On October 6, 2021, Deputy Attorney General Lisa Monaco announced the launch of the new Civil Cyber-Fraud Initiative. Led by the Department of Justice (“DOJ”) Civil Division’s Commercial Litigation Branch, Fraud Section, the initiative will seek to “utilize the False Claims Act (“FCA”) to pursue cybersecurity related fraud by government contractors and grant recipients.”
In its official press release, DOJ outlined three types of allegations it may pursue against federal contractors or grant recipients under the FCA: (1) knowingly providing deficient cybersecurity products or services; (2) knowingly misrepresenting their cybersecurity practices or protocols; or (3) knowingly violating obligations to monitor and report cybersecurity incidents and breaches.
DOJ’s use of the FCA will be in conjunction with other potential sources of liability for companies that are victims of a data breach. These sources of liability may include enforcement actions by the SEC for violations of the Safeguards Rule, FTC actions for violations of Section 5 of the FTC Act, HHS actions for violations of HIPAA, class actions brought by individuals and actions brought by state attorneys general.
The FCA allows the government to recover treble damages and per-claim monetary penalties from federal contractors and grant recipients who knowingly submit false claims for payment. Under the Act, “any person” who fails to comply with contractual, statutory or regulatory obligations, and then submits a false claim for payment, may be found liable for damages or penalized.
In addition, the FCA allows for whistleblowers – often employees of contractors – to file qui tam suits on behalf of the government and receive a percentage of the money recovered. The Act also protects these whistleblowers from retaliation.
In remarks on the new Cyber-Fraud Initiative, Acting Assistant Attorney General Brian M. Boynton said that “False Claims Act enforcement and whistleblower reporting will help spur compliance by contractors and grantees.”