The U.S. Department of Justice is targeting federal contractors and grant recipients who fail to adhere to cybersecurity requirements in their agreements and violate their obligation to monitor and report ransomware attacks and other types of cybersecurity breaches.
DOJ’s New Initiative
“For too long, companies have chosen silence under the mistaken belief that it is less risky to hide a breach than to bring it forward and report it,” Deputy Attorney General Lisa Monaco said in a press release announcing the Civil Cyber-Fraud Initiative last month. “Well, that changes today. We are announcing that we will use our civil enforcement tools to pursue companies—those who are government contractors receiving federal funds—when they fail to follow required cybersecurity standards, because we know that puts all of us at risk.”
Tools for Enforcement
Under this initiative, the principal tool the Department of Justice will use to pursue these contractors is the False Claims Act, which imposes liability on companies and individuals who defraud federal government programs while working on government contracts. False Claims Act cases may be brought not only by the U.S. government but also by private citizens who serve as whistleblowers.
Lax cybersecurity measures often go undiscovered until a breach or other catastrophic event occurs. In light of the financial incentives for private whistleblowers and plaintiffs’ attorneys to bring False Claims Act lawsuits—including automatic attorney’s fees and up to 30% of the government’s recovery in a successful action—DOJ’s policy initiative could encourage internal whistleblowers to bring cyber concerns to light and may result in a proliferation of False Claims Act litigation.
Implied Certification Cases
The Civil Cyber-Fraud Initiative comes at a time when False Claims Act litigation has already been sweeping up contractors who, while providing the contracted-for service, fail to comply with other requirements applicable to government contracts. These “implied certification” cases are based on the notion that a contractor commits fraud by submitting a claim to the federal government for payment while failing to disclose its noncompliance with a separate statutory, regulatory, or contractual requirement. The company’s submission of the claim serves as an implied certification that it has met all the applicable requirements.
Materiality of Requirements
Since the U.S. Supreme Court’s Escobar ruling in 2016, False Claims Act disputes have often turned on whether the requirement at issue was material to the government’s decision to pay the claim. In prior False Claims Act cases involving a failure to comply with cybersecurity requirements, contractors have argued that the violation was immaterial to the government’s payment decision, especially if the contract concerned services unrelated to information technology or cybersecurity.
While that argument has had mixed results, it is now likely to be viewed with skepticism, particularly in light of the Biden administration’s focus on cybersecurity. For example, the Department of Defense stated last year that it intended to make its standard contractual terms relating to cybersecurity more robust. And after the cyberattack on the Colonial Pipeline this year, President Biden issued an executive order focused on how government contractors detect, prevent, and remediate cyber threats, including the need for broad cyber-incident reporting requirements and the creation of standardized—and likely more stringent—cybersecurity requirements for federal contractors.
Legal and Financial Risks
Federal contractors who do not follow the latest cybersecurity requirements may face substantial legal exposure because the False Claims Act does not require proof of intent to defraud: a contractor that acts with reckless disregard of an applicable requirement, such as a cybersecurity clause in a government contract, can be held liable.
Additionally, the initiative is the latest example of how cybersecurity and data privacy regulations—and the penalties associated with them—continue developing rapidly. Lawmakers in the Carolinas and more than 10 other states introduced sweeping data privacy bills this year. Virginia, California, and Colorado have already passed their own.
Conclusion
Bottom line: the downside of failing to comply with best practices on cybersecurity and data privacy continues to get steeper. DOJ’s recent emphasis on cybersecurity, combined with the expanding web of federal cybersecurity regulations, creates sizable legal and financial pitfalls for unwitting government contractors. Government contractors—and businesses in general—should carefully assess the cybersecurity terms in their contracts and consider conducting an enterprise-wide assessment of their data practices and risks to avoid financial exposure from both a business and legal perspective.
Sarah Hutchins and Michael Goldsticker are attorneys at the law firm Parker Poe. They can be reached at sarahhutchins@parkerpoe.com and michaelgoldsticker@parkerpoe.com.