The U.S. Department of Justice announces an initiative
targeting cybersecurity-related fraud by government contractors and
On October 6, 2021, the U.S. Department of Justice
(“DOJ”) announced a new Civil Cyber-Fraud Initiative
(“Initiative”) that will use the False Claims Act
(“FCA”) to target cybersecurity-related fraud by
government contractors and grant recipients. The Initiative follows
a recent trend of enforcement actions concerning failure to comply
with cybersecurity requirements in government procurements, and it
signals that the U.S. government likely will take the position that
cybersecurity requirements in federal contracts and grants are
requirements “material” to payment. It also is the latest
in a spate of recent Biden administration actions focused on
increasing cybersecurity defenses in the face of the continuing
proliferation of ransomware and other cyberattacks.
DOJ intends to use the FCA against contractors and grantees that
“fail to follow required cybersecurity standards.” The
Initiative will use the FCA to specifically target entities
“knowingly providing deficient cybersecurity products or
services, knowingly misrepresenting their cybersecurity practices
or protocols, or knowingly violating obligations to monitor and
report cybersecurity incidents and breaches.”
The FCA is the primary tool for combatting fraud against the
government. In 2020 alone, DOJ recovered $2.2 billion from civil FCA settlements and
judgments. This is due, in large part, to the FCA’s unique
qui tam provisions, which incentivize private parties,
called qui tam relators, to share in any recovery.
To date, there have been several FCA cases involving cybersecurity
filed by whistleblowers. The Initiative indicates the government
will also be bringing cases in its own name.
Cybersecurity compliance has become a growing focus of FCA
enforcement. In recent years, qui tam relators have
brought allegations related to security vulnerabilities without
allegations that the vulnerabilities had been exploited. Even if a
contractor or grantee avoids FCA liability, a successful defense of
such allegations may come at significant expense.
DOJ indicated that it will partner with other federal agencies
and law enforcement on the Initiative, an important reminder of the
potential for criminal liability or debarment. To reduce the risk
of FCA liability, government contractors and grantees should
consider: (i) reviewing any cybersecurity-related representations
and certifications to understand what is required; (ii) assessing
their current cybersecurity posture and capabilities; (iii)
implementing or refreshing procedures to identify, assess, and
promptly remediate cybersecurity vulnerabilities and to
contemporaneously document these security decisions; and (iv)
educating executives and board members regarding these emerging
risks. They should also consider their mandatory reporting
obligations relating to the FCA, as we recently discussed.
The content of this article is intended to provide a general
guide to the subject matter. Specialist advice should be sought
about your specific circumstances.