As we previously wrote on the blog, the Department of Justice has recently expanded its enforcement of the False Claims Act, 31 U.S.C. § 3730, into the arena of data security requirements in contracts with the federal government. The Act permits both the government and whistleblowers (called relators) to bring suit against companies that knowingly defraud the government by making false claims in connection with the contract. Because a company must know that it has made false claims to be liable under the Act (a standard known as scienter), ambiguous data security requirements may be less likely to result in liability under the Act. That is, how can a government contractor know, for example, that it has falsely affirmed compliance with a government cybersecurity contractual provision or regulation if it is vague or ambiguous?
On June 1, 2023, the U.S. Supreme Court issued its much-anticipated decision in United States ex rel. Schutte v. SuperValu Inc., 143 S. Ct. 1391, 1393 (2023), a case addressing the meaning of scienter under the Act in the context of ambiguous regulations. In short, the Supreme Court unanimously concluded that a company that subjectively believes that it is defrauding the government can be liable under the Act, even if the regulation upon which the fraud is premised is objectively ambiguous. See id. at 1404. In other words, an after-the-fact claim that a regulation is ambiguous cannot convert claims believed to be false (and therefore actionable) into...
A deadline buried in a March 26 executive order, which aims to curb federal contractors' purported discrimination related to diversity, equity and inclusion practices, is drawing attention from fed...