A Burden Lifted – Hiring of Incumbent Workforce By Follow On Contractor – It Is Again Your Decision Who You Hire
“The Federal Government’s procurement interests in economy and efficiency are served when the successor contractor hires the predecessor’s employees.” Or so began the Obama Era Executive Order, “Nondisplacement of Qualified Workers Under Service Contracts,” Executive Order 13495, 74 FR 6103 (Jan. 30, 2009). The order required successor contractors to offer jobs to essentially all the incumbent workforce. But, on Halloween, President Trump signed Executive Order 13897, “Improving Federal Contractor Operations by Revoking Executive Order 13495” Exec. Order No. 13897, 84 FR 59709, 2019 WL 5694266 (October 31, 2019), which revoked the prior order. The old Executive Order required follow-on contractors to offer jobs to many “qualified” service employees when succeeding an incumbent government contractor providing the same or similar services at the same place. The new EO directs the DOL to immediately terminate investigations and compliance actions based on the old order and withdraw rules and accompanying guidance implementing the old order.
Since President Obama signed EO 13495 in January 2009, its requirements, essentially giving a right of first refusal to non-managerial employees of the prior incumbent contractor, received criticism from government contractors. The requirement was seen as unnecessary, since most contractors do hire the incumbent’s employees when a contract changes hands. But in cases where the new contractor feels another employee would be better, the old EO effectively precluded that business decision from being carried out, creating inefficiencies and possibly increasing costs. The DOL investigated and pursued alleged violations with vigor. Ultimately, this administration decided to take steps to address the situation.
The decision is again in the hands of the government contractor. They can decide who best to fill the positions when they take over a contract. We expect contractors to continue to keep most of the incumbent workforce – as was the case before EO 13495. But it is not a requirement now; and our clients in the federal government contracting industry can use their business judgment when deciding issues related to the new workforce when the contract transitions over.
So, what do you need to do? Review solicitations out now and review your new awards to ensure the contracts and proposed contracts do not include language from EO 13495 or the implementing clauses. Take exceptions in appropriate cases and use EO 13897 as the basis for doing so.
Alabama businesses need to take note. A recently enacted law, the Alabama Data Breach Notification Act (No. 2018-396), creates new requirements for “covered entities” who have “sensitive personally identifying information” that is the subject of a “data breach.” A signed version of the act can be found here: Act No. 2018-396. The Act mandates certain security measures for businesses and requires notification if a breach occurs. Failure to comply can result in significant fines, and a violation of the Act is also considered a violation of the Alabama Deceptive Trade Practices Act (Alabama Code Sections 8-19-1, et seq.).
Data breaches can be significant and can have far-reaching effects. In 2015, the U.S. Department of Defense notified more than 20 million former and current government employees that their information was stolen in one of the largest cybercrimes ever carried out against the U.S. Government. As a result, the Office of Personnel Management provided each of the affected individuals with identity theft protection and awarded a $133 million contract for identity theft protection services to pay for that protection. (https://www.opm.gov/news/releases/2015/09/opm-dod-announce-identity-theft-protection-and-credit-monitoring-contract/.) Nearly everyone can recall the 2015 Experian loss of personal data for around 15 million individuals, a loss that included social security numbers. And, the Target data breach involved as many as 70 million Target customers. (https://www.forbes.com/sites/maggiemcgrath/2014/01/10/target-data-breach-spilled-info-on-as-many-as-70-million-customers/#24fbec7ce795). Recently, Saks Fifth Avenue joined the ranks of businesses that have been hacked and whose customers’ information was stolen. (https://www.usatoday.com/story/money/2018/04/01/data-breach-hits-lord-taylors-saks/476838002/). These types of events led Alabama Senator Arthur Orr (R – Decatur) and Alabama Representative Phil Williams (R – Huntsville) to sponsor legislation to help protect the sensitive personally identifying information of Alabama citizens. Senator Orr previously tried to get legislation related to data breach notification through the legislature. (http://www.decaturdaily.com/news/other_news/state_capital/data-breach-bill-goes-to-governor/article_4b4419fe-fa08-5f91-ba42-dda53deac673.html). This year, the Alabama Legislature passed the Alabama Data Breach Notification Act. Governor Ivey signed the bill into law on March 28, 2018.
“Beginning June 1, 2018, private and public entities must establish reasonable data security measures and notify those affected when personal data has been compromised. Any breached entity that determines the compromised information is ‘reasonably likely to cause substantial harm’ must notify those affected as ‘expeditiously as possible’ but no later than 45 days after discovery.” (https://alabamaretail.org/news/alabama-data-breach-notification/).
The requirements of the Alabama Data Breach Notification Act apply to covered entities and to third-party agents. These terms are defined:
(2) COVERED ENTITY. A person, sole proprietorship, partnership, government entity, corporation, nonprofit, trust, estate, cooperative association, or other business entity that acquires or uses sensitive personally identifying information.
(7) THIRD-PARTY AGENT. An entity that has been contracted to maintain, store, process, or is otherwise permitted to access sensitive personally identifying information in connection with providing services to a covered entity.
Alabama Data Breach Notification Act, Act No. 2018-396.
The Act protects “sensitive personally identifying information,” which is an Alabama resident’s first name or first initial and last name, combined with one or more numbers or other data – such as a social security number, bank account number, medical information, or username and email address information.
The Alabama Data Breach Notification Act requires: (1) reasonable security, (2) investigations, and (3) notification under certain circumstances.
Reasonable Security Measures. Covered entities and third parties are required to consider, implement, and maintain certain security measures. The Act contains a list of certain measures that should be considered. But, the statute explains that “[r]easonable security measures [are] security measures practicable for the covered entity to implement and maintain.” Factors like the size of the entity, amount of sensitive information, and cost of implementation of measures are considered when determining what security measures should be undertaken. What constitutes “reasonable security measures” is likely to be the subject of debate in the future.
Good Faith and Prompt Investigation. If a covered entity or third party determines there has been a breach of security in relation to “sensitive personally identifying information,” they have a duty under the Act to conduct a good faith and prompt investigation.
Notification. When there is a data breach, covered entities and third parties must notify affected Alabama residents. Unless an exception in the act applies, they must do so “as expeditiously as possible and without unreasonable delay.” In any event, notification must occur no later than 45 days after the covered entity or third party determines a breach has occurred and is likely to cause substantial harm. The Act sets forth the information required to be provided. Furthermore, if more than 1,000 Alabama residents are affected, the Alabama Attorney General and consumer reporting agencies must be alerted.
Businesses should review the Act and seek guidance from experts to determine appropriate data security measures. While there will be questions when data breaches occur, such as what are “reasonable security measures” and when is a loss “likely to cause substantial harm,” the Alabama Data Breach Notification Act attempts to provide answers – including recommendations concerning appropriate security measures – in addition to setting forth requirements.
Richard Raleigh, a Past President of the Alabama State Bar (2014-2015) and a U.S. Army veteran, is an experienced trial and appellate attorney at Wilmer & Lee, P.A. in Huntsville, Alabama, with a practice concentrated on government contracts law, complex litigation, cybersecurity law, and employment law. He recently served on the Alabama Law Institute’s Restrictive Covenants and Contracts Study Committee, and he serves on the American Law Institute’s Members Consultative Group for Restatement Third, Torts: Liability for Economic Harm. Richard also serves on the Alabama Supreme Court Standing Committee on Alabama Rules of Civil Procedure and the Alabama Judicial Compensation Commission, and he represents Alabama in the American Bar Association House of Delegates. He has a diverse litigation practice, has tried numerous trials in various state and federal courts, and has argued cases before the Fifth and Eleventh U.S. Courts of Appeal, the U.S. Court of Appeals for the Federal Circuit, the Florida 1st District Court of Appeals, and the United States Court of Federal Claims. Richard is admitted to practice in Alabama and Tennessee as well as various federal courts, including the United States Court of Federal Claims, the United States Tax Court, and the United States Supreme Court.