DOJ Cyber-Fraud Initiative Highlights Potential Civil Liability for Failing to Meet Federal Cybersecurity Requirements
DOJ Cyber-Fraud Initiative Highlights Potential Civil Liability for Failing to Meet Federal Cybersecurity Requirements
The Department of Justice (DOJ) has created a new Civil Cyber-Fraud Initiative to use the power of the False Claims Act (FCA) to initiate suits against federal contractors and grant recipients that fall short of their regulatory and contractual cybersecurity obligations. This initiative, announced on October 6, 2021, builds on the Biden administration’s efforts to protect federal government networks from cybersecurity threats and to promote notifications of incidents by federal contractors to their federal agency customers—efforts that were outlined in the President’s May 2021 Executive Order on Improving the Nation’s Cybersecurity.
The DOJ also previewed in February 2021 that cybersecurity would be one of six priorities for the DOJ’s Civil Division related to the FCA. Acting Assistant Attorney General Brian Boynton said, “with the growing threat of cyberattacks, federal agencies are relying heavily on robust cybersecurity protections to safeguard our vital governmental data and information,” adding that, “to the extent that the government pays for systems or services that purport to comply with required cybersecurity standards but fail to do so, it is not difficult to imagine a situation where False Claims Act liability may arise.”
In the recent announcement, the DOJ identified three categories of conduct that will be a focus for FCA enforcement:
The initiative exposes some of the tension between the DOJ’s role as an enforcer of fraud, waste, and abuse on the one hand, and its role as a law enforcement agency that seeks the cooperation of victims to investigate the perpetrators of cyber incidents. The prospect of being held liable for deficient cybersecurity practices may reduce the incentive of contractors and grantees to volunteer information to law enforcement beyond what is strictly required by contracts and regulations.
Because the FCA requires actual knowledge, reckless disregard, or deliberate ignorance of the truth, not every cyber incident or cybersecurity failure will result in potential liability. But the DOJ has indicated that it will be monitoring contractors and grantees more closely. The DOJ also has signaled to potential qui tam relators (and their prospective plaintiffs’ counsel) that cybersecurity-focused FCA suits might bring increased likelihood of DOJ intervention. Given this increased scrutiny and the specter of the FCA’s treble damages and per invoice administrative penalties, contractors and grantees will need to ensure rigorous cyber compliance lest they find themselves in the DOJ’s crosshairs or the subject of a qui tam suit.
With its mention of cybersecurity products and services sold to the government, the DOJ is putting contractors that sell software, hardware, firmware, and related services to government agencies on notice that their offerings may be subject to extensive examination for security flaws. One focus of the May 2021 Executive Order is software supply-chain assurance, and contractors are being asked to more carefully consider where, by whom, and with what protections code is written.
The potential for introduction of malicious code or viruses into products used by the government was exposed as a very real threat in the context of the SolarWinds incident. Recent restrictions on use and supply to the government of Chinese-origin covered telecommunications equipment also illustrates this focus on supply chain as a potential source of risk. It remains to be seen how supply chain considerations could result in knowing FCA violations. Circumstances that are likely to be of particular focus for the DOJ are those where contractors knowingly fail to remediate vulnerabilities that have been identified in their products, or knowingly use obsolete or unsupported software components as part of their product offerings.
Although the basic FAR cyber clause, 52.204-21 (Basic Safeguarding of Covered Contractor Information), includes only minimal standards, nearly all federal agencies impose additional cybersecurity requirements on contractors handling sensitive government information. The Department of Defense (DoD) scheme is perhaps the best known, currently requiring contractor compliance with the National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171 standards, and moving to more extensive requirements with its Cybersecurity Maturity Modernization Certification (CMMC) program.
Other agencies require compliance with the more robust NIST SP 800-53 requirements, especially for sensitive data like personally identifiable information (PII), personal health information (PHI), and tax records. Security policies such as the Department of Homeland Security’s Presidential Directives (HSPD) and the General Service Administration’s (GSA) Information Technology Security Policy and the Department of Veterans Affairs’ (VA) Directive 6500 also require specific contractor actions. FedRAMP has its own security control requirements for contractors that provide their products and services in the cloud. The Uniform Guidance (2 CFR Part 200) for grants also includes safeguarding requirements for PII, PHI, and other sensitive information. Last but not least, the National Industrial Security Program Operating Manual (NISPOM) implements comprehensive information security controls for classified information, and knowing violation of these requirements would also fall within the scope of DOJ’s FCA enforcement powers.
In short, contractors and grantees may held liable under the FCA for knowingly failing to comply with relevant regulatory and contractual obligations, including NIST, CMMC, and FedRAMP requirements, among others. Moreover, because the FCA includes qui tam provisions that allow whistleblowers to sue on behalf of the government and receive a portion of the award as compensation, contractors must also consider the risk of plaintiffs’ lawyers or disgruntled employees (or former employees) alleging deficiencies in cybersecurity practices and data breach reporting.
In addition to agency requirements that contractors meet certain security standards, agency procurement contracts and grant agreements frequently contain data breach reporting requirements. The DFARS 252.204-7012 clause is perhaps the most recognizable, with 72-hour notice required to DoD in the event of a compromise of, or an actual or potentially adverse effect on, a contractor information system and/or the information residing therein. Other agencies, including GSA, DOJ, and the VA have 24-hour, and in some cases, even one-hour, incident reporting requirements, particularly when PII or PHI is involved. FedRAMP and the NISPOM also have specialized security incident reporting requirements. For those that now ignore these requirements, or perhaps even unduly delay notification to government agencies, there is heightened risk that the DOJ or a whistleblower could pursue fines under the FCA.
Regarding cyber breaches, Deputy Attorney General Lisa Monaco said as part of the announcement of the current initiative that DOJ seeks to end “the mistaken belief that it is less risky to hide a breach than to bring it forward and to report it.” In our experience, in large part due to the cooperative posture that DOJ, the Federal Bureau of Investigation, and other law enforcement agencies previously have taken when a contractor has been the victim of a cyber breach or ransomware attack, contractors have been reporting cyber incidents, both to their government customers and to federal law enforcement. Our hope would be that DOJ would retain its cooperative posture with contractors truly trying to do the right thing, and focus exclusively on those rare companies and entities that may purposefully hide cyber incidents, whether to avoid negative publicity, costly remediation activity, or for some other reason.
To date, the published FCA decisions involving contractors and cybersecurity have been limited to qui tam relator initiated actions. One of these cases illustrates potential hurdles for the initiative, the requirement under the FCA to establish both materiality and scienter. In United States ex rel. Adams v. Dell Computer Corp.[i] the D.C. district court dismissed relator’s claim that the existence of a cybersecurity vulnerability in Dell’s product that the relator had uncovered amounted to an implied false certification[ii] by Dell. The court found the plaintiff, a self-described cybersecurity expert, failed to establish that knowledge of the vulnerability would have materially altered the government’s decision to award the contract to Dell. The court also held that the allegations fell short of demonstrating that Dell knew, or should have known, of the vulnerability, largely due to the plaintiff’s claims of unique expertise and sophisticated detection methods.
This case stands in contrast to another that confirmed failure to comply with contractual cybersecurity requirements can lead to FCA liability. In United States of America ex rel. Brian Markus v. Aerojet Rocketdyne, Inc.,[iii] the court refused to dismiss a qui tam complaint alleging that the contractor violated the minimum cybersecurity requirements of NIST SP 800-171 in safeguarding controlled unclassified information (CUI) on its IT systems. The court found materiality sufficiently alleged, because, had the contractor made full, rather than partial, disclosure of the extent of its noncompliance, government agencies may not have awarded the contracts to the defendant.
DOJ did not intervene in either of these cases. A case where it was involved, however, may foretell the type of cases that DOJ may pursue in the future. In United States ex rel. James Glenn v. Cisco Systems Inc.,[iv] a relator alleged he had been terminated from Cisco months after disclosing a massive vulnerability in the contractor’s video surveillance systems, sufficient to shut down an airport or erase criminal evidence. Cisco ultimately chose to settle the dispute in 2019 for $8.6 million in agreement with the DOJ, more than a dozen state attorneys general, and the District of Columbia.[v]
As noted, the DOJ already has the tool of FCA enforcement available. To date, the FCA has not been directed at sellers of cybersecurity products and services, or contractors and grantees that access, process, and store sensitive government data. The announcement of the initiative indicates that DOJ is focused on cybersecurity compliance and data breach reporting.
What does all this mean for government contractors and grantees?
The Biden Executive Order on cybersecurity introduced a renewed and invigorated emphasis on contractors and grantee obligations to keep the government’s information safe. This new initiative is a continuation of this focus. Further, DOJ has been vigorously pursuing claims via the FCA, including most recently, against those who have committed fraud in connection with the Paycheck Protection Act pandemic relief program. DOJ has also indicated it is ready to use the FCA against contractors in connection with the recent vaccine mandate. A new target has become clear; contractors and grantees cannot say they have not been warned to get their cybersecurity house in order.
Markus Speidel, a Law Clerk in our Washington, D.C. office, contributed to the writing of this alert.
[ii] In Universal Health Services, Inc. v. United States ex rel. Escobar, 579 U.S. ___; 136 S. Ct. 1989 (2016), the Supreme Court endorsed the FCA theory of implied false certification, which says if a contractor is out of compliance with a material contract term, every invoice submitted under that contract is implicitly false. In Escobar, the Court narrowly limited the theory, however, to cases where “the defendant knowingly violated a requirement that the defendant knows is material to the Government’s payment decision.”
[iv] United States ex rel. James Glenn v. Cisco Systems Inc., No. 1:11-cv-00400-RJA (W.D.N.Y. 2011).
[v] United States ex rel. James Glenn v. Cisco Systems Inc., No. 1:11-cv-00400-RJA (W.D.N.Y. July 13, 2019).