The DOJ’s Civil Cyber-Fraud Initiative, Part 2: Empowering Whistleblowers in the Fight Against Cyber Fraud

By: Daniel P. Schaefer

In the ongoing war against cyber fraud, a whistleblower is one of the most valuable soldiers. With insider access and detailed knowledge about a contractor’s operations, whistleblowers are uniquely poised to reveal cyber fraud in the intricate landscape of government contracts. The U.S. Department of Justice’s Civil Cyber-Fraud Initiative (“Initiative”), launched in 2021, further empowers these individuals, arming them with the formidable False Claims Act (“FCA”).

This piece, the second in a two-part series about the Initiative, is designed to enlighten potential whistleblowers on their journey to unveiling cyber fraud. It offers an in-depth look at the FCA, essential cybersecurity standards integral to potential claims, and strategic advice for whistleblowers.

The False Claims Act: Arming Whistleblowers in the Battle Against Fraud

The FCA provides the government with a potent weapon to counteract fraud, helping recover billions of stolen taxpayer dollars annually. The FCA covers all government programs. Examples of FCA actions include those brought against healthcare providers who defraud Medicare and Medicaid by overbilling, contractors who charge federal agencies for goods and services not delivered, and individuals who defraud federal agencies by using misrepresentations to obtain grants or loans. The FCA provides for recovery of triple the damages incurred by the United States, plus a penalty for each violation.

In qui tam actions, individuals or entities with inside information about fraudulent conduct, known as relators, file suits on behalf of the United States. The government then investigates the allegations. If a case is successful, whistleblowers can receive a percentage of the government’s recovery. If the government intervenes or takes over the lawsuit, the relator is typically entitled to between 15 and 25 percent of the recovery. The exact percentage within this range often depends on the extent of the relator’s contribution to the prosecution of the action. If the government decides not to intervene, the relator can proceed with the lawsuit independently. In this case, the relator can receive a higher recovery percentage, typically between 25 and 30 percent. The rate could be more or less depending on factors detailed in the FCA.

Cybersecurity Standards: The Core Battlefront for FCA Claims

In cases involving allegations of cyber fraud, noncompliance with cybersecurity standards and contractual requirements—by neglecting to meet mandated data protection measures, utilizing components from restricted foreign countries, or allowing unauthorized access to systems, for example—can be the basis for an FCA claim. Whistleblowers and their counsel should be familiar with these requirements, including the following.

Federal Information Security Modernization Act (“FISMA”)

FISMA requires federal agencies and contractors to develop, document, and implement an agency-wide program to provide information security for their information systems and data.

National Institute of Standards and Technology (“NIST”) Guidelines

NIST provides a framework for improving critical infrastructure cybersecurity. It comprises a set of standards, guidelines, and practices to manage cybersecurity risk, including detailed technical recommendations for securing information systems.

Defense Federal Acquisition Regulation Supplement (“DFARS”)

For contractors working with the Department of Defense (“DoD”), compliance with DFARS’s cybersecurity requirements is mandatory. These requirements include implementing NIST standards and reporting cyber incidents to the DoD within a prescribed time frame.

Agency-Specific and Contractual Cybersecurity Requirements

Various government agencies may introduce additional, specific cybersecurity requirements in their contracts. For example, the Department of Health and Human Services has its own Health Insurance Portability and Accountability Act (HIPAA) Security Rule for protecting sensitive patient health information. Additionally, individual contracts often dictate specific cybersecurity measures tailored to the project, such as implementing particular security software, limiting data access, or mandating regular security audits.

Suiting Up for Battle: Key Steps in Preparing a Whistleblower Claim

To maximize recovery under the FCA, a whistleblower must carefully prepare and plan. Below are a few essential steps to consider.

Keep Detailed Records

Document any suspected violations meticulously. Include dates, locations, individuals involved, and actions taken. It is crucial to respect laws and company policies while collecting this information.

Know Your Rights

The FCA protects against employer retaliation, including provisions for reinstatement, double back pay, and compensation for any costs or damages. Familiarize yourself with these provisions.

Seek Legal Guidance

Navigating an FCA claim is a complex process. Retain an attorney experienced in FCA litigation and cybersecurity issues to guide you through the process. An attorney can assist in investigating a potential FCA violation, filing the claim, prosecuting the case, and negotiating your share in the recovery.

Maneuvering the Minefield: Tips for a Successful Whistleblower Campaign

While the path of a whistleblower is long and arduous, careful navigation can avoid potential landmines. Below are some tips to steer clear of common pitfalls.

Don’t Delay

The FCA operates on a “first-to-file” rule, precluding later suits based on the same facts. For this reason, promptly filing your claim is wise once you’ve amassed sufficient evidence of a violation.

Maintain Operational Secrecy

Keep the details of your suit confidential until the government decides whether to intervene. Prematurely disclosing allegations may jeopardize your eligibility to share in any recovery.

Avoid Public Intelligence Leaks

Publicly disclosing allegations can potentially bar your claim under the FCA’s public disclosure rule. A whistleblower should avoid divulging information to the media, social media, or other public forums before bringing a complaint.

Secure Personal Boundaries

While collecting evidence to support your claim, remain within the confines of the law and your employment agreement. Illegally obtained evidence could discredit your claim and expose you to legal liability.

Brace for Repercussions

The whistleblower journey can often be challenging, personally and professionally. Understand that you may face pushback or ostracism at your workplace. Prepare for these challenges mentally and emotionally, and seek support where needed, such as from legal professionals or support networks for whistleblowers.

Remain Committed

Throughout the process, keep sight of the importance of your role. Whistleblowing is crucial to uncovering cyber fraud, contributing significantly to a safer digital landscape. This sense of purpose can give you the resilience to navigate the challenges.


The FCA and the Initiative empower whistleblowers to combat cyber fraud within government contracts. Whistleblowers stand as critical defenders on the front line of cybersecurity enforcement. An intimate understanding of cybersecurity standards and careful documentation of suspected infringements are essential for strong FCA claims. The FCA’s protections against retaliation further equip these brave individuals for the task.

A whistleblower’s journey may be fraught with challenges. Still, the potential financial and psychological rewards—the gratification of being a crucial ally in the fight against cyber fraud—are compelling. Through their courage and commitment, whistleblowers contribute significantly to maintaining the integrity of government contracts, ensuring a safer and more reliable digital landscape for all. By sounding the alarm, they help fortify our nation’s cybersecurity defenses and drive us toward a more secure digital future.
