Menu

Cybersecurity FCA Whistleblowers

Thursday, March 14th, 2024

In October 2021, the United States Department of Justice (DOJ) announced its Civil Cyber-Fraud Initiative. The purpose of this initiative is to combat cybersecurity vulnerabilities and cyber threats by ensuring federal contractors and grantees implement required cybersecurity standards. Whistleblowers play a critical role in the initiative. Cybersecurity fraud is often difficult for the government to detect, so the DOJ relies on insiders to report violations under the federal False Claims Act (FCA).

The FCA allows whistleblowers, known as “relators,” to bring a lawsuit regarding an entity’s false claims to the United States for payment. This is known as a qui tam lawsuit, because it is brought in the name the government. The lawsuit is filed and initially kept under seal to allow the government to investigate.

A FCA cause of action generally has four elements: (1) falsity; (2) knowledge; (3) materiality; and (4) damages. In the cybersecurity context, the falsity element requires a false or fraudulent statement concerning the entity’s cybersecurity practices or compliance, made in connection with a federal contract or grant. This false or fraudulent statement must be made knowingly, which encompasses actual knowledge, deliberate ignorance, and reckless disregard of the truth or falsity of the information. Materiality focuses on the significance of the false or fraudulent statement—it must, at minimum, have a natural tendency to influence, or be capable of influencing, the government’s payment decision. Finally, damages focus on the harm to the government. If successful, government’s actual damages may be tripled, and a court may award civil penalties. The whistleblower will receive a “relator’s share” between 15% and 30% of the government’s recovery.

Two years in, the DOJ continues to make cybersecurity enforcement a top priority, and has a string of successful recoveries, including:

Most recently, on September 1, 2023, the United States District Court for the Eastern District of Pennsylvania unsealed a FCA lawsuit brought by a qui tam relator alleging Penn State University falsely certified its compliance with various cybersecurity controls in a DOD contract.[1] While the DOJ declined to intervene—at least for now—it continues to actively investigate the case.

Cybersecurity requirements may exist in any federal contract or grant; however, they are most prevalent in the defense, health care, and research sectors. These requirements could include:

  • The Federal Information Security Modernization Act of 2014 (FISMA) contains the most broadly applicable cybersecurity provisions. FISMA requires federal agencies and contractors that operate federal information systems to implement the required minimum protections and practices—termed “controls”—in the National Institute of Standards and Technology (NIST) Special Publication 800-53, “Recommended Security Controls for Federal Information Systems” (SP 800-53).
  • As for Department of Defense (DoD) contracts, these include specific provisions under Defense Federal Acquisition Regulation Supplement (DFARS) 252.204-7012, “Safeguarding Covered Defense Information and Cyber Incident Reporting.” This regulation requires defense contractors to implement NIST Special Publication 800-171 (SP 800-171) to protect controlled unclassified information (CUI).

Both FISMA and DFARS require federal contractors to demonstrate compliance with the applicable cybersecurity controls in a number of ways, including submission of documentation (for example, a System Security Plan or “SSP”), audits (such as a third-party independent assessment), and annual security reviews. An FCA violation can occur when federal contractors make false or misleading statements concerning the status or implementation of the applicable cybersecurity requirements.

If you are concerned about cybersecurity compliance efforts, or are interested in learning more about the FCA, please contact a member of Gentry Locke’s Whistleblower Claims & Qui Tam Team.


[1] United States of America, ex rel. Decker v. Pennsylvania State University, Case No. 2:22-cv-3895 (E.D. Pa.)

Comments Off on Cybersecurity FCA Whistleblowers

Category | Tags:

Social Networks : Technorati, Stumble it!, Digg, de.licio.us, Yahoo, reddit, Blogmarks, Google, Magnolia.

FTC Amends Safeguards Rule

Wednesday, November 8th, 2023

The Federal Trade Commission (FTC) announced on October 27th that it has expanded the scope of its financial data security rule, which will now require nonbank financial institutions – like vehicle dealers and mortgage brokers – to report data breaches. This new amendment to the FTC Safeguards Rule imposes similar reporting requirements to those already applicable to banks.

Specifically, the amendment will require nonbank financial institutions to report to the FTC any data breach affecting 500 or more consumers’ data. The rule gives financial institutions 30 days to report the breach, however the FTC encourages reporting as soon as possible. Importantly, the reporting requirement applies only to breaches of unencrypted data, underscoring the importance of implementing sound cybersecurity protocols like end-to-end encryption of data.

In his statement announcing the amended rules, Samuel Levine, the director of the FTC’s Bureau of Consumer Protection, emphasized the importance of corporate transparency and rapid disclosure of incidents, even before the 30 day timeline when possible. The new requirements will take effect in approximately six months, according to the FTC.

This new reporting requirement places a significant new burden on affected financial institutions, as reporting an incident to the FTC will trigger an investigation into the company’s cybersecurity practices and compliance with the Safeguards Rule. Failure to report an incident will put the offending company into the far more precarious position of being the subject of not only an FTC investigation, but also an enforcement action accompanied by hefty fines and the potential for criminal penalties.

In light of the massive financial and reputational risk posed by increasingly active threat actors and the government’s corresponding regulation of corporate cybersecurity, it has never been more important for companies to develop and implement robust cybersecurity and data privacy policies. It is equally crucial to consult with experienced legal counsel for assistance developing these proactive policies and, when necessary, responding to cyber incidents.

If you have any questions about this update, please reach out to John Danyluk at danyluk@gentrylocke.com.

Comments Off on FTC Amends Safeguards Rule

Category | Tags:

Social Networks : Technorati, Stumble it!, Digg, de.licio.us, Yahoo, reddit, Blogmarks, Google, Magnolia.

SEC Charges SolarWinds and Chief Information Security Officer with Fraud and Internal Cybersecurity Failures

Monday, November 6th, 2023

The Securities and Exchange Commission (SEC) announced charges against SolarWinds Corp. and its chief information security officer (CISO), accusing the publicly traded company of misleading investors as to its vulnerability to cyberattacks. SolarWinds is accused of defrauding investors by overstating its cybersecurity practices, while failing to implement appropriate internal digital safeguards and ignoring red flags for years before announcing that it was the victim of a two-year long cyber attack in December 2020.

This landmark lawsuit represents the first time in an SEC cyber case that the commission has alleged that an organization intended to deceive investors. Perhaps even more alarming for information security executives performing an increasingly difficult corporate function, it is the first time in an SEC cyber case that the commission has brought action against an individual.

The SEC alleged that SolarWinds and CISO Timothy Brown, who is individually named in the lawsuit, knew as early as 2018 that software it sold to the federal government was, in the words of one company engineer quoted in the complaint, “not very secure.” According to the complaint, SolarWinds’ poor security practices were not a secret within the company, prompting several employees to express their concerns.

According to the director of the SEC’s enforcement division, “[r]ather than address these vulnerabilities, SolarWinds and Brown engaged in a campaign to paint a false picture of the company’s cyber controls environment, thereby depriving investors of accurate material information.”

The SEC’s complaint, filed in the Southern District of New York, alleges that SolarWinds and Brown violated the antifraud provisions of the Securities Act of 1933 and of the Securities Exchange Act of 1934; SolarWinds violated reporting and internal controls provisions of the Exchange Act; and Brown aided and abetted the company’s violations. The complaint seeks permanent injunctive relief, disgorgement with prejudgment interest, civil penalties, and an officer and director bar against Brown.

The SEC’s aggressive enforcement of the massive SolarWinds breach reflects the tremendous impact that a breach can have to a company’s value and stock prices. Further, by placing the company’s CISO squarely in the SEC’s crosshairs, CISOs and other cyber executives are now on notice that they may be held personally responsible for security and disclosure failures. On the heels of the criminal sentencing of former Uber CSO, Joseph Sullivan, for his role in the company’s 2016 data breach, these executives are predicted to become increasingly risk-averse and choose self-preservation over corporate profits by proactively report vulnerabilities and breaches. The government’s willingness to go after individual employees means that those employees have even greater motivation to become whistleblowers and report perceived cybersecurity failures within the company, thereby protecting themselves while potentially securing a sizable relator settlement under the False Claims Act.

If you have any questions concerning your company’s cybersecurity, please reach out to John Danyluk at danyluk@gentrylocke.com.

Comments Off on SEC Charges SolarWinds and Chief Information Security Officer with Fraud and Internal Cybersecurity Failures

Category | Tags:

Social Networks : Technorati, Stumble it!, Digg, de.licio.us, Yahoo, reddit, Blogmarks, Google, Magnolia.

FacebookTwitterLinkedIn