In remarks on October 13, 2021, at the Cybersecurity and Infrastructure Security Agency (“CISA”) National Cybersecurity Summit, Acting Assistant Attorney General Brian Boynton fleshed out the Department of Justice’s (“DOJ”) thinking regarding the nature of the cybersecurity failures that are likely targets for potential False Claims Act (“FCA”)1 enforcement under the Civil Cyber-Fraud Initiative (“Initiative”). He was clear that DOJ expects whistleblowers to “play a significant role” in pursuing actions for “knowing” failures and misconduct by contractors and grantees.
DOJ expects this Initiative to focus on federal agencies as “victims” of knowing misrepresentations by contractors or grantees about their cybersecurity practices or failure to abide by requirements in their agreements, grants or licenses.
The remarks identified what are viewed as “at least three common cybersecurity failures” as candidates for FCA enforcement.
First, DOJ appears to believe that there may be knowing2 failures by contractors (and, by extension, their supply chain) and grantees to comply with cybersecurity standards contained in contracts or grants. DOJ’s comments identified potential failures to comply with required standard contract terms3 or with specific agency requirements, such as standards requiring protection of government data. The remarks also identified failure to restrict non-US citizens from accessing certain systems or to avoid using certain components from foreign countries (which might include, for example, failure to properly screen for the sale of certain telecommunications or video surveillance equipment, or for the use of services involving such equipment, that are prohibited under section 889 of the 2019 National Defense Authorization Act).
Second, there appears to be a concern that contractors and grantees may be misrepresenting their security controls and practices. Examples include representations, made in a proposal or during contract performance, about products, services and cybersecurity practices whose inaccuracy may be viewed as a “knowing” violation. Other examples include representations about a system security plan setting forth the controls the company has in place, its processes for monitoring systems for breaches, or its password and access requirements. A contractor or grantee that did not accurately describe these practices may have received an award to which it was not entitled. Such representations also may influence the structure of the agreement and the protections that are included for the government’s benefit.
Third, DOJ suggested in its announcement and in these remarks that there may have been situations where contractors or grantees have knowingly failed to timely report suspected breaches.
The remarks acknowledged that cyber incidents and breaches may occur even when a company has a robust cybersecurity monitoring, detection and reporting system. The tone of the comments, however, suggests that an incident or breach will result in a very hard look at contractor compliance, particularly if there is a view that reporting was not sufficiently prompt. Contractors and grantees will need to be extremely vigilant about compliance and monitoring of their practices and systems.4
It is DOJ’s stated view that significant benefits will accrue from the Initiative. These include the belief that: (i) the federal government’s cybersecurity requirements and compliance will “raise the bar” for industry; (ii) FCA enforcement of government requirements can promote adherence to rules and bolster internal company compliance efforts; (iii) compliance will “ensure a level playing field,” i.e., companies that spend the resources to comply will not be competitively disadvantaged compared to those who do not; (iv) the Initiative supports the work of government experts to “timely identify, create, and publicize patches for vulnerabilities” in products and services that are in widespread use; and (v) taxpayers will be reimbursed for losses that may be incurred in the case of failure to follow requirements.
The potential for substantial recoveries is also an incentive for whistleblowers who will benefit from bringing qui tam actions.
DOJ indicated that it already has set up an internal structure in the Fraud Section to lead this Initiative. And DOJ has created a mechanism for reporting cyber fraud located on the DOJ website describing how to report tips or complaints, or file a whistleblower action. DOJ also is partnering with Inspector General Offices across many federal agencies.
All in all, DOJ expects this Initiative to substantially enhance cybersecurity efforts throughout the government. As described, the Initiative will require increased compliance resources, vigilance and training on the part of contractors, subcontractors and grantees.
2 The FCA defines “knowing” or “knowingly” as a person who has “actual knowledge of information,” or who “acts in deliberate ignorance” or in “reckless disregard” of the “truth or falsity of the information.” 31 USC § 3729(b)(1)(A).
4 At least one recent case has indicated that “sophisticated players” in the industry may be held to a higher standard, in connection with a motion to dismiss an FCA case on the pleadings. United States ex rel. Prose v. Molina Healthcare of Ill., Inc., 10 F.4th 765 (7th Cir. 2021).