Cybersecurity-related FCA cases poised to increase as FCA enforcement ramps up

On February 7, 2023, the Department of Justice (DOJ) announced that settlements and judgments under the False Claims Act exceeded $2.2 billion during the 2022 fiscal year and that the government posted its second-highest number of settlements and judgments in a single year.

While most of that enforcement activity—about 77 percent—was aimed at the healthcare industry, DOJ’s press release highlighted the Department’s Civil Cyber-Fraud Initiative as well, noting that 2022 saw DOJ’s first settlement pertaining to the initiative, when a Florida-based medical services provider paid $930,000 to resolve allegations that it falsely represented that it had complied with contract requirements relating to the provision of medical services at State Department and Air Force facilities in Iraq and Afghanistan. Among other issues, the company’s representations involved the level of security of the electronic medical records system it agreed to utilize, with the government alleging that the defendant failed to disclose that it had not consistently stored patients’ medical records on a secure system, and instead put copies of some records on an internal, unsecured, network drive.

In July 2022, a second cybersecurity FCA action reached settlement, when Aerojet Rocketdyne agreed to pay $9 million to resolve FCA allegations that it misrepresented its compliance with cybersecurity requirements in certain of its federal government contracts. While a subsequent address by Brian M. Boynton, Principal Deputy Assistant Attorney General, noted a variety of ways to run afoul of the FCA under this initiative, the aforementioned cases arose from the specific cybersecurity stipulations in the respective government contracts.

The Civil Cyber-Fraud Initiative launched in October 2021 and uses the False Claims Act (FCA) to pursue cybersecurity-related fraud by government contractors and grant recipients. According to DOJ, the initiative would hold accountable those who put U.S. information and systems at risk by “knowingly providing deficient cybersecurity products or services, knowingly misrepresenting their cybersecurity practices or protocols, or knowingly violating obligations to monitor and report cybersecurity incidents and breaches.”

The initiative takes on even more significance—and likely even more compliance obstacles to navigate—given that the U.S. government has continued to install more and more reporting requirements for federal contractors. For example, in March 2022, Congress passed the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA), which among other things mandates operators of critical U.S. infrastructure to report certain cyberattacks to the Cybersecurity and Infrastructure Security Agency (CISA) within 72 hours. The same critical infrastructure operators must also report ransomware payments to CISA within 24 hours.

Additionally, as with many FCA cases, the aforementioned cybersecurity initiative cases were spurred by qui tam actions from whistleblowers. According to DOJ, over $1.9 billion of the $2.2 billion in 2022 FCA settlements and judgments arose from lawsuits that were filed under the FCA’s qui tam provisions and pursued by either the government or whistleblowers. During the same period, 652 qui tams were filed—an average of more than 12 new cases every week—and the government paid out over $488 million to whistleblowers. This highlights the larger necessity for companies to maintain a stringent and comprehensive compliance program, complete with periodic assessments and, when necessary, enhancements. This includes clear reporting avenues, internal investigation mechanisms, and, when necessary, self-disclosures. Indeed, the DOJ recently announced new policies to encourage both voluntary self-disclosures and employee compensation tied to compliance, among other items. While the full scope and extent of both the Civil Cyber-Fraud initiative and the CISA’s reporting requirements will take time to be known, companies should begin taking steps now to ensure they are in position to comply.

View the full article