Is the EU in Your Contracts (and You Don’t Know It)?

For those firmly in the sights of the EU’s General Data Protection Regulation (GDPR), the enforcement date of May 25, 2018, is likely indelibly embedded in their minds. For others, this date may have come and gone without significance, other than perhaps an increased general buzz about GDPR as companies across the globe wrestled with its scope and requirements. Those that were unaffected by the May 25, 2018, deadline cannot necessarily rest easy.

Companies are learning that GDPR’s impact can be felt in a number of ways and that its reach is growing over time. Specifically, many are seeing provisions relating to representations and warranties involving GDPR compliance appearing in agreements they are being asked to sign. In some ways this situation can present more of a problem than implementing a compliance effort prior to May 25, 2018. That is because these contractual provisions can be very onerous, overbroad, possibly unnecessary, and are often part of a business negotiation in which any dispute must be resolved urgently.

The reason companies are beginning to see GDPR provisions appear in agreements is that GDPR contains requirements that a company must impose on any other company that processes its data. In this scenario, the company is a “controller,” referring to its obligations to control its own data, and the other company is a “processor,” which the controller must ensure complies with GDPR provisions. A company deemed a controller would have been dealing with GDPR back before the May 25, 2018, deadline. To the contrary, while processors should have been involved in compliance discussions prior to that deadline, for a variety of reasons some are still being surprised by the inclusion of provisions in contracts. However, just because a provision shows up in an agreement for your company to sign, it does not necessarily mean your company is implicated by GDPR. This situation makes this area a minefield and requires companies to proceed very cautiously.

Assume Company A has either not considered GDPR compliance at all or decided it was inapplicable to them as a controller, but recently received a new agreement from Company B requiring Company A to make representations and warranties relating to its GDPR compliance. There are a number of possible scenarios. The first is that the representations and warranties are not appropriate to include in the agreement and should be stricken. Although this scenario requires specific factual analysis, at a high level, this would be the scenario if Company A is not performing any processing of EU citizen personal data for Company B. This scenario is fairly common for several reasons. One reason is that companies such as Company B may try to use uniform agreement provisions for simplicity, relying on the most favorable set of representations. Similarly, Company B may be trying to take the most conservative position, or simply not bothering to edit agreements to remove provisions that are favorable, even if inapplicable. If the inapplicability of the provision is pointed out, hopefully in this scenario Company B will be amenable to removing it because Company A should not be making representations and warranties for complying with a regulation such as GDPR if they are not complying or if they are unsure. In another scenario, there may be insistence in including the provision, but Company A does not believe GDPR is applicable to them. Here, a compromise may be to include language that limits the representation of compliance to applicable regulations. While this result is less ideal than the two parties agreeing GDPR does or does not apply, it can allow Company B to use a more standardized approach.

The final and worst scenario is if Company A realizes through the inclusion of this provision that they are considered processors pursuant to the GDPR and that Company B’s request is not only reasonable, but Company B must get that assurance for its own compliance with GDPR. This scenario can be downright dire if an agreement must be signed and Company A is not complying with GDPR. This last scenario must be avoided. If your company cannot say with certainty whether it is or is not considered a processor for another controller’s data, then the possibility of this last scenario should loom larger than the May 25, 2018, deadline until that question is answered.

DCMA to Audit Compliance With DFARS Cyber Flowdown Requirements

For over a year now, federal defense contractors have been required to comply with Defense Federal Acquisition Regulation Supplement (DFARS) Clause 252.204-7012, Safeguarding Covered Defense Information and Cyber Incident Reporting (see our recent firm alert). Recently, however, the Department of Defense (DoD) announced in a memorandum to DoD officials that it has “asked” the Director of the Defense Contract Management Agency (DCMA) to begin auditing contractor compliance with the cybersecurity requirements described in DFARS Clause 252.204-7012.

More specifically, the memorandum states that “to effectively implement the cybersecurity requirements addressed in” DFARS Clause 252.204-7012 and National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171, Protecting Controlled Unclassified Information (CUI) in Nonfederal Information Systems and Organizations, DoD has instructed DCMA to “leverage its review of a contractor’s purchasing system in accordance with DFARS Clause 252.244-7001, Contractor Purchasing System Administration,” in order to:

  • “Review Contractor procedures to ensure contractual DoD requirements for marking and distribution statements on DoD CUI flow down appropriately to their Tier 1 Level Suppliers;” and
  • “Review Contractor procedures to assess compliance with their Tier 1 Level Suppliers with DFARS Clause 252.204-72 and NIST SP 800-171.”

As the memorandum explains, DFARS Clause 252.204-7012 “requires contractors to implement” NIST SP 800-171 “as a means to safeguard the [DoD’s CUI] that is processed, stored or transmitted on the contractor’s internal unclassified information system or network.” Federal contractors, in turn, “are required to flow down this clause in subcontracts for which subcontract performance will involve DoD’s CUI.”

In light of this new development, federal contractors would be wise to review and document their compliance with the subject requirements set forth in DFARS Clause 252.204-7012 and NIST SP 800-171.

If you have any questions about the foregoing or about any other related issues, please feel free to contact Aron Beezley.

Tracking Government Enforcement: The False Claims Act in 2018

The federal government continues to use the False Claims Act (FCA) as one of its prime enforcement tools against government contractors. To keep you informed on the status of the law, Bradley’s Government Enforcement and Investigations Practice Group is pleased to present the False Claims Act: 2018 Year in Review, our seventh annual review of significant FCA cases, developments and trends. This year’s publication maintains the magazine-like format we introduced last year, making it an easy-to-read, printed resource as well as a convenient and searchable digital tool.