Cyber fraud has become an increasing concern in recent years. In November 2021, the Department of Justice (DOJ) launched the Civil Cyber-Fraud Initiative (Initiative). We explained that Initiative in this December 2021 post.
In July 2023 a panel of experts held a discussion titled “DOJ’s Civil Cyber-Fraud Initiative: Early Takeaways.” During the discussion, experts shed light on the Initiative’s objectives, the importance of cybersecurity, and its implications for federal contractors and whistleblowers. WLC’s Bruce Judge and Kelly Shivery attended the panel and provided this summary.
The panel consisted of distinguished professionals with expertise in various aspects of cybersecurity and fraud. Ingrid Shipton, a cybersecurity expert with Eminent Risk Management Group, presented the technical aspects of cybersecurity. Christopher Terranova, a DOJ Civil Frauds Senior Trial Counsel, was there to share his insight as a government attorney on cyber-fraud cases. Adam Tarosky of Nixon Peabody shared the defense perspective of cyber-fraud cases. Moderator Sam Buffone, co-founder of Black & Buffone, shared his point-of-view as an attorney for whistleblowers in cyber-fraud and other FCA cases.
Recap of the Civil Cyber-Fraud Initiative
The spotlight on federal cybersecurity protections began in 2021 with an Executive Order mandating standard federal contract language addressing cybersecurity protections. The standard cybersecurity contract language requirement is expected to begin in the near term.
The Initiative was announced in October 2021. In announcing the Initiative, Deputy Attorney General Lisa Monaco said:
For too long, companies have chosen silence under the mistaken belief that it is less risky to hide a breach than to bring it forward and to report it. Well that changes today.
Highlighting the valuable role of whistleblowers is a significant aspect of the Initiative. The Initiative strives to make whistleblowers aware of these types of cases so they will bring them to the government.
Federal Agencies Provide Support for Civil Cyber-Fraud Initiative
Although the DOJ pursued civil cyber-fraud cases prior to the Initiative, the Initiative ensures the government attorneys handling the matter have sufficient knowledge of cybersecurity rules and processes to enforce existing laws. In addition, the Initiative provides federal prosecutors with better access to cybersecurity experts. DOJ Senior Trial Counsel Terranova noted that federal agencies, including the Department of Defense, Department of Health and Human Services, and Department of Homeland Security, have shown broad support for the Initiative.
In addition to the Initiative, in March 2023, the White House outlined the five pillars of its National Cybersecurity Strategy. The pillars are: Defend Critical Infrastructure; Disrupt and Dismantle Threat Actors; Shape Market Forces to Drive Security and Resilience; Invest in a Resilient Future; and, Forge International Partnerships to Pursue Shared Goals.
The Broader Implications of Cybersecurity
Cybersecurity is broader than compliance with Defense Federal Acquisition Regulation Supplement (DFARS) and Federal Acquisition Regulations. (FARS). For example, the FDA considers cybersecurity in the premarket approval process for medical devices. HIPAA protections implicate cybersecurity. The HITECH Act (encouraging healthcare providers to adopt electronic health records) also requires cybersecurity protections.
The cybersecurity rules companies have to follow are agency specific. Typically, the agency responsible for paying the company will dictate the required rules and regulations. The enforcement and procedures for self -disclosure are also agency specific.
The panel emphasized the critical role of leadership in cyber defense. As cyber-expert Ingrid Shipton observed, responsibility for cybersecurity is not just for “the people wearing the hoodies.” CEOs and board members are ultimately responsible for their organization’s cybersecurity. A typical corporate cybersecurity team will include some variation of a Chief Information Officer (CIO), Chief Information Security Officer (CISO), Chief Security Officer, Chief Technology Officer (CTO), and Chief Risk Officer. In an ideal scenario, the cybersecurity team will sit in a separate chain of command from the IT team.
Cybersecurity and The False Claims Act
In a typical False Claims Act (FCA) case, the harm is to the public fisc. In the case of a cybersecurity breach, however, the scope of potential harm is much wider: harm to national security; harm to people’s private information; and, in the case of medical devices (e.g. pacemaker), physical harm to patients.
The panel explained the three most common fact patterns for FCA cases:
- Knowing failure to comply with regulations – some agencies have higher requirements – e.g. the National Security Agency
- Knowing misrepresentation of cyber controls and practices – system security plans must be submitted and implemented
- Knowing failure to timely report cyber failure or breach and not remediate to limit resulting harm
In all of the scenarios presented, the panel stressed that the government encourages self-disclosure. Credit will be provided to those who voluntarily disclose and take remedial action.
Recent Settlements under the Initiative:
Thus far, there have been three settlements under the Initiative:
- Comprehensive Health Solutions (CHS) – In March 2022, CHS, which operates health clinics in Iraq and Afghanistan for military and expatriates, was found to have made misrepresentations regarding how it stored protected health information (PHI). The company was required to use an Electronic Health Record (EHR) system, but was found to be storing PHI on personal laptops without adequate safeguards.
- Aerojet – In July 2022, a defense contractor, Aerojet, settled after litigation was commenced. The case involved issues of DFARS compliance. While the government declined initially due to the issue’s materiality, the court later discovered incomplete disclosures to auditors, leading to unresolved factual disputes.
- Jelly Bean Communications – The third settlement under the Initiative involved a case with typical False Claims Act connotations, highlighting the broader implications of cybersecurity beyond financial harm.
The DOJ’s Cyber-Fraud Initiative represents a significant step forward in protecting national security and safeguarding sensitive information. It also encourages whistleblowers to play a vital role in reporting cyber fraud. Companies and federal contractors must prioritize cybersecurity to mitigate risks and ensure compliance with government regulations. Businesses can contribute to a more resilient and secure cyber landscape by taking proactive measures.
We Help Whistleblowers Report Cybersecurity Failures
If you know that a government contractor has falsely certified compliance with its cybersecurity requirements, or failed to report a cybersecurity breach, contact us. Our attorneys include several former federal prosecutors with experience safeguarding sensitive government information. We can discuss your concerns in a confidential and secure setting. We can also advise you on the best options to prevent critical information and data from falling into the wrong hands.