October 07, 2021
Heightened Cyber False Claims Risk: New DOJ Approach to US Government Contractor and Federal Grantee Cybersecurity Enforcement
On October 6, 2021, the US Department of Justice (DOJ) announced a new initiative to address cyber-fraud and that focuses on government contractors. Specifically, DOJ has launched a “Civil Cyber-Fraud Initiative” (Initiative), which will combine DOJ’s “expertise in civil fraud enforcement, government procurement and cybersecurity to combat new and emerging cyber threats to the security of sensitive information and critical systems.” The Initiative will impact US government contractors and participants in similar agreements, e.g., Other Transactions, as well as grant recipients across the country.
What Happened and Why
DOJ formed the Civil Cyber-Fraud Initiative to address a concern that contractors may be failing to give required notice of cyber breaches. Based on its press release announcing the Initiative, DOJ appears to be of the view that some companies are electing to remain silent regarding known breaches even though the incidents should be reported according to the contract terms.
The Civil Cyber-Fraud Initiative will utilize the civil False Claims Act (FCA) to pursue cybersecurity-related fraud by government contractors and grant recipients. The FCA is the government’s primary civil tool to redress false claims for federal funds and property involving government programs and operations. The FCA permits the government to obtain treble damages and penalties for “knowingly” submitting false claims for payment. The statutory definition of “knowingly” includes deliberate ignorance and reckless disregard. The FCA also includes a whistleblower provision that allows private parties (known as “relators”) to pursue fraudulent conduct and to share in any recovery.
DOJ stated that the Initiative “will hold accountable entities or individuals that put U.S. information or systems at risk by knowingly providing deficient cybersecurity products or services, knowingly misrepresenting their cybersecurity practices or protocols, or knowingly violating obligations to monitor and report cybersecurity incidents and breaches.”
What to Expect
Many government contracts include clauses that require contractors to provide prompt notice of any cybersecurity breach. For example, DoD contracts that require contractors or subcontractors to safeguard covered defense information contain DFARS 252.204-7012. That clause requires a contractor (or subcontractor) to report a cyber incident within 72 hours of discovery. This timing may require the company to report an incident before the full extent of the breach has been determined.
DOJ emphasized that it expects the Initiative to, among other things, “hold[] contractors and grantees to their commitments to protect government information and infrastructure”; “ensure[] that companies that follow the rules and invest in meeting cybersecurity requirements are not at a competitive disadvantage”; and “support[] government experts’ efforts to timely identify, create and publicize patches for vulnerabilities in commonly-used information technology products and services.” The heightened scrutiny of US government contractor cybersecurity indicates that DOJ will allocate greater resources to identifying and pursuing FCA actions with regard to cybersecurity products and practices. The increased attention also may draw additional interest from the counsel who represent relators.
For additional information or to discuss what the Initiative means for you, please contact Marcia G. Madsen, David F. Dowd or David A. Simon.
What Happened and Why
DOJ formed the Civil Cyber-Fraud Initiative to address a concern that contractors may be failing to give required notice of cyber breaches. Based on its press release announcing the Initiative, DOJ appears to be of the view that some companies are electing to remain silent regarding known breaches even though the incidents should be reported according to the contract terms.
The Civil Cyber-Fraud Initiative will utilize the civil False Claims Act (FCA) to pursue cybersecurity-related fraud by government contractors and grant recipients. The FCA is the government’s primary civil tool to redress false claims for federal funds and property involving government programs and operations. The FCA permits the government to obtain treble damages and penalties for “knowingly” submitting false claims for payment. The statutory definition of “knowingly” includes deliberate ignorance and reckless disregard. The FCA also includes a whistleblower provision that allows private parties (known as “relators”) to pursue fraudulent conduct and to share in any recovery.
DOJ stated that the Initiative “will hold accountable entities or individuals that put U.S. information or systems at risk by knowingly providing deficient cybersecurity products or services, knowingly misrepresenting their cybersecurity practices or protocols, or knowingly violating obligations to monitor and report cybersecurity incidents and breaches.”
What to Expect
Many government contracts include clauses that require contractors to provide prompt notice of any cybersecurity breach. For example, DoD contracts that require contractors or subcontractors to safeguard covered defense information contain DFARS 252.204-7012. That clause requires a contractor (or subcontractor) to report a cyber incident within 72 hours of discovery. This timing may require the company to report an incident before the full extent of the breach has been determined.
DOJ emphasized that it expects the Initiative to, among other things, “hold[] contractors and grantees to their commitments to protect government information and infrastructure”; “ensure[] that companies that follow the rules and invest in meeting cybersecurity requirements are not at a competitive disadvantage”; and “support[] government experts’ efforts to timely identify, create and publicize patches for vulnerabilities in commonly-used information technology products and services.” The heightened scrutiny of US government contractor cybersecurity indicates that DOJ will allocate greater resources to identifying and pursuing FCA actions with regard to cybersecurity products and practices. The increased attention also may draw additional interest from the counsel who represent relators.
For additional information or to discuss what the Initiative means for you, please contact Marcia G. Madsen, David F. Dowd or David A. Simon.
Stay Up To Date With Our Insights
See how we use a multidisciplinary, integrated approach to meet our clients' needs.
Subscribe