December 17, 2021
In October 2021, the Department of Justice announced a new initiative seeking Cyber-Fraud Whistleblowers. The initiative targets federal contractors who fail to comply with government cybersecurity requirements. In addition, the initiative targets contractors who fail to report breaches or other cybersecurity incidents.
The DOJ Cyber-Fraud initiative is the latest step in a national campaign to protect sensitive government information from cybersecurity threats.
In May 2021, the Biden Administration issued a sweeping Executive Order to improve the nation’s cybersecurity. That Order identified the detection and prevention of cyber incidents as “essential to national and economic security.”
The Executive Order will add so called “breach notification” requirements for all government service providers. In addition, the Executive Order will also add baseline security standards for computer software sold to the government.
In October 2021, DOJ announced its intention to expand use of the False Claims Act (FCA) to enforce cybersecurity compliance. In making that announcement, Deputy Attorney General Lisa Monaco identified the FCA as DOJ’s “primary civil tool” to combat fraud involving government programs.
Going forward, government contractors or grant recipients who falsely certify compliance with federal cybersecurity requirements will face significant penalties under the FCA. Similarly, contractors or grant recipients who fail to report cybersecurity incidents and breaches will face the same significant FCA penalties.
“For too long, companies have chosen silence under the mistaken belief that it is less risky to hide a breach than to bring it forward and to report it. Well, that changes today.”
Deputy Attorney General Lisa Monaco
In reviewing the success of the FCA, Deputy Attorney General Monaco recognized the FCA’s “unique whistleblower provisions.” Those provisions allow private citizens, known as relators, to assist the government in uncovering and preventing fraud. In addition, the FCA protects relators from workplace retaliation. Finally, the FCA allows relators to receive a share of the government’s financial recoveries.
In United States ex rel. James Glenn v. Cisco Systems Inc., a relator claimed he was terminated after he disclosed critical software vulnerabilities in Cisco’s video surveillance systems. Cisco sold those systems to the United States and other state and local governments. Eventually, in 2019, Cisco settled the dispute for $8.6 million.
The Cisco Systems matter was the first cybersecurity case resolved under the FCA. However, as the DOJ Cyber-Fraud initiative makes clear, it will not be the last.
DOJ is not alone in making cybersecurity an enforcement priority. For instance, the SEC recently announced a cybersecurity settlement with the company First American Financial Corp. The SEC fine resulted from the company’s deficient disclosures about its cybersecurity risks. Specifically, vulnerabilities which put the security of customer financial information at risk.
First American Financial had issued a public statement about its cybersecurity vulnerabilities. However, the SEC found that the disclosure did not go nearly far enough. As a result, the SEC fined First American because its senior executives lacked information necessary to fully evaluate the company’s cybersecurity vulnerabilities.
And the New York Department of Financial Services (NYDFS) recently brought enforcement actions for failure to comply with NYDFS Cybersecurity Regulations. NYDFS found that two regulated insurance companies falsely certified their compliance with those regulations. Therefore, NYDFS imposed total fines of more than $1.8 million for failing to protect consumer data from cybersecurity risks.
If you are aware that a government contractor or grant recipient has falsely certified compliance with its cybersecurity requirements, or failed to report a cybersecurity breach, we urge you to contact the Whistleblower Law Collaborative. Our attorneys include several former federal prosecutors with experience safeguarding sensitive government information. We can discuss your concerns in a confidential and secure setting. We can also advise you on the best options to prevent critical information and data from falling into the wrong hands.