Technology contractors that fail to disclose cybersecurity breaches could face hefty fines of up to three times the amount their failure costs the government, under a prosecution push by the Department of Justice (DOJ).
The DOJ last week announced a new Cyber-Civil Fraud Initiative, under which it intends to use the False Claims Act (FCA) to pursue contractors working with federal government agencies — as well as recipients of federal grants — that fail to report incidents in which their systems are compromised.
The FCA was first enacted in 1863 in response to defense contractor fraud during the American Civil War. It was amended in 1986 to increase incentives for whistleblowers to come forward with allegations of fraud.
Under the FCA any person that submits false records to the government can be forced to pay triple the damages caused to the government from fraudulent contract submissions. The offending entity can also be hit with a civil penalty of up to $10,000.
Technology companies working with certain government departments are already subject to strict disclosure requirements around cybersecurity breaches. For example, Section 204.7302 of the Defense Federal Acquisition Supplement requires companies to “rapidly report cyber incidents directly to the Department of Defense (DOD).” The DOD defines “rapidly report” as within 72 hours of discovery.
In a press release announcing the new initiative last week, the DOJ said it would seek to hold “contractors and grantees to their commitments to protect government information and infrastructure.” The initiative comes as lawmakers consider new measures to ramp up pressure on private sector companies and government agencies to ensure timely disclosure of cyber breaches.
Legal sources speaking to FedScoop said it remains unclear just how aggressive the DOJ’s new enforcement campaign will be and precisely how penalties for a company’s failure to notify would be assessed.
The False Claims Act imposes a separate penalty for each violation of the statute, which can add up to tens of thousands – or in some cases millions – of dollars.
In March this year a federal appeals court affirmed a $111 million award to the government and a whistleblower in a case brought against BlueWave Healthcare Consultants. The complaint alleged that the defendants paid kickbacks to induce physicians to order medically unnecessary tests, which were ultimately paid for by Medicare and Tricare.
The Cyber-Civil Fraud Initiative is being led by the Civil Division’s Commercial Litigation Branch, Fraud Section, at the DOJ. It is a direct result of the department’s ongoing comprehensive cyber review, which was ordered by Deputy Attorney General Lisa Monaco in May.
Congress is currently considering the Cyber Incident Reporting Act and the Federal Information Security Modernization Act of 2021.