United States: DOJ announces civil initiative focused on using the False Claims Act to prosecute cybersecurity fraud by government contractors and grant recipients
On October 6, 2021, Deputy Attorney General Lisa O. Monaco announced the creation of a Department of Justice (DOJ) Civil Cyber-Fraud Initiative (the Initiative). According to the announcement, the Initiative combines DOJ’s expertise in combating civil fraud, public procurement and cybersecurity “to combat new and emerging cyber threats to the security of sensitive information and critical systems.” Specifically, its goal is to pursue False Claims Act (FCA) enforcement actions against government contractors and grant recipients who “fail to meet required cybersecurity standards” and thus “endanger information or American systems.” According to Deputy Attorney General Monaco, the need to fight cyber fraud has become a priority because “companies have chosen silence by mistakenly believing that it is less risky to hide a [cyber] violation than to report and report it.”
The False Claims Act and its declared application to cybersecurity fraud
The FCA is an enforcement tool the government uses to pursue fraudulent claims for federal funds. It includes provisions that encourage whistleblowers to identify possible FCA violations by allowing them to share in any recovery the government obtains through civil action.1 Individuals or entities found liable under the FCA are required to pay triple damages, or three times the actual damages “as the [g]overnment suffers because of the act” giving rise to liability.2,3 They are also required to pay a mandatory penalty for each false declaration.
In the context of the Initiative, the DOJ said it would use the FCA to target government contractors and grant recipients who “knowingly provid[e] deficient cybersecurity products or services; knowingly distort their cybersecurity practices or protocols; and knowingly violat[e] obligations to monitor and report cybersecurity incidents and breaches.”4 In targeting this conduct, the DOJ said its goals include:
- Build resilience against cybersecurity intrusions across government, the public sector and key industry partners
- Hold contractors and grant recipients to their commitments to protect government information and infrastructure
- Support the efforts of government experts to identify, create and release patches for vulnerabilities in commonly used information technology products and services in a timely manner
- Ensure that companies that play by the rules and invest to meet cybersecurity requirements are not at a competitive disadvantage
- Reimburse government and taxpayers for losses incurred when businesses fail to meet cybersecurity obligations
- Improve overall cybersecurity practices that will benefit government, private users and the U.S. public5
Key considerations for government contractors and grant recipients
The creation of the Initiative – which follows President Biden’s Executive Order 14028 announcing his administration’s commitment to improving cybersecurity6 – reflects the DOJ’s continued and increased focus on cybersecurity compliance and reporting data breaches. It also signals that the Justice Department’s cybersecurity enforcement efforts are likely to increase, in line with recent efforts by other federal regulators, including the Securities and Exchange Commission. To avoid Justice Department scrutiny and potential FCA claims, government contractors and grant recipients should consider the following:
- Compliance teams should prioritize cybersecurity compliance. Government contractors and grantees should develop in-house cybersecurity skills or engage external cybersecurity consultants, and implement reliable cybersecurity tools that meet federal standards, relevant regulatory obligations, and the standards of any controlling government contract.
- Government contractors and grantees should carefully assess whether they are complying with the cybersecurity practice requirements applicable to them, which may include obligations related to incident response, data loss protection and identity management, among others. They should also monitor changes to these requirements.
- Government contractors and grantees should be aware of their reporting requirements, including who should be alerted and when, in the event of a cyber incident.
1 See 31 USC § 3730.
2 31 USC § 3729.
3 See id.
4 United States Department of Justice, Deputy Attorney General Lisa Monaco announces the creation of new Cyber Fellows positions (August 27, 2021), available at https://www.justice.gov/opa/pr/deputy-attorney-general-lisa-o-monaco-announces-new-civil-cyber-fraud-initiative.
6 See Executive Order No. 14,028, 86 Fed. Reg. 26,633 (May 12, 2021), available at https://www.whitehouse.gov/briefing-room/presidential-actions/2021/05/12/executive-order-on-improving-the-nations-cybersecurity/.