Focus on Regulation

McDowell v. CGI Federal Inc.: A Stark Reminder to Government Contractors of their Cybersecurity Obligations

On June 1, 2017, the United States District Court for the District of Columbia issued a decision in a class action lawsuit, McDowell v. CGI Federal Inc., Civ. Action No. 15-1157 (GK) (D.D.C. 2017)[1], which could have significant repercussions for government contractors operating information systems that house government information.  The case arose after employees of CGI Federal Inc. (“CGI”) allegedly stole personally identifiable information (“PII”) CGI obtained pursuant to a contract with the U.S. Department of State.  Under this contract, CGI processed passport applications, which contained a significant amount of PII.  The plaintiffs allege that, as part of its activities under the contract, CGI processed information on CGI-owned systems and assisted with maintaining Department of State systems.  According to the filings, the contract provided that all information submitted through passport applications was U.S. Government property and required CGI to safeguard all such information.

In the complaint, the plaintiffs alleged (1) violations of the District of Columbia Consumer Protection Procedures Act; (2) negligence; (3) breach of contract, including a third-party beneficiary claim; (4) breach of bailment; and (5) unjust enrichment.  CGI filed a motion to dismiss each of the claims.  The court granted CGI’s motion to dismiss each ground except the third-party beneficiary breach of contract theory.  The plaintiffs claimed that because the information was PII, CGI was charged with securing it for their benefit.

Although decided on a motion to dismiss rather than on the merits, this decision should serve as a reminder to all government contractors of their cybersecurity obligations.  The Federal Information Security Management Act (“FISMA”) of 2002, 44 U.S.C. § 3541 et seq., as amended by FISMA 2014, and OMB Circular A-130 require agencies to create and implement agency-wide information security programs and have served as the statutory authority and catalyst for many information security requirements facing government contractors.  Although FISMA technically applies only where a contractor operates a system on behalf of an agency, internal contractor systems that process government data in performance of a contract can still be subject to various requirements as implemented by the Federal Acquisition Regulation (“FAR”) and applicable FAR supplements, such as the Defense FAR Supplement (“DFARS”).  For example, FAR 52.204-21 establishes a baseline of information security requirements that contractors must follow when operating contractor information systems that process, store, or transmit non-public information that the U.S. Government provides to a contractor pursuant to a contract.  DFARS 252.204-7012 applies to contracts with the Department of Defense (“DoD”) and requires contractors to protect “covered defense information” and establishes cyber incident reporting requirements.  DFARS 252.239-7010 imposes various information security requirements on cloud service providers.  Some of these clauses require contractors to comply with Federal Information Processing Standards and National Institute of Standards and Technology (“NIST”) special publications (“SPs”), including NIST SP 800-171, Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations.

A new FAR case, Case No. 2017-013, is particularly relevant to government contractors, such as CGI, that process PII.  The FAR Council is considering issuing a proposed rule to implement OMB Memorandum M-17-12, which establishes federal policies for responding to breaches that compromise PII.  The goal of this FAR Case is to create contract clauses that will apply where “a contractor has access to, creates, collects, or maintains [PII] on behalf of the agency or operates an information system on behalf of the agency that may have [PII] residing in or transiting through the information system.”  A Notice of Proposed Rulemaking is expected in December 2017.

While McDowell is a significant case, contractors should not interpret this decision as establishing a rule that contractors are liable to the public for failing to comply with information security requirements.  First, it is important to remember that this decision was issued on a motion to dismiss and is not a decision on the merits.  Consequently, it has no precedential effect.  Second, as the court correctly noted, members of the public are generally considered to be only “incidental beneficiaries” who “have no right to sue for breach of contract.”  McDowell at 13; see also Orff v. United States, 358 F.3d 1137, 1145 (9th Cir. 2004) (“Parties that benefit from a government contract are generally assumed to be incidental beneficiaries” and thus “may not enforce the contract absent a clear intent to the contrary.”) (emphasis added).  However, this decision may, at a minimum, embolden prospective plaintiffs to litigate these issues.  As a result, it is important that contractors ensure they are complying with their cybersecurity obligations.

[1] The parties settled the case, and the plaintiffs stipulated to dismissal of all claims on September 20, 2017.  The terms of the settlement are presumably confidential and thus unknown.