Compliance

In an article published by BNA’s Federal Contracts Report, I discussed three of the most costly of President Obama’s 2016 Executive Orders impacting government contractors, orders that are likely to be overturned by President-elect Trump. In the article, I argue that, while the Executive Orders – Fair Pay and Safe Workplaces, Minimum Wage, and Sick

Civil Investigative Demands (CIDs) are powerful pre-litigation tools the government frequently utilizes to investigate potential allegations of FCA liability. CIDs can be broad and invasive, time-consuming and expensive. What’s a company to do upon receipt of a CID? Is there any recourse? Unfortunately, neither case law nor published guidance offers the recipient much in the way of a formal, timely mechanism to challenge the scope or appropriateness of a CID. Nevertheless, there are certain practical steps one can take to reduce a CID’s scope that, in turn, will reduce disruption and expenses associated with CID compliance.
Continue Reading The Civil Investigative Demand: An Increasingly Aggressive Investigative Tool and Common-Sense Scope-Reduction Strategies

On July 26, 2016, responding to rising cyber attacks and public criticism, the federal government issued Presidential Policy Directive 41 (PPD-41) to clarify the role of law enforcement agencies, to increase coordination across the government, and to divide cybersecurity efforts into three categories: asset response, threat response and intelligence support. PPD-41 outlines five key principles for the federal government and federal agencies to follow under a “whole-of-government” approach to cybersecurity. Although the directive is addressed to the federal government and sector-specific agencies, private entities are also likely to be affected and are given best practices for cyber incident reporting.

PPD-41 emphasizes unity in the government’s response to cybersecurity incidents and sets out the directive’s guiding principles. In structuring incident reporting and protection mechanisms, the government seeks to emphasize shared responsibility, increased awareness, risk-based responses, respect for entities affected by the incident, unity of governmental effort in responding to an incident, and enabling effective restoration and recovery following a cybersecurity breach. In distributing the responsibilities of cybersecurity, the directive designates specific agencies to lead each of the three categories of response. The Department of Homeland Security (DHS) will lead asset response activities and post-breach recovery needs, the Department of Justice (DOJ), acting through the FBI, will be in charge of threat response, and the Office of the Director of National Intelligence (ODNI) will head intelligence support.
Continue Reading Federal Government Restructures Its Approach to Cybersecurity

I offered insights for an article outlining the May 11 proposed rule on recruitment fees and recent guidance on implementation of anti-trafficking compliance programs. The new guidance was issued to clarify a 2012 executive order on human trafficking; as I noted in the article, “[u]ntil two weeks ago, there really wasn’t any guidance on how to navigate any of this.”

On May 11, 2016, the Defense Security Service (DSS) released a new guide on mitigating and managing affiliate operations for entities bound by a Foreign Ownership, Control, or Influence (FOCI) mitigation agreement. The guide, titled Navigating the Affiliated Operations Plan: A Guide for Industry, outlines how companies can identify whether they are engaging in affiliated operations, submit an Affiliated Operations Plan (AOP), and ensure that they are properly mitigating potential risks. In compiling an AOP, a company is expected to describe all operations and services it intends to share with affiliates, as well as the potential risks of the collaboration and how those risks will be mitigated. The guide emphasizes that, unless there are special circumstances, an AOP must be provided before a company can start leveraging any affiliated operations.
Continue Reading DSS Releases New Guide to Help Cleared Contractors Meet Requirements of FOCI Mitigation Agreements

On February 19, 2016, the UK Serious Fraud Office (SFO) secured the conviction of Sweett Group plc (Sweett), a London-based construction and professional services company, under Section 7 of the UK Bribery Act. This is the first conviction under Section 7, which makes a company liable for failing to prevent bribery in the course of its business. The penalty imposed on Sweett – a total of GBP 2.25 million – was modest in the context of penalties paid under the U.S. Foreign Corrupt Practices Act (FCPA). Yet this action provides further evidence that the SFO may be able to meaningfully enforce the Bribery Act.

Under Section 7 of the Bribery Act, a company can be found liable if it – or any associated person, subsidiary or entity, anywhere in the world – engages in bribery with the intention of obtaining or retaining business or some other commercial advantage for the company. Liability can be established even if company management did not authorize or encourage, and was not even aware of, the illicit conduct. (A company has a full defense if it can show that it maintained adequate procedures to prevent bribery; as appears evident from the resolution of this matter, Sweett was unable to mount such a defense.)

According to news reports, the SFO began investigating Sweett, which is listed on the Alternative Investment Market (or AIM) in London, in July 2014. Through its investigation, the SFO found that a Sweett subsidiary in the United Arab Emirates (UAE), Cyril Sweett International Limited (Cyril), had made corrupt payments to the Vice Chairman of Al Ain Ahlia Insurance Company (AAAI) to help secure a contract to build a hotel in Abu Dhabi. After pleading guilty in December 2015, Sweett was ordered to pay a GBP 1.4 million fine, a GBP 851,152 confiscation amount and GBP 95,000 in SFO prosecution costs.

The SFO reportedly is continuing its investigation of individuals involved in the scheme.

Lessons Learned. We derive several interesting lessons from this action.
Continue Reading SFO Convicts UK Company for Middle East Bribery

On Thursday, February 25, 2016, the U.S. Department of Labor proposed new rules to implement Executive Order 13706, which requires certain federal contractors to provide qualifying employees with at least seven days of paid sick leave each year, including paid leave for family care. These new rules are scheduled to go into effect by September 30, 2016, and employers who contract with the federal government should prepare for their implementation now. Noncompliance could result in suspension of federal payments or even termination of a federal contract.

The new rules generally apply to any employer who contracts with the federal government, whether pursuant to a prime contract or a subcontract, provided that the contract is either: (1) covered by the Davis-Bacon Act (DBA); (2) covered by the Service Contract Act (SCA); or (3) a contract in connection with federal property or lands and related to offering services for federal employees, their dependents or the general public. A contract is covered by the DBA if the contract is in excess of $2,000 and the principal purpose of the contract is the construction, alteration and/or repair of public buildings or public works. A contract is covered by the SCA if the contract is in excess of $2,500 and the principal purpose of the contract is to provide services in the United States through the use of service employees.
Continue Reading New Mandatory Paid Sick Leave Rules Could Ensnare Unwary Federal Contractors

On September 9, 2015, U.S. Department of Justice (DOJ or the Department) Deputy Attorney General Sally Yates issued a memorandum to all U.S. Attorneys regarding individual accountability for corporate wrongdoing (the Yates Memo).

The point of the Yates Memo is clear: while DOJ will continue to pursue companies for corporate wrongdoing, the Department will also simultaneously pursue charges against individual employees. According to the Yates Memo, “[b]ecause a corporation only acts through individuals, investigating the conduct of individuals is the most efficient and effective way to determine the facts and extent of any corporate misconduct.”

And the ultimate target of these efforts? Corporate executives. The DOJ understands that lower-level employees facing individual civil or criminal liability are likely to cooperate against their superiors, thereby facilitating DOJ’s ability to obtain the information necessary to prosecute individuals further up the corporate ladder.
Continue Reading DOJ Targets Corporate Executives

On August 26, 2015, the Department of Defense (“DoD”) issued an interim rule, effective immediately, that revises the network security requirements applicable to DoD contractors and introduces new cloud computing provisions that reflect current DoD policy. The interim rule, which implements sections of the FY13 and FY15 National Defense Authorization Acts, comes on the heels of the massive breach of Office of Personnel Management systems that compromised the personal data of more than 21 million federal employees. The new and revised requirements apply to cyber incidents on unclassified information systems; breaches of classified systems will continue to be reported in accordance with the National Industrial Security Program Operating Manual. The interim rule also implements DoD policies and procedures applicable to the procurement of cloud computing services.

The rule includes five contract clauses relevant to contractors and subcontractors that provide cloud computing services to DoD or that handle controlled unclassified DoD information on their systems. All five apply to commercial item contracts.
Continue Reading DoD Contractors Beware – New Network Penetration Reporting and Cloud Services Requirements Are Here