DOJ Announces New Initiative to Enforce Cybersecurity Requirements and Data Protection on Government Contractors
Authors: Ryan T. Sulkin, Lucas Schaetzel
Under the False Claims Act, any entity receiving federal funds is potentially liable if they fail to comply with government cybersecurity and data protection standards.
Earlier this month, the United States Department of Justice Civil Division (“DOJ”) announced a new Cyber-Fraud Initiative (the “Initiative”). The Initiative reflects a new federal government focus on entities that receive federal funds and places enhanced scrutiny on their cybersecurity and data protection policies and procedures.
The DOJ sees the Initiative as a tool both to ensure federal funds are used appropriately and to guard the public trust in a world of substantially increasing data breaches and cybersecurity incidents. A number of recent cybersecurity incidents have targeted government agencies such as NASA and the FAA. It is estimated, for example, that defense industry contractors and the Department of Defense lose almost $600 million annually as a result of cybersecurity incidents. Another example is the high-profile SolarWinds hack, which resulted in the largest breach of U.S. government information in recent years.
Against this backdrop of exponentially growing cybersecurity threats, the federal government is seeking new tools to combat them.
The new Initiative is one of those tools and signals the DOJ’s intent to use the False Claims Act (“FCA”) to pursue cybersecurity-related fraud—i.e., failure to comply with cybersecurity and data protection obligations in government contracts—by any entity that receives federal grants or is considered a government contractor.
False Claims Act
The FCA, which was originally enacted in 1863, is the DOJ’s primary tool to assess liability on government contractors or grant recipients. The law penalizes those who make false claims to obtain federal funds or property.
Any entity that violates the FCA is liable for a maximum of three times—and a minimum of two times—the amount of damages suffered by the government. Those damages are in addition to civil penalties ranging from $5,000 to $10,000. FCA claims cannot be brought more than six years after the FCA violation occurred or, alternatively, more than three years after the government knew or reasonably should have known of the violation.
It is important to note that the FCA allows any private citizen to bring a claim against an entity or individual. A private FCA complaint brought on behalf of the government can only be dismissed if the court and the U.S. Attorney General give written consent to the dismissal.
Recent case law also indicates a broader willingness to use the FCA to hold parties accountable for cybersecurity-related claims. In 2019, federal courts signaled that the FCA can support claims that an entity did not follow federal government cybersecurity requirements and, in another case, approved an $8.6 million settlement based on FCA claims related to security vulnerabilities in video surveillance software.
There are two elements on which FCA claims tend to turn. First, the FCA requires that the fraud be committed “knowingly.” For an entity or individual to act with knowledge, they must act with actual knowledge, deliberate ignorance, or reckless disregard of the truth or falsity of certain information. In this context, that information is the efficacy of cybersecurity policies and procedures, or compliance with specific cybersecurity and data protection requirements in government contracts.
Second, the FCA requires that the falsehood, or failure to comply with contractual requirements, be “material.” Something is material under the FCA if it has a natural tendency to influence, or is capable of influencing, the receipt of the funds. In a 2020 case, a federal court found that an entity’s promise to comply with government cybersecurity obligations was not material to that entity’s receipt of the government contract.
Cyber Fraud Initiative Details
Under the DOJ’s Initiative, an entity opens itself up to civil liability by knowingly (1) providing deficient cybersecurity products, solutions, or services; (2) misrepresenting its cybersecurity and data protection practices or procedures; or (3) violating any obligation to monitor and report data breaches or cybersecurity incidents. The DOJ specifically listed these three acts as violations of the FCA in relation to cybersecurity policies and procedures.
The DOJ hopes the Initiative will help shore up the government’s resiliency against cybersecurity incidents and support government efforts to identify, create, or publicize vulnerability patches in “commonly-used information technology products or services.”
The Initiative also seeks to further incentivize investment in robust cybersecurity practices and to protect those entities or individuals who follow cybersecurity requirements from being put at a competitive disadvantage.
Implications Moving Forward
With the DOJ’s new focus on government contractor cybersecurity requirements, entities should review their government contracts and agreements to ensure that they are complying with, and can continue to comply with, their cybersecurity and data protection obligations.
Those receiving funds from the federal government also need to ensure they are not misrepresenting their cybersecurity policies, practices, and capabilities.
Further, while the FCA requires fraud to be knowing and material to the receipt of federal funds, there will undoubtedly be an increase in cybersecurity-related FCA cases. Even outside the Initiative, the fact that courts are open to cybersecurity FCA claims and that private citizens can bring cases on behalf of the government potentially widens the scope of liability that government contractors face.
As the federal government raises the level of cybersecurity and data privacy obligations entities face, the Benesch Data Protection and Privacy team is committed to staying at the forefront of knowledge and experience to assist our clients in compliance efforts. We are available to assist you with any compliance needs.
Ryan T. Sulkin at rsulkin@beneschlaw.com or 312.624.6398.
Lucas Schaetzel at lschaetzel@beneschlaw.com or 312.212.4977.