What Does the DOJ's New Civil Cyber-Fraud Initiative Mean for Whistleblowers?
On October 6, 2021, Deputy Attorney General Lisa O. Monaco announced the DOJ's new Civil Cyber-Fraud Initiative, which will utilize the False Claims Act to penalize government contractors who fail to comply with requisite cybersecurity standards. This initiative is no surprise, as the DOJ listed cybersecurity as one of six priorities for upcoming FCA enforcement.
What is the Civil Cyber-Fraud Initiative?
The Civil Cyber-Fraud Initiative memorializes the DOJ's commitment to using the FCA to enforce cybersecurity standards that are requisite to government contracts. While the initiative targets technology companies who knowingly provide inadequate cybersecurity products or services, the initiative also implicates companies outside of the technology industry. Any company who contracts with the government and makes misrepresentations about its cybersecurity practices or fails to monitor and report any breaches could face FCA liability.
Why is the Civil Cyber-Fraud Initiative Important?
Incidents such as the 2021 Colonial Pipeline cyberattack emphasize the importance of preventing cyber fraud. When hackers launched a cybersecurity attack involving ransomware against Colonial Pipeline, the pipeline shut down, resulting in fuel shortages throughout much of the East Coast. As companies become more reliant on technology, it becomes increasingly important that they uphold cybersecurity standards, as cyber fraud not only compromises information, but can also disrupt operations.
How Does the FCA Apply to Instances of Cyber Fraud?
In recent years, there have already been a few FCA cases involving cyber-fraud allegations. For example, in August 2019, Cisco Systems, Inc. paid $8.6 million to resolve FCA allegations arising from security flaws in their video surveillance products. The relator alleged that "Cisco markets the product as particularly suited for government customers, and knows that the product is routinely sold to government customers, even though Cisco knows that these critical security flaws render the product largely ineligible for purchase by government entities."
In May 2019, a court denied a motion to dismiss an FCA complaint alleging that Aerojet misrepresented its compliance with cybersecurity requirements when contracting with National Aeronautics & Space Administration ("NASA") and the Department of Defense ("DoD"). While the agencies knew that Aerojet was not fully compliant with the requirements, they concluded that it would be "relatively simple" for Aerojet to become compliant and entered into a contract with it. However, the relator alleged that Aerojet was actually further away from compliance than they represented to the government. Accepting these allegations as true, the court found that the government's decision to enter into a contract with Aerojet may have been based on Aerojet's misrepresentations about its cybersecurity compliance. In other words, cybersecurity compliance may be relevant to the central purposes of the contract, thus satisfying the FCA's rigorous materiality requirement.
What Should I Do If I Witness Cyber Fraud?
If you are aware of fraud against the government, whether in cybersecurity or another sector, you may be eligible to blow the whistle in a False Claims Act lawsuit and may be entitled to a portion of the recovery. To find out more, contact Goldberg Kohn for a confidential consultation.
 Complaint, United States of America ex rel. Glenn v. Cisco Systems Inc., No. 1:11-cv-00400 (W.D.N.Y.)
 United States ex rel. Markus v. Aerojet Rocketdyne Holdings, Inc., No. 2:15-cv-2245 WBS AC (E.D. Cal. May 8, 2019)