Cybersecurity-related FCA cases poised to increase as FCA enforcement ramps up

On February 7, 2023, the Department of Justice (DOJ) announced that settlements and judgments under the False Claims Act exceeded $2.2 billion during the 2022 fiscal year and that the government posted its second-highest number of settlements and judgments in a single year.

While most of that enforcement activity—about 77 percent—was aimed at the healthcare industry, DOJ’s press release highlighted the Department’s Civil Cyber-Fraud Initiative as well, noting that 2022 saw DOJ’s first settlement pertaining to the initiative, when a Florida-based medical services provider paid $930,000 to resolve allegations that it falsely represented that it had complied with contract requirements relating to the provision of medical services at State Department and Air Force facilities in Iraq and Afghanistan. Among other issues, the company’s representations involved the level of security of the electronic medical records system it agreed to utilize, with the government alleging that the defendant failed to disclose that it had not consistently stored patients’ medical records on a secure system, and instead put copies of some records on an internal, unsecured, network drive.

In July 2022, a second cybersecurity FCA action reached settlement, when Aerojet Rocketdyne agreed to pay $9 million to resolve FCA allegations that it misrepresented its compliance with cybersecurity requirements in certain of its federal government contracts. While a subsequent address by Brian M. Boynton, Principal Deputy Assistant Attorney General, noted a variety of ways to run afoul of the FCA under this initiative, the aforementioned cases arose from the specific cybersecurity stipulations in the respective government contracts.

The Civil Cyber-Fraud Initiative launched in October 2021 and uses the False Claims Act (FCA) to pursue cybersecurity-related fraud by government contractors and grant recipients. According to DOJ, the initiative would hold accountable those who put U.S. information and systems at risk by “knowingly providing deficient cybersecurity products or services, knowingly misrepresenting their cybersecurity practices or protocols, or knowingly violating obligations to monitor and report cybersecurity incidents and breaches.”

The initiative takes on even more significance—and likely even more compliance obstacles to navigate—given that the U.S. government has continued to install more and more reporting requirements for federal contractors. For example, in March 2022, Congress passed the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA), which among other things mandates operators of critical U.S. infrastructure to report certain cyberattacks to the Cybersecurity and Infrastructure Security Agency (CISA) within 72 hours. The same critical infrastructure operators must also report ransomware payments to CISA within 24 hours.

Additionally, as with many FCA cases, the aforementioned cybersecurity initiative cases were spurred by qui tam actions from whistleblowers. According to DOJ, over $1.9 billion of the $2.2 billion in 2022 FCA settlements and judgments arose from lawsuits that were filed under the FCA’s qui tam provisions and pursued by either the government or whistleblowers. During the same period, 652 qui tams were filed—an average of more than 12 new cases every week—and the government paid out over $488 million to whistleblowers. This highlights the larger necessity for companies to maintain a stringent and comprehensive compliance program, complete with periodic assessments and, when necessary, enhancements. This includes clear reporting avenues, internal investigation mechanisms, and, when necessary, self-disclosures. Indeed, the DOJ recently announced new policies to encourage both voluntary self-disclosures and employee compensation tied to compliance, among other items. While the full scope and extent of both the Civil Cyber-Fraud initiative and the CISA’s reporting requirements will take time to be known, companies should begin taking steps now to ensure they are in position to comply.

Print:
Email this postTweet this postLike this postShare this post on LinkedIn
Photo of Gregg Sofer Gregg Sofer

With three decades of experience as a prosecutor, Gregg counsels businesses and individuals in connection with a range of criminal, civil and regulatory matters, including government investigations, internal investigations, litigation, export control, sanctions, trade secrets and regulatory compliance.

Gregg’s extensive background in criminal

With three decades of experience as a prosecutor, Gregg counsels businesses and individuals in connection with a range of criminal, civil and regulatory matters, including government investigations, internal investigations, litigation, export control, sanctions, trade secrets and regulatory compliance.

Gregg’s extensive background in criminal and national security law, combined with his understanding of government practices and operations, allow him to pinpoint the risks and opportunities that arise in investigatory settings, to put together efficient and effective teams of legal professionals, and to mount a vigorous defense when necessary. Gregg has a strong track record as an accomplished trial lawyer, particularly in complex, high-profile jury trials.

Prior to entering private practice, Gregg served as the United States Attorney for the Western District of Texas—one of the largest and busiest United States Attorney’s Offices in the country—where he supervised more than 300 employees handling a diverse caseload, including matters involving complex white-collar crime, contract fraud, national security, cyber crimes, public corruption, money laundering, export violations, trade secrets, tax, large-scale drug and human trafficking, immigration, child exploitation and violent crime. Gregg has also served as Counselor to the Attorney General of the United States, where he handled both criminal and national security matters, as well as crisis response. He was an Assistant United States Attorney in the U.S. Attorney’s Office for the Western District of Texas for 14 years, where he developed a reputation as an aggressive litigator and indefatigable investigator while building an impressive record handling national security, fraud, violent crime and corruption cases. Before that, he served in various roles in both the Criminal and National Security Divisions of the Department of Justice in Washington, DC. Gregg was a state prosecutor as well, handling murder, gang and other complex cases in New York County for nearly 11 years.

Throughout his career, Gregg has worked closely with the Federal Bureau of Investigation, Internal Revenue Service, Department of Commerce and other federal law enforcement and intelligence agencies. He led task forces in the Department of Justice and spearheaded the Department’s effort to improve its electronic litigation capabilities, focusing heavily on discovery. Gregg understands criminal law, national security law, the justice system, government investigations and the discovery process inside and out. His extensive and varied background means that he can provide clients with realistic and accurate expectations of how a government investigation or prosecution will proceed and where challenges may arise.

Photo of Eric Dama Eric Dama

Eric works closely with in-house counsel and foreign trade teams to help exporters navigate an increasingly complex international trade landscape.

Eric guides U.S. and international companies through export licensing and classification requests, voluntary-self disclosures, international trade due diligence, and other regulatory matters. In…

Eric works closely with in-house counsel and foreign trade teams to help exporters navigate an increasingly complex international trade landscape.

Eric guides U.S. and international companies through export licensing and classification requests, voluntary-self disclosures, international trade due diligence, and other regulatory matters. In addition, Eric helps clients navigate internal and external investigations and enforcement actions, as well as internal compliance and training programs. He works with clients in a variety of sectors and industries, including aviation, manufacturing and equipment, cybersecurity, technology, defense contracting, logistics, energy, consumer products, and healthcare.