In June 2016, the U.S. Supreme Court handed a victory to the federal government and whistleblowers who bring qui tam cases against health care and other businesses under the federal False Claims Act. In its decision in Universal Health Services, Inc., v. United States, the Court rejected the hyper-technical interpretations of that statute being put forth by a wide array of business groups across the health care industry, and validated the “implied certification” theory of liability under the False Claims Act. The ruling will impact on the ability of government contractors to defend against whistleblower lawsuits and to pursue action against whistleblowers who may have acted improperly.
Supreme Court Says “Yes” to Liability in the Absence of Express Certifications
The issue before the court related to whether a government contractor could be liable in the absence of an express certification regarding the truthfulness or accuracy of its government billing. The Supreme Court answered in the affirmative, focusing the liability inquiry on the question of whether the government had been misled into paying money to a company that hid its own conduct while at the same time seeking payments from government-funded programs.
But consider this scenario: An employee believes that he has witnessed improper billing of Medicare (or other improper activities) by his employer, contacts a lawyer, and begins the preparation of a qui tam lawsuit. In connection with the preparation of the lawsuit, the employee removes highly confidential electronic and original documents from the workplace, some of which may even be covered by the Health Insurance Portability and Accountability Act (HIPAA), by downloading electronic files from the company’s secure network. After the qui tam suit is unsealed, the company learns of the theft of information in violation of multiple company policies and documents signed by the employee during the course of employment, all of which prohibit the removal of confidential information and mandate its return upon termination of employment. The employee claims removal of the information is a protected activity because it was done in furtherance of the qui tam suit and/or the public good.
To Counterclaim or Not to Counterclaim?
In deciding whether to bring a counterclaim against a whistleblower for taking company information in violation of its policies and procedures, the company should consider several factors:
First, identify the information the employee copied and/or otherwise removed, and its value to the company. Did the employee take the company’s most protected trade secrets? Courts will examine the nature and scope of such information when assessing whether to permit a claim against a whistleblower to go forward.
Second, determine the method used by the employee (and possible collaborators) to remove the information. Less-legitimate methods, such as breaking into the office outside of business hours or hacking into a system, may add weight to a counterclaim.
Third, review the company’s existing confidentiality and related policies and procedures. Asserting a counterclaim based on clear policies and employment agreements may have the bonus effect of deterring future information theft.
Fourth and finally, review the applicable laws and interpretations of these statutes in your jurisdiction — this may shed light on the possible outcome of a counterclaim.
As a general rule, federal and state law recognize a public policy that protects whistleblowers from retaliation for actions they take in investigating and reporting fraud to the government. That said, courts have recognized that a qui tam defendant “may maintain a claim [against a relator] for independent damages; that is, a claim that is not dependent on a finding that the qui tam defendant is liable.” In this manner, courts attempt to balance the need to protect whistleblowers and uncover fraud against the government against an employer’s legitimate expectation that its confidential information will be protected.
Anti-Hacking Statutes May Support Counterclaims
In 1984, Congress passed the precursor to what is known today as the Computer Fraud and Abuse Act (CFAA). At its inception, this ominous-sounding statute was designed to criminally punish individuals who (a) misused computer technology to obtain national security secrets or personal financial records, or (b) hacked into government computers. Today, however, this little-known anti-hacking statute has become one of the broadest federal criminal laws currently on the books and has been amended to protect against fraud and related activities in connection with access devices and computers, and to provide civil remedies for a statutory breach. Claims based on the CFAA may be brought as a counterclaim against a whistleblower in addition to or instead of claims for breach of contract or trade secret misappropriation.
A significant challenge to asserting a CFAA claim against a qui tam relator, however, is the absence of any uniform interpretation of the statute by the federal courts. For healthcare companies operating on a national platform, this lack of predictability and uniformity in the interpretation of the CFAA may handcuff management, both in adopting uniform policies and procedures that balance the interests of employers and employees, and in pursuing potential counterclaims.
Employee Actions: “Authorized” or “Exceeds Authorized Access?”
With respect to potential violations of the CFAA, a key issue is whether an action by an employee constitutes accessing a computer without authorization or in a manner that exceeds authorized access. Federal courts are split in interpreting this key part of the statute, a state of affairs that may severely weaken the anti-retaliation protections afforded a whistleblower.
The CFAA’s legislative history suggests that Congress anticipated that those who exceed their authority are likely to be corporate insiders, with some rights to the computer, and those who act without authorization are likely to be outsiders with no rights. Recent opinions, however, have blurred the lines between those two basic assumptions.
One set of decisions has imposed liability based on an individual’s wrongful use of information to which the individual otherwise had access. Federal circuits, basing their rulings on contract law and agency law principles, have imposed liability on individuals in situations involving a breach of (a) an employer’s computer-use or other policies, company handbooks, or contractual agreements with an employer, or (b) a duty of loyalty by the individuals. Liability would apply whenever an employee acts in violation of corporate policy, no matter the device or platform used to improperly access information. With this in mind, companies should establish and clearly communicate policies regarding authorized and unauthorized access.
In a more recent trend, federal circuits have taken a stricter view of the CFAA, rejecting the notion that the CFAA is a federal data misappropriation or misuse statute. Instead, these courts have held that if access had been authorized in any way, there can be no liability notwithstanding any improper use of the information. This means that if an employee has access to a medical company or hospital’s computer system as a result of his or her job or position, there is no liability to the employee under this statute even if the employee accesses files that are off limits.
Depending on your point of view, the implications of these differences in approach can be dramatic and potentially draconian for businesses, employees, and vendors. Because the CFAA imposes civil and criminal liability, under the less strict interpretation adopted by federal courts employees located in those jurisdictions may find themselves subject to civil and possibly even criminal penalties for violating their employer’s confidentiality policy. A conviction could also cause such whistleblowers to lose the protections provided under the Sarbanes-Oxley Act, which protects “lawful” activities. In circuits adopting the latter interpretation, however, the CFAA may be far less relevant in civil litigation.
Analyze, Then Act
For most businesses, computer fraud either already has been or will be an issue. New and more innovative threats arise each and every day and the magnitude of the problem must be appreciated by business decision makers and corporate boards.
It is likewise axiomatic that employers who feel aggrieved may demonstrate an increased willingness to vindicate their own rights and obtain the protection that they need. Companies’ options run the gamut from civil claims to criminal prosecution. Taking a stance that is overly aggressive, however, can prove particularly troublesome and costly for an employer.
Since the law does not provide clear guidance regarding the options available to a corporate defendant, before making any decisions with respect to strategy, a company and its advisors need to analyze the law of the particular jurisdiction, the company’s contracts and policies, and the deterrent effect of taking affirmative action.
Please contact your Much Shelist attorney for more information on preventing and responding to qui tam lawsuits and related whistleblower issues.