Extracted from Law360
Companies that do business with U.S. federal, state and local government entities are no strangers to the plethora of obligations imposed on them by law, policy and contract on a variety of topics ranging from rules related to protecting workers to those protecting the environment. As U.S. government contractors expand beyond doing business with the federal government to contracting with state and local government entities, they are facing an interesting — and intensifying — predicament: How to develop a comprehensive yet straightforward compliance program that facilitates compliance with varying laws in varying jurisdictions. Below we provide some examples of conflicting regulatory requirements and share some best practices for a user-friendly compliance program targeted at complying with different requirements imposed by and among federal, state and local government entities.
The Regulatory Landscape
Over the past year, government contractors continued to encounter an ever-expanding regulatory landscape at the federal, state and local levels. Georgia, for example, enacted a law, effective July 1, 2019, that requires certain consultants that contract with local government entities — e.g., counties, municipalities, school boards, etc. — to, among other things, agree to avoid the appearance of impropriety and to disclose conflicts of interest. Wyoming enacted a law, effective July 1, 2019, providing that the state’s elected officials and each member of the Wyoming legislature must disclose a list of all state entities with which the individual, or a business he/she owns 10% or more of, holds certain contracts. And the governor of Maryland signed a law requiring, by Jan. 1, 2020, the adoption of new nonvisual access procurement standards, consistent with applicable federal standards, with which contractors will need to comply.
Not all state and local laws are consistent with those of the federal government, though, leaving contractors to question how to implement or update their compliance programs in the face of an ever-changing environment. This dilemma is especially pronounced in certain high-risk areas, such as gift giving, political contributions and data protection, where state and local regulation is not just increasing, but at times can be inconsistent with existing federal rules.
Example 1: Rules on Gift Giving
The federal government generally prohibits contractors from providing gifts and hospitality to U.S. government executive branch employees but maintains exceptions. Likewise, at the state and local levels, many jurisdictions prohibit gifts to government officials, subject to enumerated exceptions. Comparing the rules of federal, state and local entities, however, reveals variations, and even inconsistencies, between jurisdictions.
Compare, for example, the general de minimis exception to gift-giving rules. At the federal level, there is an exception to the gift-giving rules for noncash gifts of $20 or less per occasion, not to exceed $50 in a year per contractor. North Carolina and Virginia prohibit gifts to certain government employees by government contractors and do not have a de minimis threshold to the applicable rules. At the local government level, San Francisco forbids its officers and employees from accepting gifts from contractors with the officers’ or employees’ department, with limited exceptions such as for “non-cash gifts worth $25 or less, up to 4 times per year.” And New York City generally prohibits gifts by contractors to city employees of $50 or more in the aggregate in a 12-month period.
Given the varying thresholds and exceptions to gift-giving rules, contractors routinely struggle with implementing easy-to-understand gift-giving policies for their employees. A contractor that adopts a one-size-fits-all approach — e.g., a $50-per-occasion meal limit for all public officials — is taking a calculated risk of noncompliance in any jurisdiction whose threshold is lower than the company-wide one.
Example 2: Rules on Political Contributions
Another area that government contractors must monitor continually is the set of rules surrounding political contributions — also known as pay-to-play rules. At the federal level, contractors are generally prohibited from making contributions to candidates for federal office, political parties and political committees.
In contrast, at the state and local government levels, contractors operate in a regulatory minefield. This is in part because state and local governments are continually proposing and passing laws and orders that restrict or ban government contractors and their owners, officers and even certain employees from making political contributions.
For instance, the District of Columbia passed a law, effective Nov. 4, 2020, prohibiting contractors holding or seeking contracts valued at $250,000 or more, and their senior officers, from contributing to “prohibited recipients,” i.e., certain government officials who oversee a procurement the contractor will bid on, during a “prohibited period.”
Another example is Montana where, in June 2018, the governor signed an executive order requiring contractors under covered contracts to disclose certain political contributions and expenditures to, among other things, prevent the concealment of improper political contributions.
And in March 2019, the New York State Senate approved a bill that, if passed by the state Assembly and signed into law, bans contractors bidding on a procurement during a specific time frame from making political contributions to candidates for, officers of or with authority over, state entities involved in the procurement.
Adding to the complexity of designing a meaningful compliance infrastructure that properly informs employees of the various pay-to-play rules is that these laws vary widely, including in: (1) the contractors and individuals covered by the laws; (2) the types of contributions covered; (3) whether affirmative action, e.g., reporting, disclosure or certification, is required of the contractor; and (4) whether there is an outright ban.
Example 3: Rules on Data Protection
Data protection and information security continue to occupy a spot in the forefront of the minds of most government contractors and are yet another critical area of compliance where requirements tend to vary across jurisdictions. There was a boom in cybersecurity-related legislation in 2018 with, according to one source, over 20 states enacting over 50 bills related to cybersecurity.
At the federal, state and local levels, the extent to which contractors must take steps to protect data and information systems depends on a host of factors, including: the data at issue; where the data resides — on the contractor’s systems or on the government’s systems; the type of goods or services provided to the government entity; and the specific government entity with which the contractor is contracting.
Federal government contractors typically must protect their information systems using the 15 “basic safeguarding requirements and procedures” of FAR 52.204-21 when such systems store, process or transmit federal contract information. If the contractor is working for the U.S. Department of Defense and is selling products or services other than those that are solely commercial off-the-shelf items, then under DFARS 252.204-7012 the contractor may be required to implement the 110 security requirements of National Institute of Standards and Technology Special Publication 800-171 to protect contractor information systems that process, store or transmit covered defense information, to report cyber incidents affecting that information to DoD within 72 hours of discovery, and to flow these obligations down to subcontractors that handle such information. Taking it a step further, if a contractor has access to classified information, then an additional set of information security requirements applies, including those in the National Industrial Security Program Operating Manual.
At the state and local levels, states are likewise requiring contractors to comply with data protection and information security requirements. Connecticut requires state contractors receiving “confidential information” from the state to “[i]mplement and maintain a comprehensive data-security program for the protection of confidential information.” Utah requires contractors providing information technology products and services through the state’s Department of Technology Services and receiving “state data” to comply with an extensive list of data protection requirements, including obligations related to network security, data storage and data encryption. And New York City requires its contractors and vendors to follow its Citywide Cybersecurity Policies and Standards.
Overlaying these government-contract-specific requirements, and adding to the complexity of compliance, are laws applicable to certain categories of data and companies regardless of their government-contractor status. Federal laws such as the Health Insurance Portability and Accountability Act, the Family Educational Rights and Privacy Act and the Gramm-Leach-Bliley Act of 1999 contain rules relating to data protection and information security. And states are passing similar legislation. A recent example is the passage of the California Consumer Privacy Act of 2018, which is viewed by many as one of the toughest data privacy laws in the United States. Compliance with the CCPA will be required beginning Jan. 1, 2020, and many companies are working to understand how the CCPA’s requirements differ from the current regulatory framework in which they operate.
Establishing a Holistic Compliance Program
So what is a contractor to do when it contracts with federal, state and local government entities and is required to comply with varying and perhaps inconsistent requirements? Below are some best practices to consider when designing a holistic compliance program that spans doing business with all U.S. government entities.
Don’t Forget State and Local Government Contracting
When it comes to the development or enhancement of a government contracts compliance program, some companies forget state and local government contracting altogether. This is a trap for the unwary. The potential consequences for failing to comply with state and local government requirements — contract termination, criminal and civil liability, and exclusion from government contracting — are just as severe as those for failing to comply with federal government requirements.
Always Start by Assessing the Risk
One of the first steps a contractor should take in developing any compliance program is to assess its risk profile, including by looking at the following factors:
- The contractor’s volume of government contracting
- The contractor’s offerings — e.g., commercial versus noncommercial, products versus services, classified versus unclassified
- The number of government entities with which the contractor does business
- The contractor’s practices for pursuing new work — e.g., use of third parties
- The contractor’s approach to state and local government contracting — e.g., treatment similar to federal government contracts versus treatment similar to commercial contracts
This will enable the contractor to develop a compliance program that is specifically tailored to mitigating its specific, identified risks.
Tailor Your Compliance Program to the Identified Risk
Once a contractor understands its risk areas, it should consider whether to: (1) implement specific policies, procedures and training for each jurisdiction in which it does business; (2) implement a single set of policies, procedures and training applicable to all government business; or (3) take a hybrid approach, implementing a single set of policies, procedures and training and then creating supplements tailored to high-risk jurisdictions.
Take, for example, the gift-giving risks associated with selling to federal, state and local government entities. As noted above, the rules on gift giving vary by jurisdiction. Should a contractor have different internal policies and guidelines for each jurisdiction? Ban gift giving altogether? Or take some hybrid approach?
The answer here, in our view, is that it depends: It depends on, among other things, the number of jurisdictions the contractor does business in, the level of risk that employees will engage in improper gift giving, and what is practically feasible for the business.
If a contractor only does business in one or two states, it may be best to have state-specific policies and procedures. That approach, however, likely will not work for a contractor that contracts with the federal government and all 50 states, or for a contractor with a large sales and business development team that interacts heavily with public officials. For that contractor, it may be prudent to ban gifts altogether or to come up with a hybrid approach that includes rigorous training and strict preapproval guidelines for the sales and business development teams.
Get Buy-In and Don’t Operate in a Vacuum
Contractors often have high hopes of implementing a state-of-the-art compliance program. But their hopes can be quickly dashed when the stakeholders needed to implement the program are unavailable or unwilling to commit the time, effort or other resources required for implementation. To avoid this scenario, it is necessary to get buy-in at the early stages of compliance-program development from not just legal or compliance, but also the business leaders responsible for federal, state and local government contracting. Buy-in will help ensure that the compliance program is not only tailored to the risks of the organization but also that it is tailored to business realities. This, in turn, will help the contractor avoid implementation issues down the road.
Developing a compliance program covering the risks associated with U.S. federal, state and local government contracting can be daunting, particularly in light of varying requirements applicable to contractors. Understanding that nuances exist and designing a program that embraces, and not ignores, those nuances can go a long way toward mitigating the inherent risks associated with government contracting.
Notes
Act of Apr. 17, 2019, Act 26 (H.B. 315), 2019 Reg. Sess. (Ga.).
Act of Mar. 15, 2019, ch. 202, 2019 Wyo. Sess. Laws 603.
Act of May 15, 2018, ch. 631, 2018 Md. Laws 3244.
See 5 C.F.R. § 2635.204(a).
See N.C. Gen. Stat. § 133-32 (applicability extended by State of North Carolina, Executive Order No. 24, Regarding Gifts to State Employees, Oct. 1, 2009); Commonwealth of Virginia Department of General Services, Vendors Manual: A Vendor’s Guide on How to Do Business with the Commonwealth of Virginia, July 2018, https://dgs.virginia.gov/globalassets/business-units/dps/documents/vendorsmanual/vendors-manual-as-of-12-01-15.pdf.
Ethics Commission, City and County of San Francisco, Summary of Gift Rules, Feb. 2015, https://sfethics.org/ethics/2013/01/summary-of-gift-rules-march-2013.html; see also San Francisco Campaign and Governmental Conduct Code § 3.216; Ethics Commission, City and County of San Francisco, Regulations Related to Conflicts of Interest § 3.216(b)-5, Jan. 2014.
New York City Charter, Chapter 68 § 2604(b)(5); The Rules of New York City, Title 53 § 1-01(a).
52 U.S.C. § 30119(a).
D.C. Code §§ 1-1161.01, 1-1163.34a.
State of Montana, Office of the Governor, Executive Order No. 15-2018, Executive Order Requiring Disclosure of Dark Money Spending for Entities Doing Business with the State of Montana, Jun. 8, 2018.
State of New York, S. 3167, 2019-2020 Reg. Sess.
The National Conference of State Legislatures, Cybersecurity Legislation 2018, Feb. 8, 2019, http://www.ncsl.org/research/telecommunications-and-information-technology/cybersecurity-legislation-2018.aspx.
FAR 52.204-21.
DFARS 252.204-7012.
FAR 52.204-2.
Conn. Gen. Stat. § 4e-70(b)(2).
Utah Division of Purchasing and General Services, Attachment A, State of Utah Standard Information Technology Terms and Conditions, Rev. May 13, 2019, https://purchasing.utah.gov/forms/.
City of New York, Department of Information Technology & Telecommunications, Cybersecurity Requirements for Vendors & Contractors, https://www1.nyc.gov/site/doitt/business/it-security-requirements-vendors-contractors.page.