As discussed in a previous post, the Department of Justice (DOJ) has announced a new Civil Cyber-Fraud Initiative to utilize one of the strongest tools in its toolbox—the False Claims Act—to hold entities receiving federal dollars accountable where it believes they are failing to meet their cybersecurity obligations.

Who should be aware of this initiative?

The reach of the False Claims Act is extremely broad. Anyone who tells the government that they are abiding by cybersecurity standards to receive money from the government can be a potential defendant in a False Claims Act suit. These statements can come in several forms. For example, a company may say that it is abiding by industry standards or has adopted reasonable cybersecurity protocols in its bid to procure a government contract, or the company may make such a statement in the contract itself.

For example, in a case out of the Eastern District California discussed in a previous post, a former cybersecurity director for Aerojet brought a False Claims Act case alleging that the company failed to comply with its cybersecurity obligations under its Department of Defense and NASA contracts, and it continued to seek government contracts after it became aware of its noncompliance. Depending on the industry, a company might also certify through cost reports, claim submissions, securities disclosures, contracts, or other forms that it abides by applicable statutes and regulations, including applicable privacy and security regulations. Even when not expressly stated in a contract or form submitted for payment, requirements for adopting and implementing reasonable cybersecurity practices may be implied in some circumstances.

And, the False Claims Act doesn’t just apply to companies who directly contract with or bill the government. The False Claims Act also applies to anyone who “causes” false statements or claims to be submitted to the government.  For example, in a recent case in Minnesota – U.S. ex rel. Higgins v. Boston Scientific Corp. – a federal district court held that a defendant who made false statements to obtain Food and Drug Administration (FDA) approval for its medical device could be liable for claims later submitted to Medicare by third parties who relied on the FDA approval when certifying that the device was medically necessary for their patients—even though the defendant never submitted any requests for payment to the government itself.

For cybersecurity purposes, this means that even if you are not providing services directly to the government or directly seeking reimbursement from the government, but you are handling data or information for a third-party that is contracted with or seeking reimbursement from the government, you could be potentially liable under the False Claims Act for failing to comply with applicable cybersecurity standards.

Why is the False Claims Act such a powerful tool?

Private Whistleblowers

The False Claims Act allows the government to initiate civil fraud lawsuits against defendants who it believes are knowingly avoiding their cybersecurity obligations.  However, the key to the False Claims Act’s enforcement reach is that it also encourages private whistleblowers (known as relators) to raise claims of fraud in exchange for a portion of the recovery.  As the Acting Assistant Attorney General for DOJ’s Civil Division told the Cybersecurity and Infrastructure Security Agency’s Annual National Cybersecurity Summit, the DOJ relies heavily on “inside information” from whistleblowers to uncover and report “new and evolving fraud schemes that might otherwise remain undetected.”

Indeed, these whistleblower suits (called qui tam suits) are the primary driver of civil fraud enforcement under the False Claims Act, and the financial incentive for bringing these suits can be considerable.  Of the $5.6 billion in settlements and judgments by the government in 2021, more than $1.6 billion resulted from qui tam lawsuits.  For their part, the relators who brought these suits received $237 million of the government’s recoveries.

Given the substantial financial incentives and growing prevalence of qui tam suits (relators filed nearly 600 of them in 2021 alone), the DOJ’s new Civil Cyber-Fraud Initiative will likely encourage whistleblowers to be more aggressive in bringing qui tam suits asserting that companies are not honoring their cybersecurity obligations.

Lengthy Sealed Investigations

Under the False Claims Act, relators bring their allegations of fraud to the government confidentially, which triggers a mandatory sealed investigation by the DOJ.  Although the False Claims Act prescribes an initial 60-day period for sealed investigations, it has become increasingly common for the government to request lengthy extensions, often keeping False Claims Act cases under seal for years.  While cases remain under seal, the defendants may or may not know they are under investigation or have claims of fraud raised against them.

Often, a defendant first learns of a sealed investigation when the DOJ issues a Civil Investigative Demand (CID), which grants the government broad authority to collect documents, request written responses to interrogatories, and obtain sworn deposition testimony from the defendants.  While cases are under seal, defendants are obligated to respond to the government’s demands, but they cannot move to dismiss the case or otherwise challenge the allegations against them in court until the seal is lifted and the qui tam complaint becomes public.

Costly Fines & Treble Damages

Perhaps the main reason the False Claims Act has become the DOJ’s primary enforcement tool is that it imposes treble damages, per-claim penalties (which were recently increased to $11,803 – $23,607, as discussed here), and it requires a defendant to cover the relator’s attorneys’ fees in successful cases.  Together, these can quickly create steep exposure for defendants facing False Claims Act litigation.

By way of example, in a case out of Florida last year – U.S. ex rel. Yates v. Pinellas Hematology & Oncology – a jury concluded that a clinical laboratory had submitted 214 claims to Medicare for tests performed at some of its locations that did not have all of the required certificates.  The jury found that the United States had sustained just $755.54 in actual damages, but, as is required by the False Claims Act, the court trebled the government’s actual damages. It then imposed the lowest per-claim civil penalty ($5,500), resulting in a total judgment of $1.179 million, plus attorneys’ fees (which were estimated at more than $450,000 after trial). The lab appealed this judgment to the Eleventh Circuit, arguing it violated the Excessive Fines Clause of the Eighth Amendment, but, as discussed in a previous blog post, the Eleventh Circuit found that the total award of $1.179 million, plus attorneys’ fees was not unconstitutional, giving deference to Congress’s decision to impose steep damages and significant per-claim civil penalties under the False Claims Act.

Key Takeaway

By rewarding private whistleblowers for reporting suspected fraud, and with the specter of steep financial penalties, the DOJ has successfully collected billions in settlements and judgments under the False Claims Act.

The DOJ’s newly-announced focus on cybersecurity sends a message to contractors, vendors, suppliers, and providers that noncompliance with cybersecurity obligations will be met with heightened DOJ scrutiny and carry a heavy threat of financial penalties.