Federal Agencies Take Aim At Businesses, Benefit Plan Fiduciaries & Service Providers & Others With Lax CyberSecurity & CyberBreach Compliance; Build Defenses By Strengthening Internal & External Controls & Risk Managment

October 19, 2021

Businesses, their employee benefit plan fiduciaries, their employer and other sponsors, their record keepers, financial advisors and other service providers and other business partners face growing pressure to shore up cyber security and cyber breach compliance and other safeguards to defend against a slew of  new and ongoing federal cyber security and breach regulatory and enforcement the Biden-Harris Administration is rolling out in its effort to stem the rising tide of  cybersecurity incidents.

Agencies Targeting Businesses, US Entities & Their Leaders For CyberSecurity & CyberBreach Regulation & Enforcement

On October 6, 2021, Deputy Attorney General Lisa O. Monaco announced plans to civilly prosecute federal government contractors that fail to follow required cyber security standards under the False Claims Act under a new Civil Cyber-Fraud Initiative to be led by DOJ’s Civil Division’s Commercial Litigation Branch, Fraud Section.  While adding new exposures to the already substantial exposures  federal government contractors and grant recipients already face for failing to comply with applicable cybersecurity and cyberbreach notifications under federal and state laws, the Civil Cyber-Fraud Initiative also provides more evidence that the Biden-Harris Administration is serious about moving forward on its broader strategy to stem the recurrent waves of disruptive cyber breaches and other security incidents buffeting U.S. public and private institutions and citizens by ramping up cybersecurity regulations, oversight and enforcement against all U.S. organizations.   See e.g., New DOJ Civil Cyber-Fraud Initiative Pressures Federal Contractors & Grant Recipients To Tighten Cybersecurity Controls, Training & Other Safeguards. May 12, 2021 Executive Order on Improving the Nation’s Cybersecurity; July 28, 2021 National Security Memorandum on Improving Cybersecurity for Critical Infrastructure Control Systems.

The DOJ Civil Cyber-Fraud Initiative is the latest in a growing list of new regulatory and enforcement programs placing pressure on U.S. businesses and their leaders to get serious about cybersecurity.  Examples of some of the more far reaching of these new or continuing programs include:

  • Government Contractors. 

Under the Civil Cyber-Fraud Initiative, DOJ plans to use the False Claims Act to prosecute pursue cyber security related fraud by government contractors and grant recipients.  According to DOJ, the initiative will hold accountable entities or individuals that put U.S. information or systems at risk by knowingly providing deficient cyber security products or services, knowingly misrepresenting their cyber security practices or protocols, or knowingly violating obligations to monitor and report cyber security incidents and breaches. Federal contractors and grant recipients submitting claims for federal funds will be considered to have filed a false claim in violation of the False Claims Act if their cyber security and cyber breach practices are not compliant with applicable federal requirements when the payment is requested.

  • Federal Health Program Participating Health Care Providers And Plans. 

The DOJ Cyber-Fraud Initiative follows a similar interpretation of the Department of Health & Human Services (“HHS”) Office Inspector General (“OIG”) about the cybersecurity and cyberbreach compliance requirements health care providers and health plan issuers participating in Medicare and certain other federally funded health care programs (“Medicare Participating Providers”) are accountable to meet under the Conditions of Participation for those programs.  HHS OIG’s construction of these Conditions of Participation as including cybersecurity and cyberbreach compliance signs that Medical Participating Providers with deficient cybersecurity practices now may risk program disqualification and False Claims Act liability along with their already well-known exposure to civil monetary penalties under the Health Insurance Portability & Accountability Act (“HIPAA”) protected health information privacy, security and data breach rules.

  • Health & Other Employee Benefit Plans. 

Health plans and other employee benefit plans, their fiduciaries, record keepers and service providers also face growing cybersecurity responsibilities and risks.  While HHS Office of Civil Rights (“OCR”) continues to clarify and expand its interpretation, investigation and enforcement of HIPAA privacy, security and data breach rules against health plans, health care providers, health care clearinghouses and their business associates, the Department of Labor Employee Benefit Security Administration is turning up the heat on employee benefit plan fiduciaries to prudently protect their employee benefit plan assets and participants against cyberthreats.

On April 14, 2021, the Department of Labor Employee Benefit Security Administration (“EBSA”) made official its interpretation of the duty of prudence applicable to employee benefit plan fiduciaries under Section 404 of the Employee Retirement Income Security Act (“ERISA”) includes a duty for ERISA-covered employee benefit plan fiduciaries to take “appropriate precautions” to mitigate risks to plan participants and assets from both internal and external cybersecurity threats. The April 14 announcement makes official EBSA’s interpretation of the duty of prudence applicable to fiduciaries of ERISA-covered employee benefit plans as extending to a duty to act prudently to safeguard plan assets and plan participants against cybersecurity threats.

Concern about cyberthreats to private employee benefit plans covered by ERISA, their participants and beneficiaries has soared as massive data breaches  Federal Thrift Savings Plan, Anthem, Capital Onethe Public Employees Retirement Association of New Mexico and other employee benefit plans, their vendors and service providers increasingly have impacted millions of employee benefit plans, their accounts and participants.

While Congress chose to subject health plans to the detailed health privacy, security and breach rules of HIPAA and financial and certain other employee benefit plan service providers to consumer financial disclosure and data information security requirements of laws like Gramm-Leach-Bliley Act and the Fair and Accurate Credit Transactions Act, and even employers and others conducting background and other credit checks to the  Fair Credit Reporting Act, growing awareness of the cyberthreat to employee benefits has not prompted Congress to date to extend those laws or otherwise to enact express statutory requirements for employee benefit plans and their fiduciaries.  However, private litigants and others increasingly have speculated that a fiduciary duty to safeguard plan asset against cyberthreats might be subsumed in the obligation of fiduciaries under Section 404 of ERISA at all times to act with “the care, skill, prudence, and diligence under the circumstances then prevailing that a prudent man acting in a like capacity and familiar with such matters would use in the conduct of an enterprise of a like character and with like aims.” See, e.g., See Record $16M Anthem HIPAA Settlement Signals Need to Tighten Your Health Plan HIPAA Compliance & Risk Management.

While EBSA has worked to formulate its recently announced positions, private litigants increasingly have begun debating the applicability and effect of ERISA on cyberbreaches involving ERISA regulated plans.  See e.g., In re Anthem, Inc. Data Breach Litig., No. 15-CV-04739-LHK, 2015 WL 7443779, at *1 (N.D. Cal. Nov. 24, 2015)(holding Anthem entitled under ERISA to remove claims to federal court and refusing employee benefit plan participants’ motion to remand to state court state claims arising from data breach); In re Anthem, Inc. Data Breach Litig., No. 15-MD-02617-LHK, 2016 WL 3029783 (N.D. Cal. May 27, 2016)(refusing to dismiss participant claims against non-Anthem defendants for lack of standing), motion reconsideration denied In re Anthem, Inc. Data Breach Litig., No. 15-CV-04739-LHK, 2016 WL 324386 (N.D. Cal. Jan. 27, 2016); Bartnett v. Abbott Lab’ys, No. 20-CV-02127, 2021 WL 428820, at *5 (N.D. Ill. Feb. 8, 2021) (dismissing breach of fiduciary duty claim based on inadequate evidence); In re: Premera Blue Cross Customer Data Sec. Breach Litig., No. 3:15-MD-2633-SI, 2017 WL 539578, at *21 (D. Or. Feb. 9, 2017). While mostly unsuccessful to date for procedural or factual sufficiency reasons, the preemption issues argued in many of these cases support concerns that under the proper circumstances ERISA could apply to breaches involving plans or their participants.  As these and other actions continue to wind their way through the courts, EBSA also has begun to acknowledge that ERISA plan fiduciaries duties of prudence include cybersecurity responsibilities.

EBSA’s first official recognition of a cybersecurity responsibility by plan fiduciaries appears in the Default Electronic Disclosure by Employee Pension Benefit Plans Under ERISA Final Rule (the “Electronic Disclosure Rule”), which took effect July 27, 2020 . In the discussion of its requirements regarding website-based electronic disclosures in Subpart (e)(3), the Electronic Disclosure Rule requires that “[T]he administrator must take measures reasonably calculated to ensure that the website protects the confidentiality of personal information relating to any covered individual.”  Similarly, the requirements for using e-mail to provide electronic disclosures in Subsection (k)(4) of the Electronic Disclosure Rule require the plan administrator to take “measures reasonably calculated to protect the confidentiality of personal information relating to the covered individual.”  While recognizing these cyber security responsibilities in the Electronic Disclosure Rule, however,  EBSA explained in the Preamble to the Electronic Disclosure Rule that it decided not to include more cumbersome cybersecurity requirements in the Electronic Disclosure Rule out of concern over the cost and other burdens of such requirements.  Nevertheless, the Electronic Disclosure Rule imposed a responsibility by plan fiduciaries of employee benefit plans making electronic disclosures to ensure that electronic recordkeeping systems have in place reasonable controls, adequate records management practice, and other measures calculated to protect Personally Identifiable Information.

EBSA’s April 14, 2021 reflects EBSA now views the fiduciary responsibilities of ERISA-covered employee benefit plan fiduciaries generally as including the responsibility to take “appropriate precautions” to mitigate risks to plan participants and assets from both internal and external cybersecurity threats. Beyond acknowledging a duty to take prudent steps to protect plans assets and participants against internal and external cybersecurity threats, EBSA also shared the following three resources to help plan sponsors, fiduciaries and participants to safeguard benefit plans and personal information against emerging cyber threats:

  • Tips for Hiring a Service Provider: Helps plan sponsors and fiduciaries prudently select a service provider with strong cybersecurity practices and monitor their activities, as ERISA requires.
  • Cybersecurity Program Best Practices: Assists plan fiduciaries and record-keepers in their responsibilities to manage cybersecurity risks.
  • Online Security Tips: Offers plan participants and beneficiaries who check their retirement accounts online basic rules to reduce the risk of fraud and loss.
  • Participants in Securities Markets, Market Infrastructure Providers & Vendors. 

Meanwhile the Securities and Exchange Commission (“SEC”) also has made clear its expectation that all firms participating in the securities markets, market infrastructure providers and vendors will appropriately monitor, assess and manage their cybersecurity risk profiles, including their operational resiliency. Consistent with the shared understanding of best cybersecurity practices shared with the agencies, the SEC guidance makes clear its market involved and impacting regulated entities are accountable for maintaining and enforcing appropriate internal and external controls to prevent, detect and redress cybersecurity threats, including appropriate board governance and risk management, access rights and controls, data loss prevention,mobile security, incident response and resiliency, vendor management, training and awareness and other practices.  See  SEC Office of Compliance Inspections and Examinations Cybersecurity and Resiliency Observations.  Recently announced enforcement actions demonstrate that the SEC is acting on its promise to go after SEC regulated entities that breach these expectations.  See, e.g., SEC Announces Three Actions Charging Deficient Cybersecurity Procedures.

These and other recently announced federal regulatory and enforcement developments send a clear message to businesses and their leadership, employee benefit plan sponsors, fiduciaries, record keepers and other vendors, SEC securities market involved organizations and others to clean up their cybersecurity compliance and risk management.  Beyond the governmental enforcement risks these developments signal, these and other emerging regulatory developments provide added fuel for the already substantial private litigant and government complaints, investigations and prosecutions against businesses, their leaders, their employee benefit plan fiduciaries, record keepers and other service providers,and others.   and their leaders unable to defend the adequacy of their cybersecurity related practices.

Raise Cybersecurity Compliance & Defenses To Mitigate Risks & Liabilities

In the face of these developments, all businesses, employee benefit plan fiduciaries, their employer and other sponsors, record keepers and other vendors and their leaders should prioritize cybersecurity compliance, risk management, oversight and controls.  As part of these efforts, organizations and their leaders should move quickly to position themselves to defend against potential investigation and enforcement risks created by these emerging policies. These efforts should seek to ensure compliance with all applicable statutory, regulatory and contractual requirements as well as institutionalize the necessary operational controls to protect systems, data and operations from cyber breaches and other threats, to detect and redress cyber events promptly, and to ensure that the organization otherwise can demonstrate both their compliance efforts, as well as their timely prudent detection, investigation, reporting, mitigation and remediation in response to actual or suspected cyber threats or other compliance breaches.

Efforts should begin by taking carefully crafted, well-documented documented steps to prudently evaluate and strengthen  cybersecurity and breach safeguards and compliance, as well as prudently to assess and verify those of their vendors and others involved with their employee benefit plans or their administration within the scope of attorney-client privilege.

Assessments should take into account all existing required statutory, regulatory, and contractual controls and practices, documentation and other procedures.  In addition, organizations should consider the advisability of adopting other “best practice” safeguards or actions taking into account relevant agency guidance and resources,  government or other contracts, other industry or related standards, known and suspected breaches, “red flags” and threats, their own, their vendor and business partner and other risk profiles and experience, and other factors likely to be viewed as prudent under the circumstances.

In assessing, designing and administering the cybersecurity processes, organizations and their leaders should give due attention to assessing and addressing the adequacy of their internal and external controls to ensure the adequacy of their systems, processes, oversight and response practices and capabilities as of the time of the assessment and on an ongoing basis.  Beyond establishing required policies and formal controls, organization should ensure that their organizations have in place the necessary policies and practices to monitor and control cyberthreats arising from conduct and risks created by employees and other internal workforce, vendors and other parties interacting with the business and its operations.  As part of these efforts, most organizations will need to evaluate their contractual obligations and requirements for vendors, suppliers and others interacting with their businesses. Beyond general contractual compliance obligations, organizations should weigh requiring contractors, suppliers and other business partners to make specific commitments to maintain and monitor compliance and other risks, to provide timely notice and reports, to cooperate with audits and investigations necessary or advisable to respond to private or government complaints, government or other investigation, reporting or other requirements, their own compliance and risk assessments, audits and investigations and other compliance and risk management efforts.  Organizations also should give careful attention and review the adequacy of protections and responsibilities arising from contractual cybersecurity and breach notice, investigation, cooperation, indemnification,  insurance and other associated protections and cooperation.

Organizations also should consider establishing and administering processes for independent monitoring of regulatory, news, and other reports that could provide early warning of potential cybersecurity weaknesses, threats and breaches.

All processes should include appropriate governance, oversight and reporting to provide for ongoing monitoring and oversight necessary to identify and respond to evolving risks arising in the course of their operations as well as consistent practices for carefully documenting their compliance and risk management compliance efforts.

Because of the frequently high cost of breach investigation, response and mitigation, most organizations will want to consider securing cyber liability or other coverage, require vendors and other business partners to provide cyber liability indemnifications backed up with insurance or other adequate assurance of their ability to fulfill these financial responsibilities.

 More Information

We hope this update is helpful. For more information about or assistance with these or other workforce, internal controls and compliance or other legal, management or public policy developments, please contact the author Cynthia Marcotte Stamer via e-mail or via telephone at (214) 452 -8297.

Solutions Law Press, Inc. invites you receive future updates by registering on our Solutions Law Press, Inc. Website and participating and contributing to the discussions in our Solutions Law Press, Inc. LinkedIn SLP Health Care Risk Management & Operations GroupHR & Benefits Update Compliance Group, and/or Coalition for Responsible Health Care Policy.

About the Author

Recognized by her peers as a Martindale-Hubble “AV-Preeminent” (Top 1%) and “Top Rated Lawyer” with special recognition LexisNexis® Martindale-Hubbell® as “LEGAL LEADER™ Texas Top Rated Lawyer” in Health Care Law and Labor and Employment Law; as among the “Best Lawyers In Dallas” for her work in the fields of “Labor & Employment,” “Tax: ERISA & Employee Benefits,” “Health Care” and “Business and Commercial Law” by D Magazine, Cynthia Marcotte Stamer is a practicing attorney board certified in labor and employment law by the Texas Board of Legal Specialization and management consultant, author, public policy advocate and lecturer widely known for 30+ years of health industry and other management work, public policy leadership and advocacy, coaching, teachings, and publications.

Scribe for the ABA JCEB Annual Agency Meeting with HHS-OCR, and author of the “Medical Privacy” Chapter in the BNA/ERISA Litigation Treatise, the “Other Torts Chapter” in the BNA/ABA E-Heath & Other Torts Treatise, “Privacy and the Pandemic Workshop” for the Association of State and Territorial Health Plans, as well as a multitude of other highly regarded data privacy and security, workforce and health care change and crisis management and other highly regarded publications and presentations, Ms. Stamer is widely recognized for her decades of pragmatic, leading edge work, scholarship and thought leadership on health and other privacy and data security and other health industry legal, public policy and operational concerns.

A Fellow in the American College of Employee Benefit Counsel, the American Bar Foundation and the Texas Bar Foundation, Ms. Stamer’s work throughout her 30 plus year career has focused heavily on working with private and public employer, health care and managed care, health and other employee benefit plan, insurance and financial services and other public and private organizations and their technology, data, and other service providers and advisors domestically and internationally with legal and operational compliance and risk management, performance and workforce management, regulatory and public policy and other legal and operational concerns.  In the course of this work, she has had extensive involvement in the design, administration and defense of payroll, employee benefit, insurance, securities, trade secret and other confidential information and other internal and external record and data systems and processes as well as investigation, reporting, redress and mitigation of cyber and other incidents.

As a part of this work, she has continuously and extensively worked with domestic and international health and other employee benefit plans, their sponsors, fiduciaries, administrators, and insurers; managed care and insurance organizations; hospitals, health care systems, clinics, skilled nursing, long term care, rehabilitation and other health care providers and facilities; medical staff, accreditation, peer review and quality committees and organizations; billing, utilization management, management services organizations, group purchasing organizations; pharmaceutical, pharmacy, and prescription benefit management and organizations; consultants; investors; EHR, claims, payroll and other technology, billing and reimbursement and other services and product vendors; products and solutions consultants and developers; investors; managed care organizations, self-insured health and other employee benefit plans, their sponsors, fiduciaries, administrators and service providers, insurers and other payers, health industry advocacy and other service providers and groups and other health and managed care industry clients as well as federal and state legislative, regulatory, investigatory and enforcement bodies and agencies.  She also has extensive experience dealing with OCR Privacy and Civil Rights, Department of Labor, IRS, HHS, DOD, FTC, SEC, CDC and other public health, Department of Justice and state attorneys’ general and other federal and state agencies; JCHO and other accreditation and quality organizations; private litigation and other federal and state health care industry actions: regulatory and public policy advocacy; training and discipline; enforcement;  and other strategic and operational concerns.

American Bar Association (ABA) International Section Life Sciences Committee Vice Chair, a Scribe for the ABA Joint Committee on Employee Benefits (JCEB) Annual OCR Agency Meeting, current RPTE Welfare Benefit Committee Co-Chair and former Chair of its Fiduciary Responsibility, Plan Terminations and Distributions and Defined Contribution Plan Committees, a former JCEB Council Representative, Past Chair of the ABA Managed Care & Insurance Interest Group, former SHRM Consultants Board and Region IV Chair, former Texas Association of Business Board, BACPAC Board and Dallas Chapter Chair, former Vice President and Executive Director of the North Texas Health Care Compliance Professionals Association, past Board President of Richardson Development Center (now Warren Center) for Children Early Childhood Intervention Agency, past North Texas United Way Long Range Planning Committee Member, and past Board Member and Compliance Chair of the National Kidney Foundation of North Texas.

Ms. Stamer also shares her extensive publications and thought leadership as well as leadership involvement in a broad range of other professional and civic organizations. For more information about Ms. Stamer or her health industry and other experience and involvements, see www.cynthiastamer.com or contact Ms. Stamer via telephone at (214) 452-8297 or via e-mail here.

About Solutions Law Press, Inc.™

Solutions Law Press, Inc.™ provides human resources and employee benefit and other business risk management, legal compliance, management effectiveness and other coaching, tools and other resources, training and education on leadership, governance, human resources, employee benefits, data security and privacy, insurance, health care and other key compliance, risk management, internal controls and operational concerns. If you find this of interest, you also be interested reviewing some of our other Solutions Law Press, Inc.™ resources available here.

IMPORTANT NOTICE ABOUT THIS COMMUNICATION

If you or someone else you know would like to receive future updates about developments on these and other concerns, please be sure that we have your current contact information including your preferred e-mail by creating your profile here.

NOTICE:   These statements and materials are for general informational and purposes only. They do not establish an attorney-client relationship, are not legal advice or an offer or commitment to provide legal advice, and do not serve as a substitute for legal advice. Readers are urged to engage competent legal counsel for consultation and representation considering the specific facts and circumstances presented in their unique circumstance at any time. No comment or statement in this publication is to be construed as legal advice or an admission. The author and Solutions Law Press, Inc.™ reserve the right to qualify or retract any of these statements at any time. Likewise, the content is not tailored to any situation and does not necessarily address all relevant issues. Because developments could impact the currency and completeness of this discussion, the author and Solutions Law Press, Inc.™ disclaim, and have no responsibility to provide any update or otherwise notify anyone any such change, limitation, or other condition that might affect the suitability of reliance upon these materials or information otherwise conveyed in connection with this program. Readers may not rely upon, are solely responsible for, and assume the risk and all liabilities resulting from their use of this publication.  Readers acknowledge and agree to the conditions of this Notice as a condition of their access of this publication.  Circular 230 Compliance. The following disclaimer is included to ensure that we comply with U.S. Treasury Department Regulations. Any statements contained herein are not intended or written by the writer to be used, and nothing contained herein can be used by you or any other person, for the purpose of (1) avoiding penalties that may be imposed under federal tax law, or (2) promoting, marketing or recommending to another party any tax-related transaction or matter addressed herein. ©2021 Cynthia Marcotte Stamer. Limited non-exclusive right to republish granted to Solutions Law Press, Inc.™.


New DOJ Civil Cyber-Fraud Initiative Pressures Federal Contractors & Grant Recipients To Tighten Cybersecurity Controls, Training & Other Safeguards

October 11, 2021

Federal government contractors and grant recipients should tighten cyber security policies, practices and internal controls to mitigate their exposure to civil False Claims Act claims by the Department of Justice (“DOJ”) under a new DOJ Civil Cyber-Fraud Initiative announced by DOJ last week.  The new initiative adds False Claims Act civil liability to the already substantial civil liability that government contractors and other businesses already face for failing to comply with applicable cyber security and cyber breach notifications under federal and state laws.  In the face of these added liabilities, federal contractors and grant recipients should act quickly to audit their cyber security and cyber breach practices, tighten cyber security and breach detection;  oversight, credentialing and controls over employees, contractors and others with access to facilities and systems and take other appropriate action to prevent and remediate compliance deficiencies and risks.

Federal Government Contractors Bear Cybersecurity Responsibilities 

Federal government contractors can face cyber security and breach responsibilities under a myriad of federal laws, regulations and contracting standards which are incorporated into their government contracts as part of conditions for participation in the applicable contract or program. For example,  businesses that sell products to the U.S. government generally are required to comply with 15 basic safeguarding requirements and procedures to protect systems used to collect, process, maintain, use, share, disseminate, or dispose of Federal Contract Information (FCI) set forth in FAR 52.202.21.  Companies that produce products used by the Department of Defense (DoD) may be required to comply with the minimum cybersecurity standards set by DFARS if those products aren’t commercially available off-the-shelf (COTS)DFARS 252.204-7012 requires contractors with CUI to follow NIST SP 800-171, report cyber incidents, report cybersecurity gaps.  DFARS 252.204-7019 (interim) requires primes and subcontractors to submit self-assessment of NIST 800-171 controls through the Supplier Performance Risk System (SPRS)DFARS 252.204-7020 (interim) requires primes and subcontractors give the DoD access to their infrastructure to verify the self-assessment (via DMCA) and requires contractors roll requirements down to subcontractors.  Meanwhile, DFARS 252.204-7021 (interim) governs the rollout of the Cybersecurity Maturity Model Certification program over 5 years.  These requirements are in addition to any cyber security or cyber breach requirements otherwise applicable to government contractors or grant recipients under laws such as the Fair & Accurate Credit Transactions Act (“FACTA”) that also might apply to other businesses that do not do business with the federal government.

New DOJ Civil Cyber-Fraud Initiative Against Government Contractors Heightens Enforcement & Liability Risks

On October 6, 2021, Deputy Attorney General Lisa O. Monaco announced plans to civilly prosecute federal government contractors that fail to follow required cyber security standards under the False Claims Act under a new Civil Cyber-Fraud Initiative to be led by DOJ’s Civil Division’s Commercial Litigation Branch, Fraud Section.

According to the DOJ announcement, DOJ expects the initiative to:

  • Build broad resiliency against cyber security intrusions across the government, the public sector and key industry partners.
  • Hold contractors and grantees to their commitments to protect government information and infrastructure.
  • Support government experts’ efforts to timely identify, create and publicize patches for vulnerabilities in commonly used information technology products and services.
  • Ensure that companies that follow the rules and invest in meeting cyber security requirements are not at a competitive disadvantage.
  • Reimburse the government and the taxpayers for the losses incurred when companies fail to satisfy their cyber security obligations.
  • Improve overall cyber security practices that will benefit the government, private users and the American public.

Under the Civil Cyber-Fraud Initiative, DOJ plans to use the False Claims Act to prosecute pursue cyber security related fraud by government contractors and grant recipients.  According to DOJ, the initiative will hold accountable entities or individuals that put U.S. information or systems at risk by knowingly providing deficient cyber security products or services, knowingly misrepresenting their cyber security practices or protocols, or knowingly violating obligations to monitor and report cyber security incidents and breaches.

The False Claims Act is the government’s primary civil tool to redress false claims for federal funds and property involving government programs and operations.   The DOJ’s Civil Cyber-Fraud Initiative does not create new cyber security and cyber breach obligations to promote these goals.  Rather, it piggybacks on already existing federal mandates by adding False Claims Act civil liability to the already substantial civil liability that government contractors and grant recipients already risk for failing to maintain and administer their data security and data breach practices in accordance with applicable federal laws. Under the new Civil Cyber-Fraud Initiative, DOJ has signaled it intends to include compliance with applicable cyber security and cyber breach reporting requirements applicable to contractors as part of the obligations of government contractors and grant recipients to comply with applicable law as a condition of eligibility to participate in federal programs and receive federal funds.  Federal contractors and grant recipients submitting claims for federal funds will be considered to have filed a false claim in violation of the False Claims Act if their cyber security and cyber breach practices are not compliant with applicable federal requirements when the payment is requested.

Companies and individuals found to have violated the False Claims Act generally are liable for treble damages plus a penalty that is linked to inflation. In addition to allowing the United States to pursue perpetrators of fraud on its own, the FCA allows private citizens to file suits on behalf of the government (called “qui tam” suits) against those who have defrauded the government.  Private citizens who successfully bring qui tam actions may receive a portion of the government’s recovery.  Many DOJ Fraud Section investigations and lawsuits arise from such qui tam actions and result in often large recoveries by DOJ and the reporting whistleblowers.  As a result of availability of whistleblower recoveries, government contractors should anticipate that disgruntled employees, contractors, or others with whom they do business with knowledge of data breaches or other cybersecurity weaknesses may be incentivized to act as whistleblowers.

Cyber Risks Already Substantial Cyber Risks

The False Claims Act exposure under the new DOJ Civil Cyber-Security initiative adds to the already substantial and mounting risks that government contractors already face under an ever-expanding tapestry of federal, state and in some instances, international statutes, regulations and rulings.

Along with any exposures specifically applicable to it as a government contractor, depending on the nature of the business and the data it collects, the business also likely falls subject to duties to safeguard the confidentiality and security of wide range of electronic or other personal financial, tax and other data under various federal and state laws such as FACTA, the Internal Revenue Code, the Health Insurance Portability & Accountability Act (HIPAA), state identity theft, and a host of other statutes and regulations, contractual agreements, or both.

Due to the nature of their activities and involvements, some of the most significant of these obligations may arise from electronic crime related provisions of the Criminal Code of the United States, which by virtue of their criminal nature trigger potential organizational compliance program responsibilities under the U.S. Sentencing Commission Organizational Guidelines for government contractors and other covered entities such as 18 U.S. Code § 1028 – Fraud and related activity in connection with identification documents, authentication features, and information; 18 U.S.C. § 1029.  Fraud and Related Activity in Connection with Access Devices; and 18 U.S.C. § 1030.  Fraud and Related Activity in Connection with Computers.

However, government contractors also can face cybersecurity responsibilities, breach notification and other obligations and liabilities under a wide range of other civil laws and regulations.  For instance, FACTA generally requires covered entities that collect or use certain personal financial information to conduct due diligence, monitor the security of records and adopt disposal practices that are reasonable and appropriate to prevent the unauthorized access to – or use of – information in a consumer report.  As implemented by the Federal Trade Commission regulations, entities with covered accounts must develop and implement written identity theft prevention programs designed to help identify, detect, and respond to patterns, practices, or specific activities – known as “red flags” – that could indicate identity theft.

Beyond these federal obligations, government contractors, like other businesses, also typically are exposed to liability under a wide variety of cyber security, cyber breach notification and other obligations and liabilities under state laws, regulations and common law. See, e.g. here.  While the particulars vary based on the state, the nature of the business, where and how the business collects and maintains its data and other factors, the applicable state electronic confidentiality and data security requirements in most states and under some federal laws increasingly include express duties to take steps to protect data, to monitor from breaches and other threats, and/or to notify subjects of the breached data and in some cases, regulators and the public within a short period after a breach happens. Businesses operating in multiple states typically faces exposure under the laws of each jurisdiction where it operates with data impacted by the breach.

Because cyber security events increasingly create business and financial losses, investigation and defense costs, penalties and other liabilities and costs, cyber security breaches and other events also increasingly that fuel shareholder disclosure obligations and shareholder lawsuits.  Indeed, former Securities and Exchange Commission  Chair Mary Jo White in May, 2016 characterized cyber security as the biggest risk facing the financial system   See here.  In response to investor risks from cyber security events, the SEC has required regulated entities to make disclosures about these risks to investors since 2011.      See  CF Disclosure Guidance: Topic No. 2 – Cybersecurity.   Given this guidance, it should come as no surprise that the SEC has imposed substantial fines against entities following a breach.  See  e.g. R.T. Jones reaches settlement with SEC in data breach case;  Morgan Stanley Fined $1 Million for Client Data Breach.

Act To Manage Compliance & Risks

In the face of these added liabilities, federal contractors and grant recipients should act quickly to work with qualified legal counsel within the scope of attorney-client privilege to audit the adequacy of their existing cyber security and cyber breach practices under applicable federal statutes and contracts and other relevant laws and regulations as well as to confirm that adequate breach notification has been made for any existing or past breaches. To the extent that the audit uncovers any potential deficiencies in prior breach notification or other compliance, the federal contractor or grant recipient general will want to seek guidance from legal counsel regarding the advisable steps, if any, to take to mitigate and resolve outstanding liabilities, particularly in light of whistleblower liabilities.  In addition to examining past and current compliance risks, government contractors and grant recipients also will want to explore advisable steps and documentation that will position their organizations to demonstrate their appropriate monitoring and maintenance of ongoing compliance or otherwise strengthen their defenses against potential cyber breaches as well as whistleblower and retaliation claims arising from employees or others seeking to use these exposures as leverage for settlements or claims.  Given the potential magnitude of the liability, businesses generally not only need to take well documented steps properly  to safeguard sensitive electronic sensitive  personal information and systems holding or using it as well as be prepared to promptly provide notice in the event of any breach with the short time contemplated by law.

As part of these efforts, businesses and their leaders will want to ensure their compliance efforts include both adoption of all required formal policies, appropriate credentialing of employees, contractors and others accessing systems or facilities, well documented operational compliance and risk audits, documented risk assessment and response, compliance hotline reporting and investigation, suitable up-the-ladder reporting, and other appropriate procedures to facilitate rapid identification of potential concerns and other operational compliance. 

Effective internal and external workforce credentialing, training, management and oversight are key to the success of these efforts, particularly because cyber breaches and other data threats often leverage internal access created by workforce infiltration, susceptibilities created by social engineering or other opportunities created from lax workforce or contractor compliance with security controls or both.  See, e.g., Insider threat: The human element of cyberrisk.

Effective internal monitoring and reporting protocols also are essential to ensure rapid breach identification, investigation and notification.  These protocols also should be developed and implemented to ensure timely disclosure and management of any breaches within required time frames. 

In recognition of the typically high financial and operational costs of breach investigation, notification and defense, organizations also should weigh the advisability of securing and requiring business partners to secure cyber insurance or other protection to help mitigate these costs in the event of a cyber event.

While the conduct of these assessments inevitably will require the involvement of outside consulting services, business leaders also are cautioned to use care to take appropriate steps to protect these interactions by arranging to engage these services pursuant to attorney-client privilege to help shield sensitive information likely to be uncovered through compliance, risk management or investigation activities.  Likewise, given the short time allowed for breach mitigation and notification, businesses should weigh carefully whether to engage regulatory counsel  to assist with the initial breach notification and mitigation, separate and apart from cyber litigation defense counsel that might be available under applicable cyber insurance policies unless the proposed litigation defense counsel has proven cyber and other regulatory knowledge, experience and qualifications handling breach mitigation and notification events.

More Information

We hope this update is helpful. For more information about or assistance with these or other workforce, internal controls and compliance or other legal, management or public policy developments, please contact the author Cynthia Marcotte Stamer via e-mail or via telephone at (214) 452 -8297.  

Solutions Law Press, Inc. invites you receive future updates by registering on our Solutions Law Press, Inc. Website and participating and contributing to the discussions in our Solutions Law Press, Inc. LinkedIn SLP Health Care Risk Management & Operations GroupHR & Benefits Update Compliance Group, and/or Coalition for Responsible Health Care Policy.  

About the Author

Recognized by her peers as a Martindale-Hubble “AV-Preeminent” (Top 1%) and “Top Rated Lawyer” with special recognition LexisNexis® Martindale-Hubbell® as “LEGAL LEADER™ Texas Top Rated Lawyer” in Health Care Law and Labor and Employment Law; as among the “Best Lawyers In Dallas” for her work in the fields of “Labor & Employment,” “Tax: ERISA & Employee Benefits,” “Health Care” and “Business and Commercial Law” by D Magazine, Cynthia Marcotte Stamer is a practicing attorney board certified in labor and employment law by the Texas Board of Legal Specialization and management consultant, author, public policy advocate and lecturer widely known for 30+ years of health industry and other management work, public policy leadership and advocacy, coaching, teachings, and publications. As a significant part of her work, Ms. Stamer has worked extensively on pandemic, business and other crisis planning, preparedness and response for more than 30 years.

Scribe for the ABA JCEB Annual Agency Meeting with HHS-OCR, Vice Chair of the ABA International Section Life Sciences Committee, past Chair of the ABA Health Law Section Managed Care & Insurance Interest Group and the ABA RPTE Employee Benefits & Other Compensation Group, Ms. Stamer is most widely recognized for her decades of pragmatic, leading edge work, scholarship and thought leadership on health and other privacy and data security and other health industry legal, public policy and operational concerns.  Ms. Stamer’s work throughout her 30 plus year career has focused heavily on working with health care and managed care, health and other employee benefit plan, insurance and financial services and other public and private organizations and their technology, data, and other service providers and advisors domestically and internationally with legal and operational compliance and risk management, performance and workforce management, regulatory and public policy and other legal and operational concerns.  As a part of this work, she has continuously and extensively worked with domestic and international health plans, their sponsors, fiduciaries, administrators, and insurers; managed care and insurance organizations; hospitals, health care systems, clinics, skilled nursing, long term care, rehabilitation and other health care providers and facilities; medical staff, accreditation, peer review and quality committees and organizations; billing, utilization management, management services organizations, group purchasing organizations; pharmaceutical, pharmacy, and prescription benefit management and organizations; consultants; investors; EHR, claims, payroll and other technology, billing and reimbursement and other services and product vendors; products and solutions consultants and developers; investors; managed care organizations, self-insured health and other employee benefit plans, their sponsors, fiduciaries, administrators and service providers, insurers and other payers, health industry advocacy and other service providers and groups and other health and managed care industry clients as well as federal and state legislative, regulatory, investigatory and enforcement bodies and agencies.  

This  involvement encompasses helping health care systems and organizations, group and individual health care providers, health plans and insurers, health IT, life sciences and other health industry clients prevent, investigate, manage and resolve  sexual assault, abuse, harassment and other organizational, provider and employee misconduct and other performance and behavior; manage Section 1557, Civil Rights Act and other discrimination and accommodation, and other regulatory, contractual and other compliance; vendors and suppliers; contracting and other terms of participation, medical billing, reimbursement, claims administration and coordination, Medicare, Medicaid, CHIP, Medicare/Medicaid Advantage, ERISA and other payers and other provider-payer relations, contracting, compliance and enforcement; Form 990 and other nonprofit and tax-exemption; fundraising, investors, joint venture, and other business partners; quality and other performance measurement, management, discipline and reporting; physician and other workforce recruiting, performance management, peer review and other investigations and discipline, wage and hour, payroll, gain-sharing and other pay-for performance and other compensation, training, outsourcing and other human resources and workforce matters; board, medical staff and other governance; strategic planning, process and quality improvement; meaningful use, EHR, HIPAA and other technology,  data security and breach and other health IT and data; STARK, ant kickback, insurance, and other fraud prevention, investigation, defense and enforcement; audits, investigations, and enforcement actions; trade secrets and other intellectual property; crisis preparedness and response; internal, government and third-party licensure, credentialing, accreditation, HCQIA and other peer review and quality reporting, audits, investigations, enforcement and defense; patient relations and care;  internal controls and regulatory compliance; payer-provider, provider-provider, vendor, patient, governmental and community relations; facilities, practice, products and other sales, mergers, acquisitions and other business and commercial transactions; government procurement and contracting; grants; tax-exemption and not-for-profit; privacy and data security; training; risk and change management; regulatory affairs and public policy; process, product and service improvement, development and innovation, and other legal and operational compliance and risk management, government and regulatory affairs and operations concerns. to establish, administer and defend workforce and staffing, quality, and other compliance, risk management and operational practices, policies and actions; comply with requirements; investigate and respond to Board of Medicine, Health, Nursing, Pharmacy, Chiropractic, and other licensing agencies, Department of Aging & Disability, FDA, Drug Enforcement Agency, OCR Privacy and Civil Rights, Department of Labor, IRS, HHS, DOD, FTC, SEC, CDC and other public health, Department of Justice and state attorneys’ general and other federal and state agencies; JCHO and other accreditation and quality organizations; private litigation and other federal and state health care industry actions: regulatory and public policy advocacy; training and discipline; enforcement;  and other strategic and operational concerns.  

Author of “Privacy and the Pandemic Workshop” for the Association of State and Territorial Health Plans, as well as a multitude of other health industry matters, workforce and health care change and crisis management and other highly regarded publications and presentations, the American Bar Association (ABA) International Section Life Sciences Committee Vice Chair, a Scribe for the ABA Joint Committee on Employee Benefits (JCEB) Annual OCR Agency Meeting and a former Council Representative, Past Chair of the ABA Managed Care & Insurance Interest Group, former Vice President and Executive Director of the North Texas Health Care Compliance Professionals Association, past Board President of Richardson Development Center (now Warren Center) for Children Early Childhood Intervention Agency, past North Texas United Way Long Range Planning Committee Member, and past Board Member and Compliance Chair of the National Kidney Foundation of North Texas, and a Fellow in the American College of Employee Benefit Counsel, the American Bar Foundation and the Texas Bar Foundation, Ms. Stamer also shares her extensive publications and thought leadership as well as leadership involvement in a broad range of other professional and civic organizations. For more information about Ms. Stamer or her health industry and other experience and involvements, see www.cynthiastamer.com or contact Ms. Stamer via telephone at (214) 452-8297 or via e-mail here.  

About Solutions Law Press, Inc.™

Solutions Law Press, Inc.™ provides human resources and employee benefit and other business risk management, legal compliance, management effectiveness and other coaching, tools and other resources, training and education on leadership, governance, human resources, employee benefits, data security and privacy, insurance, health care and other key compliance, risk management, internal controls and operational concerns. If you find this of interest, you also be interested reviewing some of our other Solutions Law Press, Inc.™ resources available here.  

IMPORTANT NOTICE ABOUT THIS COMMUNICATION

If you or someone else you know would like to receive future updates about developments on these and other concerns, please be sure that we have your current contact information including your preferred e-mail by creating your profile here.

NOTICE:   These statements and materials are for general informational and purposes only. They do not establish an attorney-client relationship, are not legal advice or an offer or commitment to provide legal advice, and do not serve as a substitute for legal advice. Readers are urged to engage competent legal counsel for consultation and representation in light of the specific facts and circumstances presented in their unique circumstance at any particular time. No comment or statement in this publication is to be construed as legal advice or an admission. The author and Solutions Law Press, Inc.™ reserve the right to qualify or retract any of these statements at any time. Likewise, the content is not tailored to any particular situation and does not necessarily address all relevant issues. Because the law is rapidly evolving and rapidly evolving rules makes it highly likely that subsequent developments could impact the currency and completeness of this discussion. The author and Solutions Law Press, Inc.™ disclaim, and have no responsibility to provide any update or otherwise notify anyone any such change, limitation, or other condition that might affect the suitability of reliance upon these materials or information otherwise conveyed in connection with this program. Readers may not rely upon, are solely responsible for, and assume the risk and all liabilities resulting from their use of this publication.  Readers acknowledge and agree to the conditions of this Notice as a condition of their access of this publication.  Circular 230 Compliance. The following disclaimer is included to ensure that we comply with U.S. Treasury Department Regulations. Any statements contained herein are not intended or written by the writer to be used, and nothing contained herein can be used by you or any other person, for the purpose of (1) avoiding penalties that may be imposed under federal tax law, or (2) promoting, marketing or recommending to another party any tax-related transaction or matter addressed herein. ©2020 Cynthia Marcotte Stamer. Limited non-exclusive right to republish granted to Solutions Law Press, Inc.™.


ADEA Age Discrimination Ban Applies To All State & Local Government Employers

November 6, 2018

State and local political subdivisions employing fewer than 20 employees should reconfirm the defensibility of their employment policies and practices under the Age Discrimination and Employment Act (ADEA) and the Fair Labor Standards Act (FLSA) and various other laws in light of the unanimous[1] ruling issued this morning by the United State Supreme Court holding that the ADEA applies to all state and local political subdivisions regardless of size.

In its ruling in Mount Lemmon Fire District v. Guido, – U.S. -, 2018 WL 5794639 (November 6, 2018) released this morning, the United States Supreme Court unanimously ruled that the ADEA applies to all state and local subdivisions regardless of the number of employees the political subdivision employs.

The Supreme Court’s ruling arose from an ADEA lawsuit brought by John Guido and Dennis Rankin against a small Arizona fire department, the Mount Lemmon Fire District (District) challenging their layoff by the District. Faced with a budget shortfall, the District laid off Guido and Rankin, who at the time were the District’s two oldest full-time firefighters. Guido and Rankin sued the Fire District, alleging that their termination violated the Age Discrimination in Employment Act of 1967 (ADEA), 81 Stat. 602, as amended, 29 U. S. C. §621 et seq. The Fire District sought dismissal of the suit on the ground that the District was too small to qualify as an “employer” within the ADEA’s compass.

In response to Guido and Rankin’s lawsuit, the District asserted that was not covered by the ADEA  because its employment of fewer than 20 employees rendered it “too small” to qualify as an “employer” as defined by 29  U. S. C. §630(b).  In its ruling against the Fire District this morning, the Supreme Court rejected this numerosity defense, holding instead that the ADEA applies to all political subdivisions regardless of the size of their workforce.

In the unanimous opinion authored by Justice Ginsburg, the Supreme Court pointed out that the ADEA definition of “employer” distinguishes between private sector employers and State and local political subdivisions.  The Supreme Court noted that before 1974, State and local political subdivisions were exempt from the ADEA.  In 1974, however, Congress added a special definition of “employer” for States and political subdivisions to the ADEA and FLSA when it amended the ADEA and FLSA to apply to all State and local government employers regardless of their size.    Thus, since 1974, the ADEA and FLSA definitions of “employer” have read as follows:

“The term ‘employer’ means a person engaged in an industry affecting commerce who has twenty or more employees . . . . The term also means (1) any agent of such a person, and (2) a State or political subdivision of a State . . . .” 29 U. S. C. §630(b); 29 U. S. C. §203(d), (x).

In construing this definition, the Supreme Court weighed whether the phrase “also means” added new categories to the definition of “employer” or merely clarified that States and their political subdivisions are a type of “person” included in §630(b)’s first sentence. While acknowledging that various Courts of Appeals previously have reached differing conclusions concerning the appropriate interpretation, the Supreme Court ruled that the phase “also means” added a new category to the definition of “employer” for purposes of the ADEA.  Accordingly, the Supreme Court rejected the District’s claim that the ADEA definition of “employer” includes the requirement of employment of at least 20 employees applicable to the ADEA’s private sector definition of “employer.  Accordingly, the Supreme Court unanimously ruled that the ADEA applies to all State and local political subdivisions.

In light of the Supreme Court’s ruling, any State or local subdivision that has operated in reliance upon the now discredited interpretations of the ADEA or FLSA definitions of “employer” as applicable only to State or local governmental entities employing at least 20 employees immediately should take all necessary corrective action to bring their policies into compliance with the ADEA and FLSA.  These governmental entities also should seek the advice of qualified legal counsel about the advisability of taking any retrospective action to self-correct any potential past deficiencies in compliance, if any, for which the entity might bear potential liability to the extent that the applicable state of limitations has not run on those claims.

[1] Justice Kavanaugh did not join in the opinion as he took no part in the consideration or decision of the case.

About the Author

Recognized by her peers as a Martindale-Hubble “AV-Preeminent” (Top 1%) and “Top Rated Lawyer” with special recognition LexisNexis® Martindale-Hubbell® as “LEGAL LEADER™ Texas Top Rated Lawyer” in Health Care Law and Labor and Employment Law; as among the “Best Lawyers In Dallas” for her work in the fields of “Labor & Employment,” “Tax: ERISA & Employee Benefits,” “Health Care” and “Business and Commercial Law” by D Magazine, Cynthia Marcotte Stamer is a practicing attorney board certified in labor and employment law by the Texas Board of Legal Specialization and management consultant, author, public policy advocate and lecturer widely known for 30+ years of management focused employment, employee benefit and insurance, workforce and other management work, public policy leadership and advocacy, coaching, teachings, and publications.

Highly valued for her rare ability to find pragmatic client-centric solutions by combining her detailed legal and operational knowledge and experience with her talent for creative problem-solving, Ms. Stamer’s clients include employers and other workforce management organizations; employer, union, association, government and other insured and self-insured health and other employee benefit plan sponsors, benefit plans, fiduciaries, administrators, and other plan vendors;   domestic and international public and private health care, education and other community service and care organizations; managed care organizations; insurers, third-party administrative services organizations and other payer organizations;  and other private and government organizations and their management leaders.

Throughout her 30 plus year career, Ms. Stamer has continuously worked with these and other management clients to design, implement, document, administer and defend hiring, performance management, compensation, promotion, demotion, discipline, reduction in force and other workforce, employee benefit, insurance and risk management, health and safety, and other programs, products and solutions, and practices; establish and administer compliance and risk management policies; comply with requirements, investigate and respond to government, accreditation and quality organizations, regulatory and contractual audits, private litigation and other federal and state reviews, investigations and enforcement actions; evaluate and influence legislative and regulatory reforms and other regulatory and public policy advocacy; prepare and present training and discipline;  handle workforce and related change management associated with mergers, acquisitions, reductions in force, re-engineering, and other change management; and a host of other workforce related concerns. Ms. Stamer’s experience in these matters includes supporting these organizations and their leaders on both a real-time, “on demand” basis with crisis preparedness, intervention and response as well as consulting and representing clients on ongoing compliance and risk management; plan and program design; vendor and employee credentialing, selection, contracting, performance management and other dealings; strategic planning; policy, program, product and services development and innovation; mergers, acquisitions, bankruptcy and other crisis and change management; management, and other opportunities and challenges arising in the course of workforce and other operations management to improve performance while managing workforce, compensation and benefits and other legal and operational liability and performance.

Past Chair of the ABA Managed Care & Insurance Interest Group and, a Fellow in the American College of Employee Benefit Counsel, the American Bar Foundation and the Texas Bar Foundation, heavily involved in health benefit, health care, health, financial and other information technology, data and related process and systems development, policy and operations throughout her career, and scribe of the ABA JCEB annual Office of Civil Rights agency meeting, Ms. Stamer also is widely recognized for her extensive work and leadership on leading edge health care and benefit policy and operational issues. She regularly helps employer and other health benefit plan sponsors and vendors, health industry, insurers, health IT, life sciences and other health and insurance industry clients design, document and enforce plans, practices, policies, systems and solutions; manage regulatory, contractual and other legal and operational compliance; vendors and suppliers; deal with Medicare, Medicaid, CHIP, Medicare/Medicaid Advantage, ERISA, state insurance law and other private payer rules and requirements; contracting; licensing; terms of participation; medical billing, reimbursement, claims administration and coordination, and other provider-payer relations; reporting and disclosure, government investigations and enforcement, privacy and data security; and other compliance and enforcement; Form 990 and other nonprofit and tax-exemption; fundraising, investors, joint venture, and other business partners; quality and other performance measurement, management, discipline and reporting; physician and other workforce recruiting, performance management, peer review and other investigations and discipline, wage and hour, payroll, gain-sharing and other pay-for performance and other compensation, training, outsourcing and other human resources and workforce matters; board, medical staff and other governance; strategic planning, process and quality improvement; HIPAA administrative simplification, meaningful use, EMR, HIPAA and other technology, data security and breach and other health IT and data; STARK, antikickback, insurance, and other fraud prevention, investigation, defense and enforcement; audits, investigations, and enforcement actions; trade secrets and other intellectual property; crisis preparedness and response; internal, government and third-party licensure, credentialing, accreditation, HCQIA, HEDIS and other peer review and quality reporting, audits, investigations, enforcement and defense; patient relations and care; internal controls and regulatory compliance; payer-provider, provider-provider, vendor, patient, governmental and community relations; facilities, practice, products and other sales, mergers, acquisitions and other business and commercial transactions; government procurement and contracting; grants; tax-exemption and not-for-profit; 1557 and other Civil Rights; privacy and data security; training; risk and change management; regulatory affairs and public policy; process, product and service improvement, development and innovation, and other legal and operational compliance and risk management, government and regulatory affairs and operations concerns.

A former lead consultant to the Government of Bolivia on its Pension Privatization Project with extensive domestic and international public policy concerns in pensions, healthcare, workforce, immigration, tax, education and other areas, Ms. Stamer has been extensively involved in U.S. federal, state and local health care and other legislative and regulatory reform impacting these concerns throughout her career. Her public policy and regulatory affairs experience encompasses advising and representing domestic and multinational private sector health, insurance, employee benefit, employer, staffing and other outsourced service providers, and other clients in dealings with Congress, state legislatures, and federal, state and local regulators and government entities, as well as providing advice and input to U.S. and foreign government leaders on these and other policy concerns.

Author of leading works on a multitude of labor and employment, compensation and benefits, internal controls and compliance, and risk management matters and a Fellow in the American College of Employee Benefit Counsel, the American Bar Foundation and the Texas Bar Foundation, Ms. Stamer also shares her thought leadership, experience and advocacy on these and other related concerns by her service in the leadership of the Solutions Law Press, Inc. Coalition for Responsible Health Policy, its PROJECT COPE: Coalition on Patient Empowerment, and a broad range of other professional and civic organizations including North Texas Healthcare Compliance Association, a founding Board Member and past President of the Alliance for Healthcare Excellence, past Board Member and Board Compliance Committee Chair for the National Kidney Foundation of North Texas; former Board President of the early childhood development intervention agency, The Richardson Development Center for Children (now Warren Center For Children); current Vice Chair of the ABA Tort & Insurance Practice Section Employee Benefits Committee, current Vice Chair of Policy for the Life Sciences Committee of the ABA International Section, Past Chair of the ABA Health Law Section Managed Care & Insurance Section, a current Defined Contribution Plan Committee Co-Chair, former Group Chair and Co-Chair of the ABA RPTE Section Employee Benefits Group, past Representative and chair of various committees of ABA Joint Committee on Employee Benefits; an ABA Health Law Coordinating Council representative, former Coordinator and a Vice-Chair of the Gulf Coast TEGE Council TE Division, past Chair of the Dallas Bar Association Employee Benefits & Executive Compensation Committee, a former member of the Board of Directors of the Southwest Benefits Association and others.

For more information about Ms. Stamer or her health industry and other experience and involvements, see here or contact Ms. Stamer via telephone at (214) 452-8297 or via e-mail here.

About Solutions Law Press, Inc.™

Solutions Law Press, Inc.™ provides human resources and employee benefit and other business risk management, legal compliance, management effectiveness and other coaching, tools and other resources, training and education on leadership, governance, human resources, employee benefits, data security and privacy, insurance, health care and other key compliance, risk management, internal controls and operational concerns. If you find this of interest, you also be interested reviewing some of our other Solutions Law Press, Inc.™ resources here such as the following:

If you or someone else you know would like to receive future updates about developments on these and other concerns, please be sure that we have your current contact information including your preferred e-mail by creating your profile here.

NOTICE: These statements and materials are for general informational and purposes only. They do not establish an attorney-client relationship, are not legal advice or an offer or commitment to provide legal advice, and do not serve as a substitute for legal advice. Readers are urged to engage competent legal counsel for consultation and representation in light of the specific facts and circumstances presented in their unique circumstance at any particular time. No comment or statement in this publication is to be construed as legal advise or an admission. The author reserves the right to qualify or retract any of these statements at any time. Likewise, the content is not tailored to any particular situation and does not necessarily address all relevant issues. Because the law is rapidly evolving and rapidly evolving rules makes it highly likely that subsequent developments could impact the currency and completeness of this discussion. The presenter and the program sponsor disclaim, and have no responsibility to provide any update or otherwise notify any participant of any such change, limitation, or other condition that might affect the suitability of reliance upon these materials or information otherwise conveyed in connection with this program. Readers may not rely upon, are solely responsible for, and assume the risk and all liabilities resulting from their use of this publication.

Circular 230 Compliance. The following disclaimer is included to ensure that we comply with U.S. Treasury Department Regulations. Any statements contained herein are not intended or written by the writer to be used, and nothing contained herein can be used by you or any other person, for the purpose of (1) avoiding penalties that may be imposed under federal tax law, or (2) promoting, marketing or recommending to another party any tax-related transaction or matter addressed herein.

©2018 Cynthia Marcotte Stamer. Non-exclusive right to republish granted to Solutions Law Press, Inc.™ For information about republication or the topic of this article, please contact the author directly. All other rights reserved.


DOL Spending Reports Required As Taxpayer Tool Need Improvement

January 24, 2018

Department of Labor (DOL) and other agencies’ spending reports posted at USASpending.gov to comply withthe Digital Accountability and Transparency Act of 2014 (DATA Act) are intended to help taxpayers, government leaders and others monitor and evaluate agency spending. However a new report from the DOL Office of Inspector General (OIG) found data reporting and other issues have compromised the reliability of the data reported in DOL reports posed on USASpending.gov.

The Data Act requires federal agencies to report spending data in accordance with new government-wide data standards developed by the Office of Management and Budget (OMB) and the Department of Treasury (Treasury).  The data reports are posted on  so taxpayers and policy makers understand how the Department is spending its funds. The Act requires federal agencies to report spending data in accordance with new government-wide data standards developed by the Office of Management and Budget (OMB) and the Department of Treasury (Treasury). The Act also requires the Inspectors General of each federal agency to conduct a review of the agency’s DATA Act compliance every two years and report on the completeness, timeliness, accuracy, and quality of the agency’s data.

The new report reports OIG’s findings from a performance audit OIG performed to assess: (1) the completeness, timeliness, accuracy, and quality of data submitted by the Department; and (2) the Department’s implementation and use of the Government-wide data standards established by OMB and Treasury for the Fiscal Year 2017 second quarter. While OIG found DOL effectively implemented and used the Government-wide data standards established by OMB and Treasury to prepare the reports and timely submitted the DATA Act required reports, it found numerous issues with the overall quality of the spending data it submitted for publication on USAspending.gov. Among other things, OIG reports that DOL:

  • Did not report all the required data elements for 19 percent of the transactions sampled. OIG found 77% of these errors occurred because the Department did not include Unique Record Identifiers for transactions when it was required to. This could cause issues when linking financial data with grant data on USAspending.gov.
  • 74% of the transactions sampled contained an error in one or more data elements. OIG reports many of these errors resulted from issues in the Treasury’s DATA Act broker data extraction process.
  • Excluding those errors, 52% of the transactions sampled contained inaccurate information.
  • In addition to errors uncovered from OIG’s sampling audit, DOL also reported inaccurate program activity and object class codes for 5 and 7 percent of transactions, respectively, in its File B submission.

OIG attributes these errors in accuracy and completeness occurred because of data entry mistakes, data extraction issues, and weak data validation processes and concluded that these control deficiencies will have a negative impact on the quality of the data DOL reports until corrected.

Based on these findings, OIG  has made eight recommendations to DOL’s Principal Deputy Chief Financial Officer to improve the quality of the data the DOL reports to USAspending.gov in the future and to strengthen internal controls over its data management processes.

While OIG reports DOL has concurred with these recommendations and has stated it has implemented additional controls, resulting in fewer errors with each submission, taxpayers and others using past reports need to consider the reported deficiencies in their evaluation and use of the data as well as assess the validity of future reported data for possible issues for future assessments.  Even considering these issues, however, taxpayers and government leaders should consider  consulting the data when investigating or evaluating DOL or other program activities or expenditures for policy, enforcement priority or other purposes.

About The Author

A Fellow in the American College of Employee Benefit Counsel, the American Bar Foundation and the Texas Bar Foundation; Former Chair of the RPTE Employee Benefits and Compensation Committee, a current Co-Chair of the Committee, and the former Chair of its Welfare Benefit and its Defined Compensation Plan Committees and former RPTE Joint Committee on Employee Benefits Council (JCEB) Representative, Cynthia Marcotte Stamer is a Martindale-Hubble “AV-Preeminent” practicing attorney and management consultant, author, public policy advocate, author and lecturer repeatedly recognized for her 30 plus years’ of work and pragmatic thought leadership, publications and training on health, pension and other employee benefit,  insurance, labor and employment, and health care  fiduciary responsibility, payment, investment, contracting  and other design, administration and compliance concerns as among the “Top Rated Labor & Employment Lawyers in Texas,” a “Legal Leader,” a “Top Woman Lawyer” and with other awards by LexisNexis® Martindale-Hubbell®; as among the “Best Lawyers In Dallas” for her work in the field of “Labor & Employment,” “Tax: ERISA & Employee Benefits,” “Health Care” and “Business and Commercial Law” by D Magazine, in International Who’s Who of Professionals and with numerous other awards and distinctions.

Highly valued for her ability to meld her extensive legal and industry knowledge and experience with her talents as an insightful innovator and pragmatic problem solver, Ms. Stamer advises, represents and defends employer, union, multi-employer, association and other employee benefit plan sponsors, insurers and managed care organizations, fiduciaries, plan administrators, technology and other service providers, government and community leaders and others about health and other employee benefit and insurance program and policy design and innovation, funding, documentation, administration, communication, data security and use, contracting, plan, public and regulatory reforms and enforcement, and other risk management, compliance and operations matters. Her experience encompasses leading and supporting the development and defense of innovative new policies, programs, practices and solutions; advising and representing clients on routine plan establishment, plan documentation and contract drafting and review, administration, change and other compliance and operations; crisis prevention and response, compliance and risk management audits and investigations, enforcement actions and other dealings with the US Congress, Departments of Labor, Treasury, Health & Human Services, Federal Trade Commission, Justice, Securities and Exchange Commission, Education and other federal agencies, state legislatures, attorneys general, insurance, labor, worker’s compensation, and other agencies and regulators, and various other foreign and domestic governmental bodies and agencies. She also provides strategic and other supports clients in defending litigation as lead strategy counsel, special counsel and as an expert witness. Alongside her extensive legal and operational experience, Ms. Stamer also is recognized for her work as a public and regulatory policy advocate and community leader with a gift for finding pragmatic solutions and helping to forge the common ground necessary to build consensus. Best known for her domestic public policy and community leadership on health care and insurance reform, Ms. Stamer’s lifelong public policy and community service involvement includes service as a lead consultant to the Government of Bolivia on its pension privatization project, as well as extensive legislative and regulatory reform, advocacy and input workforce, worker classification, employee benefit, public health and healthcare, social security and other disability and aging in place, education, migration reforms domestically and internationally throughout her adult life. In addition to her public and regulatory policy involvement, Ms. Stamer also contributes her service and leadership to a professional and civic organizations and efforts including her involvement as the Founder and Executive Director of the Coalition on Responsible Health Policy and its PROJECT COPE; Coalition on Patient Empowerment, a founding Board Member and past President of the Alliance for Healthcare Excellence; Vice Chair of the ABA Tort & Insurance Practice Section Employee Benefits Committee; Vice Chair, Policy for the Life Sciences Committee of the ABA International Section, Past Chair of the ABA Health Law Section Managed Care & Insurance Interest Group; current Fiduciary Responsibility Committee Co-Chair and Membership Committee member of the ABA RPTE Section; former RPTE Employee Benefits and Other Compensation Group Chair, former Chair and Co-Chair of its Welfare Plans Committee, and Defined Contribution Plans Committee; former RPTE Representative to ABA Joint Committee on Employee Benefits Council; former RPTE Representative to the ABA Health Law Coordinating Counsel; former Coordinator and a Vice-Chair of the Gulf Coast TEGE Council TE Division, past Chair of the Dallas Bar Association Employee Benefits & Executive Compensation Committee, former Board Member, Continuing Education Chair and Treasurer of the Southwest Benefits Association; Vice President of the North Texas Healthcare Compliance Professionals Association; past Board Member and Board Compliance Committee Chair for the National Kidney Foundation of North Texas; former Board President of the early childhood development intervention agency, The Richardson Development Center for Children; past Dallas World Affairs Council Board Member, and in leadership of many other professional, civic and community organizations. Ms. Stamer also is a highly popular lecturer, symposia chair and author, who publishes and speaks extensively on health and managed care industry, human resources, employment and other privacy, data security and other technology, regulatory and operational risk management for the American Bar Association, ALI-ABA, American Health Lawyers, Society of Human Resources Professionals, the Southwest Benefits Association, the Society of Employee Benefits Administrators, the American Law Institute, Lexis-Nexis, Atlantic Information Services, The Bureau of National Affairs (BNA), InsuranceThoughtLeaders.com, the Society of Professional Benefits Administrators, Benefits Magazine, Employee Benefit News, Texas CEO Magazine, HealthLeaders, the HCCA, ISSA, HIMSS, Modern Healthcare, Managed Healthcare, Institute of Internal Auditors, Society of CPAs, Business Insurance, Employee Benefits News, World At Work, Benefits Magazine, the Wall Street Journal, the Dallas Morning News, the Dallas Business Journal, the Houston Business Journal, and many other symposia and publications. She also has served as an Editorial Advisory Board Member for human resources, employee benefit and other management focused publications of BNA, HR.com, Employee Benefit News, InsuranceThoughtLeadership.com and many other prominent publications and speaks and conducts training for a broad range of professional organizations and for clients, serves on the faculty and planning committee of many workshops, seminars, and symposia, and on the Advisory Boards of InsuranceThoughtLeadership.com, HR.com, Employee Benefit News, and many other publications.

Beyond these involvements, Ms. Stamer also is active in the leadership of a broad range of other public policy advocacy and other professional and civic organizations and involvements. Through these and other involvements, she helps develop and build solutions, build consensus, garner funding and other resources, manage compliance and other operations, and take other actions to identify promote tangible improvements in health care and other policy and operational areas.

Before founding her current law firm, Cynthia Marcotte Stamer, P.C., Ms. Stamer practiced law as a partner with several prominent national and international law firms for more than 10 years before founding Cynthia Marcotte Stamer, P.C. to practice her unique brand of “Solutions law™” and to devote more time to the pragmatic policy and system reform, community education and innovation, and other health system improvement efforts of her PROJECT COPE: the Coalition on Patient Empowerment initiative.

About Solutions Law Press, Inc.™

Solutions Law Press, Inc.™ provides human resources and employee benefit and other business risk management, legal compliance, management effectiveness and other coaching, tools and other resources, training and education on leadership, governance, human resources, employee benefits, data security and privacy, insurance, health care and other key compliance, risk management, internal controls and operational concerns. If you find this of interest, you also be interested reviewing some of our other Solutions Law Press, Inc.™ resources at SolutionsLawPress.com such as the following:

If you or someone else you know would like to receive future updates about developments on these and other concerns, please provide your current contact information and preferences including your preferred e-mail by creating or updating your profile here.

NOTICE: These statements and materials are for general informational and purposes only. They do not establish an attorney-client relationship, are not legal advice, and do not serve as a substitute for legal advice. Readers are urged to engage competent legal counsel for consultation and representation in light of the specific facts and circumstances presented in their unique circumstance at any particular time. No comment or statement in this publication is to be construed as an admission. The author reserves the right to qualify or retract any of these statements at any time. Likewise, the content is not tailored to any particular situation and does not necessarily address all relevant issues. Because the law is rapidly evolving and rapidly evolving rules makes it highly likely that subsequent developments could impact the currency and completeness of this discussion. The presenter and the program sponsor disclaim, and have no responsibility to provide any update or otherwise notify any participant of any such change, limitation, or other condition that might affect the suitability of reliance upon these materials or information otherwise conveyed in connection with this program. Readers may not rely upon, are solely responsible for, and assume the risk and all liabilities resulting from their use of this publication.

Circular 230 Compliance. The following disclaimer is included to ensure that we comply with U.S. Treasury Department Regulations. Any statements contained herein are not intended or written by the writer to be used, and nothing contained herein can be used by you or any other person, for the purpose of (1) avoiding penalties that may be imposed under federal tax law, or (2) promoting, marketing or recommending to another party any tax-related transaction or matter addressed herein.

©2018 Cynthia Marcotte Stamer. Non-exclusive right to republish granted to Solutions  Law Press, Inc.™   For information about republication, please contact the author directly.  All other rights reserved.