DOJ Will Use False Claims Act to Target Cybersecurity Fraud

On October 6, Deputy Attorney General Lisa Monaco announced the launch of the US Department of Justice’s (DOJ) Civil Cyber-Fraud Initiative. The DOJ will utilize the False Claims Act (FCA) to pursue cybersecurity related fraud by government contractors and grant recipients.

The False Claims Act was enacted during the Civil War to stamp out fraud in the Union Army’s supply chains. A 1986 amendment increased incentives for whistleblowers by allowing them to share in the recovery of any fraudulent funds. Under the amended FCA, a violating entity which submits a fraudulent contract to the government can be forced to pay triple the damages done to the government–with civil penalties as high as $10,000.

The announcement suggests that the DOJ will initiate more FCA lawsuits targeting government contractors that fail to meet their cybersecurity requirements. The DOJ is also likely to support qui tam FCA cases brought forward by whistleblowers. Qui tam actions – a provision of the 1986 FCA amendment – allows individual whistleblowers to bring FCA cases. In fiscal year 2020 the DOJ recovered more than $2.2 billion in FCA cases. The DOJ is hoping whistleblowers will help them uncover unknown fraud and recover their rightful funds.

The Civil Cyber-Fraud Initiative will be led by the Fraud Section of the DOJ Civil Division’s Commercial Litigation Branch. The Initiative will hold accountable those who put federal information and systems at risk by knowingly providing deficient cybersecurity products or services, misrepresenting their cybersecurity practices or protocols, or violating obligations to monitor and report cybersecurity incidents and breaches.

“For too long, companies have chosen silence under the mistaken belief that it is less risky to hide a breach than to bring it forward and to report it,” said Deputy Attorney General Monaco. “Well, that changes today. We are announcing today that we will use our civil enforcement tools to pursue companies, those who are government contractors who receive federal funds, when they fail to follow required cybersecurity standards–because we know that puts all of us at risk.”

In an op-ed published the same day of the Civil Cyber-Fraud Initiative announcement, Deputy Attorney General Monaco called on Congress to enact legislation that would create a national standard for reporting cyber incidents, including ransomware that affects critical infrastructure and supply chains. Her calls have not fallen on deaf ears.

There are several cyber notification bills competing in Congress. The debate around these bills focuses primarily on two areas: reporting times and enforcement mechanisms. Introduced by Senator Mark Warner (D-VA), The Cyber Incident Notification Act of 2021 calls for a 24-hour reporting period and civil fines for companies who fail to properly report cyber incidents. The Cyber Incident Reporting Act of 2021 introduced by Senator Gary Peters (D-MI) calls for a 72-hour reporting period and subpoena power as its enforcement mechanism. In Hill testimony from last month, CISA Director Jen Easterly expressed support for the 24-hour reporting period and criticized subpoena power as “not an agile enough mechanism to allow us to get the information that you need to share it as rapidly as possible to prevent other potential victims.”

U.S. government contractors should continue to implement the Cybersecurity Maturity Model Certification (CMMC) framework and appropriate NIST standards to reduce the risk of FCA liability. Government contractors should review the cybersecurity compliance requirements in their existing contracts with the federal government and approach new contracts with heightened diligence. They would be wise to have strong controls and processes in place for reporting cybersecurity incidents.