The year 2021 will likely be seen as a defining moment in the history of cybersecurity enforcement. For the healthcare industry and government contractors, in particular, the government's expanding focus on cybersecurity brings increased risks and penalties for noncompliance with stricter cyber standards and requirements.
In December 2020, in widely quoted remarks, Deputy Assistant Attorney General Michael Granston told the American Bar Association's (ABA) Civil False Claims Act and Qui Tam Enforcement Institute that "cybersecurity related fraud is another area where we could see enhanced False Claims Act activity." Referring to the importance of "robust cybersecurity protections," Granston continued, "Where such protections are a material requirement of payment or participation under a government program or contract, the knowing failure to include such protections could give rise to False Claims Act liability."1
In April 2021, following the "worst year ever" for ransomware attacks, the Department of Justice ("DOJ") formed the Ransomware and Digital Extortion Task Force as part of the effort to "enhance the Department's capability to disrupt, investigate, and prosecute ransomware attacks."2 The Task Force, which includes representatives from the Department's National Security Division, Criminal Division, Civil Division, Executive Office of U.S. Attorneys and FBI, is charged with "disrupt[ing] and dismantle[ing] the ecosystem that supports ransomware, as well as the means cyber actors use to monetize their extortion schemes."3 To accomplish these aims, the Task Force will use "all available criminal, civil, and administrative actions for enforcement," work with the Department's "key federal partners," share information with the private sector, and increase collaboration with foreign partners.4 On November 8, 2021, the Department of Justice announced the indictments of two foreign nationals on charges of conducting ransomware attacks against multiple victims and the seizure of $6.1 million in funds traceable to alleged ransom payments.5
On May 12, 2021, President Biden, in response to the growing cybersecurity threat, issued an Executive Order on "Improving the Nation's Cybersecurity."6 In particular, the Order imposes sweeping and consequential requirements on government contractors and service providers. These include changes to the Federal Acquisition Regulations (FAR) and the Defense Federal Acquisition Regulations Supplement (DFARS) contract requirements and language designed to ensure that service providers collect, preserve, and share information related to cyber events. More specifically, the Order states that "information and communications technology (ICT) service providers entering into contracts with agencies must promptly report to such agencies when they discover a cyber incident involving a software product or service provided to such agencies or involving a support system for a software product or service provided to such agencies."
In July, following ransomware attacks against Colonial Pipeline and JBS Foods, the President issued a National Security Memorandum ("NSM") on "Improving Cybersecurity for Critical Infrastructure Control Systems," which addressed cybersecurity for critical infrastructure. The NSM directed the Department of Homeland Security's Cybersecurity & Infrastructure Security Agency (CISA) and the Department of Commerce's National Institute of Standards and Technology (NIST) to work with other government agencies to develop cybersecurity performance goals for critical infrastructure with the expectation that "those standards will assist companies responsible for providing essential services like power, water, and transportation to strengthen their cybersecurity." The NSM also formally established the President's Industrial Control System Cybersecurity (ICS) Initiative — "a voluntary, collaborative effort between the federal government and the critical infrastructure community to facilitate the deployment of technology and systems that provide threat visibility, indicators, detections, and warnings."7
While the government has thus generally expanded the private sector's responsibilities for cybersecurity, the Department of Justice has added threats of civil and even possibly criminal enforcement to those responsibilities. In October, the DOJ announced the launch of its Civil Cyber-Fraud Initiative, which combines "the department's expertise in civil fraud enforcement, government procurement and cybersecurity to combat new and emerging cyber threats to the security of sensitive information and critical systems."8
The Department's press release pointedly stated that the Initiative would utilize the False Claims Act ("FCA") to pursue cybersecurity-related fraud by government contractors and grant recipients, and elaborated further that it would "hold accountable entities or individuals that put U.S. information or systems at risk by knowingly providing deficient cybersecurity products or services, knowingly misrepresenting their cybersecurity practices or protocols, or knowingly violating obligations to monitor and report cybersecurity incidents and breaches."9
In further remarks announcing the launch, Deputy Attorney General Lisa Monaco warned, "Where those who are entrusted with government dollars, who are entrusted to work on sensitive government systems fail to follow required cybersecurity standards, we're going to go after that behavior and extract very hefty, very hefty fines."10
In the weeks that followed, Department officials drove the point home. On October 13, 2021, Acting Assistant Attorney General for the Civil Division, Brian Boynton, told the Cybersecurity and Infrastructure Security Agency (CISA) Summit that the Department had identified at least three common cybersecurity failures that are prime candidates for potential False Claims Act enforcement: e.g., knowing failures to comply with cybersecurity standards, knowing misrepresentations of security controls and practices, and knowing failures to timely report suspected breaches.11
A week later, on October 20, 2021, Deputy Attorney General Monaco expressly described the Civil Cyber-Fraud Initiative as the Department using its civil enforcement tools to drive cybersecurity accountability. In stark terms, Monaco stated:
But where those who are entrusted with government dollars – who are trusted to work on sensitive government systems – where they fail to follow required cybersecurity standards, or misrepresent their cybersecurity practices or capabilities, we're going to go after that behavior. Specifically, our new Civil Cyber-Fraud Initiative will use the False Claims Act to both enforce civil fines on government contractors and grant recipients as well as protect whistleblowers who bring information forward.
This is a tool that we have to ensure that taxpayer dollars are used appropriately, and to guard the public fisc and the public trust. And we will use it. And to those who witness irresponsibility that exposes the government to cyber breaches, our message is this: if you see something, say something. We will use all of the legal authorities in our reach to make sure you are protected and compensated.12
The potential ramifications for government contractors and service providers are clear. Even before the recent initiative, the government and qui tam plaintiffs have tested claims of noncompliance with security regulations under the False Claims Act. In May 2019, a district court in the Eastern District of California declined to dismiss a case alleging that a defense contractor had falsely asserted its compliance with cybersecurity standards.13 Subsequently, in July 2019, the government intervened in a 2011 case alleging that Cisco Systems had sold surveillance products with security vulnerabilities to federal agencies, which was then settled for $8.6 million.14
With new and stricter cybersecurity requirements, however, the enhanced threat of treble damages and statutory penalties under the FCA for cybersecurity violations will have significant consequences for government contractors. The healthcare industry, which has been a marked target for FCA enforcement for years, is a rich source of Personally Identifiable Information (PII) and Personally Protected Information (PPI), and has been increasingly vulnerable to cyberattacks. In June 2021, the Department of Health and Human Services Office of Inspector General (HHS-OIG) found that the Centers for Medicare & Medicaid Services (CMS) had failed to provide consistent oversight for the cybersecurity of hospitals' networked medical devices.15
While healthcare companies are already and inevitably in the DOJ's sights, however, the government's cyber initiatives clearly signal that cybersecurity is both a government and a private sector responsibility. The DOJ has made it clear that it intends to pursue cybersecurity violations aggressively, and, in effect, has issued an open call for whistleblowers to bring violations to its attention by filing qui tam actions.
As with FCA cases generally, government contractors and service providers seeking to minimize their risks should consider implementing the following measures:
- The May 12, 2021 Executive Order imposed new cybersecurity requirements and standards, the violation of which could lead to whistleblower claims. Companies should evaluate their policies and practices in light of the new requirements, and revise them as necessary.
- Particularly in light of the differences among government agencies' contracts, companies should review and conduct a risk assessment of their current contracts.
- Because the various cyber initiatives include stringent requirements to report cybersecurity breaches, including the explicit threat of FCA liability for failures to report, companies should ensure that their compliance policies reflect this and their employees understand their reporting obligations.
- Finally — and, as always — companies should develop and provide regular cybersecurity compliance training.
2 https://www.wsj.com/articles/ransomware-targeted-by-new-justice-department-task-force-11619014158; https://thehill.com/policy/cybersecurity/549549-justice-department-convenes-task-force-to-tackle-wave-of-ransomware; https://www.judiciary.senate.gov/imo/media/doc/Downing%20-%20Statement.pdf;
13 U.S. ex rel Markus v. Aerojet Rocketdyne Holdings, Inc., Eastern District of California, #15-2245
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.