Since 2021, the Department of Justice (DOJ) has been increasingly focused on adjudicating False Claims Act (FCA) matters for deficient cybersecurity practices. As the government increases scrutiny of data privacy and cybersecurity, it is increasingly important to develop and maintain robust cybersecurity systems, educate employees, and ensure adequate risk management. Taking time now to shore up your data privacy and cybersecurity will help to avoid FCA challenges in the future.
FCA Cybersecurity Enforcement Trends
In 2021, the DOJ announced its Civil Cyber Fraud Initiative. Using the FCA, DOJ is cracking down on government contractors and grant recipients who try to hide breaches and fail to follow required cybersecurity standards. DOJ cites the following as part of its Initiative:
- Building broad resiliency against cybersecurity intrusions across the government, the public sector, and key industry partners;
- Holding contractors and grantees to their commitments to protect government information and infrastructure;
- Supporting government experts’ efforts to timely identify, create and publicize patches for vulnerabilities in commonly used information technology products and services;
- Ensuring that companies that follow the rules and invest in meeting cybersecurity requirements are not at a competitive disadvantage;
- Reimbursing the government and the taxpayers for the losses incurred when companies fail to satisfy their cybersecurity obligations;
- Improving overall cybersecurity practices, which will benefit the government, private users, and the American public.
The Initiative has quickly led to an uptick in enforcement actions under the FCA.
Notably, the DOJ was quick to utilize the new Initiative in claims involving Comprehensive Health Services LLC (CHS) in March 2022. CHS worked with the Departments of State and Air Force to build and maintain a secure electronic medical records system. The stored records included personal identification information of military personnel, diplomats, and contractors working in Iraq and Afghanistan. At times, CHS failed to adequately secure the records, which made them available to non-clinic staff. Despite concerns voiced by CHS employees, the company did not take any remedial action to ensure documents were only accessible to clinic staff. CHS received a relatively small FCA fine ($930,000) to resolve the matter.
Following CHS, the DOJ next turned to the prosecution of Aerojet Rocketdyne, Inc. for its cybersecurity inadequacies. Aerojet misrepresented its compliance with applicable acquisition regulations. The relator filed suit after he was terminated for refusing to sign documents stating Aerojet was compliant. Aerojet settled the qui tam claims for $9 million.
And, in March 2023, the DOJ settled FCA allegations against Jelly Bean Communications Design LLC and its owner Jeremy Spinks for $239,771. Jelly Bean provided website design and maintenance for the Florida provider of Medicaid funds. As the contractor, Jelly Bean maintained the website on which parents would apply for insurance coverage for their children. For six years, Jelly Bean failed to provide updates and patches to their software to secure the data. Their failure led to the compromise of more than 500,000 files and the FCA settlement.
Steps to Take
The settlements point to several steps for avoiding FCA pitfalls. First, it is important to have a dedicated team of cybersecurity and data privacy professionals to ensure systems and practices comply with the pertinent regulations. Relatedly, the education of all personnel is vital. Compliance is a team effort, and all employees need to know the regulatory standards to remain compliant. Become familiar with the National Institute of Standards and Technology Cybersecurity Framework. The Framework is routinely used by agencies as the standard for appropriate cybersecurity practices. Taking these simple steps can go a long way toward avoiding FCA pitfalls.