The U.S. False Claims Act (FCA), traditionally associated with combating fraud in government contracts and programs, is increasingly being applied to cybersecurity non-compliance. The shift highlights the growing importance of robust cybersecurity practices for organizations, especially those engaged in federal contracts. The implications for whistleblowers and prosecutors from the U.S. Department of Justice (DOJ) are significant, with recent cases underscoring this trend.
The FCA imposes liability on individuals and companies that defraud government programs. Recently, cybersecurity compliance has become a focal point within FCA enforcement, particularly in light of increasing cyber threats and the critical need to protect sensitive government data. The DOJ has signaled its intent to pursue FCA cases where entities fail to meet the cybersecurity standards required by their contracts, thereby potentially defrauding the government. "The use of the FCA demonstrates the government's continued focus on leveraging all of the tools in their tool box to push businesses to focus on, and address, cybersecurity in their businesses," said Jordan Fischer, Founder and Partner at Fischer Law LLC.
To strengthen cybersecurity compliance and reduce FCA risk, organizations should concentrate on several critical areas. The first is full compliance with the cybersecurity requirements set out in their federal contracts, which may incorporate frameworks such as the National Institute of Standards and Technology (NIST) Cybersecurity Framework and the Defense Federal Acquisition Regulation Supplement (DFARS).
Organizations should conduct regular internal and external audits to assess cybersecurity measures and identify potential vulnerabilities. Third-party assessments can provide an unbiased evaluation of compliance status. In addition, businesses should develop and maintain detailed incident response plans to quickly address and mitigate cyber incidents. Regularly update and test these plans to ensure effectiveness.
Employee training and awareness are vital. Organizations should implement robust training programs to educate end-users about cybersecurity best practices and compliance requirements. Continuous education is essential to keep pace with evolving threats.
Don't forget documentation and reporting. It is key to maintain meticulous documentation of cybersecurity measures, compliance efforts, and incident response actions. Accurate records are crucial for demonstrating compliance and for responding to potential FCA allegations.
The expanded focus on cybersecurity under the FCA has significant implications for whistleblowers and DOJ prosecutors.
Whistleblowers, often employees or insiders, play a pivotal role in identifying and reporting non-compliance. They can file qui tam lawsuits on behalf of the government, potentially receiving a portion of any recovered funds.
The rise in cybersecurity FCA cases encourages whistleblowers to report failures in implementing mandated cybersecurity measures, thereby contributing to enhanced overall compliance.
The DOJ is actively pursuing cases where cybersecurity non-compliance constitutes a violation of the FCA. Recent cases, such as the landmark action against Aerojet Rocketdyne Holdings, Inc., illustrate the DOJ's commitment to holding entities accountable for cybersecurity failures.
In Aerojet's case, the DOJ alleged that the company misrepresented its compliance with cybersecurity requirements, resulting in a significant settlement.
Several recent DOJ cases highlight the application of the FCA in the cybersecurity domain:
Aerojet Rocketdyne Holdings, Inc.
This case involved allegations that Aerojet falsely claimed compliance with DFARS cybersecurity requirements while pursuing government contracts. The settlement underscored the DOJ's readiness to address cybersecurity non-compliance under the FCA.
United States ex rel. Markus v. Aerojet Rocketdyne Holdings, Inc.
In this related qui tam case, a whistleblower exposed the company's failure to meet cybersecurity standards, leading to government action and further emphasizing the FCA's role in enforcing cybersecurity compliance.