Recently, Deputy Attorney General Lisa O. Monaco announced the Department of Justice’s new Civil Cyber-Fraud Initiative, aimed at combatting “new and emerging cyber threats to the security of sensitive information and critical systems.” The Initiative will be led by the Department’s Civil Division Commercial Litigation Branch, Fraud Section, and is a direct result of the Department’s comprehensive cyber review ordered by Deputy Monaco last May.
The Initiative will utilize the broad civil enforcement provisions of the False Claims Act (FCA) to pursue cybersecurity-related fraud by federal government contractors and grant recipients. The FCA is a powerful tool used by the federal government to redress false claims for federal funds and property involving government programs and operations. The FCA has whistleblower provisions that allow private parties (called relators) to bring legal actions on behalf of the federal government (called qui tam actions) to pursue fraudulent conduct and share in any recovery while protecting whistleblowers from retaliation. In its announcement, the Department also called attention to where whistleblowers may report fraud, waste, abuse, and mismanagement.
According to Deputy Monaco, the government intends to “pursue companies, those who are government contractors who receive federal funds, when they fail to follow required cybersecurity standards…” According to the government, the benefits of the Initiative include:
- Building broad resiliency against cybersecurity intrusions across the government, the public sector, and key industry partners.
- Holding contractors and grantees to their commitments to protect government information and infrastructure.
- Supporting government experts’ efforts to timely identify, create and publicize patches for vulnerabilities in commonly-used information technology products and services.
- Ensuring that companies that follow the rules and invest in meeting cybersecurity requirements are not at a competitive disadvantage.
- Reimbursing the government and the taxpayers for the losses incurred when companies fail to satisfy their cybersecurity obligations.
- Improving overall cybersecurity practices that will benefit the government, private users, and the American public.
Utilizing the FCA to pursue government contractors who fail to comply with federal cybersecurity procurement regulations is not new. In 2019, a Federal District Court in California ruled that a federal contractor’s violation of cybersecurity requirements found in the Department of Defense’s Federal Acquisition Supplement (DFARS) clause 252.204-7012 and NASA’s acquisition regulations could form the basis of a qui tam action brought by an employee under the FCA.
- Federal contractors should take notice. In light of the FCA’s treble-damages provisions and increased penalties of up to $23,607 per claim, the FCA provides strong incentives for relators to bring qui tam lawsuits on behalf of the government and collect their share of any recovery.
- The federal government is serious about pursuing FCA claims against federal contractors who fail to comply with cybersecurity requirements imposed by federal contracts and grants.
- There are many sources of cybersecurity obligations for federal contractors, especially those who handle sensitive or classified information, and these obligations continue to evolve, for example, the newly revised Cybersecurity Model Maturity Certification program.
- Federal contractors should ensure compliance by maintaining business-wide compliance systems to detect and remediate cybersecurity failures and timely report any breaches as required.
 United States ex rel. Markus v. Aerojet Rocketdyne Holdings, Inc., No. 2:15-cv-2245 WBS AC, 2019 U.S. Dist. LEXIS 78018, (E.D. Cal. May 8, 2019).