On Oct. 6, 2021, Deputy Attorney General Lisa O. Monaco announced the creation of a Department of Justice (DOJ) Civil Cyber-Fraud Initiative (the Initiative). According to the announcement, the Initiative combines the DOJ’s expertise in civil fraud enforcement, government procurement and cybersecurity “to combat new and emerging cyber threats to the security of sensitive information and critical systems.” Specifically, its focus is to pursue False Claims Act (FCA) enforcement actions against government contractors and grant recipients who “fail to follow required cybersecurity standards” and thus “put U.S. information or systems at risk.” According to Deputy Attorney General Monaco, the need for cyberfraud enforcement has become a priority because “companies have chosen silence under the mistaken belief that it is less risky to hide a [cyber] breach than to bring it forward and to report it.”

The False Claims Act and Its Stated Application to Cybersecurity-Related Fraud

The FCA is an enforcement tool used by the government to address fraudulent claims for federal funds. It includes provisions that encourage whistleblowers to identify possible FCA violations by allowing them to share in any recovery the government obtains through a civil enforcement action.[1] Defendants found liable under the FCA are required to pay treble damages, or three times the actual damages “which the [g]overnment sustains because of the act” giving rise to liability.[2] They are also required to pay a mandatory penalty for each false claim.[3]

In the context of the Initiative, the DOJ has stated that it will invoke the FCA to target government contractors and grant recipients who “knowingly provid[e] deficient cybersecurity products or services; knowingly misrepresent[] their cybersecurity practices or protocols; and knowingly violat[e] obligations to monitor and report cybersecurity incidents and breaches.”[4] In targeting this conduct, the DOJ has stated that its goals include:

  • Building broad resiliency against cybersecurity intrusions across the government, the public sector and key industry partners
  • Holding contractors and grantees to their commitments to protect government information and infrastructure
  • Supporting government experts’ efforts to timely identify, create and publicize patches for vulnerabilities in commonly used information technology products and services
  • Ensuring that companies that follow the rules and invest in meeting cybersecurity requirements are not at a competitive disadvantage
  • Reimbursing the government and taxpayers for losses incurred when companies fail to satisfy their cybersecurity obligations
  • Improving overall cybersecurity practices that will benefit the government, private users and the American public[5]

Key Considerations for Government Contractors and Grantees

The creation of the Initiative — which follows President Biden’s Executive Order 14028 announcing his administration’s commitment to cybersecurity improvement[6] — reflects the DOJ’s continued and enhanced focus on cybersecurity compliance and data-breach reporting. It also signals that the DOJ’s cybersecurity-related enforcement efforts will likely increase, consistent with the recent efforts of other federal regulatory agencies, including the Securities and Exchange Commission. To avoid DOJ scrutiny and potential FCA claims, government contractors and grant recipients should consider the following:

  • Compliance teams should prioritize cybersecurity compliance. Government contractors and grantees should develop internal cybersecurity proficiency or engage external cybersecurity consultants, and implement trusted cybersecurity tools that meet federal standards, relevant regulatory obligations and the standards of any controlling government contract.
  • Government contractors and grantees should carefully assess whether they comply with requirements for cybersecurity practices applicable to them, which are likely to include obligations related to incident response, data-loss protection and identity management, among many others. They should also monitor changes to those requirements.
  • Government contractors and grantees should be aware of their reporting requirements, including who must be alerted, and when, in the event of a cyber incident.

[1] See 31 U.S.C. § 3730.

[2] 31 U.S.C. § 3729.

[3] See id.

[4] U.S. Dept. of Justice, Deputy Attorney General Lisa Monaco Announces Creation of New Cyber Fellows Positions (Aug. 27, 2021), available at https://www.justice.gov/opa/pr/deputy-attorney-general-lisa-o-monaco-announces-new-civil-cyber-fraud-initiative.

[5] Id.

[6] See Exec. Order No. 14,028, 86 Fed. Reg. 26,633 (May 12, 2021), available at https://www.whitehouse.gov/briefing-room/presidential-actions/2021/05/12/executive-order-on-improving-the-nations-cybersecurity/.