Cybersecurity breaches cost American businesses and taxpayers close to $7 billion in losses, according to recently released FBI reports. A vast majority of phishing, hacking, and cybercriminal attacks target small to medium-sized businesses, leeching thousands out of the economy with every hit.
Because of these hefty losses, many companies now realize the importance of having an increased focus on cybersecurity initiatives. However, those businesses that contract with the federal government have even more responsibility to invest in and enact meaningful data security measures. The Department of Justice's Civil Cyber-Fraud Initiative is in place to ensure that no business that receives government funding misreports or otherwise misrepresents its compliance with cybersecurity protocols. What is more, reporting cybersecurity fraud can win cybersecurity whistleblowers significant financial rewards in exchange for their bravery and honesty.
Common Ways Government Contractors Commit Cybersecurity Fraud
Effective cybersecurity measures can be costly for a company, but they are a crucial investment. The following are common ways that government contractors may commit cybersecurity fraud. All of these are reportable in exchange for a possible reward:
- Knowingly misrepresenting internal controls and practices
- Failing to report cybersecurity incidents in a timely fashion
- Failing to meet minimal cybersecurity standards
What is the Civil Cyber-Fraud Initiative?
The Civil Cyber-Fraud Initiative was first announced in October of 2021 by Deputy Attorney General Lisa O. Monaco. This Department of Justice program is an attempt to recognize the significant financial toll that cybersecurity breaches have on the American economy. It is also designed to support whistleblowers who seek to report ineffective cybersecurity measures or similar cyber fraud committed by government contractors.
The Civil Cyber-Fraud Initiative utilizes the full force of the False Claims Act, a powerful anti-fraud statute, in order to support blowing the whistle on cyber fraud. Whistleblower cybersecurity claims will now be able to receive anywhere from 15 to 30% of the overall settlement in the event of a reported cybersecurity breach, while violators can be held liable for up to treble damages.
What is DFARS Clause 252. 204-7012?
DFARS Clause 252. 204-7012 governs minimum cybersecurity requirements for government contractors safeguarding defense information. It also covers the reporting of cyber incidents for government contractors, creating a set of standardized guidelines and best practices. DFARS Clause 252. 204-7012 covers in-house IT services and systems, as well as the use of certain cloud storage systems for contractors with the Department of Defense.
How Long Do Government Contractors Have to Report a DFARS Cyber Incident?
A DFARS cyber incident must be "rapidly reported" to the appropriate government entity by any government contractor. According to DFARS guidelines, the timeline is within 72 hours from the discovery of any cybersecurity incident. To report cyber fraud online, the Department of Defense asks that any contractor visit https://dibnet.dod.mil in order to quickly reach the correct division.
How Does Cybersecurity Fraud Violate the False Claims Act?
Fraud and cybersecurity are closely linked in today's online economy. By failing to take adequate cybersecurity measures, or failing to report existing data breaches or weaknesses, companies misrepresent their abilities to the federal government. US contractors who do not take adequate measures to protect data while contracting with the federal government can put service members and American systems at risk, like in the first-ever Civil Cyber-Fraud Initiative judgment involving Comprehensive Health Services LLC. This $930,000 settlement involved CHS storing confidential medical records on an unsecured drive while submitting false claims to the government in order to cover the cost of a secured EMR system that they were supposed to be using for storage. Meanwhile, the actual unsecured drive was accessible even to non-clinical staff and was more easily prone to hacks. This example of medical cyber fraud exposed active-duty service members as well as diplomats, government officials, and other contractors who sought medical care while in Iraq to unnecessary risks by sacrificing their privacy and endangering confidential information.
The CHS case illustrates the unique responsibility that government contractors must protect sensitive information by employing secure systems. However, data breaches can also cost the taxpayer millions simply by opening the door to preventable hacks, or by holding American information ransom by bad actors.
What Are the Penalties for Cybersecurity Fraud?
Under the False Claims Act, companies that make false claims about their cybersecurity readiness or capabilities can now be held liable for up to treble damages per false claim, as well as separate financial penalties at rates linked to inflation. These financial penalties are meant to disincentivize future false reporting, as well as penalize government contractors who seek to take advantage of government funds without ensuring that they can provide competitive services.
How Do I Report Cyber Fraud?
Many whistleblowers fear coming forward due to worries about employer retaliation or just concerns about becoming involved in an extensive government investigation. Contact a cybersecurity fraud lawyer to report cyber fraud anonymously. A qui tam lawsuit from start to finish may be a lengthy process. However, your cooperation will only be required for certain periods of the investigatory phase.
If I Report Cybersecurity Fraud, Am I Protected from Retaliation?
By reporting cyber fraud, you are stepping up and doing the right thing. As such, whistleblowers are protected against retaliation by their employers under the False Claims Act. If your employer attempts to fire you, demote you, suspend you, reduce your hours or pay, or take any other retaliatory action against you, you may be able to sue for up to double back pay and reinstatement at the same seniority level. Likewise, in cases of harassment or threats, there may be damages available to you as a protected whistleblower. In cases where reinstatement is not possible, there may be the option of receiving front pay as well as reasonable legal fees for filing your lawsuit.
Who Can Be a Cybersecurity Fraud Whistleblower?
Anyone can be a cybersecurity fraud whistleblower. The most common whistleblowers are often employees of a company that contracts with the federal government, or that receives some kind of government reimbursement, like through a public program such as Medicare or Medicaid. However, anyone with information about cybersecurity non-compliance or fraud may be able to report it and receive a reward. Non-employees and even non-citizens of the United States are still eligible to become cybersecurity whistleblowers. If you have information about cyber fraud or filing false claims concerning cybersecurity with the government, don't wait to report it.
How to File a Cybersecurity Fraud Qui Tam Case?
Filing a cybersecurity fraud qui tam case can be done through a qui tam law firm under the False Claims Act. They will be able to advise you about what kinds of evidence are admissible in order to make the strongest possible claim to the Department of Justice. Once the DOJ decides whether or not to intervene in your claim, they will be able to liaise with the appropriate officers in order to keep your own identity as anonymous as possible. If the DOJ declines to take on your case, they may even be able to represent you in the claim regardless, giving you the best possible shot at receiving the maximum award percentage possible in the event of a successful lawsuit.
If My Qui Tam Lawsuit is Successful, Am I Entitled to a Reward?
If your qui tam lawsuit for cybersecurity fraud is successful, you are entitled to a percentage of the government's overall recovery. Because False Claims Act penalties are assessed individually, per each instance of a false claim, these overall settlements can quickly climb into the hundreds of thousands, or even millions of dollars, depending on the amount of the government contract and the extent of the fraud. Depending on the value of your information, the extent of your cooperation, and your degree of innocence in perpetrating the scheme, you may be able to receive anywhere from 15 to 30% of the overall recovery. If the Department of Justice declines to intervene, you are more likely to receive a higher percentage of the overall recovery in recognition of your greater role in the case. However, cases with government intervention tend to have significantly higher recovery amounts, due to more extensive investigatory tools.
Report Cybersecurity Fraud: Talk to an Experienced Qui Tam Lawyer
Reporting cybersecurity fraud is the right thing to do in many ways. It is in your own best interests as a whistleblower, as you may be able to receive a significant financial award. It protects the taxpayer, whose funds may be invested improperly. And it protects those who rely on government services and the vital role that contractors currently play in providing those services and care.