Earlier this month, the White House released the National Cybersecurity Strategy Implementation Plan outlining specific “high impact initiatives” that the federal government will carry out to achieve its cybersecurity objectives.
National Cybersecurity Implementation Plan Overview
Initiative Number 3.5.2 of the Implementation Plan is titled: “Leverage the False Claims Act to improve vendor cybersecurity.” Specifically, the initiative states that the Department of Justice (DOJ) will “expand efforts to identify, pursue, and deter knowing failures to comply with cybersecurity requirements in Federal contracts and grants.”
This is part of the Civil Cyber-Fraud Initiative (CCFI), which the DOJ launched in October 2021 to “hold accountable entities or individuals that put US information systems at risk by knowingly providing deficient cybersecurity products or services, knowingly misrepresenting their cybersecurity practices or protocols, or knowingly violating obligations to monitor and report cyber incidents and breaches.”
Enforcement under the CCFI
Since its launch, the DOJ has announced several False Claims Act (FCA) settlements under the initiative. For example, in March 2022, the DOJ announced that Comprehensive Health Services LLC (CHS) paid $930,000 to resolve allegations that it billed the State Department approximately $485,00 for storing medical records in a secure Electronic Medical Record system, although the DOJ alleged that many medical records were in fact saved to an internal network drive accessible to non-clinical staff, in direct violation of CHS’s government contract.
The initiative has also successfully encouraged whistleblowers–known as relators–to bring cases on behalf of the government for perceived cybersecurity failures by companies receiving federal funds. In perhaps the most-watched case in this space, a former compliance officer at Aerojet Rocketdyne Inc. filed a case alleging that Aerojet knew its cybersecurity program fell short of the Department of Defense and NASA regulations that were part of Aerojet’s contracts with those agencies. The case proceeded to summary judgment, where the district court denied Aerojet’s motion after the DOJ filed a statement of interest assailing Aerojet’s arguments. In July 2022, the DOJ announced that Aerojet had agreed to pay $9 million to settle the allegations in a deal that was struck on the second day of trial.
Expect More Whistleblower Cybersecurity Suits
Historically, relators have been the driving force of enforcement under the FCA, typically filing between 500 and 600 qui tam suits on behalf of the government per year. As civil cyber-enforcement becomes more prevalent in the news and awareness grows among would-be whistleblowers, government contractors and healthcare providers should be on the lookout for an uptick in these types of cases. And the government’s continued focus on cyber-enforcement as a “high impact initiative” highlights the need for companies receiving federal funds to understand and comply with the cybersecurity requirements in the applicable regulations, contracts, and certifications submitted to the government, including ensuring that any vendors maintaining information on behalf of the companies are also in compliance.