In a recent press release, Deputy Attorney General Lisa O. Monaco announced the Department of Justice’s (DOJ) new Civil Cyber-Fraud Initiative, which will pursue cybersecurity-related fraud by government contractors and grant recipients through the False Claims Act (FCA).
Broadly speaking, the FCA prohibits submission of false or fraudulent claims to the government. The Civil Cyber-Fraud Initiative will seek to hold accountable individuals or entities that knowingly provide deficient cybersecurity products or services, knowingly misrepresent their cybersecurity practices or protocols, or knowingly violate obligations to monitor and report cybersecurity incidents and breaches.
The FCA includes a whistleblower provision that not only protects whistleblowers, but also allows them to share in any recovery. These provisions are explicitly cited in the DOJ’s press release, likely in the hopes of encouraging whistleblowers to come forward. In addition, relators may also bring civil actions on behalf of the government under the FCA (qui tam suits). The DOJ has already intervened in some of these proceedings, and it may continue doing so through the Civil Cyber-Fraud Initiative.
Contractors who find themselves facing FCA claims may have a number of defenses available. Among other things, violations of the FCA must be “knowing,” which may be a difficult standard to meet where there is room for disagreement on interpretation of a less-than-clear regulation. Violations must also be “material,” a standard the government has failed to meet in at least one prior suit regarding cybersecurity.
Nonetheless, contractors should be careful to comply with requirements for cybersecurity practices and reporting obligations. Such obligations are likely to undergo significant revisions under President Biden’s Executive Order on Improving the Nation’s Cybersecurity, issued May 12, 2021. Among other things, that order requires review and recommendations for updating contract requirements and language for contracting with information and operations technology service providers. Contractors should also be sure to monitor changes to cybersecurity-related contracting requirements.
If you have any questions about what the Civil Cyber-Fraud Initiative may mean for your company, please reach out to your Nixon Peabody privacy and cybersecurity attorney for guidance.