Takeaway:

The Department of Justice will use the False Claims Act as the basis for exacting civil penalties against companies who’ve fraudulently procured federal dollars while knowingly choosing to permit business practices with unacceptable cybersecurity risk.

The Department of Justice (DOJ) is getting aggressive with cyber fraud. Lisa O. Monaco, the DOJ’s Deputy Attorney General over the Department’s Civil Cyber-Fraud Initiative (Initiative), announced recently that the DOJ will actively pursue companies who receive federal funds through federal government contracts, when they fail to follow cybersecurity practices.  This type of fraud is all-too-common throughout the federal government’s supply chain. Civil penalties resulting from the DOJ’s new Initiative should be a deterrent for bad actors/contractors who refuse to invest in cybersecurity planning and risk management.

The DOJ will use the False Claims Act (FCA) as the basis for exacting civil penalties against companies who’ve fraudulently procured federal dollars while knowingly choosing to permit business practices with unacceptable cybersecurity risk.

Under the FCA, companies can be held liable if they knowingly cause a false claim to be submitted. The standard for knowing is defined as:

• Actual knowledge,
• Deliberate ignorance of the truth or falsity of the information, or
• Reckless disregard of the truth or falsity of the information.

Notably, , whistleblowers who come forward and provide information about a violation are protected under the FCA, and even allows for the whistleblower to participate in the reward following recovery of a claim.

The purpose of the Initiative appears to be two pronged:

1. Encourage companies and individuals to disclose cybersecurity incidents and breaches.
2. Recover federal funds from contractors who are not following certain cybersecurity standards.

Those two prongs were emphasized in President Biden’s May 2020 Executive Order (EO) on cybersecurity. The EO promises to “bring to bear the full scope of its authorities and resources” to protect the Country’s cyber infrastructure and assets. In addition, incident reporting and standardization of cybersecurity requirements in the government’s contracting/procurement process were central themes in President Biden’s EO.

With the Initiative, the DOJ appears to be part of the “authorities and resources” referenced in the Biden EO. In its initial press release, the DOJ emphasized its plan to work across agencies to leverage expertise in cybersecurity and law enforcement.

Deputy Attorney General Monaco said that the DOJ will rely on certain cybersecurity standards in government contracting. Although no standard was specifically referenced, President Biden‘s EO suggests that the National Institute for Standards in Technology (NIST) will play a leading role in the development of new standards. Moreover, the Department of Defense already launched its cybersecurity supply chain audit standard called the Cyber Maturity Model Certification (CMMC). CMMC could also become a template standard for other federal agencies.

All these standards and initiatives suggest that cybersecurity planning, risk management, and regulatory compliance will continue to be emphasized in the context of federal government contracting. To avoid liability under the FCA, companies doing business with the federal government should consult an attorney to explain applicable cybersecurity standards, whatever the form: implied, contractual, or regulatory.  All companies, working in both the public and private sectors, should become familiar with President Biden’s EO and NIST cybersecurity standards and practices. Increasingly, basic cybersecurity standards and practices are expected for all companies – even small businesses – operating in large supply chains. Companies that implement those standards and practices will not only be better protected against cyber incidents, but also distinguish themselves from competitors.