In October 2021, the U.S. Department of Justice launched the Civil Cyber-Fraud Initiative, leveraging the federal False Claims Act (FCA) to address cybersecurity-related fraud by government contractors. According to the announcement from Deputy Attorney General Lisa O. Monaco, the initiative seeks to “hold accountable entities or individuals that put U.S. information or systems at risk by knowingly providing deficient cybersecurity products or services, knowingly misrepresenting their cybersecurity protocols, or knowingly violating obligations to monitor and report cybersecurity incidents and breaches.” This announcement follows DOJ’s cyber review conducted in response to President Biden’s “Executive Order on Improving the Nation’s Cybersecurity,” issued in May 2021 to strengthen the government’s ability to respond to cybersecurity attacks and improve national cybersecurity.
This initiative represents a significant shift in focus for the DOJ. Historically, the DOJ’s anti-fraud cyber work had focused more on hackers and foreign cyber-security threats that unlawfully access private networks to steal data. Successful prosecution has required cooperation from impacted companies, including government contractors targeted by hackers. The initiative now intensifies scrutiny of these same government contractors in the cybersecurity space by increasing their liability under the FCA if they fail to meet cyber-security contracting requirements. This shift toward greater contractor accountability and liability may affect the collaborative approach that the DOJ has historically relied upon in its pursuit of cyber criminals.
Key Aspects of the Civil Cyber-Fraud Initiative
In a recent address, the DOJ identified at least three common cyber-security failures that are prime candidates for potential False Claims Act enforcement against government contractors through this initiative:
- Knowing failure to comply with contractual cyber-security standards. Government contractors are required to meet contract terms which may include specific measures to protect government data, as well as not subcontracting offshore and limiting system access to certain individuals. If a government contractor is aware of its failure to meet contractual security standards, it can be subject to FCA fines and penalties.
- Intentional misrepresentation of security controls and practices. As part of the procurement process, potential contractors are required to provide detailed information about their products, services and cyber-security practices. For example, a potential contractor may be asked about its protocols for monitoring its system for hacks and breaches, as well as password and access controls. This information is critical to contracting decisions. Therefore, if a company overstates or misrepresents its security practices and controls, government data can be at risk.
- Failure to timely report suspected cyber incidents. Similar to HIPAA breaches, government contractors have a duty to promptly notify their contracting agency of suspected breaches or loss of data. Organizations can be hesitant to disclose suspected events until they complete a full internal investigation which can delay disclosure to government agencies. Such delays can now result in significant monetary penalties.
Whistleblower Exposure
Use of the False Claims Act to address and deter cyber risks and incidents that arise with government contracts also brings to bear the Act’s whistleblower (or “qui tam”) provisions. These provisions allow private parties outside of the government to bring cases on behalf of the government when fraud in federal programs is detected. Whistleblowers with inside information are critical to identifying fraud schemes that might otherwise remain undetected. Exposure to whistleblower actions and reporting increases both financial and reputational risk to organizations with deficient safeguards and practices that fail to address fraud.
What it Means for Government Contractors
This expansion of FCA penalties into cyber-security fraud is a significant development for government contractors. While the DOJ has acknowledged that “cyber incidents and breaches may result even when a contractor has a robust monitoring, detection and reporting system”, the greater penalties contractors now face for failure to report breaches and other omissions put increased pressure on contractors to ensure that their security processes and infrastructure meet the required cybersecurity safeguards.
To avoid unintended FCA exposure, contractors should consider taking the following actions:
- When bidding on a government contract, do not overstate your organization’s current cybersecurity procedures – material misrepresentation of current security protocols and guardrails can subject an organization to adverse outcomes.
- Monitor for and immediately report breaches and suspected breaches as required by contract.
- Review the current security program and protocols for vulnerabilities, assess risk on an ongoing basis, and fully document those efforts.
- Stay fully informed of new risks to data within the control of your organization.
- Through audits and review of downstream contractors, assure that any restrictions on data access and usage remain fully compliant with federal contract mandates.
- Do not allow slippage in the quality of products or services purchased by federal agencies over the term of the contract.
- Develop strong internal fraud teams dedicated to data security that continually monitor system activity and remain current on new or trending cyber risks.
The penalties under the FCA can be debilitating to an organization. The False Claims Act provides for statutory penalties that are adjusted for inflation. Currently, the maximum penalty for each false claim stands at approximately $23,000. However, an enforcement action can entail many false claims, which can drive the total penalty sharply upward. In addition, in cases where the government has actually suffered a loss, an organization can face damages of up to three times the government’s losses. Beyond the financial penalties, the reputational damage to an organization within the health care industry is also a factor.
Conclusion
The intention of these new cyber protections is to reward government contractors who act in good faith to meet contractual requirements and protect government data and to identify and weed out bad actors. With the unabated barrage of cyber-attacks that organizations have faced in recent years, the DOJ investigation and enforcement activities will continue to gain steam. In light of these factors, government contractors, providers, and suppliers should take the steps necessary to ensure that their fraud programs meet government standards for data protection and cyber security to avoid unnecessary DOJ scrutiny related to the protection of government data.