There is a new weapon in the Department of Justice’s (DOJ’s) already powerful False Claims Act (FCA) arsenal. In October 2021, the DOJ announced a new Civil Cyber-Fraud Initiative, under which it will pursue FCA liability against government contractors in the cybersecurity space. According to the announcement from Deputy Attorney General Lisa O. Monaco, the initiative seeks to “hold accountable entities or individuals that put U.S. information or systems at risk by knowingly providing deficient cybersecurity products or services, knowingly misrepresenting their cybersecurity protocols, or knowingly violating obligations to monitor and report cybersecurity incidents and breaches.”
Overview of the Civil Cyber-Fraud Initiative
The Civil Cyber-Fraud Initiative follows several significant cyberattacks, which are only becoming more prevalent. The new initiative is the first formal step DOJ has taken in combatting them by focusing on the preventative cybersecurity efforts of government contractors.
The implications for government contractors and service providers cannot be overstated. In the healthcare space, entities are already subject to a complex web of cybersecurity requirements under HIPAA. But, the Civil Cyber-Fraud Initiative brings a new enforcement dimension to all contractors, with the specter of treble damages and staggering statutory penalties under the FCA.
Under the Civil Cyber-Fraud Initiative, DOJ is likely to initiate more FCA lawsuits against government contractors that it believes are failing to meet their cybersecurity obligations under applicable law or contracts. Moreover, the initiative will likely encourage whistleblowers to be more aggressive in bringing qui tam suits under the FCA when they believe their employers are not honoring their cybersecurity obligations. Indeed, one whistleblower practice group has already put out a call to arms.
DOJ’s commitment to enforcement in this space was recently confirmed in the address of Brian Boynton, the Acting Assistant Attorney General for DOJ’s Civil Division, at the Cybersecurity and Infrastructure Security Agency (CISA) 4th Annual National Cybersecurity Summit. Boynton noted that the FCA enforcement could apply to at least the following three “common cybersecurity failures:”
- Knowing failures to meet cybersecurity standards.
- Knowing misrepresentations of security controls and practices.
- Failing to timely report suspected breaches, which he described as critical for government agencies to respond, remediate any vulnerabilities, and limit the resulting harm.