Background on the Supreme Court’s SuperValu Decision
The FCA is the federal government’s primary vehicle for enforcing fraud claims related to government contracts and penalizing false or fraudulent claims for payment to the government. The scope of potential liability is sweeping, encompassing any entity that does business, directly or indirectly, with the government. Moreover, the statute provides for treble damages and includes a qui tam provision that allows private whistleblower plaintiffs (called “relators”) to sue on behalf of the government and share in any recovery, providing a significant financial incentive for private parties to allege FCA violations.
The government or a relator can establish an FCA violation by proving, among other things, that the defendant submitted or caused the submission of a false or fraudulent claim for payment to the government, or made a false certification of compliance with a material legal requirement. They must also prove that the defendant did so knowingly—which the statute defines as actual knowledge, reckless disregard, or deliberate ignorance. 31 U.S.C. § 3729(b)(1). False certification theories of FCA liability are arguably the most perilous for government contractors because they create FCA risk where an entity doing business with the government certifies—expressly or impliedly—that it has complied with some material legal, regulatory, or contractual requirement while allegedly violating that requirement. As any entity doing business with the government understands, those requirements are myriad, and many are ambiguous and lack concrete guidance from the government about their meaning.
Until the recent SuperValu decision, FCA defendants had a potentially powerful legal defense to FCA claims related to ambiguous legal obligations. In recent years, courts had increasingly relied on Safeco Insurance Co. of America v. Burr, 551 U.S. 47 (2007), to grant summary judgment in favor of defendants or otherwise reject FCA claims in false certification cases under the following three-prong test: 1) the regulatory or legal requirement at issue was ambiguous; 2) the defendant’s interpretation of that requirement was objectively reasonable; and 3) there was no authoritative guidance warning the defendant away from that interpretation. Safeco interpreted the scienter requirement under the Fair Credit Reporting Act (FCRA), not the FCA, but numerous federal district courts and several circuit courts of appeals applied Safeco in the FCA context, including the Seventh Circuit in United States ex rel. Schutte v. SuperValu Inc., 9 F.4th 455 (7th Cir. 2021), and United States ex rel. Proctor v. Safeway, Inc., 30 F.4th 649 (7th Cir. 2022), which the Supreme Court consolidated and vacated in No. 21-1326 (2023).
On appeal, the Supreme Court rejected the application of Safeco to the FCA, holding that “[t]he FCA’s scienter element refers to [the defendant’s] knowledge and subjective beliefs—not to what an objectively reasonable person may have known or believed.” No. 21-1326, slip op. at 8 (emphasis added). The Court described the FCA’s scienter standard as focusing on what a defendant “thought and believed” at the time it submitted the claims or certifications at issue. Id. at 10. Ambiguous terms “do[] not preclude [FCA defendants] from having learned their correct meaning,” which would give the defendant knowledge that the “objectively reasonable” interpretation was wrong. Id. at 12. The Court also distinguished Safeco by emphasizing the textual differences between the FCA and the FCRA. Id. at 13.
As discussed in detail below, this decision will have significant adverse consequences for government contractors and subcontractors who are subject to ambiguous legal requirements, many of which the Court failed to grapple with or expressly declined to address. For one thing, the Court focused on the fact that ambiguity “by itself” does not preclude scienter, effectively ignoring the third prong of the Safeco test, which requires an analysis of whether the defendant was “warned away” from its proposed interpretation of the requirement at issue. The example the Court gave to support its decision illustrates why its focus on ambiguity alone is not faithful to the actual holding in Safeco: the opinion describes “a hypothetical driver who sees a road sign that says ‘Drive Only Reasonable Speeds,’” and who “was informed earlier in the day by a police officer that speeds over 50 mph are unreasonable.” Id. at 12. The opinion insists that this driver should not escape liability for driving well above that speed because some other driver may have interpreted that ambiguous road sign differently. Id. But under Safeco, the driver in the Court’s hypothetical would have failed the third prong of the test, having been warned against that “objectively reasonable” but incorrect interpretation of the sign. The Court in fact offered no example of a situation in which the “warned away” standard would be insufficient to hold accountable a defendant who ignored definitive guidance about how to interpret an ambiguous standard.
The opinion also expressly declines to address policy arguments about the practical ramifications of its holding for regulated entities and government programs, as raised in the briefing by the parties and various amici, such as regulators’ introduction of purposeful ambiguity to maximize enforcement flexibility and government refusal to respond to requests for clarity from regulated entities. For instance, in an amicus brief that O’Melveny authored, two major health care member organizations offered a slew of real-world examples of their members asking regulators for clarity about ambiguous regulations and being ignored or told that the regulator could not provide advice on that topic. See Brief of the American Hospital Association and America’s Health Insurance Plans as Amici Curiae, No. 21-1326, pp. 15-16. The Court refused to engage with those arguments at all in its opinion. No. 21-1326, slip op. at 17 (“Nor do we need to address any of the parties’ policy arguments, which cannot supersede the clear statutory text.”) (internal quotation and citation omitted). The Court’s insistence that the statutory text is so clear that it need not even address the other implications of its decision is perplexing because the opinion conflicts with a decade of lower court precedent: prior to this decision, Safeco had been almost uniformly considered a viable summary judgment defense to FCA liability, including by every federal circuit court of appeals to address the question. See Resp’t’s Br. in Opp’n, No. 21-1326, at 15-17.
FCA Risks of Ambiguous Cybersecurity Requirements in Government Contracts
The SuperValu decision is particularly consequential for contractors subject to cybersecurity requirements given increased focus on that area by DOJ and the relators’ bar in light of high-profile cybersecurity breaches in recent years. Indeed, DOJ’s Civil Cyber-Fraud Initiative, announced in October 2021, highlights a new priority for FCA enforcement: holding accountable under the FCA organizations that put U.S. information or systems at risk by “knowingly providing deficient cybersecurity products or services, knowingly misrepresenting their cybersecurity practices or protocols, or knowingly violating obligations to monitor and report cybersecurity incidents and breaches.” Some of the relevant cybersecurity standards, however, are unclear or lack significant implementing guidance, and therefore confer ambiguous obligations on federal contractors—yielding potential FCA risk that Safeco can no longer be used to combat.
To illustrate the complexity of this landscape for entities subject to cybersecurity requirements: most federal contracts and agencies cite National Institute of Standards and Technology (NIST) publications as the governing standards. Although NIST standards provide guidelines for cybersecurity policies, those standards can be both vague and broad—sometimes purposefully so. The cybersecurity landscape is dynamic, with new threats and vulnerabilities emerging regularly, and NIST standards are therefore written broadly to adapt to those new threats. But the ambiguity that is meant to provide flexibility also offers an opportunity for FCA relators or the government to assert that a contractor has misinterpreted the standards and therefore falsely certified compliance with them in violation of the FCA. For example, take the requirements for finding and fixing security vulnerabilities in a contractor’s systems. NIST SP 800-171, requirement 3.11.2 (Risk Assessment), states that an organization should scan for vulnerabilities in organizational systems and applications “periodically” and when new vulnerabilities affecting those systems and applications are identified. This requirement emphasizes the importance of conducting vulnerability scans, but does not provide explicit instructions on how organizations should implement vulnerability scans or what “periodically” means. The companion requirements are no more concrete: 3.11.3 directs organizations to remediate vulnerabilities “in accordance with risk assessments,” and 3.14.1 (System and Information Integrity) directs them to identify, report, and correct system flaws “in a timely manner,” without defining “timely.” As a result, organizations are left to interpret for themselves what best practices and procedures are for scanning and patching their systems. One organization could prioritize and deploy patches immediately upon release, while another may take a more phased approach that considers the compatibility of each patch with its existing systems. If the organization that took the phased approach were hit with a security breach traceable to the delay in implementing a patch, could that organization be subject to FCA claims that it falsely certified compliance with these NIST requirements?
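The practical consequence of the ambiguity described above is that a contractor has to pick concrete numbers for “periodically” and “timely” before it can evaluate its own records, and which numbers it picks determines whether the same records look compliant or not. The following is an added example, not code from the original article or from NIST, of a small check that encodes two such interpretations (the “immediate” and “phased” approaches contrasted above) and evaluates scan and patch records against each. All thresholds, dates and identifiers (the `EX-` finding ids, the `Interpretation` and `Finding` types) are constructed assumptions for illustration, not values drawn from any standard or case.

```python
"""Added example, not from the original article: turn a contractor's written
interpretation of NIST SP 800-171 3.11.2 ("scan periodically") and 3.14.1
("correct flaws in a timely manner") into concrete numbers and evaluate scan
and patch records against them. Every threshold, record and identifier here
is a constructed assumption for illustration."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional


@dataclass(frozen=True)
class Interpretation:
    """The contractor's documented reading of the ambiguous terms (assumed values)."""
    name: str
    max_scan_interval_days: int   # our definition of "periodically"
    patch_deadline_days: dict     # our definition of "timely", per severity


# Two of the readings the article contrasts: patch at once vs. a phased rollout.
IMMEDIATE = Interpretation("immediate", 7, {"critical": 1, "high": 7, "medium": 30})
PHASED = Interpretation("phased", 30, {"critical": 14, "high": 30, "medium": 90})


@dataclass(frozen=True)
class Finding:
    ident: str                   # constructed tracker id, not a real CVE
    severity: str
    disclosed: date              # when the vulnerability became known to us
    remediated: Optional[date]   # None if still open


def scan_gaps(scan_dates, interp, as_of):
    """Intervals between consecutive scans (and from the last scan to as_of)
    longer than the documented maximum, each as (start_iso, end_iso, days)."""
    points = sorted(scan_dates) + [as_of]
    return [(a.isoformat(), b.isoformat(), (b - a).days)
            for a, b in zip(points, points[1:])
            if (b - a).days > interp.max_scan_interval_days]


def overdue_findings(findings, interp, as_of):
    """Findings fixed after their deadline, or still open past it, each as
    (ident, days_late, still_open). Unknown severities get the strictest deadline."""
    strictest = min(interp.patch_deadline_days.values())
    late = []
    for f in findings:
        allowed = interp.patch_deadline_days.get(f.severity, strictest)
        deadline = f.disclosed + timedelta(days=allowed)
        done = f.remediated or as_of      # open findings are measured to as_of
        if done > deadline:
            late.append((f.ident, (done - deadline).days, f.remediated is None))
    return late


def compliance_report(scan_dates, findings, interp, as_of):
    """A non-privileged record of which interpretation was applied and what it found."""
    return {
        "interpretation": interp.name,
        "as_of": as_of.isoformat(),
        "scan_gaps": scan_gaps(scan_dates, interp, as_of),
        "overdue": overdue_findings(findings, interp, as_of),
    }


# Constructed sample records for one system (not real data).
SCANS = [date(2023, 1, 3), date(2023, 2, 1), date(2023, 3, 20), date(2023, 4, 10)]
FINDINGS = [
    Finding("EX-1", "critical", date(2023, 2, 5), date(2023, 2, 12)),
    Finding("EX-2", "high", date(2023, 3, 1), date(2023, 4, 15)),
    Finding("EX-3", "medium", date(2023, 1, 10), None),
]
AS_OF = date(2023, 5, 1)

if __name__ == "__main__":
    for interp in (PHASED, IMMEDIATE):
        print(compliance_report(SCANS, FINDINGS, interp, AS_OF))
```

Run against the same sample records, the phased interpretation reports one scan gap and two overdue findings, while the immediate interpretation reports four scan gaps and three overdue findings. Nothing about the records changed; only the chosen meaning of “periodically” and “timely” did, which is the point a relator will press. The report deliberately names the interpretation it applied so that the output can serve as the kind of contemporaneous, non-privileged record of a good-faith reading discussed later in this article.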
That sort of false certification theory, which seizes on differing interpretations of contracting requirements to subject a federal contractor to expensive FCA litigation and legal risk, is already a common feature of FCA cases—and we expect the deployment of such theories against contractors in the cybersecurity space to increase in light of both the Civil Cyber-Fraud Initiative and the SuperValu decision. There is already precedent for this: in March 2023, DOJ settled a case against Jelly Bean Communications Design LLC (Jelly Bean) addressing a similar issue. According to DOJ, Jelly Bean knowingly failed to properly maintain, patch, and update the software systems behind websites that were used to enroll children in Florida’s Medicaid program. After a hack that apparently affected half a million applications to the program, DOJ investigated Jelly Bean’s administration of the websites and concluded that the company violated the FCA by failing to apply proper security protocols to its applications to safeguard applicants’ personal information. The DOJ press release announcing the settlement concluded with a reference to the Civil Cyber-Fraud Initiative and a public link for information about “how to report cyber fraud.”
Potential Consequences of SuperValu for Contractors Faced with Ambiguous Federal Requirements
It is difficult to overstate the ramifications of the SuperValu decision for government contractors and subcontractors who are obligated to comply with ambiguous regulatory or contractual requirements, including cybersecurity requirements. Most importantly, the decision guts a valuable summary judgment defense for companies facing FCA suits based on alleged false certifications of compliance with ambiguous regulations. Because the Safeco defense turned largely on questions of law (the ambiguity of a requirement and whether the defendant’s interpretation was objectively reasonable) and a relatively narrow question of fact (whether the defendant was warned away from that interpretation), it offered FCA defendants an opportunity to prevail at summary judgment and avoid the risk inherent in trying an FCA case to verdict with treble damages on the table. But in light of SuperValu’s holding that subjective intent is always relevant, it will be relatively easier for relators or the government to show a dispute of material fact over whether a defendant subjectively believed its interpretation of the requirement, and thus to defeat a summary judgment motion on knowledge. For instance, a small number of internal emails questioning the propriety of a defendant’s interpretation of an unclear regulation could be enough for an FCA suit to survive summary judgment, even if there is ample other evidence of the defendant’s belief in its interpretation, because the court may hold that those emails create a dispute of material fact that a jury should decide. As the SuperValu respondents and amici pointed out, this result creates a serious practical conundrum for contractors: interpreting ambiguous requirements often requires analysis and debate, but the very process that leads to a good-faith interpretation of an ambiguous requirement for compliance purposes may also create unfavorable evidence for an FCA knowledge defense.
Moreover, where an FCA defendant’s lawyers had previously weighed in on an interpretive question, the defendant may feel pressure to waive privilege in order to defend against allegations that it did not honestly believe the regulatory interpretation it implemented. In the wake of SuperValu, companies that do business with the government will need to give careful thought to how they memorialize and justify their interpretations of ambiguous legal or regulatory obligations through non-privileged records. They will also have to weigh carefully the relative risk and reward of seeking clarifying guidance on an ambiguous requirement from the relevant regulatory agency.
The SuperValu holding will likely also embolden the relators’ bar because it creates every incentive for relators to bring FCA suits based on novel legal theories about ambiguous requirements, knowing that defendants no longer have Safeco at their disposal for summary judgment. Private relators and their counsel are not subject to the same concerns that may constrain the government from pursuing untested or unworkable regulatory interpretations, such as program integrity or enforcement priorities, and thus can pursue these cases without concern for how an outcome in their favor will affect the proper operation of the underlying government programs. With the increasing FCA focus on cybersecurity actions, we predict future FCA litigation that requires interpreting ambiguous cybersecurity requirements as cases of first impression—a troubling prospect for defendants with treble damages at stake.
Fortunately, FCA defendants still have another, much more favorable Supreme Court decision at their disposal for summary judgment in appropriate cases: Universal Health Services, Inc. v. United States ex rel. Escobar, which applied a “demanding” materiality standard to FCA cases that looks to the likely or actual effect of the alleged violations on the government’s payment decision. 579 U.S. 176, 194 (2016). Despite some inconsistent decisions from district courts interpreting this standard, the Escobar materiality defense has gained traction as a useful summary judgment argument over the past seven years, and we can expect the elimination of Safeco as an FCA defense to put even more weight on Escobar as the most significant pre-trial legal defense for many defendants. Contractors who can no longer rely on Safeco as an FCA defense may consider preemptively building support for an Escobar materiality defense by disclosing to regulators, in detail, how they plan to interpret and implement ambiguous regulatory requirements: under Escobar, continued government payment despite “actual knowledge that certain requirements were violated . . . is strong evidence that the requirements are not material[.]” Id. at 195. Although such disclosures require careful drafting to truly bolster a future materiality defense, and involve weighing various business and legal risks, strategic disclosures can be a powerful defense tool where a contractor recognizes that an unclear legal requirement raises FCA risk. Moreover, once FCA complaints that have been initiated as a result of the Civil Cyber-Fraud Initiative reach the litigation stage, we expect those defendants to take significant discovery of the agencies that implement and regulate government contractors in that space, because what the government understood about both individual and industry practice can be critical evidence in support of an FCA materiality defense.