June 26, 2022

Volume XII, Number 177

DOJ’s Cyber-Fraud Initiative: Increased False Claims Act Scrutiny of Contractor Cybersecurity Compliance

Accuracy in contractor proposal representations and cybersecurity compliance remains pressing, as demonstrated by an April 2021 settlement under the False Claims Act (FCA). In a previous alert, we noted that contractor representations of cybersecurity compliance/capabilities represent a fertile ground for bid protests. In this GT Alert, we highlight how the Department of Justice (DOJ) Civil Cyber-Fraud Initiative and qui tam actions under the FCA represent significant enforcement mechanisms that raise the stakes for non-compliance with evolving cybersecurity requirements applicable to contractors and grant recipients.

On Oct. 6, 2021, DOJ announced its Civil Cyber-Fraud Initiative. This initiative uses the FCA to hold contractors and grantees accountable for knowingly furnishing deficient cybersecurity products/services, misrepresenting cybersecurity practices, or knowingly violating obligations to report cybersecurity incidents. DOJ, acting on behalf of the United States, entered into its first settlement to resolve two False Claims Act cases under the Civil Cyber-Fraud Initiative: United States ex rel. Watkins et al. v. CHS Middle East, LLC, No. 17-cv-4319 (E.D.N.Y. Feb. 28, 2022); United States ex rel. Lawler v. Comprehensive Health Servs., Inc. et al., No. 20-cv-698 (E.D.N.Y. Feb. 28, 2022).

Comprehensive Health Services LLC (CHS), a global medical services provider, contracted to service government-run facilities in Iraq and Afghanistan. Under one such contract with the State Department, CHS submitted claims for the cost of a secure electronic medical record (EMR) system to store patient medical records, including the confidential identifying information of U.S. service members, diplomats, officials, and contractors working and receiving medical care in Iraq. Among the allegations, spanning the performance period from 2011 through 2021, the United States alleged that CHS had not securely stored patient medical records, had left scanned copies of records on an internal network drive (accessible to non-clinical staff, presumably without a need to know), and had failed to take adequate steps to address concerns raised by staff about the safe storage of such information. While the settlement is not an admission of liability by the contractor, the parties agreed to settle for $930,000 in the interest of avoiding the expense of litigation.

Although the CHS case represented the first settlement under DOJ’s Civil Cyber-Fraud Initiative, it is not the first time a contractor has been hit with FCA claims based on non-compliance with cybersecurity requirements. In a case filed in 2015, United States ex rel. Markus v. Aerojet Rocketdyne Holdings, Inc., a former employee alleged that his previous employer, Aerojet Rocketdyne Holdings, Inc. (ARH), violated the FCA by failing to safeguard unclassified controlled technical information from cybersecurity threats as required. The relator claimed that ARH knew its computer systems failed to meet the cybersecurity requirements of applicable agency regulations and that ARH received its contract award based on misleading statements by not fully disclosing the extent of its noncompliance. In a blow to the defense, the district judge ruled in a February 2022 decision that genuine issues of material fact existed as to whether the defendant federal contractor had made misrepresentations to the government concerning its cybersecurity capabilities, and so denied ARH’s motion for summary judgment. On April 27, 2022, ARH agreed to pay roughly $9 million to settle the relator’s False Claims Act claims.

Key Takeaways

The recent settlements of FCA claims in United States v. Comprehensive Health Services, Inc. and United States v. Aerojet Rocketdyne Holdings, Inc. are reminders that misrepresentations regarding cybersecurity compliance may give rise to qui tam suits and liability under the FCA. DOJ’s Civil Cyber-Fraud Initiative may result in an increased number of actions alleging noncompliance with evolving contractor cybersecurity requirements.

©2022 Greenberg Traurig, LLP. All rights reserved. National Law Review, Volume XII, Number 144

About this Author

Scott A. Schipma Government Contracts Attorney Greenberg Traurig Washington, DC
Shareholder

Scott A. Schipma focuses his practice on government contracts, public and private construction disputes, and related insurance matters. He counsels and represents clients on a wide range of publicly-funded contract issues, including award decisions, subcontracting, regulatory compliance, data rights, cybersecurity, cooperative agreements, contract terminations, mergers and acquisitions, lender financing, and the preparation and litigation of complex claims related to contract changes. Scott represents clients in bid protests before various state and federal agencies, boards, and forums,...

202.331.3141
Aaron Levin Govt Contracts Attorney Greenberg Traurig Law Firm
Associate

Aaron M. Levin focuses his practice on government contracts litigation before the Government Accountability Office (GAO), U.S. Court of Federal Claims, Armed Services Board of Contract Appeals, and Small Business Administration. Bringing a wide range of experience working for government agencies, he advises companies on all stages of federal acquisitions and government procurements, from solicitation to contract administration, to claims and litigation.

Serving as Assistant General Counsel in the Contracts Group of the Office of General Counsel for the United States Department of...

202.533.2316