New Civil Cyber-Fraud Initiative Signals Increased Litigation Risk Arising from Cybersecurity Practices | Alston & Bird

Published on October 22, 2021


Our Privacy, Cyber & Data Strategy and White Collar,
Government & Internal Investigations teams answer the questions
government contractors will have about how to evaluate the False
Claims Act risks signaled by the Department of Justice's latest
cybersecurity initiative.

  • Do you have a process to investigate and remediate
    cybersecurity-related complaints?
  • Do you know if your cybersecurity controls and processes
    satisfy current standards?
  • Do you know what you are telling the government about your
    controls and capabilities?
  • Are you monitoring the changing landscape for reporting cyber
    incidents to the government?

On October 6, 2021, Deputy Attorney General Lisa O. Monaco
announced the Department of Justice's (DOJ) "Civil
Cyber-Fraud Initiative." This new enforcement project led by
the DOJ's Civil Fraud Section will seek civil penalties under
the False Claims Act (FCA) against government contractors and grant
recipients that put U.S. information or systems at risk, for
example by providing deficient cybersecurity products,
misrepresenting cybersecurity capabilities, or knowingly violating
obligations to monitor and report data breaches. The initiative is
the latest in a line of Biden Administration actions that aim to
combat the growth in cyber-attacks with aggressive use of criminal
enforcement against the attackers and new requirements for
industry.

The Initiative Signals Increased Risk of FCA Litigation with
the DOJ or Private Plaintiffs

The DOJ used the FCA to recover $2.2 billion in settlements and
judgments in 2020 and anticipates using the FCA's "very
hefty" monetary penalties to change contractors'
cybersecurity behavior. FCA liability attaches to claims that are
false, which may include "false certifications" where a
contractor expressly or impliedly certifies compliance with a
particular statute, regulation, or contractual term and that
compliance is a prerequisite to payment. Under this new initiative, it appears
the DOJ intends to use a similar theory to enforce compliance with
cybersecurity and breach-reporting provisions contained in federal
contracts. To the extent compliance with these provisions is not
already a contractual prerequisite for payment, contractors should
expect that to change. Indeed, federal departments and agencies are
already in the process of implementing the President's May 2021 Executive Order that, among other
things, required a broad review of federal contracting rules on
cybersecurity and breach reporting.

There are few known FCA cases involving cybersecurity claims,
though given the sensitive nature of the subject matter, more may
have been filed under seal. Relators have had mixed results attempting to
bring such FCA cases, with one case against an aerospace contractor
surviving a motion to dismiss, while another case against a
computer manufacturer was dismissed. The initiative likely signals
an aggressive civil enforcement approach, with the DOJ bringing
more FCA cases of its own volition, intervening more frequently in
relator cases that raise colorable claims, and encouraging
whistleblowers to come forward more willingly.

Contractors should use this announcement as a call to revisit
their cybersecurity controls and certifications, confirm that their
processes satisfy all contractual requirements, and investigate
whether corrections need to be made to prior statements or
representations to the government regarding the security of their
systems or their products. The following are questions companies
can ask internally as they evaluate these risks.

Do You Have a Process to Investigate and Remediate
Cybersecurity-Related Complaints?

FCA litigation often arises from whistleblowers either
contacting the government or independently bringing suit under the
FCA's qui tam provisions. This initiative will be no different
– the DOJ's announcement specifically mentions relying on
whistleblowers to assist the government in bringing these actions.
One practical way companies can reduce the likelihood of triggering
these suits is to ensure there is a robust internal investigations
process for receiving and resolving employee concerns about
cybersecurity or product vulnerabilities. Counsel can assist in
building a process for triaging, investigating, responding to, and
remediating these complaints that is protected by privilege, is run
independently, and provides ammunition for defeating a subsequent
claim that the company ignored or inadequately addressed
concerns.

Do You Know If Your Cybersecurity Controls and Processes
Satisfy Current Standards Required by Contract and/or a Minimum
Baseline of Reasonable Security?

Currently, there is no unified cybersecurity standard for
government contractors. While FAR 52.204-21 lays out "basic
safeguarding of covered contractor information systems,"
additional requirements are contract-specific and can change
depending on the procuring agency, the data at issue, and the type of
service or product being offered. For civilian agencies in
particular, more detailed cybersecurity requirements have often
been included in a scope of work, which can result in vague,
confusing, and conflicting requirements. But going forward,
contractors should expect a stricter level of standardization in
contractually required cybersecurity controls and certifications.
At the Department of Defense, the Cybersecurity Maturity Model Certification
program is getting off the ground with its five levels of
security assessments and certifications. Similarly, the National
Institute of Standards and Technology is currently developing additional guidelines for
contractors based on the May 2021 Executive Order. While final
guidelines may not yet have been completed, we can expect more
contractual requirements that reflect the "reasonable
security" standard as a baseline. Consider conducting an
internal assessment of your controls and processes to confirm you
could satisfy both any existing contractual requirements and this
baseline of reasonable security. Alston & Bird has published a
separate guide, "12 Elements for Effective Cybersecurity: What Does
'Reasonable Security' Look Like Organizationally?," that can be a
starting point for your internal discussions.

Do You Know What You Are Telling (or Have Told) the
Government About Your Cybersecurity Controls and
Capabilities?

The announced initiative specifically highlights
misrepresentations made to the government about cybersecurity. Once
contractors have determined their cybersecurity controls baseline,
they may want to consider conducting an internal investigation with
counsel that compares the statements they have made (or are making) to
the government about cybersecurity against that
controls baseline. This effort will help paint a picture of any
existing FCA cyber-risk and provide an opportunity to address any
discrepancies with the government outside the
litigation/whistleblower context.

Are You Monitoring the Changing Landscape for Reporting
Cyber Incidents to the Federal Government?

While you may (or may not) have contractual obligations to report
certain types of cybersecurity incidents to your contracting
officer or the procuring agency, it appears that the government may
soon require expanded reporting of security incidents from
contractors. The May 2021 Executive Order already signaled new
cybersecurity reporting regulations for contractors, and additional
legislation is moving through Congress on this issue. Monitoring
and testing your existing incident notification procedures and
preparing for changes to this landscape will be important.

The content of this article is intended to provide a general
guide to the subject matter. Specialist advice should be sought
about your specific circumstances.
