On October 6, 2021, Deputy Attorney General Lisa O. Monaco announced a new Civil Cyber-Fraud Initiative through which the Department of Justice (“DOJ”) will use the False Claims Act (“FCA”) as a tool to enforce the cybersecurity standards required of federal contractors and grant recipients. Specifically, the DOJ can now target companies and individuals that allegedly misrepresent their cybersecurity practices or protocols to win a federal contract or grant, or that knowingly submit claims to the government for payment while in violation of regulatory or contractual cybersecurity requirements.
Additionally, the Biden administration has signaled that it views national cybersecurity as an important enforcement priority. In May 2021, President Biden signed an Executive Order on Improving the Nation’s Cybersecurity, stating that “the Federal Government must bring to bear the full scope of its authorities and resources to protect and secure its computer systems.” That same month, Deputy AG Monaco ordered a comprehensive cyber review “aimed at developing actionable recommendations to enhance and expand the Justice Department’s efforts against cyber threats.” The Civil Cyber-Fraud Initiative arose from that review.
FCA and Cybersecurity Liability
A contractor faces potential FCA liability for falsely certifying that it complied with a legal or contractual obligation—even where it provided goods or services in accordance with the contract—if it can be shown that the noncompliance is material to the government’s decision whether to pay the claim. The Supreme Court has recognized that false certifications may be express or implied: “the implied false certification theory can be a basis for liability . . . when the defendant submits a claim for payment that makes specific representations about the goods or services provided, but knowingly fails to disclose the defendant’s noncompliance with a statutory, regulatory, or contractual requirement.” Some courts have specifically found that an alleged false certification of compliance with cybersecurity protocols required to do business with the government may form the basis for FCA liability.
In an October 13, 2021 speech at the Cybersecurity and Infrastructure Security Agency’s National Cybersecurity Summit, Brian Boynton, Acting Assistant Attorney General for the DOJ Civil Division, gave the following rationale for using the FCA framework to enforce cybersecurity requirements against federal contractors:
Importantly, [the Civil Cyber-Fraud Initiative] will focus on cases where federal agencies are victims. When companies that do business with the government knowingly make misrepresentations about their own cybersecurity practices, or when they fail to abide by cybersecurity requirements in their contracts, grants or licenses, the government does not get what it bargained for. Even more significantly, when false assurances are made to the government, sensitive government information and systems may be put at risk without the government even knowing it.
Boynton described three types of knowing misconduct by federal contractors as “prime candidates” for FCA enforcement under the new initiative:
- Noncompliance with cybersecurity standards required as a condition for payment under the contract (e.g., measures to protect governmental data or prohibitions on using components made in restricted foreign countries);
- Misrepresentation of security controls or practices to secure a government contract; and
- Failure to timely report suspected cybersecurity breaches or incidents.
Boynton stated that the DOJ had secured additional resources, including the appointment of a supervisor within the DOJ’s Civil Fraud Section to oversee the initiative. He promoted a new tool on the DOJ website with instructions on how to report cybersecurity complaints via a hotline or how to seek legal counsel to file a whistleblower lawsuit. He also said that the DOJ had partnered with the offices of inspector general of numerous federal agencies to “promote information sharing and technical expertise, generate referrals for investigations, and multiply the number of experienced federal agents and attorneys dedicated to combatting knowing cybersecurity failures.”
The FCA continues to be an effective tool for enforcing the cybersecurity standards required of federal contractors. Last month, Verizon Business Network Services agreed to pay $4,091,317 to resolve FCA allegations that it failed to satisfy certain cybersecurity controls in connection with services provided to federal agencies. A recently unsealed case against Penn State alleges noncompliance with the cybersecurity requirements of the Defense Federal Acquisition Regulation Supplement (“DFARS”). That case is pending in the Eastern District of Pennsylvania (United States ex rel. Matthew Decker v. Pennsylvania State University, 22-cv-03895-PD).
Hoyer Law Group is proud to represent and advocate for whistleblowers. Please contact us for a confidential evaluation if you have questions about a potential case.