October 11, 2021
Many commentators (including us) have been predicting it for years — cybersecurity is the next wave of False Claims Act enforcement. Despite a handful of publicly reported fraud cases involving cybersecurity issues, a wave has yet to materialize. Some wondered if former Deputy Assistant Attorney General Michael Granston’s remarks in December 2020, where he noted that “cybersecurity related fraud is another area where we could see enhanced False Claims Act activity,” could be a watershed moment. A signal of things to come, perhaps, but no wave. However, with a recent announcement from the Department of Justice (“DOJ”), the wave we have been predicting appears to be real and getting closer.
On October 6, 2021, DOJ issued a press release announcing a new Civil Cyber-Fraud Initiative. The Initiative will be aimed at “combat[ting] new and emerging cyber threats to the security of sensitive information and critical systems.” Deputy Attorney General Lisa Monaco described the new Initiative as “a tool . . . to ensure that taxpayer dollars are used appropriately and guard the public fisc and public trust.”
Led by the DOJ Civil Division’s Commercial Litigation Branch, Fraud Section, the Initiative will rely on the civil False Claims Act, 31 U.S.C. §§ 3729 et seq., (“FCA”) “to pursue cybersecurity related fraud by government contractors and grant recipients.” The Initiative aims to “hold accountable entities or individuals that put U.S. information or systems at risk by knowingly providing deficient cybersecurity products or services, knowingly misrepresenting their cybersecurity practices or protocols, or knowingly violating obligations to monitor and report cybersecurity incidents and breaches.”
Should contractors and grant recipients be worried? Maybe, but they should at least be paying attention. With DOJ’s pledge to “pursue cybersecurity related fraud,” we could very well see government-initiated cyber FCA cases on the rise in the near future. And if nothing else, this announcement by DOJ is likely to lead to additional qui tam actions for perceived misrepresentations surrounding cybersecurity compliance. With its treble damages, relaxed scienter standard, and bounty provision, the FCA is already a headache for many, but application of the FCA in the cybersecurity space is a potential nightmare. Due to the ever-evolving requirements and application to contractors that may not historically have had to comply with such requirements, there are numerous compliance traps for the unwary. And with the Government only needing to show reckless disregard or deliberate ignorance to establish the requisite scienter, the fact that many contractors know they are likely noncompliant (or even choose to ignore their obligations) presents a substantial risk. FCA liability is bet-the-company stuff and contractors should not ignore DOJ’s announcement.
However, the Government may still find it difficult to bring successful FCA cases for cybersecurity noncompliance, at least initially. Even if DOJ plans to aggressively investigate and enforce cybersecurity-related fraud, they must still meet the FCA’s “demanding” materiality requirement. Materiality means that to establish liability under the FCA, the noncompliance must influence the Government’s choice to pay the contractor. Given the myriad cybersecurity obligations in many contracts, which are typically part of a far larger number of non-cybersecurity obligations, the Government may be hard-pressed to show that its decision to pay was based on compliance with the cybersecurity requirements. But this is likely to change as the Government takes steps to emphasize the materiality of cybersecurity. For example, where a solicitation requires a cybersecurity certification (e.g., a Cybersecurity Maturity Model Certificate (“CMMC”) at a particular level), it may be easier for the Government to show materiality. And considering the heightened emphasis that is already placed on cybersecurity requirements, the safest course would be to assume that such requirements are material.
Notwithstanding the relatively low bar for scienter, showing a contractor’s noncompliance was “knowing” may be difficult to prove when it comes to cybersecurity requirements. Because the requirements and standards are constantly evolving, and many are unclear, a contractor’s good faith, reasonable belief that it is compliant should not automatically lead to FCA liability where the Government disagrees. For example, when a security incident is “discovered” is often the trigger for the contractor’s reporting obligation. The contractor and the Government may have different, but reasonable interpretations of whether or when a triggering incident is discovered. It is hard to imagine the Government bringing a successful FCA claim against the contractor based on a disagreement regarding the reporting trigger — but it is easy to imagine a relator filing suit and making the allegations. And contractors should be aware of developments that shed light on the Government’s views regarding compliance and be prepared to adjust their understanding of the requirements accordingly.
So what next? Below are some considerations for contractors and grant recipients looking to prepare for and ride the wave to come without getting pulled under.
- Understand the Requirements. As mentioned above, government cybersecurity requirements are numerous and evolving. Some contracts include requirements to implement prescriptive government controls, some require security at a level equivalent to a government or industry standard, some require the presence or absence of specific products or services, and many require compliance down the supply chain depending on specific factors. Each requirement presents unique technical and legal challenges, and contractors and grantees alike should treat the DOJ announcement as an impetus to ensure that they understand the various requirements they are subject to.
- Consider the Risks. With the myriad requirements, each contractor may face different risks of potential fraud allegations. The risks can vary based the customer or the type of work contracted for — cybersecurity requirements may be more material for a contractor handling large amounts of sensitive but unclassified information. The risks can also vary by the requirement. For example, some contracts include prescriptive cybersecurity requirements, contracts implementing the DoD Assessment Methodology for NIST SP 800-171 require self-assessments with the option for the Government to conduct its own assessment, and soon many DoD solicitations will require a CMMC certificate from a third party assessment organization. Each of these presents unique compliance risks (g., failure to meet specific requirements, self-assessments that differ from a Government-conducted assessment, a CMMC certification based on a questionable assessment). Contractors should consider the risks before undertaking new requirements wherever possible.
- Consider Products and Services. The DOJ announcement calls out deficient cybersecurity products and services. Suppliers to the government should take note. By flagging this, DOJ appears to be signaling that security requirements for goods and services are going to be treated as material. In the wake of several high-profile security incidents involving commercial products and services that affected the Government, this is not surprising. However, materiality may not be assumed, and understanding the nature of the security requirements and the nature and type of the products and services will be important for assessing each supplier’s risks.
- Consult an Expert. Cybersecurity is complicated and expensive, but it can become far more challenging and costly if ignored. The same is true for government contracting cybersecurity compliance. It is important to work with the right technical and legal experts to ensure that your business is protected, particularly now that DOJ has announced that cybersecurity compliance is a target. And if a company finds itself facing FCA allegations from the Government or a qui tam plaintiff, the same technical and legal expertise, in conjunction with counsel experienced in handling FCA matters, is crucial for an effective defense.
Nichols Liu has extensive experience advising clients on false claims act matters and on cybersecurity compliance and can assist with the evolving requirements.
The information provided in this blog does not, and is not intended to, constitute legal advice; instead, all information, content, and materials available on this site are for general informational purposes only. Information on this website may not constitute the most up-to-date legal or other information. Readers of this website should contact their attorney to obtain advice with respect to any particular legal matter.
 Press Release, Department of Justice, Deputy Attorney General Lisa O. Monaco Announces New Civil Cyber-Fraud Initiative (Oct. 6, 2021), https://www.justice.gov/opa/pr/deputy-attorney-general-lisa-o-monaco-announces-new-civil-cyber-fraud-initiative.
 See Universal Health Servs., Inc., v. United States ex rel. Escobar, 136 S. Ct. 1989, 2003-04 (2016) (Government’s right to refuse payment for violation of contract requirement does not necessarily mean such a violation is material).
 See Executive Order 14028, “Improving the Nation’s Cybersecurity,” 86 Fed. Reg. 26633 (May 12, 2021).
 For example, in October 2020, a federal judge in D.C. dismissed a qui tam suit alleging cybersecurity fraud, finding in part that the plaintiff’s allegations did not meet the materiality standard because the plaintiff had not alleged that the cybersecurity vulnerability violated a term of the contract.