Consistent with the Biden Administration’s keen focus on improving the nation’s cybersecurity, as articulated in Executive Order 14028 and discussed in greater detail here, the Department of Justice (DOJ) formally announced the launch of its new Civil Cyber-Fraud Initiative (Initiative) on October 6, 2021. The Initiative will “combine the department’s expertise in civil fraud enforcement, government procurement and cybersecurity to combat new and emerging cyber threats to the security of sensitive information and critical systems.” Importantly, this Initiative aims to employ the DOJ’s civil enforcement tools, to pursue “government contractors who receive federal funds, when they fail to follow required cyber security standards.” In announcing the Initiative, DOJ Deputy Attorney General Lisa O. Monaco admonished government contractors that “have chosen silence under the mistaken belief that it is less risky to hide a [cybersecurity] breach than to bring it forward and to report it.”
The DOJ will use the teeth of the False Claims Act, codified at 31 U.S.C. section 3729(b), to implement its Civil Cyber-Fraud Initiative. The False Claims Act generally imposes treble damages on government contractors that knowingly present false claims for payment to the federal government. The Initiative will build on that foundation by seeking to hold accountable those who would increase cybersecurity risks to the government by a) knowingly misrepresenting cybersecurity practices, b) failing to monitor and report cybersecurity incidents, or c) knowingly providing cybersecurity products and services that are deficient. For example, the DOJ could target contractors that present a claim for payment after, inter alia:
- Choosing not to report a cybersecurity incident within 72 hours consistent with Defense Federal Acquisition Supplement 252.204-7012;
- Providing covered telecommunication equipment or services to the federal government in contravention of FAR 52.204-26;
- Noncompliance with National Institute of Standards and Technology Special Publication 800-171 containing “security requirements for protecting the confidentiality of [Controlled Unclassified Information] when the information is resident in nonfederal systems and organizations…”; and
- Noncompliance with Cybersecurity Maturity Model Certification requirements.
Significantly, the Initiative will not be limited to false claims uncovered by the DOJ Civil Division’s Commercial Litigation Branch, Fraud Section. There is also a whistleblower component to the Initiative, which will incentivize “private parties to assist the government in identifying and pursuing fraudulent conduct and to share in any recovery…” These private parties may come from within a company performing under a contract with the federal government, or may be individuals or entities outside the company. Consistent with current qui tam actions, whistleblowers are protected from retaliation. Further, potential claims may originate from information provided by individual contracting agencies.
In short, government contractors should expect an uptick in all things cybersecurity compliance and enforcement from the government and through private rights of action. To stay ahead of the curve, government contractors should drill down into their existing cybersecurity safeguards and practices to ensure compliance with applicable cybersecurity laws, rules, and regulations. Those who do business with the government or receive federal funds should take the time to update their response protocols related to cybersecurity breaches, and to ensure that they have robust policies and procedures in place to avoid the heightened risks related to non-compliance with mandatory reporting obligations in light of the DOJ’s efforts associated with the Initiative.