There is a new weapon in the Department of Justice’s (DOJ’s) already powerful False Claims Act (FCA) arsenal. In October 2021, the DOJ announced a new Civil Cyber-Fraud Initiative, under which it will pursue FCA liability against government contractors in the cybersecurity space. According to the announcement from Deputy Attorney General Lisa O. Monaco, the initiative seeks to “hold accountable entities or individuals that put U.S. information or systems at risk by knowingly providing deficient cybersecurity products or services, knowingly misrepresenting their cybersecurity protocols, or knowingly violating obligations to monitor and report cybersecurity incidents and breaches.”
Overview of the Civil Cyber-Fraud Initiative
The Civil Cyber-Fraud Initiative follows several significant cyberattacks, which are only becoming more prevalent. The new initiative is the first formal step DOJ has taken in combatting them by focusing on the preventative cybersecurity efforts of government contractors.
The implications for government contractors and service providers cannot be overstated. In the healthcare space, entities are already subject to a complex web of cybersecurity requirements under HIPAA. But the Civil Cyber-Fraud Initiative brings a new enforcement dimension to all contractors, with the specter of treble damages and staggering statutory penalties under the FCA.
Under the Civil Cyber-Fraud Initiative, DOJ is likely to initiate more FCA lawsuits against government contractors that it believes are failing to meet their cybersecurity obligations under applicable law or contracts. Moreover, the initiative will likely encourage whistleblowers to be more aggressive in bringing qui tam suits under the FCA when they believe their employers are not honoring their cybersecurity obligations. Indeed, one whistleblower practice group has already put out a call to arms.
DOJ’s commitment to enforcement in this space was recently confirmed in an address by Brian Boynton, the Acting Assistant Attorney General for DOJ’s Civil Division, at the Cybersecurity and Infrastructure Security Agency (CISA) 4th Annual National Cybersecurity Summit. Boynton noted that FCA enforcement could apply to at least the following three “common cybersecurity failures”:
- Knowing failures to meet cybersecurity standards.
- Knowing misrepresentations of security controls and practices.
- Failing to timely report suspected breaches, which he described as critical for government agencies to respond, remediate any vulnerabilities, and limit the resulting harm.
Key Takeaways for Government Contractors
In light of the DOJ’s promise to focus on increased enforcement action in this space, government contractors should take stock of applicable cybersecurity requirements and any representations or warranties they may have made in their contracts with the federal government, and they should assess whether their cybersecurity systems are meeting these thresholds. Of course, this is not a one-time activity.
Instead, contractors should review for vulnerabilities and assess risk on an ongoing basis, and fully document their efforts. Not all cybersecurity systems are the same. The size, resources, and complexity of contractor organizations vary significantly, so these reviews may look different depending on the systems, entities, and data types at issue.
But, generally speaking, contractors should try to ensure their cybersecurity programs are in line with industry standards and government requirements for organizations and systems of a similar type. They should also consider implementing available frameworks, such as HITRUST or the Cybersecurity Maturity Model Certification (CMMC) framework outlined in the Department of Defense’s September 2020 interim rule, as appropriate.
Given the recent uptick in cyberattacks and intrusions and their continued prevalence, government contractors, providers, and suppliers should take steps now to prepare for the ensuing DOJ scrutiny in the cybersecurity space in the years to come.
Contact the authors or another member of the Bass, Berry & Sims Healthcare Fraud Task Force for further discussion on the FCA’s retaliation provision and other updates on FCA cases.