McDowell v. CGI Federal, Inc. – A Lesson for Government Contractors
As government contractors, it is imperative to handle protected health information and personal identifiable information because cyber threats are constantly increasing!
Things just got a whole lot trickier for companies that handle Protected Health Information and Personal Identifiable Information (PII). Over the last 18 months, the Government has been cracking down and handing out stiff fines for those who breach government protocols, but a recent court decision solidified the severity of things.
According to the court ruling, if there’s a data breach, not only does your company stand to see a fine from the Government, but now individuals whom the information concerns can also sue. Individuals can sue if it is determined that the contracting parties intended that the contract would benefit the plaintiff or an identifiable class to which the plaintiff belongs.
The decision was handed down by the District Court of Washington D.C., as a consequence of the ongoing McDowell v. CGI Federal, Inc. case. The class action lawsuit claimed that CGI Federal, Inc., failed to secure the personal information of members of the public that it received, as part of its contract to process passport applications for the State Department.
The DC District Court’s decision allowed the plaintiff to continue suing on the theory that she and others in the class were third party beneficiaries of the contract between the contractor and the State Department, because the contract required CGI Federal, Inc. to take certain data security measures for the protection of personal information it received from members of the public.
Of particular interest, the District Court held that the plaintiff's allegations for the government contract required CGI Federal, Inc. to do two things:
- To protect the personal information it received; and
- To do so for the benefit of an identifiable class of individuals and passport applicants, to which she belongs.
These two allegations made it plausible that the plaintiff was a third-party beneficiary of the contract, allowing the case to continue. Even given both of these conditions, the bar is still relatively high for contractors to be held responsible for third-party breaches. Based on prior case law with similar circumstances, contractors should not conclude that the fact that their government contract requires them to handle PII with reasonable safeguards automatically, or even necessarily confers third-party beneficiary status on individuals whose personal information is released.
There are marked difficulties involved with proving that one is an intended third-party beneficiary, especially when the government is a party to the contract. Having said that, it does open the door to a whole raft of potential litigation, which certainly complicates matters, no matter how the case is ultimately decided.
The Supreme Court has ruled that where a government contract simply incorporate(s) statutory obligations and record(s) the (contractor's) agreement to abide by them, then the plaintiff cannot be a third-party beneficiary. During the Astra USA, Inc. v. Santa Clara County, Cal., 563 U.S. 110, 118 (2011).
Since the McDowell v. CGI Federal, Inc. case can determine if data security obligations result in contract liability, it is an important case for government contractors to follow up and see the final ruling. However, until the case ultimately shakes out, there are several key points for government contractors who handle PII to bear in mind:
- Ensure proper handling of PII and sensitive information to understand the legal regulations that apply to contracts.
- Contractors should determine if the contract contains language that allows the victim of a data breach to argue for third party liability.
- Process matters. If your company doesn’t yet have a firm handle on proper data classification, data auditing, credential monitoring, and the handling of stolen credentials, you’re setting yourself up for failure.
Federal cyber regulations and privacy requirements will continue to evolve. If you have any questions, contact Winvale to help protect your organization under this new ruling!