corporate criminal penalties, as opposed to civil fines. And that's also going to be the differentiating factor when we're looking at potential suspension and debarment for a significant breach or violation. So it's really important that companies start looking inside themselves and figuring out what is it that we stand for on this issue, and what are the things we're going to do before something goes wrong so that we can react and respond appropriately and responsibly?
Yeah. And I'd add to that just, really, two main points. And the first one is these laws requiring almost these certifications upfront, in some instances, and this information reporting as well on the backend, it makes it much easier to bring enforcement actions in these particular situations. So companies really need to pay attention to what is coming across their screens internally. If they have an internal group that is raising a red flag, they need to take it seriously because that's a lot of stuff that's going to be used if they don't take it seriously. And they need to pay attention to what's coming through in these contracts, and I know there's a lot of language that goes in these public sector contracts, but take a fresh look at the new language that's coming out about cybersecurity and make sure that the company is in compliance with that.
And the second point that I want to just leave everybody with is that a lot of these are still in process right now. And it's really important for industry to be involved and to reach out and to talk to the government to make sure that the government knows their concerns and reacts to them. A perfect example of this recently was the floated proposal that the Biden administration was going to outlaw all ransomware payments out there, but the industry spoke up at that possibility and said, "That would not be necessarily a great idea because it's going to drive this whole process and this whole industry underground. And companies who are put between an awful rock and a hard place are going to just make these payments and then just not tell the government about it. And it's going to make it harder for the government to stop these things from happening." And the administration listened and backed off that proposal. But that's a good example of how the companies that are in the know, that are out there in the trenches, fighting the fight, need to make sure they work with the government on these proposals and make sure their priorities are being heard there.
Yeah. Yep. That totally makes sense. The business community is sometimes in the best position to know the practical realities and the real-life challenges of complying with and living up to the applicable standards and regulations, again, in a real-world situation. Grayson, Jamila, thank you so much for today's discussion. There's so much to talk about here, and we could go on for much longer, but I think we've covered the critical issues. And again, thank you to you both. I look forward to having you back later on to discuss other cybersecurity-related issues in future iterations of this podcast series. So thanks again to you both.
Jeff, Jamila, Grayson, thanks. That was thorough, insightful, and very interesting. I'm sure you'll be back on Jones Day Talks soon with updates and new information. You can find complete biographies for Jamila and Grayson and Jeff at JonesDay.com. And while you're there, visit our insights page, where you'll find more podcasts, videos, newsletters, publications, blogs, and other interesting content. Subscribe to Jones Day Talks on Apple Podcasts and wherever else you find your quality podcasts. Jones Day Talks is produced by Tom Candales. As always, we appreciate your listening. I'm Dave Dalton. We'll talk to you next time.
Thank you for listening to Jones Day Talks. Comments heard on Jones Day Talks should not be construed as legal advice regarding any specific facts or circumstances. The opinions expressed on Jones Day Talks are those of lawyers appearing on the program and do not necessarily reflect those of the firm. For more information, please visit JonesDay.com.