On October 6, 2021, Deputy Attorney General Lisa O. Monaco announced the Department of Justice’s (DOJ) “Civil Cyber-Fraud Initiative.” This new enforcement project led by the DOJ’s Civil Fraud Section will seek civil penalties under the False Claims Act (FCA) against government contractors and grant recipients that put U.S. information or systems at risk, for example by providing deficient cybersecurity products, misrepresenting cybersecurity capabilities, or knowingly violating obligations to monitor and report data breaches. The initiative is the latest in a line of Biden Administration actions that aim to combat the growth in cyber-attacks with aggressive use of criminal enforcement against the attackers and new requirements for industry.
The Initiative Signals Increased Risk of FCA Litigation with the DOJ or Private Plaintiffs
The DOJ used the FCA to recover $2.2 billion in settlements and judgments in 2020 and anticipates using the FCA’s “very hefty” monetary penalties to change contractors’ cybersecurity behavior. FCA liability involves claims that are factually false, which may include “false certifications” if contractors expressly or implicitly certify compliance with a particular statute, regulation, or contractual term when compliance is a prerequisite to payment. Under this new initiative, it appears the DOJ intends to use a similar theory to enforce compliance with cybersecurity and breach-reporting provisions contained in federal contracts. To the extent compliance with these provisions is not already a contractual prerequisite for payment, contractors should expect that to change. Indeed, federal departments and agencies are already in the process of implementing the President’s May 2021 Executive Order that, among other things, required a broad review of federal contracting rules on cybersecurity and breach reporting.
There are few known FCA cases involving cybersecurity claims, though given the sensitive nature of the subject matter, more may be filed under seal. Relators have had mixed results attempting to bring such FCA cases, with one case against an aerospace contractor moving past a motion to dismiss, while another case against a computer manufacturer was dismissed. The initiative likely signals an aggressive civil enforcement approach, with the DOJ bringing more FCA cases on its own volition, intervening more frequently in relator cases raising colorable claims and encouraging whistleblowers to more willingly come forward.
Contractors should use this announcement as a call to revisit their cybersecurity controls and certifications, confirm that their processes satisfy all contractual requirements, and investigate whether corrections need to be made to prior statements or representations to the government regarding the security of their systems or their products. The following are questions companies can ask internally as they evaluate these risks.
Do You Have a Process to Investigate and Remediate Cybersecurity-Related Complaints?
FCA litigation often arises from whistleblowers either contacting the government or independently bringing suit under the FCA’s qui tam provisions. This initiative will be no different – the DOJ’s announcement specifically mentions relying on whistleblowers to assist the government in bringing these actions. One practical way companies can reduce the likelihood of triggering these suits is to ensure there is a robust internal investigations process for receiving and resolving employee concerns about cybersecurity or product vulnerabilities. Counsel can assist in building a process for triaging, investigating, responding, and remediating these complaints that is protected by privilege, run independently, and provides ammunition for defeating a subsequent claim that the company ignored or inadequately addressed concerns.
Do You Know If Your Cybersecurity Controls and Processes Satisfy Current Standards Required by Contract and/or a Minimum Baseline of Reasonable Security?
Currently, there is not a unified cybersecurity standard for government contractors. While FAR 52.204-21 lays out “basic safeguarding of covered contractor information systems,” additional requirements will be contract-specific and can change depending on the procuring agency, data at issue, and type of service or product being offered. For civilian agencies in particular, more detailed cybersecurity requirements were often included in a scope of work, which could result in vague, confusing, and conflicting requirements. But going forward, contractors should expect a stricter level of standardization in contractually required cybersecurity controls and certifications. At the Department of Defense, the Cybersecurity Maturity Model Certification program is getting off the ground with its five levels of security assessments and certifications. Similarly, the National Institute of Standards and Technology is currently developing additional guidelines for contractors based on the May 2021 Executive Order. While final guidelines may not yet have been completed, we can expect more contractual requirements that reflect the “reasonable security” standard as a baseline. Consider conducting an internal assessment of your controls and processes to confirm you could satisfy either any existing contractual requirements or this baseline of reasonable security. Alston & Bird has published a separate guide, the “12 Elements for Effective Cybersecurity: What Does ‘Reasonable Security’ Look Like Organizationally?,” that can be a starting point for your internal discussions.
Do You Know What You Are Telling (or Have Told) the Government About Your Cybersecurity Controls and Capabilities?
The announced initiative specifically highlights misrepresentations made to the government about cybersecurity. Once contractors have determined their cybersecurity controls baseline, they may want to consider conducting an internal investigation with counsel comparing the statements they have made (or are making) to the government on the cybersecurity front with their cybersecurity controls baseline. This effort will help paint a picture of any existing FCA cyber-risk and provide an opportunity to address any discrepancies with the government outside the litigation/whistleblower context.
Are You Monitoring the Changing Landscape for Reporting Cyber Incidents to the Federal Government?
While you may (or may not) have contractual obligations to report certain types of cybersecurity incidents to your contracting officer or the procuring agency, it appears that the government may soon require expanded reporting of security incidents from contractors. The May 2021 Executive Order already signaled new cybersecurity reporting regulations for contractors, and additional legislation is moving through Congress on this issue. Monitoring and testing your existing incident notification procedures and preparing for changes to this landscape will be important.
*****
As you ask these questions internally, our cross-functional Alston & Bird team has the experience in internal investigations, government procurement, cybersecurity, False Claims Act enforcement, and litigation to not only help you build out these processes and conduct internal investigations and assessments but also to defend you against any government action or whistleblower claims. Please reach out to any of our team members to address how these questions can be addressed by your organization.