Justice Department Extends False Claims Act Scope to Cyber ​​Security | Bass, Berry & Sims PLC

There is a new weapon in the already powerful arsenal of the Department of Justice (DOJ) False Claims Act (FCA). In October 2021, the DOJ announced a new civilian cyber fraud initiative, under which it will pursue FCA liability against government contractors in the area of ​​cybersecurity. According to announcement by Deputy Attorney General Lisa O. Monaco, the initiative aims to “empower entities or individuals who endanger American information or systems by knowingly providing deficient cybersecurity products or services, by knowingly distorting their security protocols. cybersecurity or knowingly violating obligations to monitor and report cybersecurity incidents and breaches.

Overview of the Civil Cyber ​​Fraud Initiative

The Civil Cyber-Fraud Initiative follows several major cyber attacks, which are only on the increase. The new initiative is the first formal step taken by the Justice Department to combat them by focusing on the preventive cybersecurity efforts of government contractors.

The implications for government contractors and service providers cannot be overstated. In healthcare, entities are already subject to a complex web of cybersecurity requirements under HIPAA law. But, the Civil Cyber-Fraud Initiative brings a new dimension of enforcement to all entrepreneurs, with the specter of treble damages and staggering legal penalties under the FCA.

As part of the Civil Cyber-Fraud Initiative, the DOJ is likely to initiate more prosecutions against the FCA against government contractors who it believes are not fulfilling their cybersecurity obligations under the law or applicable contracts. In addition, the initiative will likely encourage whistleblowers to be more aggressive to qui tam prosecutions under the FCA when they believe their employers are not meeting their cybersecurity obligations. Indeed, a practice group of whistleblowers has already published a call to arms.

The commitment of the Ministry of Justice in terms of enforcement in this area was recently confirmed in the address by Brian Boynton, Acting Deputy Attorney General of the Civil Division of the Department of Justice at the Cybersecurity and Infrastructure Security Agency (CISA) 4^e Annual National Cyber ​​Security Summit. Boynton noted that the FCA application could apply to at least the following three “common cybersecurity failures”:

1. Know the breaches of cybersecurity standards.
2. Know the misrepresentation of security controls and practices.
3. Failure to timely report suspected violations, which he described as critical for government agencies to respond, fix vulnerabilities, and limit resulting damage.

Key takeaways for government contractors

In light of the Justice Department’s promise to focus on increased enforcement action in this space, government contractors should take stock of applicable cybersecurity requirements and any representations or warranties they make. may have made in their contracts with the federal government, and they should assess whether their cybersecurity systems meet these thresholds. Of course, this is not a one-off activity.

Instead, entrepreneurs should review vulnerabilities and assess risks on an ongoing basis, and fully document their efforts. Not all cybersecurity systems are the same. The size, resources, and complexity of outsourcing organizations vary widely, so these reviews may look different depending on the systems, entities, and types of data involved.

But, generally speaking, entrepreneurs should try to ensure that their cybersecurity programs meet industry standards and government requirements for organizations and systems of a similar type. They should also consider implementing available frameworks, such as HITRUST or the Cyber ​​Security Maturity Model (CMMC) certification framework outlined in the MoD September 2020 Interim Rule, as applicable.

Given the recent increase in cyber attacks and intrusions and their continued prevalence, government contractors, contractors and vendors should take action now to prepare for the Department of Justice’s scrutiny in the area of ​​cybersecurity in coming years.