In our transformative digital age, opportunities abound—but challenges loom large. The constant threats of hacking and data breaches in our interconnected world underscore the critical importance of robust cybersecurity. Cybercrime is expected to cost the world $8 trillion in 2023 and $10.5 trillion by 2025, according to Cybersecurity Ventures.
For government contractors, the stakes are exceptionally high. Government contracts often incorporate exacting cybersecurity requirements, with severe consequences for noncompliance. The U.S. Department of Justice’s Civil Cyber-Fraud Initiative (“Initiative”) has added a new dimension to this landscape, wielding the formidable False Claims Act (“FCA”) to combat cybersecurity deficiencies among government contractors.
This article, the first in a two-part series, provides an in-depth look at the Initiative and the DOJ’s significant enforcement actions since the Initiative’s launch in 2021. Additionally, it offers proactive strategies for government contractors to remain ahead of the curve in this high-stakes, rapidly evolving digital environment.
The DOJ’s Civil Cyber-Fraud Initiative
Launched in October 2021, the Initiative was a landmark step toward clamping down on contractors that fail to comply with federal cybersecurity standards. The Initiative aims to identify, pursue, and prosecute cybersecurity-related fraud against the government. It primarily targets three categories of misconduct:
- Noncompliance with cybersecurity standards. The FCA can be used to pursue instances where government contractors knowingly fail to comply with the cybersecurity standards in their contracts with the government. These standards might include specific measures to protect government data, restrictions on non-U.S.-citizen employees accessing systems, or prohibitions on using components from certain foreign countries. Failure to meet these standards deprives the government of what it has contracted for.
- Misrepresentation of security controls and practices. FCA liability can arise when a company knowingly misrepresents its security controls and practices during the contracting process or contract performance. Misrepresentations could influence the government’s contractor selection or contract structuring process, violating the FCA. For example, a contractor might misreport details about system security plans, monitoring practices for system breaches, or password and access requirements.
- Failure to timely report suspected breaches. A company may violate the FCA if it knowingly fails to report suspected cyber incidents promptly. Government contracts often require prompt reporting of such incidents, which is imperative for the agencies to respond, remediate vulnerabilities, and limit harm.
The False Claims Act: A Key Legal Weapon
The FCA, first enacted during the Civil War to combat fraudulent suppliers to the Union Army, is the government’s primary tool for redressing the knowing misuse of taxpayer funds. It permits the government and private citizens (acting as whistleblowers or “relators”) to sue those who defraud governmental programs. The Initiative utilizes the FCA to hold contractors accountable for misrepresentations or breaches related to their cybersecurity practices. Liability can be severe: treble damages plus a civil penalty for each false claim, rendering the FCA a potent deterrent.
Recent Case Developments: The Initiative in Action
Implementing the Initiative has already led to some significant case developments, detailed below, that underline the Initiative’s enforcement capabilities. These cases demonstrate the potential fallout for businesses with government contracts if they provide substandard cybersecurity services, overstate their cybersecurity capabilities, or delay reporting cybercrime. It’s a stark reminder that contractors can be held accountable for fraudulent practices. With the government’s emphasis on cybersecurity enforcement and the increasing pervasiveness of cybercrime, these first few enforcement actions under the Civil Cyber-Fraud Initiative represent only the tip of the iceberg.
Comprehensive Health Services
In March 2022, the DOJ announced its first FCA resolution involving cyber fraud since the Initiative’s inception. Comprehensive Health Services (“Comprehensive”), a medical service provider with contracts and subcontracts with the State Department and Air Force to operate medical facilities in Iraq and Afghanistan, settled FCA claims by agreeing to pay $930,000.
The United States alleged that Comprehensive submitted false claims for reimbursement under its contract and failed to disclose that it had not complied with contract terms requiring it to securely store patients’ medical records. Comprehensive allegedly left medical records in an unprotected network drive, easily accessible to nonclinical staff, a violation it had not reported.
The relators and their counsel collectively received a total recovery of $498,741, consisting of individual shares for the relators, attorney fees, and expenses.
Aerojet Rocketdyne
In July 2022, defense contractor Aerojet Rocketdyne (“Aerojet”) agreed to pay $9 million to settle allegations that it misrepresented its compliance with cybersecurity standards and fraudulently entered into contracts with the Department of Defense and the National Aeronautics and Space Administration despite knowing it did not meet the minimum cybersecurity requirements.
The relator, a former senior director of cybersecurity at Aerojet, initiated the qui tam lawsuit in 2015. The government declined to intervene in the action. Following years of discovery and summary judgment briefing, a jury trial commenced on the relator’s promissory fraud claim. The relator asserted that Aerojet was liable for damages amounting to $19 billion. That figure represented three times the total value of each invoice paid under each agreement allegedly secured through false statements or fraud. If the jury found Aerojet to have violated the FCA, Aerojet also faced the possibility of civil penalties, debarment, and suspension.
The parties settled on the second day of trial, with the whistleblower receiving $2.61 million as his share of the $9 million that Aerojet agreed to pay the government to settle the cyber-fraud allegations.
Jelly Bean Communications Design
The United States alleged that Jelly Bean, under its contracts with the Florida Healthy Kids Corporation (“FHKC”), submitted false claims for federal funds while failing to provide secure hosting and to properly maintain and patch the software underlying the website HealthyKids.org, which collected and transmitted applicants’ personal information for Medicaid coverage. As a result, more than 500,000 applications were exposed when attackers exploited the unpatched systems, compromising sensitive data such as names, addresses, Social Security numbers, financial information, family relationships, and secondary insurance details. In response to the data breach and cybersecurity failures, FHKC shut down the application portal in December 2020. In March 2023, Jelly Bean and its manager agreed to pay $293,771 to resolve the allegations.
Achieving Cybersecurity Excellence: Key Strategies for Government Contractors
As the digital landscape grows more complex and the threats more sophisticated, government contractors must approach cybersecurity compliance with an assertive and agile mindset. Below are some essential strategies.
Understand Cybersecurity Standards
Familiarize yourself with the cybersecurity requirements that apply to your contracts, including Federal Information Security Modernization Act (“FISMA”) requirements, National Institute of Standards and Technology (“NIST”) guidelines, and specific agency-level standards (for example, Department of Defense contractors handling covered defense information are subject to DFARS clause 252.204-7012, which incorporates NIST SP 800-171). Ensure strict adherence to these contractual obligations, and be careful in making assurances to the government when entering into government contracts, because an assurance of compliance that the company knows to be inaccurate is the type of statement that can give rise to FCA liability.
Invest in Robust Security Infrastructure
Ensure that the teams responsible for cybersecurity have sufficient resources for risk assessment, threat mitigation, and adherence to governmental regulations. Budget for both security tooling and skilled personnel, and measure the program against the controls your contracts actually require rather than against generic best practices. Regularly update and patch all systems to reduce exploitable vulnerabilities, and keep records of patching and configuration changes so that compliance claims can be substantiated.
Formulate an Incident Response Plan
Develop a comprehensive incident response plan outlining immediate steps in the event of a cybersecurity breach. The company’s plan should encompass notification procedures, evidence-preservation methods, remediation strategies, and a communication plan.
Respond to Internal Complaints
React to internal warnings appropriately. Allocate sufficient resources for investigating claims that surface through internal reporting channels. Importantly, ensure the protection of whistleblowers by not taking adverse actions against those raising internal warnings. Ignoring this advice could lead to additional liability for unlawful retaliation.
Comply with Reporting Timelines and Mandates
Understand and comply with the reporting timelines stipulated in government contracts; for example, DFARS clause 252.204-7012 requires covered Department of Defense contractors to report cyber incidents to the DoD within 72 hours of discovery. Missing a contractual deadline is itself a breach and, if the failure to report is knowing, can trigger FCA liability.
In addition, it is crucial to carefully structure and record any disclosures made to, or waivers obtained from, the government. In the Aerojet case, for example, the contractor had disclosed some noncompliance to the government, but the relator maintained that those admissions did not reveal the full scope of the noncompliance. A partial disclosure therefore did not foreclose the claim.
Promote Cybersecurity Awareness
Conduct regular training sessions and awareness programs to help employees appropriately identify and respond to potential threats. Reinforce the importance of their role in maintaining cybersecurity and the possible consequences of noncompliance.
Proactively Engage with Legal Counsel
Independent legal advice is essential in deciphering a company’s legal obligations and mitigating claims of cybersecurity fraud. Good counsel becomes particularly vital in the face of potential whistleblower complaints, and even more so when contemplating any adverse action against the individual raising these concerns. Conducting an internal investigation through counsel helps preserve privilege over that investigation and brings specialized knowledge and experience in dealing with complex issues. By proactively seeking professional legal guidance, your company can maintain its compliance posture, fulfill its obligations, and resolve whistleblower claims appropriately.
The inception of the DOJ’s Civil Cyber-Fraud Initiative signals a heightened era of scrutiny, underscoring the importance of robust cybersecurity compliance for government contractors. Armed with the potent False Claims Act, authorities are poised to enforce stringent compliance. A company’s cybersecurity deficiencies, knowing misrepresentations, or failure to timely report breaches could lead to significant penalties. Engaging legal counsel seasoned in the intricacies of cybersecurity and FCA matters may prove indispensable in successfully navigating these obligations, potentially mitigating grave financial repercussions and safeguarding the future of the business.
Cybersecurity Ventures, Cybercrime Damages to Cost the World $8 Trillion USD in 2023, EIN Newswires (Dec. 15, 2022).
Brian Boynton, Acting Assistant Att’y Gen., Civil Div., Dep’t of Just., Speech at the Cybersecurity and Infrastructure Security Agency (CISA) Fourth Annual National Cybersecurity Summit (Oct. 13, 2021).
Press Release, U.S. Dep’t of Just., Medical Services Contractor Pays $930,000 to Settle False Claims Act Allegations Relating to Medical Services Contracts at State Department and Air Force Facilities in Iraq and Afghanistan (Mar. 8, 2022).
United States v. Comprehensive Health Servs., Inc., No. 1:20-cv-00698 (E.D.N.Y. Feb. 28, 2022).
Press Release, U.S. Dep’t of Just., Aerojet Rocketdyne Agrees to Pay $9 Million to Resolve False Claims Act Allegations of Cybersecurity Violations in Federal Government Contracts (July 8, 2022).
Press Release, U.S. Dep’t of Just., Jelly Bean Communications Design and Its Manager Settle False Claims Act Liability for Cybersecurity Failures on Florida Medicaid Enrollment Website (Mar. 14, 2023).