DOJ Announces New Civil Cyber-Fraud Initiative
On October 6, 2021, Deputy Attorney General Lisa O. Monaco announced the launch of the US Department of Justice’s (DOJ) Civil Cyber-Fraud Initiative. The initiative will focus on using the False Claims Act (FCA) to pursue fraud related to cybersecurity, with an emphasis on fraudulent acts perpetrated by government contractors and recipients of federal funds. The FCA gives the DOJ authority to bring civil enforcement actions against companies that make false claims for federal funds, and it empowers whistleblowers to advance the government’s interest in combatting fraud by allowing private parties to bring lawsuits on the government’s behalf and take a share of the proceeds of any recovery.
Led by the Fraud Section of the DOJ Civil Division’s Commercial Litigation Branch, the initiative seeks to “hold accountable entities or individuals that put U.S. information or systems at risk by knowingly providing deficient cybersecurity products or services, knowingly misrepresenting their cybersecurity protocols, or knowingly violating obligations to monitor and report cybersecurity incidents and breaches.” The DOJ’s announcement lists a series of benefits the DOJ hopes to achieve through the initiative, which include “[h]olding contractors and grantees to their commitments to protect government information and infrastructure[,]” and “[e]nsuring that companies that follow the rules and invest in meeting cybersecurity requirements are not at a competitive disadvantage.”
INCREASED EMPHASIS ON CIVIL ENFORCEMENT
Notably, the Civil Cyber-Fraud Initiative is the first major initiative announced by the Department as a result of an ongoing cyber review ordered by the Deputy Attorney General in May 2021. The initiative also puts into action statements made by DOJ officials following the 2020 presidential election, and it underscores the importance of affirmative civil enforcement in broader efforts to counter threats posed by ransomware attacks and other cyberattacks. For example, last December, at the ABA Civil False Claims Act and Qui Tam Enforcement Institute, Deputy Assistant Attorney General Michael D. Granston warned that there may be enhanced False Claims Act activity in the cybersecurity space. In February 2021, Acting Assistant Attorney General Brian M. Boynton emphasized in remarks at the Federal Bar Association Qui Tam Conference that “[t]o the extent that the government pays for systems or services that purport to comply with required cybersecurity standards but fail to do so, it is not difficult to imagine a situation where False Claims Act liability may arise.”
On the same day that the DOJ announced the creation of the Civil Cyber-Fraud Initiative, Deputy Attorney General Monaco published an op-ed in which she urged Congress to pass legislation to create a national standard for reporting cyber incidents that pose significant risk, including ransomware and incidents that affect critical infrastructure. Deputy Attorney General Monaco called for Congress to designate a single mechanism where victims can file reports to the federal government to be shared immediately with the DOJ and US Department of Homeland Security.
The Civil Cyber-Fraud Initiative and Deputy Attorney General Monaco’s op-ed should be viewed in conjunction with a variety of other recent measures from the Biden administration that seek to combat ransomware and malign cyber activities, including:
Deputy National Security Advisor Anne Neuberger’s June 2, 2021, Open Letter to Corporate Executives and Business Leaders, emphasizing that the private sector has a “critical responsibility” to protect against cyber threats, “urg[ing]” businesses “to take ransomware crime seriously and ensure [their] corporate cyber defenses match the threat” and recommending a variety of cyber “best practices” to be implemented by companies (e.g., multifactor authentication, endpoint detection and response, encryption and a skilled, empowered security team);
US President Joe Biden’s August 25, 2021, meeting with corporate leaders from technology, finance, energy and water, insurance and education sectors to discuss the “whole-of-nation” effort needed to address cyber threats, especially in critical infrastructure;
The US Department of the Treasury’s September 21, 2021, Updated Advisory on Potential Sanctions Risks for Facilitating Ransomware Payments;
Guidance from the Federal Bureau of Investigation’s (FBI) Internet Crime Complaint Center (IC3) (Ransomware: What It Is & What To Do About It), the Cybersecurity and Infrastructure Security Agency (CISA) (Stop Ransomware), and CISA and the FBI jointly (Ransomware Awareness for Holidays and Weekends); and
FinCEN’s June 30, 2021, announcement regarding its anti-money laundering and countering the financing of terrorism priorities, which identified cybersecurity and ransomware as a “top priority” for FinCEN and financial institutions (FinCEN Announces Anti-Money Laundering Priorities).
In addition, a bipartisan group of US Senators has introduced the Cyber Incident Notification Act; if enacted, the legislation would require federal agencies, government contractors and critical infrastructure owners and operators to report cyber intrusions to CISA within 24 hours of their discovery. A number of states—including New York, North Carolina, Pennsylvania and Texas—are considering legislation that would ban or restrict state and local government agencies from paying ransom in the event of a cyberattack.
The Civil Cyber-Fraud Initiative demonstrates that cybersecurity is increasingly on the government’s enforcement radar. In light of DOJ’s announcement, government contractors should keep in mind the following key takeaways:
Formation of the Civil Cyber-Fraud Initiative suggests that the DOJ will initiate more FCA lawsuits targeting US government contractors that fail to uphold their legal or contractual obligations pertaining to cybersecurity. Relatedly, the initiative signals that the DOJ may be more willing to intervene in qui tam cases alleging FCA violations relating to cybersecurity and may embolden whistleblowers and their counsel to bring more FCA suits in this area.
US government contractors should continue their efforts to implement the Cybersecurity Maturity Model Certification (CMMC) framework and other cybersecurity requirements set forth in the US Department of Defense interim rule published in September 2020, emphasizing compliance and reducing the risk of FCA liability.
US government contractors should review the cybersecurity representations and warranties in their existing contracts with the federal government, and they should assess such terms in new contract proposals to gauge FCA enforcement risk.
US government contractors should conduct periodic, privileged reviews of their cybersecurity programs to ensure they comport with industry standards and government expectations.