A New Tool to Combat Cybersecurity Breaches: DOJ Opens Door for Whistleblowers to Report Cyber-Fraud on Federal Contractors

Authors: Mark Blando & Robby Dube[1]

On October 6, 2021, Deputy Attorney General Lisa Monaco announced the Department of Justice’s Civil Cyber-Fraud Initiative.[2] The Cyber-Fraud Initiative will utilize the False Claims Act, 31 U.S.C. §§ 3729 et seq. (“FCA”), to “combat new and emerging cyber threats to the security of sensitive information and critical systems.”[3] This initiative comes after years of increased cybersecurity attacks against private companies and the Government.[4] It also reflects the Biden Administration’s focus on federal cybersecurity standards.[5] President Biden’s May 12, 2021 Executive Order stressed that “[t]he Federal Government must adopt security best practices [and] advance toward Zero Trust Architecture.”[6] These measures, alongside likely Congressional[7] and Securities and Exchange Commission action,[8] signal an increasingly critical need for federal contractors to ensure compliance with heightened cybersecurity standards.

Previously, the Federal Government had primarily restricted its use of the FCA to prosecute government contractors and subcontractors that violated material conditions of their government contracts. Now, with the launch of the Civil Cyber-Fraud Initiative, the Department of Justice (“DOJ”) is planning to use the FCA as an enforcement tool to “identify, pursue and deter cyber vulnerabilities and incidents that arise with government contracts.”[9] In other words, the DOJ is cracking down on federal contractors that fail to maintain contractually compliant cybersecurity obligations.

Brian Boynton, Acting Assistant Attorney General for the DOJ Civil Division, has described the following common cybersecurity failures as “prime candidates” for FCA enforcement under this initiative:

  1. knowingly failing to comply with cybersecurity standards;[10]
  2. knowingly misrepresenting security controls and practices, such as security plans that describe security controls or breach monitoring; and
  3. knowingly failing to timely report suspected cybersecurity breaches.[11]

Deputy Attorney General Monaco and Acting Assistant Attorney General Boynton echo concerns that contractors who knowingly violate cybersecurity standards may deprive the Government of the products or services it bargained for under the affected contracts.[12] Thus, by using the FCA as an enforcement tool, the Civil Cyber-Fraud Initiative aims to protect government information and reimburse taxpayers for losses incurred because of a contractor’s failure to meet those standards.

The FCA is the principal tool that the Federal Government uses to prosecute fraudulent conduct relating to federal funds and property. In the cybersecurity context, the Civil Cyber-Fraud Initiative intends to use the FCA to “hold accountable entities or individuals that put U.S. information or systems at risk by knowingly providing deficient cybersecurity products or services, knowingly misrepresenting their cybersecurity practices or protocols, or knowingly violating obligations to monitor and report cybersecurity incidents and breaches.”[13] Importantly, the FCA does not require a person to have a specific intent to defraud, only that the person acted knowingly. Thus, an individual or company that certifies that a federal contract meets applicable cybersecurity requirements, when it reasonably should know that it does not, could face FCA liability. In addition, the FCA allows individual whistleblowers to bring lawsuits on behalf of the Government. Under this qui tam provision, whistleblowers who identify fraudulent conduct are protected from retaliation and share in 15 to 25% of any recovery against the contractor.

The Civil Cyber-Fraud Initiative is led by the DOJ’s Commercial Litigation Branch, Civil Fraud Section. Violations of the FCA may result in treble damages and penalties of up to $23,331 per claim, although this amount is increased periodically.[14] The Government’s expenditures on FCA cases typically pay off, as the rate of return is approximately 20:1.[15] If federal contractors were uncertain of the Federal Government’s seriousness in implementing this new initiative, the FCA’s effectiveness as an enforcement tool should remove any such doubts.

If you are concerned about your company’s compliance with federal cybersecurity standards, or would like additional information regarding the impact of this new initiative, please contact the government contract attorneys at Eckland & Blando LLP.

[1]     Rachel Lantz contributed research for this article.
[2]     Deputy Attorney General Lisa O. Monaco Announces New Civil Cyber-Fraud Initiative, Dep’t of Just. (Oct. 6, 2021), https://www.justice.gov/opa/pr/deputy-attorney-general-lisa-o-monaco-announces-new-civil-cyber-fraud-initiative.
[3]     Id.
[4]     Significant Cyber Incidents, Ctr. for Strategic & Int’l Studies, https://www.csis.org/programs/strategic-technologies-program/significant-cyber-incidents.
[5]     Executive Order on Improving the Nation’s Cybersecurity, The White House (May 12, 2021), https://www.whitehouse.gov/briefing-room/presidential-actions/2021/05/12/executive-order-on-improving-the-nations-cybersecurity/.
[6]     Id. Zero Trust Architecture is a strategic initiative to prevent data breaches that is rooted in the principle of “never trust, always verify.”
[7]     Cyber Incident Reporting Act, S. 2875, 117th Cong. (2021), https://www.congress.gov/bill/117th-congress/senate-bill/2875/text?r=5&s=1.
[8]     SEC Charges Issuer with Cybersecurity Disclosure Controls Failures, U.S. Sec. and Exch. Comm’n, https://www.sec.gov/news/press-release/2021-102.
[9]     Acting Assistant Attorney General Brian M. Boynton Delivers Remarks at the Cybersecurity and Infrastructure Security Agency (CISA) Fourth Annual National Cybersecurity Summit, Dep’t of Just. (Oct. 13, 2021), https://www.justice.gov/opa/speech/acting-assistant-attorney-general-brian-m-boynton-delivers-remarks-cybersecurity-and.
[10]   Although no existing standards were specifically referenced in the press release, President Biden’s Executive Order directed the National Institute of Standards and Technology to develop new standards for public and private entities using critical software. See The White House, supra note 5, § 4. However, federal government contractors may already be subject to cybersecurity standards if their contracts contain the Federal Acquisition Regulation (FAR) 52.204-21 clause, which imposes fifteen basic cybersecurity controls for contractor information systems that process, store, or transmit Federal contract information. FAR 52.204-21 (2021).
[11]   Dep’t of Just., supra note 9.
[12]   See supra notes 2, 9.
[13]   See supra note 2.
[14]   28 C.F.R. § 85.5 (last updated Oct. 12, 2021), https://www.ecfr.gov/current/title-28/chapter-I/part-85/section-85.5.
[15]   John McCabe, Taxpayers Against Fraud Education Fund, False Claims Act Enforcement: $20 Returned for Every $1 Spent (Sept. 5, 2021), https://www.taf.org/post/fraud-by-the-numbers-september-5.