Truth or Cyber-Consequences: Government Contractor Suspended After Suffering Cyberattack and Data Breach
V&E Government Contracts Update, July 10, 2019
Government contractors that expose government information to cyberattacks may face suspension from doing business with the Federal Government. Perceptics, LLC suffered a highly publicized cyberattack that was revealed in June 2019, and the decision of U.S. Customs and Border Protection (“CBP”) to suspend the company demonstrates the severe consequences that government contractors face if they fail to protect against cyberattacks or to comply with contractual cybersecurity obligations.
Perceptics, a Tennessee-based technology company, has long produced and provided license-plate scanners and other surveillance equipment to the Federal Government for use along the U.S. border. At some point during performance of its contract, Perceptics transferred images of travelers’ license plates and faces to its own network. The company subsequently suffered a cyberattack at the hands of an unknown hacker. The cyberattack resulted in a data breach of the images of travelers’ license plates and faces, along with information pertaining to the surveillance equipment and copies of contracting documents. The surveillance equipment information and contracting documents later became available for download on the internet. In a June 2019 statement, CBP stated that it had notified Congress once it became aware of the cyberattack and subsequent data breach and was working with law enforcement and other experts to address the breach. At the time of its statement, CBP had removed the equipment associated with the breach from service but was still working with Perceptics.
After further investigation of the incident, on July 2, 2019, CBP suspended Perceptics from doing business with the Federal Government. In its announcement, CBP vaguely cited “evidence of conduct indicating a lack of business honesty or integrity.” Though the CBP announcement did not make it explicit, it is all but certain that the cyberattack prompted the suspension. After all, when it announced the cyberattack in June, CBP stated that the company’s transfer of images to its own network was in violation of CBP policies and without CBP’s authorization or knowledge, and that the company had violated mandatory security and privacy protocols outlined in its contract.
What it Means for You
The Government’s suspension of Perceptics should serve as a reminder to contractors to closely and routinely examine their cybersecurity practices to ensure compliance not only with the terms of their contracts but also with any policies of the contracting agencies. An enhanced commitment to compliance serves at least two purposes. First, strong cybersecurity practices can ward off hackers and prevent damaging cyberattacks. Second, in the event that existing cybersecurity practices fail and a breach of sensitive government information occurs, the Federal Government will closely examine the contractor’s cybersecurity practices. A contractor will be best served if it can demonstrate strict adherence to all Federal Government cybersecurity requirements.
Otherwise, the Federal Government can be unforgiving if a contractor is noncompliant with cybersecurity requirements. Like with Perceptics, the Federal Government could suspend the contractor from contracting opportunities, which could lead to the more serious sanction of debarment, which can last three years or more. Noncompliance could also support a False Claims Act lawsuit if the contractor is determined to have falsely certified compliance with applicable cybersecurity requirements. (Vinson & Elkins attorneys have recently written about a developing case on this topic.)
The Federal Government is increasingly serious about cybersecurity, thereby making cybersecurity compliance a more prominent concern for both contracting officers and contractors. This is particularly true for the Department of Defense (“DoD”), which has announced that it will develop new cybersecurity standards called the Cybersecurity Maturity Model Certification (“CMMC”) for implementation by 2020. DoD has also stated that it will treat cybersecurity as an allowable cost. As a result, contractors will be hard pressed to find a valid excuse for not maintaining compliant cybersecurity practices.
CBP’s suspension of Perceptics is one of many recent developments in the Federal Government’s response to the increasingly relevant issue of cybersecurity in government contracting. Vinson & Elkins continues to closely monitor this dynamic area.
Visit our website to learn more about V&E’s Government Contracts practice. For more information, please contact Vinson & Elkins lawyers Jamie Tabb, Elizabeth Krabill McIntyre, or John Satira.