On October 6, 2021, Deputy Attorney General Lisa O. Monaco announced the launch of the Department of Justice’s Civil Cyber-Fraud Initiative. The Department plans to use civil enforcement tools to “pursue…those who are government contractors who receive federal funds, when they fail to follow required cybersecurity standards.” Stating the Department will pursue “very hefty fines,” this initiative will combine the Department’s roles in civil fraud enforcement, government procurement, and cybersecurity to combat new and emerging cyber threats to the security of sensitive information and critical systems.
- Government Contractors Should Expect Increased False Claims Act Risk.
The Department states it will use the False Claims Act to pursue cybersecurity related fraud by government contractors and grant recipients. It expects to focus on three groups of entities: (a) those that knowingly provide deficient cybersecurity products or services; (b) those that knowingly misrepresent their cybersecurity practices or protocols; and (c) those that knowingly violate obligations to monitor and report cybersecurity incidents and breaches.
This announcement comes on the heels of the Department of Defense’s Cybersecurity Maturity Model Certification which requires contractors to, among other things, attest to certain levels of cybersecurity compliance. It also comes as the Biden Administration has already ordered the development of cybersecurity standards for government contractors and Congress is considering new reporting requirements for cybersecurity incidents and ransomware payments by companies providing critical infrastructure. These factors all combine to increase the risk that government contractors will be forced to defend against False Claims Act allegations.
- The Department of Justice Is Already Seeking Whistleblowers Which May Also Trigger Private False Claims Act Enforcement.
The Department’s announcement specifically mentions relying on whistleblowers and private parties to assist the government in bringing these actions. It also solicits “tips and complaints from all sources” regarding cyber-related fraud, waste, abuse, and mismanagement. The False Claims Act’s qui tam provisions allow whistleblowers to sue on behalf of the government and receive a portion of the award as compensation. As such, government contractors may expect not only DOJ enforcement but also plaintiffs’ lawyers alleging lapses in cybersecurity and data breach reporting.