Cybersecurity FCA Whistleblowers

In October 2021, the United States Department of Justice (DOJ) announced its Civil Cyber-Fraud Initiative. The purpose of this initiative is to combat cybersecurity vulnerabilities and cyber threats by ensuring federal contractors and grantees implement required cybersecurity standards. Whistleblowers play a critical role in the initiative. Cybersecurity fraud is often difficult for the government to detect, so the DOJ relies on insiders to report violations under the federal False Claims Act (FCA).

The FCA allows whistleblowers, known as “relators,” to bring a lawsuit regarding an entity’s false claims to the United States for payment. This is known as a qui tam lawsuit, because it is brought in the name the government. The lawsuit is filed and initially kept under seal to allow the government to investigate.

A FCA cause of action generally has four elements: (1) falsity; (2) knowledge; (3) materiality; and (4) damages. In the cybersecurity context, the falsity element requires a false or fraudulent statement concerning the entity’s cybersecurity practices or compliance, made in connection with a federal contract or grant. This false or fraudulent statement must be made knowingly, which encompasses actual knowledge, deliberate ignorance, and reckless disregard of the truth or falsity of the information. Materiality focuses on the significance of the false or fraudulent statement—it must, at minimum, have a natural tendency to influence, or be capable of influencing, the government’s payment decision. Finally, damages focus on the harm to the government. If successful, government’s actual damages may be tripled, and a court may award civil penalties. The whistleblower will receive a “relator’s share” between 15% and 30% of the government’s recovery.

Two years in, the DOJ continues to make cybersecurity enforcement a top priority, and has a string of successful recoveries, including:

• $930,000 recovery from Comprehensive Health Services LLC, resolving allegations that it failed to implement required cybersecurity controls for electronic medical records, brought to light by two whistleblowers.
• $9 million recovery from Aerojet Rocketdyne, Inc., resolving allegations that it misrepresented compliance with federal cybersecurity requirements in federal contracts from the National Aeronautics and Space Administration (NASA) and Department of Defense (DOD), revealed by an internal whistleblower.
• $293,771 recovery from Jelly Bean Communications Design LLC, resolving allegations that it failed to appropriately secure personal identifying information on a Medicaid-funded health insurance website. These vulnerabilities were exploited by hackers in a data breach affecting over half a million applications.
• $4 million recovery from Verizon Business Network Services LLC, resolving allegations that it failed to implement cybersecurity controls used to provide secure connections for federal agencies.

Most recently, on September 1, 2023, the United States District Court for the Eastern District of Pennsylvania unsealed a FCA lawsuit brought by a qui tam relator alleging Penn State University falsely certified its compliance with various cybersecurity controls in a DOD contract.[1] While the DOJ declined to intervene—at least for now—it continues to actively investigate the case.

Cybersecurity requirements may exist in any federal contract or grant; however, they are most prevalent in the defense, health care, and research sectors. These requirements could include:

• The Federal Information Security Modernization Act of 2014 (FISMA) contains the most broadly applicable cybersecurity provisions. FISMA requires federal agencies and contractors that operate federal information systems to implement the required minimum protections and practices—termed “controls”—in the National Institute of Standards and Technology (NIST) Special Publication 800-53, “Recommended Security Controls for Federal Information Systems” (SP 800-53).
• As for Department of Defense (DoD) contracts, these include specific provisions under Defense Federal Acquisition Regulation Supplement (DFARS) 252.204-7012, “Safeguarding Covered Defense Information and Cyber Incident Reporting.” This regulation requires defense contractors to implement NIST Special Publication 800-171 (SP 800-171) to protect controlled unclassified information (CUI).

Both FISMA and DFARS require federal contractors to demonstrate compliance with the applicable cybersecurity controls in a number of ways, including submission of documentation (for example, a System Security Plan or “SSP”), audits (such as a third-party independent assessment), and annual security reviews. An FCA violation can occur when federal contractors make false or misleading statements concerning the status or implementation of the applicable cybersecurity requirements.

If you are concerned about cybersecurity compliance efforts, or are interested in learning more about the FCA, please contact a member of Gentry Locke’s Whistleblower Claims & Qui Tam Team.

[1] United States of America, ex rel. Decker v. Pennsylvania State University, Case No. 2:22-cv-3895 (E.D. Pa.)