May 23, 2022

Volume XII, Number 143


May 20, 2022

DOJ Announces New Civil Cyber-Fraud Initiative

On October 6, 2021, Deputy Attorney General Lisa O. Monaco announced the launch of the US Department of Justice’s (DOJ) Civil Cyber-Fraud Initiative. The initiative will focus on using the False Claims Act (FCA) to pursue fraud related to cybersecurity, with an emphasis on fraudulent acts perpetrated by government contractors and recipients of federal funds. The FCA gives the DOJ authority to bring civil enforcement actions against companies that make false claims for federal funds, and it empowers whistleblowers to advance the government’s interest in combatting fraud by allowing private parties to bring lawsuits on the government’s behalf and take a share of the proceeds of any recovery.

Led by the Fraud Section of the DOJ Civil Division’s Commercial Litigation Branch, the initiative seeks to “hold accountable entities or individuals that put U.S. information or systems at risk by knowingly providing deficient cybersecurity products or services, knowingly misrepresenting their cybersecurity protocols, or knowingly violating obligations to monitor and report cybersecurity incidents and breaches.” The DOJ’s announcement lists a series of benefits the DOJ hopes to achieve through the initiative, which include “[h]olding contractors and grantees to their commitments to protect government information and infrastructure[,]” and “[e]nsuring that companies that follow the rules and invest in meeting cybersecurity requirements are not at a competitive disadvantage.”


Notably, the Civil Cyber-Fraud Initiative is the first major initiative announced by the Department as a result of an ongoing cyber review ordered by the Deputy Attorney General in May 2021. The initiative also puts into action statements made by DOJ officials following the 2020 presidential election, and it underscores the importance of affirmative civil enforcement in broader efforts to counter threats posed by ransomware attacks and other cyberattacks. For example, last December, at the ABA Civil False Claims Act and Qui Tam Enforcement Institute, Deputy Assistant Attorney General Michael D. Granston warned that there may be enhanced False Claims Act activity in the cybersecurity space. In February 2021, Acting Assistant Attorney General Brian M. Boynton emphasized in remarks at the Federal Bar Association Qui Tam Conference that “[t]o the extent that the government pays for systems or services that purport to comply with required cybersecurity standards but fail to do so, it is not difficult to imagine a situation where False Claims Act liability may arise.”

On the same day that the DOJ announced the creation of the Civil Cyber-Fraud Initiative, Deputy Attorney General Monaco published an op-ed in which she urged Congress to pass legislation to create a national standard for reporting cyber incidents that pose significant risk, including ransomware and incidents that affect critical infrastructure. Deputy Attorney General Monaco called for Congress to designate a single mechanism where victims can file reports to the federal government to be shared immediately with the DOJ and US Department of Homeland Security.

The Civil Cyber-Fraud Initiative and Deputy Attorney General Monaco’s op-ed should be viewed in conjunction with a variety of other recent measures from the Biden administration that seek to combat ransomware and malign cyber activities, including:

  • Deputy National Security Advisor Anne Neuberger’s June 2, 2021, Open Letter to Corporate Executives and Business Leaders, emphasizing that the private sector has a “critical responsibility” to protect against cyber threats, “urg[ing]” businesses “to take ransomware crime seriously and ensure [their] corporate cyber defenses match the threat” and recommending a variety of cyber “best practices” to be implemented by companies (e.g., multifactor authentication, endpoint detection and response, encryption and a skilled, empowered security team);

  • US President Joe Biden’s August 25, 2021, meeting with corporate leaders from technology, finance, energy and water, insurance and education sectors to discuss the “whole-of-nation” effort needed to address cyber threats, especially in critical infrastructure;

  • The US Department of the Treasury’s September 21, 2021, Updated Advisory on Potential Sanctions Risks for Facilitating Ransomware Payments;

  • Guidance from the Federal Bureau of Investigation’s (FBI) Internet Crime Complaint Center (IC3) (Ransomware: What It Is & What To Do About It), the Cybersecurity and Infrastructure Security Agency (CISA) (Stop Ransomware) and CISA and the FBI jointly (Ransomware Awareness for Holidays and Weekends); and

  • FinCEN’s June 30, 2021, announcement regarding its anti-money laundering and countering the financing of terrorism priorities, which identified cybersecurity and ransomware as a “top priority” for FinCEN and financial institutions (FinCEN Announces Anti-Money Laundering Priorities).

In addition, a bipartisan group of US Senators has introduced the Cyber Incident Notification Act; if enacted, the legislation would require federal agencies, government contractors and critical infrastructure owners and operators to report cyber intrusions to CISA within 24 hours of their discovery. A number of states—including New York, North Carolina, Pennsylvania and Texas—are considering legislation that would ban or restrict state and local government agencies from paying ransom in the event of a cyberattack.


The Civil Cyber-Fraud Initiative demonstrates that cybersecurity is increasingly on the government’s enforcement radar. In light of DOJ’s announcement, government contractors should keep in mind the following key takeaways:

  • Formation of the Civil Cyber-Fraud Initiative suggests that the DOJ will initiate more FCA lawsuits targeting US government contractors that fail to uphold their legal or contractual obligations pertaining to cybersecurity. Relatedly, the initiative signals that the DOJ may be more willing to intervene in qui tam cases alleging FCA violations relating to cybersecurity and may embolden whistleblowers and their counsel to bring more FCA suits in this area.

  • US government contractors should continue their efforts to implement the Cybersecurity Maturity Model Certification (CMMC) framework and other cybersecurity requirements set forth in the US Department of Defense interim rule published in September 2020, emphasizing compliance and reducing the risk of FCA liability.

  • US government contractors should review cybersecurity representations and warranties in their existing contracts with the federal government, and they should evaluate such terms in new contract proposals to assess FCA enforcement risk.

  • US government contractors should conduct periodic, privileged reviews of their cybersecurity programs to ensure they comport with industry standards and government expectations.

© 2022 McDermott Will & Emery

National Law Review, Volume XI, Number 285

About this Author

Julian André Litigation Attorney McDermott Will Emery Law Firm

Julian L. André focuses his practice on litigation with a particular emphasis on government prosecutions, enforcement actions and investigations, internal investigations, complex civil litigation and appellate matters. He is an experienced trial attorney and former federal prosecutor.


Prior to rejoining McDermott, Julian spent six years as an Assistant US Attorney in Los Angeles. While an AUSA, Julian served in the Major Frauds Section, where he investigated and prosecuted complex financial crimes, including embezzlement, securities fraud, healthcare fraud, bank fraud,...

Scott Ferber Cybersecurity Attorney McDermott Will and Emery Washington DC

Scott leverages his extensive experience as a former federal cybercrime prosecutor and in senior leadership at the US Department of Justice (DOJ) to advise clients across industries on the full range of privacy and security issues created by global data collection and usage. This includes responding to cyber incidents and managing complex privacy and cyber risk assessments. Scott often defends clients in regulatory investigations from the Federal Trade Commission (FTC), State Attorneys General and other federal, state and local regulators and criminal authorities.

Theodore Alexander, McDermott Law Firm, Washington DC, Litigation Law Attorney

Theodore (Ted) Alexander focuses his practice on general litigation matters. He has experience in Americans with Disabilities Act (ADA) and white-collar cases. Ted also advises clients on federal health policy.

Prior to joining McDermott, Ted worked for various members of Congress. Most recently, he served as legislative director to a member of the House Energy and Commerce Committee, where he primarily advised on health policy. Ted has also advised on tax and trade policy and has experience drafting and...