The Federal Circuit recently clarified when a CDA claim for payment of money accrues for purposes of determining whether the CDA’s 6-year statute of limitations has run. In Kellogg Brown & Root Servs., Inc. v. Murphy, KBR filed the claim with the Army on May 2, 2012 for work done by its subcontractor in Iraq; thus, the critical date of accrual for limitations purposes was May 2, 2006. The ASBCA dismissed the claim, holding that the claim had accrued prior to May 2, 2006 and, thus, the limitations period had run prior to the filing of the claim. The Federal Circuit reversed and remanded for determination of the merits of the claim. Continue Reading
Today, in Universal Health Services v United States ex rel. Escobar, the Supreme Court resolved a circuit split on a question of great importance for government contractors: whether a claim presented to the United States for payment can be false or fraudulent for purposes of the False Claims Act (“FCA”) under the so-called “implied certification” theory. The Court answered in the affirmative, unanimously holding that “the implied false certification theory can, at least in some circumstances, provide a basis for liability.” The Court sought to allay any “concerns about fair notice and open-ended liability” by emphasizing the strict application of the FCA’s materiality and scienter requirements, clarifying the meaning of these requirements, and rejecting the Government and Second Circuit’s interpretation of implied certification as “extraordinarily expansive.” It remains to be seen whether the Court’s descriptions of the manner in which the FCA’s materiality and scienter requirements should be “rigorous[ly]” applied will provide meaningful protections to government contractors, including healthcare and other companies participating in various government programs, that face potential FCA liability based on implied certification theories of liability. Continue Reading
The Second Circuit recently added to case law addressing the issue of whether a relator’s release of False Claims Act (FCA) claims prior to the relator’s qui tam action is enforceable. United States ex rel. Ladas v. Exelis, Inc. The circuit reversed the district court’s holding that the release was enforceable, disagreeing with the court’s conclusion that the Government had sufficient knowledge of the allegations of fraud prior to the release. The circuit, however, affirmed the Court’s dismissal of the amended complaint because the plaintiff did not plead fraud with sufficient particularity, and the district court did not abuse its discretion in denying leave to amend. Continue Reading
On May 31, 2016, the Supreme Court granted certiorari in State Farm Fire & Casualty Co. v. United States ex rel. Rigsby, No. 15-513. At issue is an important question for the government contract community: “What standard governs the decision whether to dismiss a relator’s claim for violation of the FCA’s seal requirement, 31 U.S.C. § 3730(b)(2)?” Continue Reading
In the February 8, 2016 Federal Register, DoD published an Advanced Notice of Proposed Rulemaking (“ANPR”) indicating that DoD is considering a proposed approach requiring offerors to describe in detail the nature and value of prospective independent research & development (“IR&D”) projects on which the offeror would rely to perform the resultant contract; DoD would then evaluate proposals in a manner that would take into account that reliance by adjusting the total evaluated price to the Government, for evaluation purposes, to include the value of related future IR&D projects. DoD held a public meeting on March 3, 2016 to discuss the ANPR, and several attendees raised numerous issues and concerns with the ANPR. Comments on the ANPR are due April 8, 2016. This article summarizes some of the more important issues and concerns expressed.
The civil False Claims Act’s (FCA) public disclosure bar prohibits FCA suits based on allegations that have been disclosed publicly through certain enumerated sources, unless the relator meets the FCA’s definition of “original source.” Congress amended the bar in 2010, including replacing the phrase “no court shall have jurisdiction” with the phrase “[t]he court shall dismiss.”
Two recent Circuit Court decisions, issued within days of each other, have focused and elaborated on the public disclosure bar. Continue Reading
In United States ex rel. Beuchamp v. Academi Training, the Fourth Circuit recently reversed the dismissal of a False Claims Act (FCA), explaining that the trial court had misapplied the public-disclosure bar when it dismissed the relators’ claims. The appellate court’s opinion explains recent (2010) statutory amendments, the manner in which an important pre-amendment Supreme Court precedent applies, and the proper application of the public-disclosure bar to the facts at issue. In short, when analyzing the timing of the public disclosure that purportedly bars FCA allegations, courts must focus on the pleading in which the relator(s) first alleged the relevant fraud—not on the most recent amendment to the complaint.
Back in August 2015, DoD issued an interim rule, which was effective immediately (and was previously discussed on this blog), imposing substantial new requirements on government contractors with respect to reporting information system network penetrations—and providing new cloud computing requirements. Six weeks later, DoD issued a class deviation giving contractors more time to comply with one of the technical requirements being applied by the new DFARS clauses included with the new rule. Last week, DoD again revised the rule to give contractors more time to comply with many of the new technical standards. Specifically, the revised DFARS provision makes clear that contractors have until December 31, 2017 to comply with the technical standards set forth in National Institute of Standards and Technology (NIST) Special Publication 800-171.
NIST 800-171 describes a series of procedures for “Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations.” These NIST requirements cover a wide array of security issues applicable to contractors’ information systems and are intended to ensure the security of government information that is provided to contractors so that the companies can provide goods and services to DoD.
Initially, DoD made the NIST 800-171 requirements immediately applicable to the large number of businesses that either have a “covered contractor information system” or have “covered defense information transiting their information systems” as part of their contract performance. DoD’s class deviation in October relaxed the standard slightly by amending the DFARS clauses to allow contractors up to nine months (from the date of a new contract award) to comply with section 3.5.3 of NIST 800-171. That section mandates “multifactor authentication for local and network access to privileged accounts and for network access to non-privileged accounts.” (Multifactor authentication requires two or more types of information, e.g., a password and a cryptographic device such as a token, to gain access to the government information.)
Many contractors were unhappy with the unrealistic implementation schedule imposed by the initial (and revised) DFARS provision, and they made their concerns clear to DoD in comments and during a December 14 meeting conducted by the Department to obtain additional feedback. Contractors expressed the need for additional time to analyze the scope of changes that were necessary for their systems—and to implement those changes.
To its credit, DoD modified the DFARS clauses to “provide offerors [contractors] additional time to implement the security requirements specified by NIST 800-171.” Each contractors will now be required to agree, by submitting an offer for a DoD procurement in which DoD information will be provided to contractors, that all of the contractor’s systems will be compliant with NIST 800-171 “not later than December 31, 2017.” Notably, the same requirements must be flowed down in all “subcontracts, or similar contractual instruments, for services that include support for” the goods or services being provided under a contract to which the DFARS clauses apply.
Although the additional time to achieve compliance with NIST 800-171’s requirements is helpful, the new DFARS clauses also impose an additional requirement that must be understood by contractors. “The second interim rule requires contractors, within 30 days of contract award, to notify the DoD Chief Information Officer of any NIST SP 800-171 security requirements that are not implemented at the time of contract award.” Accordingly, contractors will need to track where they are on the path to compliance with 800-171’s requirements so that accurate reports identifying gaps can be provided to the DoD each time contract performance begins under a new award.
The September 9, 2015 memorandum issued by Deputy Attorney General Yates makes clear that the Government intends to focus its investigative spotlight on possible False Claims Act violations by individuals, in addition to companies. “One of the most effective ways to combat corporate misconduct is by seeking accountability from the individuals who perpetrated the wrongdoing.” As the leverage for this new focus, corporations are advised that to be eligible for “any” cooperation credit, they must provide “all relevant facts” about individuals involved in the misconduct. As Ms. Yates said in her public remarks the day after the memo was released: “It’s all or nothing.”
The Yates Memo raises important questions concerning how the new approach will affect Government contractors’ actions under the Mandatory Disclosure Rule. Does DOJ’s focus on individuals mean that the practices and procedures companies have developed for compliance with the Mandatory Disclosure Rule must change? To what extent should individuals be the focus of internal investigations and disclosures in order for a contractor’s disclosure to be acceptable? Continue Reading
A few days ago, on August 26, DoD issued new interim rules amending the Defense Federal Acquisition Regulations (DFARS) with respect to “network penetration reporting and contracting for cloud services.” The new rules, which are now effective, revise several broadly applicable definitions applicable to numerous parts of the DFARS, expand the incident reporting requirements applicable to contractors, and impose security requirements applicable to cloud computing. DoD contractors need to understand these important new rules, which are summarized here, so that they can perform necessary compliance planning and make any necessary disclosures. Continue Reading