A recent decision from the United States District Court for the District of Columbia (D.D.C.) highlights a new potential basis for liability that any contractor handling personally identifiable information (PII) or other sensitive information for the government should keep in mind. A data beach resulting in the disclosure of such information may result in not just a breach of contract claim by the government, but by the individual whom the information concerns where the contract demonstrates "that the contracting parties 'clearly intended' that the contract would benefit the plaintiff, or an identifiable class to which the plaintiff belongs." McDowell v. CGI Federal, Inc., Civ. Action No. 15-1157 (GK), at 13 (D.D.C. filed June 1, 2017).
In McDowell, the D.D.C. denied a U.S. State Department contractor's motion to dismiss a class action lawsuit filed by the plaintiff for a breach of contract that allegedly resulted in the theft of the plaintiff's PII by employees of the Defendant contractor. The lawsuit argues that the contractor, CGI Federal, Inc., failed to secure the personal information of members of the public that it received as part of its contract to process passport applications for the State Department. The D.D.C held that the plaintiff can continue with her claim even though she and CGI Federal, Inc. never entered into a contract.
The plaintiff is proceeding on the theory that she and others in the class were third party beneficiaries of the contract between the contractor and the State Department because the contract required CGI Federal, Inc. to take certain data security measures for the protection of personal information it received from members of the public. Specifically, the D.D.C held that the plaintiff’s allegations that the government contract required CGI Federal, Inc. "(1) to protect the Personal Information it receives; and (2) to do so for the benefit of an identifiable class of individuals, passport applicants, to which she belongs," made it "plausible" that the plaintiff was a third party beneficiary of the government contract, allowing the case to continue.
Government contracts that require the handling of PII or interface with government information systems may contain legal obligations relating to the security of PII and other information, ranging from requirements to conduct privacy trainings on the control of PII (Federal Acquisition Regulation [FAR] 24.3), to basic safeguarding of covered contractor information systems (for example, FAR 52.204-21, or DFARS 252.204-7012), to rules regarding controlled unclassified information (32 C.F.R. Part 2002).
Contractors may well read the McDowell opinion and ask: will the incorporation of data security policy into my contract with the government expose me to liability for breach of contract to members of the public? Based on prior case law in analogous circumstances, contractors should not conclude that the fact that their government contract requires them to handle PII with reasonable safeguards necessarily confers third party beneficiary status on individuals whose personally information is released. It is difficult to show that one is an intended third party beneficiary, especially when the government is a party to the contract. As the D.D.C. acknowledged in McDowell, "there is a presumption that members of the public" are "merely incidental beneficiaries" of government contracts and so "have no right to sue for breach of contract." McDowell, supra, at 13.
In the analogous circumstances where a third party seeks to sue under contract for a federal contractor's failure to comply with regulations such as the Federal Acquisition Regulation, the courts have been reluctant to allow injured parties to sue as third party beneficiaries. The McDowell court recognized that the "'clear intent' hurdle is a high one." Id. at 14 (quoting GECCMC 2005-C1 Plummer St. Office Ltd. P'ship v. JPMorgan Chase Bank, Nat'l Ass'n, 671 F.3d 1027, 1033 (9th Cir. 2012)). The Supreme Court has ruled that where a government contract "simply incorporate[s] statutory obligations and record[s] the [contractor's] agreement to abide by them," then the plaintiff cannot be a third party beneficiary. Astra USA, Inc. v. Santa Clara County, Cal., 563 U.S. 110, 118 (2011). As the U.S. Court of Appeals for the Federal Circuit has stated, "extensive regulatory schemes often govern government contracts…rarely will standard compliance with these regulatory schemes impart liability to a third party." G4S Tech. LLC v. United States, 779 F.3d 1337, 1340-41 (2015).
Ultimately, whether a plaintiff is a third party beneficiary of a government contract turns on whether the contract demonstrates that the parties intended to benefit the plaintiff or the plaintiff’s class, which is a fact specific determination. For example, government contracts may include clauses that expressly convey that the parties intended there be no third party beneficiaries. See, e.g., Doyle v. United States, 129 Fed. Cl. 147, 155 (2016) (plaintiffs were not third party beneficiaries of contract with clause stating, "No persons who are not parties ... are intended to be deemed third party beneficiaries under this Agreement.").
The D.D.C. has decided to let the plaintiff in McDowell proceed to determine whether the parties to the specific government contract at issue intended passport applicants to be third party beneficiaries. Because McDowell may clarify when data security obligations can result in contract liability, government contractors should consider this a case to watch.
Practitioner's Tips
- Cybersecurity is a critical consideration for many government contractors today, especially those handling personally identifiable or other sensitive information. Contractors should understand which legal obligations apply to them, and ensure they build compliance with those obligations and cybersecurity risk management into their organizational governance, their technology tools, and their compliance programs.
- Offerors seeking to bid on government solicitations that require them to handle personally identifiable information should determine whether the resulting contract might contain elements that would allow the victim of a data breach to argue third party liability. Through the question and answer process, potential offerors may wish to confirm that the government agency does not intend to create third party liability.
- If a victim seeks remediation as a result of a data breach, contractors may wish to consider the viability of third party liability given the particular contract at issue.