The Department of Justice recently launched a new Civil Cyber-Fraud initiative. Led by the Civil Division’s Commercial Litigation Branch, Fraud Section, the initiative will seek to “utilize the False Claims Act (“FCA”) to pursue cybersecurity related fraud by government contractors and grant recipients.”
In its official press release, DOJ outlined three types of allegations it may pursue against federal contractors or grant recipients under the FCA:
- knowingly providing deficient cybersecurity products or services;
- knowingly misrepresenting their cybersecurity practices or protocols; or
- knowingly violating obligations to monitor and report cybersecurity incidents and breaches.
(Side note: MSPs and MSSPs certainly fit that "contractor" definition -- editor, MSSP Alert.)
DOJ’s use of the FCA will be in conjunction with other potential sources of liability for companies that are victims of a data breach. These sources of liability may include:
- SEC enforcement actions for violations of the Safeguards Rule;
- FTC actions for violations of Section 5 of the FTC Act;
- HHS actions for violations of HIPAA;
- class actions brought by individuals; and
- actions brought by state attorneys general.
The FCA allows the government to recover treble damages and per-claim monetary penalties from federal contractors and grant recipients who knowingly submit false claims for payment. Under the Act, “any person” who fails to comply with contractual, statutory or regulatory obligations, and then submits a false claim for payment, may be found liable for damages or penalized.
In addition, the FCA allows for whistleblowers – often employees of contractors – to file qui tam suits on behalf of the government and receive a percentage of the money recovered. The Act also protects these whistleblowers from retaliation.
In remarks on the new Cyber-Fraud Initiative, Acting Assistant Attorney General Brian M. Boynton said that “False Claims Act enforcement and whistleblower reporting will help spur compliance by contractors and grantees.”
Blog courtesy of Hunton Andrews Kurth, a U.S.-based law firm with a Global Privacy and Cybersecurity practice that’s known throughout the world for its deep experience, breadth of knowledge and outstanding client service.