By Sarah Hutchins and Michael Goldsticker
The U.S. Department of Justice is targeting federal contractors and grant recipients who fail to adhere to cybersecurity requirements in their agreements and who violate their obligation to monitor and report ransomware attacks and other types of cybersecurity breaches.
“For too long, companies have chosen silence under the mistaken belief that it is less risky to hide a breach than to bring it forward and to report it,” Deputy Attorney General Lisa Monaco said in a press release announcing the Civil Cyber-Fraud Initiative last month. “Well that changes today. We are announcing today that we will use our civil enforcement tools to pursue companies, those who are government contractors who receive federal funds, when they fail to follow required cybersecurity standards — because we know that puts all of us at risk.”
Under this initiative, the principal tool the Department of Justice will use to pursue these contractors is the False Claims Act, which imposes liability on companies and individuals who defraud federal government programs. False Claims Act cases may be brought not only by the U.S. government but also by private citizens who serve as whistleblowers. Lax cybersecurity measures often go undiscovered until a breach or other catastrophic event. In light of the financial incentives for private whistleblowers and plaintiffs’ attorneys to bring False Claims Act lawsuits – including automatic attorney’s fees and up to 30% of the government’s recovery in a successful action – DOJ’s policy initiative could encourage internal whistleblowers to bring cyber concerns to light and may result in a proliferation of False Claims Act litigation.
The Civil Cyber-Fraud Initiative comes at a time when False Claims Act litigation has already been sweeping up contractors that are, in fact, providing the contracted-for service but fail to comply with one of the other myriad requirements applicable to government contracts. These “implied certification” cases are premised on the notion that a contractor commits fraud by submitting a claim to the government for payment while failing to disclose its noncompliance with a separate statutory, regulatory, or contractual requirement. The company’s signing of the contract serves as an implied certification that it has met all the applicable requirements.
Since the U.S. Supreme Court’s Escobar ruling in 2016, False Claims Act disputes have often turned on whether the requirement at issue was material to the government’s decision to pay. In prior False Claims Act cases involving a failure to comply with cybersecurity requirements, contractors have argued that the violation was immaterial to the government’s payment decision, insofar as the contract concerned services unrelated to information technology or cybersecurity.
While that argument has had mixed results, it now is likely to be viewed with skepticism, particularly in light of the Biden administration’s express focus on cybersecurity. For example, the Department of Defense stated last year that it intended to make its standard contractual terms relating to cybersecurity more robust. And after the cyberattack on the Colonial Pipeline this year, President Biden issued an executive order focused on how government contractors detect, prevent, and remediate cyber threats, including the need for broad cyber-incident reporting requirements and the creation of standardized, and likely more stringent, cybersecurity requirements for federal contractors.
Federal contractors who are not following the latest cybersecurity best practices may face substantial legal exposure because the False Claims Act holds liable contractors who merely act recklessly towards applicable requirements, such as cybersecurity regulations.
In addition, the initiative is the latest example of how cybersecurity and data privacy regulations – and the penalties associated with them – continue developing at a rapid rate. Lawmakers in the Carolinas and more than 10 other states introduced sweeping data privacy bills this year. Virginia, California, and Colorado have already passed their own.
Bottom line, the downside of failing to comply with best practices on cybersecurity and data privacy continues to get steeper. DOJ’s recent emphasis on cybersecurity, when combined with the expanding web of federal cybersecurity regulations, creates sizeable legal and financial pitfalls for unwitting government contractors. Government contractors – and businesses in general – should carefully assess the cybersecurity terms in their contracts and consider conducting an enterprise-wide assessment of their data practices and risks, in order to avoid financial exposure from both a business and legal perspective.
Sarah Hutchins and Michael Goldsticker are attorneys at law firm Parker Poe. They can be reached at email@example.com and firstname.lastname@example.org.