IBM’s motion to dismiss the Army’s nearly $6 million claim for overcharges failed with the Armed Services Board of Contract Appeals. The Army asserted that IBM failed to provide adequate cybersecurity protections, as required by its task order, and that IBM provided and billed for employees who were not qualified for the work. The Army based its claim on a breach of systems IBM had been hired to protect. IBM tried to convince ASBCA that the Army’s claim was time-barred, because it accrued when the breach occurred, more than six years prior. However, the Army argued its claim accrued after it completed its investigation, which suggested IBM’s failure to perform certain cybersecurity tasks contributed to the breach. ASBCA held that more discovery was necessary to determine when the Army’s claim accrued.
The case:
Appellant’s motion to dismiss the government’s claim as time-barred is denied, where further discovery is needed to determine whether the government’s claims accrued on the date its networks were breached, or when its investigation concluded the breaches were the result of the appellant’s alleged failure to perform required IT security services. Additional motions to dismiss are also denied, where the contracting officer’s final decision encompassed the complaint’s allegations that the appellant failed to perform cybersecurity services required under its task order and billed for employees who were not qualified to complete IT security tasks.
IBM Corporation appealed the Army contracting officer’s final decision asserting a government claim for $5,903,353 in alleged overcharges by IBM, based on IBM’s alleged failure to perform the requirements on a task order issued under its IDIQ contract for worldwide IT services. IBM moved for a partial dismissal for lack of jurisdiction, moved for summary judgment on the basis that the government’s claim is time-barred by the six-year statute of limitations, and moved to dismiss the government’s complaint with prejudice for failure to state a claim upon which relief can be granted.
Between 2006 and 2009, DoD identified a total of six malicious intrusions of National Defense University networks, the first two of which occurred while IBM was performing on a task order supporting the university.
The six attacks resulted in the exfiltration of unclassified but sensitive DoD information, including personally identifiable information of NDU students and faculty, expense and budget reports, and documents related to U.S. military technology and technical tradecraft. The attacks degraded NDU’s network and compromised the DoD Non-Classified Internet Protocol Router Network.
In March 2013, the CO issued a demand for payment of $8,998,187, resulting from IBM’s alleged failure to perform and deliver services as required under its task order. The CO alleged that IBM failed to plan, develop, manage, and execute substantial network security IT services and related enterprise architecture management, and that IBM personnel did not have the appropriate subject matter expertise, and were not qualified to execute IT security related tasks. The CO also alleged IBM failed to develop, test, and execute a proper network security incident response plan.
In June 2013, the Defense Contract Audit Agency completed a labor billing analysis identifying 22 individuals that IBM purportedly billed at different labor category rates than those applicable to the actual tasks performed, and some who did not perform the minimum required elements of the task order.
In response to the claim, IBM asserted that it was not contractually liable for security breaches. IBM also argued that its performance was monitored by NDU’s chief information officer and that NDU failed to implement many of IBM’s recommendations for improving network security. Nonetheless, the CO issued a COFD asserting a government claim for $5,903,353. This appeal followed.
In its brief, IBM first moved for a partial dismissal for lack of jurisdiction. IBM argued that the board lacked jurisdiction to hear the government’s allegations that IBM failed to meet the acceptable quality levels established in its contract for network security functions, because those allegations were not within the COFD.
The government argued that the COFD’s reference to IBM’s failure to complete tasks corresponding to three desired functions, which included the network security functions, was sufficient to maintain the board’s jurisdiction regarding its allegation that IBM failed to meet its network security AQLs. The board agreed, noting that the COFD specifically stated that IBM failed to execute substantial network security IT services, and referenced IBM’s responsibility—and subsequent failure—to perform network security tasks. While the language of the government’s complaint was more specific, the board concluded that its allegations relied on the same set of operative facts in the COFD and that it had jurisdiction to consider them.
Next, IBM moved for summary judgment, arguing that the government’s claim is time-barred by the six-year statute of limitations.
IBM argued that the government’s claims accrued more than six years before March 8, 2013, when it issued the demand for payment letter. The government also referred to its March 2013 demand letter as a claim, but argued the claim was within the six-year statute of limitations. The board agreed that the demand letter satisfied the definition of a claim, as it sought payment of a sum certain.
IBM argued that the government’s deficient performance claim accrued at the time of the first network intrusion in January 2006, or, at the latest, by December 2006, when the government discovered the first network intrusion. In response, the government argued that it could not have known of its claim against IBM until it completed an investigation of the network intrusion.
The board held that IBM had not demonstrated the government knew or should have known the facts concerning IBM’s performance at the time it discovered the first network intrusions. IBM established the date of the intrusion and its discovery, and asserted that IBM staff worked alongside NDU employees, but the board found these details insufficient to demonstrate the government knew the basis for its claims at that time. Further, the board found the record did not contain complete details about the scope, nature, and details of the government’s internal investigations, and that there was a genuine dispute regarding which party was responsible for implementing various network security measures. Because the board needed more information to draw conclusions about the government’s knowledge of the network intrusions, and IBM’s alleged failure to prevent the intrusions, the board denied summary judgment with respect to the deficient performance claim.
Separately, IBM also asserted that the government’s labor mischarging claim was time-barred. IBM argued that the latest the claim could have accrued was September 2008, the month when the task order performance needed, and that the government did not assert this claim until March 2015. According to IBM, the March 2013 demand letter did not include a claim for labor mischarging.
In response, the government explained that the primary concern of the labor mischarging claim is that IBM mischarged the government for personnel who did not meet the contractually specified qualifications. The government noted that the March 2013 demand letter stated that its investigation discovered that that IBM personnel did not have the appropriate subject matter expertise and were not qualified to execute the IT security related tasks. The board found this language encompassed the government’s labor mischarging claim.
Alternatively, IBM argued that it was entitled to summary judgment with respect to 18 of the 22 employees encompassed by the claim, because they began worked on the task order before March 2007, and therefore the government would have received their resumes at the time the employees were hired. The board disagreed, finding that IBM had not conclusively demonstrated the date the employees were hired. Similarly, the board found that IBM had not established the dates of specific invoices for which it sough summary judgment.
IBM also sought summary judgment on the portion of the government’s claim alleging it failed to meet the network security acceptable quality levels. According to IBM, an AQL violation occurs only if a relevant deficiency is noted in monthly metric reports, and none were ever reported. In response, the government disputed the veracity of the information contained in the monthly metric reports, which IBM prepared as a deliverable under the task order. The government argued that its investigation revealed that security patches were missing, documentation was lacking, and that information systems were not in compliance with DoD configuration standards at the time when IBM was reporting no deficiencies and policy compliance in its reports. The board held that the government had established a material fact in dispute and denied summary judgment.
Finally, IBM moved to dismiss the government’s complaint for failure to state a claim for breach of contract, arguing that the complaint did not identify any contractual provision specifying that particular tasks may only be performed by a person in a specific labor category. According to IBM, the contract required merely that IBM bill based on labor rates defined by each worker’s labor category, not by the actual tasks performed.
In response, the government explained that the primary concern in its complaint is that IBM mischarged the government for personnel who did not meet the contractually-specified qualifications, not that contractor personnel worked on tasks outside their assigned labor categories. According to the government, it does not matter what task an employee is performing if the government is consistently paying the contractor for a more costly labor category.
The board sided with the government, broadly interpreting the labor mischarging allegations as alleging both that appellant overcharged for tasks performed by certain individuals, and that certain individuals did not perform the minimum required elements of the task order. The board acknowledged that the government’s complaint could have been more specific in terms of identifying alleged violations of contractual terms, but found that the COFD alleged that IBM employees violated the task order by failing to perform tangible work in the area of quality assurance, network security and enterprise architecture as prescribed in the PWS. Further, the COFD alleged that IBM personnel did not have appropriate subject matter expertise, and were not qualified to execute IT security tasks. Taken together, the board found the allegations in the complaint and the COFD were sufficient to state a claim for labor mischarging.
IBM Corporation is represented by David W. Burgett, Brendan M. Lill, and Nicole D. Picard of Hogan Lovells US LLP. The government is represented by Raymond M. Saunders, Army Chief Trial Attorney, and Frank A. March, Trial Attorney.
