Client Alert: DOJ Threatens Government Contractors With Fraud Claims Over Alleged Non-Compliance With Ambiguous Requirements
Date: October 7, 2021
On October 6, 2021, DOJ announced a “New Civil Cyber-Fraud Initiative.”[1] As a response to political pressure to “do something!” about cybersecurity risks, this initiative may sound like a good idea. After all, many people do want the U.S. government to aggressively go after those bad actors engaged in ransomware and other cyber exploitation sanctioned by nation states.
But what does the DOJ mean when it says it will use the False Claims Act against contractors for:
“knowingly providing deficient cybersecurity products or services, knowingly misrepresenting their cybersecurity practices or protocols, or knowingly violating obligations to monitor and report cybersecurity incidents and breaches”?
The False Claims Act
Breach of contract isn’t fraud. The False Claims Act (FCA), 31 U.S.C. §§ 3729 – 3733, provides that any person who knowingly submits false claims to the government is liable for triple the government’s damages plus a statutory penalty. The FCA is a fraud statute. “Promissory fraud” must be coupled with a present intent not to honor promises made, and not every breach of contract performance requirements results from any such intent. How many future DOJ enforcement suits will even try to draw that distinction?
A “claim” is required
A False Claim requires … well, a “claim” … that is “false.” Before DOJ can properly invoke the False Claims Act, a contractor must have made a claim – like seeking payment – and the claim itself must include some objective falsehood. Do your invoices to the government include any affirmative statement about your cybersecurity compliance? How many future DOJ enforcement suits will even try to allege that?
The Risk of Implied Certification
Lacking an actual claim, these new Cyber-Fraud enforcements likely will rely on “implied certification” claims. The idea is that, when a contractor submits a claim for payment, it also is certifying compliance with other contract requirements that are material to the government’s decision to pay. When the contracting officer approves a payment for the item you sell or the service you provide, it is hard to imagine that the contracting officer’s decision to pay was based on the idea that your invoice was a representation that your cybersecurity protocol met a certain standard.
A Moving Target for Business
Implied certification claims must be based on clear cybersecurity requirements. Because cybersecurity standards are often tied to fact-specific risk assessments, and based on the fuzzy and ever-changing concepts of “reasonableness” and “industry standards,” clear cybersecurity standards do not always exist, except perhaps in the context of a contractor’s duty to report certain types of incidents. But even in that context, if state breach laws are implicated, reporting requirements vary by state, some states impose deadlines that can be subjective, and reporting requirements can further vary by industry. This lack of clarity creates a serious point of risk for business. For example, the Cybersecurity Maturity Model Certification (CMMC) has not yet been implemented. Even guidance from the National Institute of Standards and Technology (NIST) following Executive Order 14028 has not been published. The lack of a clear standard leaves businesses grasping for a standard and waiting to find out when they “got it wrong.”
Your Business as A Target
DOJ does not have the unlimited power required to declare a “sentence first–verdict afterward.” Yet, when the government threatens an enforcement action, in which DOJ may try to seek three times the value of the entire contract (and then suggest a “compromise” involving a lesser multiple of the contract value), the effect can be the same: once DOJ decides to pursue a company, few have the resources or the expertise to defend themselves.
But not only those who have DOJ’s attention should be worried. The new Civil Cyber-Fraud Initiative includes a link for those who want to take advantage of the “unique whistleblower provision” – and companies can expect disgruntled Cybersecurity (and other) employees to report their employers to DOJ, either to proclaim the protection of whistleblower laws, or just to “buy a lottery ticket” on the chance DOJ picks up the case and extracts a settlement from a company that is attempting to comply with ever-shifting guidance.
If you need help understanding Cybersecurity obligations, or you need help defending against government overreach, we are here to help.
The full text of DOJ’s press release is posted below:
Department of Justice
Office of Public Affairs
FOR IMMEDIATE RELEASE
Wednesday, October 6, 2021
Deputy Attorney General Lisa O. Monaco Announces New Civil Cyber-Fraud Initiative
Deputy Attorney General Lisa O. Monaco announced today the launch of the department’s Civil Cyber-Fraud Initiative, which will combine the department’s expertise in civil fraud enforcement, government procurement and cybersecurity to combat new and emerging cyber threats to the security of sensitive information and critical systems.
“For too long, companies have chosen silence under the mistaken belief that it is less risky to hide a breach than to bring it forward and to report it,” said Deputy Attorney General Monaco. “Well that changes today. We are announcing today that we will use our civil enforcement tools to pursue companies, those who are government contractors who receive federal funds, when they fail to follow required cybersecurity standards — because we know that puts all of us at risk. This is a tool that we have to ensure that taxpayer dollars are used appropriately and guard the public fisc and public trust.”
The creation of the Initiative, which will be led by the Civil Division’s Commercial Litigation Branch, Fraud Section, is a direct result of the department’s ongoing comprehensive cyber review, ordered by Deputy Attorney General Monaco this past May. The review is aimed at developing actionable recommendations to enhance and expand the Justice Department’s efforts against cyber threats.
Civil Cyber-Fraud Initiative Details
The Civil Cyber-Fraud Initiative will utilize the False Claims Act to pursue cybersecurity related fraud by government contractors and grant recipients. The False Claims Act is the government’s primary civil tool to redress false claims for federal funds and property involving government programs and operations. The act includes a unique whistleblower provision, which allows private parties to assist the government in identifying and pursuing fraudulent conduct and to share in any recovery and protects whistleblowers who bring these violations and failures from retaliation.
The initiative will hold accountable entities or individuals that put U.S. information or systems at risk by knowingly providing deficient cybersecurity products or services, knowingly misrepresenting their cybersecurity practices or protocols, or knowingly violating obligations to monitor and report cybersecurity incidents and breaches. The benefits of the initiative will include:
- Building broad resiliency against cybersecurity intrusions across the government, the public sector and key industry partners.
- Holding contractors and grantees to their commitments to protect government information and infrastructure.
- Supporting government experts’ efforts to timely identify, create and publicize patches for vulnerabilities in commonly-used information technology products and services.
- Ensuring that companies that follow the rules and invest in meeting cybersecurity requirements are not at a competitive disadvantage.
- Reimbursing the government and the taxpayers for the losses incurred when companies fail to satisfy their cybersecurity obligations.
- Improving overall cybersecurity practices that will benefit the government, private users and the American public.
The department will work closely on the Initiative with other federal agencies, subject matter experts and its law enforcement partners throughout the government.
Report Cyber-Fraud
Tips and complaints from all sources about potential cyber-related fraud, waste, abuse and mismanagement can be reported by accessing the webpage of the Civil Division’s Fraud Section, which can be found here.
Topic(s): Cyber Crime
Component(s):
Civil Division
Office of the Deputy Attorney General
Press Release Number: 21-971
[1] Deputy Attorney General Lisa O. Monaco Announces New Civil Cyber-Fraud Initiative | OPA | Department of Justice
The information contained here is not intended to provide legal advice or opinion and should not be acted upon without consulting an attorney. Counsel should not be selected based on advertising materials, and we recommend that you conduct further investigation when seeking legal representation.