DOJ’s Cyber Fraud Initiative Gains Steam in 2024
When Deputy Attorney General Lisa Monaco announced in October 2021 that the Department of Justice would pursue a new initiative to combat cybersecurity-related fraud, white-collar criminal defense attorneys took notice. DAG Monaco’s message in that announcement was clear: DOJ planned to combine its expertise in fraud enforcement and government procurement to aggressively pursue cyber threats and cybersecurity-related fraud. Since then, DOJ has secured a number of high-profile settlements that have sent government contractors a clear message: misrepresenting your cybersecurity posture, or failing to report a breach, can result in a costly DOJ enforcement action.
The middle and latter part of 2024 have been a particularly busy time for DOJ Cyber Fraud settlement announcements. First, in June 2024, DOJ announced a settlement with Guidehouse, Inc. and its subcontractor, Nan McKay and Associates, for $11,300,000, stemming from allegations that the two companies failed to meet cybersecurity requirements in their contracts with the government. A former Guidehouse employee was the whistleblower in this case and received $1,949,250 as part of the settlements. Both firms had been selected by New York to administer that state’s emergency rental assistance program (“ERAP”), a program established in early 2021 as part of the federal government’s COVID relief funding efforts. The consulting firms were contractually required to ensure that the ERAP application underwent proper cybersecurity testing before deployment. The settlements alleged that neither company’s tooling functioned properly, yet both allowed the application to launch anyway. Notably, although there was some data leakage as soon as the ERAP application launched online, no PII was accessed, so there was no tangible harm in this case; it still resulted in a hefty settlement. The prosecutor’s quote in the DOJ press release for this settlement summarizes the purpose of DOJ’s Cyber Fraud initiative: “Contractors who receive federal funding must take their cybersecurity obligations seriously…[w]e will continue to hold entities and individuals accountable when they knowingly fail to implement and follow cybersecurity requirements essential to protect sensitive information.” The takeaway for white-collar defense lawyers and their clients: even when the actual harm is negligible or non-existent, companies that do business with the government need to be extremely careful that they are in compliance with their contractual cybersecurity obligations.
Next, in August 2024, DOJ filed its complaint-in-intervention in an FCA cyber fraud suit against Georgia Tech, a case originally initiated in 2022 by a whistleblower who was a former member of GT’s cybersecurity team. The complaint alleged that GT failed to comply with various cyber requirements, such as implementing a system security plan, and that it submitted false cybersecurity assessment scores to DOD. When DOJ intervened in 2024, it asserted claims of fraud, negligent misrepresentation, and breach of contract alongside the FCA claims. The intervention in the Georgia Tech case comes as DOD finalizes rules for the Cybersecurity Maturity Model Certification (CMMC) program, which will require many contractors to undergo a third-party assessment of their cybersecurity compliance as a condition of contract award, rather than relying on self-attestation alone.
Most recently, on October 22, 2024, DOJ announced a settlement with Pennsylvania State University to resolve allegations that Penn State violated the False Claims Act (“FCA”) by failing to comply with cybersecurity requirements in contracts involving the Department of Defense and the National Aeronautics and Space Administration (“NASA”). The FCA claims were initiated in January 2023, when a whistleblower filed a complaint alleging that Penn State submitted false self-attestations to DOD of compliance with National Institute of Standards and Technology (“NIST”) Special Publication 800-171. These self-attestations concerning a contractor’s cybersecurity policies and procedures are required to be submitted to DOD as part of the contracting process. DOJ intervened for settlement purposes in October 2024, making this the government’s second FCA action against a university in 2024, following its intervention in the Georgia Tech case.
Any organization accepting federal contract dollars, as well as the lawyers who represent them, should take notice of the momentum the DOJ Cyber Fraud initiative has gained after an initially slow start. Notably, the whistleblower plays a particularly important role in these cyber fraud cases because of the complex subject matter involved; the whistleblower is often an insider with specialized technical knowledge, such as a member of the organization’s own security team. The attention paid to the alleged fraudulent practices of non-traditional government contractors, namely colleges and universities, is also a point of interest for attorneys advising clients on compliance priorities. Finally, it is noteworthy that the goals of the initiative are really cyber and national security goals: achieving a more secure environment for national security information, encouraging whistleblowers to come forward, and encouraging government contractors to comply with their cybersecurity obligations.
If you have questions related to data privacy and cybersecurity, reach out to attorney John Danyluk, a Certified Information Privacy Professional (CIPP/US) with the International Association of Privacy Professionals (IAPP). John guides clients through complex and evolving data privacy and cybersecurity laws and regulations, defends government enforcement actions, and shepherds clients through data breach responses.