The US Department of Justice (DOJ) recently announced plans to use the False Claims Act (FCA) to pursue cybersecurity-related fraud by government contractors, subcontractors and grant recipients, including for providing deficient products, misrepresenting cybersecurity capabilities and failing to report cybersecurity incidents. This announcement came during Deputy Attorney General Lisa Monaco's speech on the new Civil Cyber Fraud Initiative (the Initiative) at the Aspen Institute Cyber Summit on October 6, 2021.1 Under the Initiative, Deputy AG Monaco said that DOJ will seek to "extract very hefty fines" against companies that fail to report security breaches. The announcement of the Initiative follows Acting Assistant Attorney General Brian Boynton's remarks in February previewing DOJ's use of the False Claims Act to counter "cybersecurity related fraud" committed by government contractors. Given these statements, federal contractors, subcontractors and grant recipients should be attentive to cybersecurity requirements in their contracts, the Federal Acquisition Regulations (FAR) and the Defense Federal Acquisition Regulations Supplement (DFARS), and seek counsel in the event of potential cyber incidents.
The Initiative appears designed to enhance implementation of cybersecurity safeguards, monitoring and assessments, including those that are set forth in the Cybersecurity Maturity Model Certification.2 The Initiative's initial focus appears to be on existing and forthcoming reporting requirements included in federal government contracts. The Department of Defense requires contractors and subcontractors to provide notice of certain cyber incidents within 72 hours.3 Additionally, the standard FAR contract clause related to "[p]rivacy or security" generally provides that "[i]f new or unanticipated threats or hazards are discovered by either the Government or the Contractor, or if existing safeguards have ceased to function, the discoverer shall immediately bring the situation to the attention of the other party."4 Moreover, the Cybersecurity and Infrastructure Security Agency (CISA) is implementing requirements for critical infrastructure sectors that may include mandatory incident reporting. Civilian agencies will also implement a new mandatory cyber reporting requirement under Executive Order 14028, which we discussed in our May 14, 2021 Client Alert.5
We have discussed previously the Biden Administration's FCA enforcement priorities, including a focus on cybersecurity. The new Initiative reflects this continued focus on cybersecurity and cyber incident reporting.
Contractors, subcontractors and grant recipients subject to civil or criminal FCA claims brought under the Initiative for failing to implement required cybersecurity safeguards or report cyber incidents may have strong defenses to FCA liability. The government cannot prevail under the FCA unless it establishes that the contractor knowingly failed to comply with a material contractual requirement that the contractor knows was material to the government's payment decision.6 Whether a requirement is material can be a fact-intensive inquiry that turns on the relative importance of the requirement to the overall contract and on the government's prior conduct in handling similar breaches, not only on the existence of an explicit mandatory reporting requirement.7 Moreover, at least one court has held that "purely post hoc enforcement actions . . . are less probative [of materiality] than allegations that the government actually refuses to make payments once it determines that the . . . condition has been violated."8 Contractors, subcontractors and grant recipients should assume that the government will take further steps to underscore the materiality of cybersecurity-related provisions in government contracts and grants in the future. Our FCA annual review discusses these considerations in greater detail.
Accordingly, federal contractors, subcontractors and grant recipients should be especially attentive to cybersecurity and cyber incident requirements in their contracts and seek counsel in the event of any potential violations. While there may be strong potential defenses against FCA litigation or enforcement action related to timely reporting of cybersecurity incidents, the best defense is a proactive compliance system that is designed to facilitate timely submission of required incident reports.
1 The same day, Deputy AG Monaco also published an op-ed calling for Congress to help close gaps in cyber incident reporting from private companies by enacting legislation to create a national standard for reporting cyber incidents and a single mechanism to do so.
2 See DFARS 252.204-7019 and 7021.
3 See DFARS 252.227-7012.
4 FAR 52.239-1 (emphasis added).
5 As of October 12, 2021, the FAR open case report indicates that the FAR implementation of this order remains in the agency implementation process.
6 See Universal Health Servs., Inc. v. United States, 136 S. Ct. 1989, 2001 (2016).
8 United States v. Strock, 982 F.3d 51, 63–64 (2d Cir. 2020).
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.