Office Hours Question: What is Cyber-Fraud?
The Department of Justice’s Civil Cyber-Fraud Initiative
One thing that we think is really interesting is the Department of Justice’s [DOJ] new Civil Cyber-Fraud Initiative. What we think is so interesting about it is that DOJ often has initiatives. When I [Renée] was at DOJ, I headed up the Big Lender Initiative which was part of the Financial Fraud Enforcement Task Force after the big financial crisis, and we investigated and litigated against most major banks for making bad mortgages, put simply.
That was a huge initiative. Eva worked on the Big Pharma initiative that DOJ had for a number of years involving kickback schemes and “off-label” marketing. An initiative entails the DOJ putting a lot of focus, money, resources, efforts on that particular area or business sector. At that particular time after the financial crisis, there really was an effort to hold banks accountable and also to recover misspent federal dollars in different housing insurance programs. In the financial initiative it was really an effort to make sure that the mutual mortgage insurance fund was solvent for the first time in history. It was at risk of insolvency. There have been initiatives before, but it is the first time that even I have ever seen DOJ start an initiative and put out a huge call for whistleblowers. It’s just not something that they do. Of course, DOJ is often driven by whistleblower cases. In this instance, in October of last year, DOJ made several press announcements and has been very vocal.
One of the assistant directors at Main Justice spoke on a podcast about cyber-fraud. I’ve posted something on LinkedIn with a picture of Uncle Sam saying, “Uncle Sam wants you.” And that’s exactly what DOJ is out there doing. They are talking it up. They are looking for people who worked in the government contracting space, particularly, who are aware of cybersecurity violations.
Cyber-Fraud Bucket 1: Providing Inadequate Cybersecurity to the Government
There are two big buckets of cyber-fraud. The first involves anyone who works for a company that has a cybersecurity government contract; in other words, the purpose of the government contract is to provide cybersecurity actions for the government. They are interested and want whistleblowers to come out of the woodwork and report that their employer either knew that they weren’t complying with those contract terms or weren’t complying with other government regulatory requirements. And there are many cybersecurity requirements. I recently spoke on a panel with three other attorneys, and we got deep in the weeds on what the new cybersecurity requirements are. Sometimes fraudsters take the money for cybersecurity protections and do not use the funds as intended. That is one bucket. A whole other bucket, which is much broader, is that many, many, many government contracts require cybersecurity protection of government information.
Cyber-Fraud Bucket 2: Not Meeting a Contract’s Cybersecurity Requirements
In other words, not every contract is a contract for cybersecurity. It is implicit in many of the contracts that you’re going to have government data. If you’re contracting with the government, you could be sitting in a government facility, working side by side with somebody at the Pentagon, or you are given access to government information because it’s part of what you’re doing as part of the contract.
Of course, you are required to ensure that, while you have government information or are working on whatever project for the government, you have good cybersecurity protections in place. If you violate any of those cybersecurity rules, which are part of most government contracts, you can also be liable under the False Claims Act.
How Does an Initiative Affect Whistleblowers’ Claims?
While a cyber-fraud initiative is in place, if you are a whistleblower and you have inside information about cyber-fraud, what can you expect if you go to DOJ?
You will go to the top of the pile. You literally are the primary case on that DOJ line attorney’s desk. They’ve cleared everything else off. We’re aware of this from the podcast that Renée was just speaking of, that the DOJ has a committed unit. They have a committed assistant director and committed other persons who are going to prioritize investigating and enforcing cybersecurity violations.
It’s a bit unprecedented, but in terms of DOJ initiatives, whether internal or externally announced, you can assume that your case is going to get the attention that it needs in real time. And that speaks volumes because when you think about these whistleblower programs, there are hundreds of cases that are being filed every year, and there’s already a docket of hundreds and hundreds and hundreds of cases that are filed and outstanding.
Cybersecurity Also Encompasses Healthcare Companies
Just to break that down briefly, when we’re talking cybersecurity, it’s not just about companies that provide security services. It’s really the protection of any and all information that you’re handling on behalf of the government, most of which now is being stored electronically. And so even health records now are being required to be stored in what’s known as an electronic health record or EHR format. There are a number of vendors who are transitioning health records to an electronic format in the government contracting space. Most of that work is now being done and has been done electronically. Then the question becomes what is that government contractor doing to protect that information that’s on an electronic network? And how are they keeping that information confidential and secure?
What we’re seeing in this space is a combination of things. On the one hand, it can be a deficient cybersecurity system. Basically, the system has flaws and deficiencies in it. Easy example, you can log into your computer without a password at work, which is kind of obvious—anybody could access my desktop and access the information that’s stored there. That would be a deficient cybersecurity protection for government information.
Another way to think of it is misrepresentations of their cybersecurity sophistication. Government contractors are now being required to represent to the government before they are awarded any kind of a contract, whether it’s building submarine parts or providing national security services or manufacturing bulletproof glass, they’re required to make certain representations to the government that they have the necessary cybersecurity infrastructure, they have allocated the necessary money and personnel and resources and will spend the necessary time to provide those protections.
If they make a misrepresentation about their capabilities in that regard, that could rise to a False Claims Act violation. In fact, that’s what the deputy attorney general specifically called out as a possible False Claims Act violation.
Reverse False Claims
The final type of cyber-fraud, and this actually applies to everything we’ve been talking about, is when the company is aware that it is doing something wrong and fails to do anything to correct it. That also can rise to a False Claims Act violation; it’s called a reverse false claim. In a reverse false claim, a company is holding onto government funds that it otherwise knows it is not entitled to, because it can’t perform on the contract, or it can’t provide the service or the product that it promised the government it would provide. There are so many different layers, which, again, brings this full circle: it is why there is a lot of efficiency and importance in seeking False Claims Act and other whistleblower program expertise from an attorney.