As a result of the new Civil Cyber-Fraud Initiative, it is more important than ever that companies be prepared to manage legal issues concerning cyberattacks and anticipate and take steps to mitigate potential liability for noncompliance under contractual, statutory, and regulatory standards, including potential investigations and litigation under the civil False Claims Act.
The Biden-Harris administration is strengthening the national response to cybersecurity attacks, including ransomware. As one aspect of this effort, the US Department of Justice (DOJ) recently announced a new Civil Cyber-Fraud Initiative (the Initiative). Among other tools, the Initiative will utilize the False Claims Act (FCA)—the government’s principal civil fraud enforcement tool—to investigate and pursue cybersecurity-related fraud involving government contracts and federal grant recipients. The Initiative’s purpose is to combat new and emerging cyberthreats to the security of sensitive information and critical systems.
The Initiative focuses on government contractors and recipients of federal funds who fail to comply with cybersecurity standards. Specifically, the Initiative concentrates on corporate and individual conduct that places federal government information or systems at risk by knowingly:
- providing deficient cybersecurity products or services,
- misrepresenting cybersecurity practices or protocols, or
- violating obligations to monitor and report cybersecurity incidents and breaches.
The Initiative provides an opportunity for companies, organizations, and executives to implement or redouble their preparations for navigating and responding to issues that arise during a cybersecurity investigation and follow-on or parallel government investigations or litigation.
Cyberincidents arise in a variety of ways. Based on our experience in assisting companies and organizations on a variety of cyber-related matters for several years, common means include: phishing schemes, business email compromise or other fraud schemes involving the internet, ransomware, targeted cyberattacks, an insider threat, supply chain, third-party vendors, and stolen unencrypted laptops, among others. Each is disruptive to the business.
Experienced counsel can assist in maneuvering the issues that arise during each phase of an incident, including detection, the internal cybersecurity investigation, containment and eradication, recovery, managing notification requirements and other legal obligations, addressing business relations and reputational risk issues, and anticipating civil litigation and potential regulatory review.
The affected company can obtain legal guidance under attorney-client privilege and the work product doctrine. How the company responds to the initial cyberincident will likely impact the consequences, such as potential litigation and enforcement, including those under the DOJ Cyber-Fraud Initiative.
DOJ INITIATIVE AREAS OF FOCUS
The Fraud Section of the DOJ Civil Division’s Commercial Litigation Branch leads the Initiative, along with civil enforcement attorneys in each of the 94 US Attorney Offices, the Inspector General Offices, and other agencies. This specially formed enforcement group is expected to consider all manner of cybersecurity noncompliance by contractors and subcontractors that adversely affects federal programs to be within its “jurisdiction.” The Initiative also identifies, pursues, and deters cyber-related vulnerabilities and incidents that arise with government contracts and grants that jeopardize sensitive information and critical government systems.
The Initiative is part of a broader focus by the Biden-Harris administration on cybersecurity issues, and is a product of the DOJ Comprehensive Cyber Review. Deputy Attorney General Lisa O. Monaco, the second-highest ranking DOJ official, stated that DOJ government contractors and grant recipients “entrusted to work on sensitive government systems” who “fail to follow required cybersecurity standards” will be subject to “very hefty fines” under the Initiative.
FALSE CLAIMS ACT
The Initiative will spawn both FCA investigations and litigation initiated by both the DOJ and private parties, known as qui tam relators. The FCA, 31 USC §§ 3729-3733, imposes liability and penalties on companies and individuals who defraud the government of money or property. In general, liability arises based on knowingly submitting or causing to be submitted to the government a false or fraudulent claim for payment, or knowingly avoiding an obligation to pay money to the government. The FCA reaches “knowing” conduct by companies and individuals, which includes specific intent as well as lesser levels of scienter, namely “reckless disregard” and “deliberate ignorance.” The FCA includes a unique qui tam provision, which empowers private parties to pursue civil suits based on FCA violations on behalf of the government and to receive a percentage share of any resulting recovery by judgment or settlement. The DOJ may also pursue cases on its own, without a relator.
Upon a finding of liability, an FCA defendant is liable for treble the amount of damages sustained by the government due to the FCA violation. In addition, the court must impose per-claim penalties of up to $23,331, which can result in tens of millions of dollars in penalties (even when actual damages are relatively low) where hundreds or thousands of claims are involved. On an annual basis in recent years, relators file more than 600 qui tam actions that the Justice Department must investigate, and overall annual recoveries in federal FCA cases range between $2–5 billion. The Initiative will encourage and incentivize relators and their counsel to file suit alleging cyber-related fraud, recognizing that a dedicated team of DOJ attorneys will be focused on pursuing such cases. However, in addition to allegations raised by relators, the DOJ will be initiating investigations on its own or based on referrals from federal agencies. The fact patterns will vary from case to case, but the types of claims likely will fall within two broad categories: (1) misrepresentations of cybersecurity capabilities in the bid and proposal process, and (2) false certifications of compliance—express or implied—with contractual or regulatory cybersecurity standards and amendments to those standards that take effect during contract performance.
The DOJ has a myriad of tools at its disposal to investigate potential FCA violations. These include the use of (1) Civil Investigative Demands (CIDs), which enable the DOJ to compel the production of documents, propound interrogatories, and take depositions before a complaint is filed or while a qui tam action remains under seal; and (2) federal agency Inspector General subpoenas. In fact, CIDs and agency Inspector General subpoenas frequently are the first indication a company has that an FCA investigation is underway, and receipt of such process needs to be elevated immediately to the company’s law department. In other instances, the DOJ may investigate potential violations that come to its attention via voluntary or mandatory disclosures by federal contractors who learn of potential noncompliance.
Even before the announcement of the Initiative, the FCA was used in cybersecurity cases. One qui tam case alleged that a product did not comply with security requirements and ultimately settled for $8.6 million. From this settlement amount, the relator received approximately $1.75 million as a “relator’s share” or bounty. Another qui tam case was dismissed under FCA standards. There are strong indications already that the DOJ is evaluating additional cybersecurity cases now, including ones based on qui tam actions that remain under seal.
For more background on the DOJ Cyber-Fraud Initiative, see our FAQs.
Companies should assess their level of preparedness before, during, and after a data breach. The ability to conduct confidential, privileged cyberincident investigations is essential.
Federal contractors and subcontractors should monitor and review their existing cybersecurity compliance standards and efforts and assess whether adjustments need to be made—or resources shifted—to address potential noncompliance with federal cybersecurity standards and contract requirements. The companies also should document cybersecurity compliance, including written plans and policies, ensure that cyber-related requirements are flowed down to and met by subcontractors and any third-party vendors, provide an avenue to learn about internal issues and potential whistleblower complaints, ensure that communications with the agency about compliance are well documented and accessible, assess whether a mandatory disclosure is necessary and whether a voluntary disclosure should be made when a noncompliance event occurs, engage with personnel that raise issues, engage with counsel where appropriate to assess compliance risks, and interface with the DOJ and federal investigators.
 See Executive Order on Improving the Nation’s Cybersecurity (May 12, 2021).
 See Deputy Attorney General Lisa O. Monaco Announces New Civil Cyber-Fraud Initiative (Oct. 6, 2021).
 See U.S. ex rel. Glenn v. Cisco Systems, No. 1:11-cv-00400 (W.D. NY 2019).
 See U.S. ex rel. Adams v. Dell Computer, No. 15-cv-608 (D.D.C. 2020) (insufficient allegations to satisfy demanding materiality standard and “knowing” conduct).