U.S. Government Contractors Face Increased Risk of Cybersecurity Enforcement
By Robert Marasco and Elaine Harwell
The U.S. Department of Justice (DOJ) recently announced it will, yet again, use the False Claims Act as a sword instead of a shield, this time to target government contractors and grant recipients the government deems to lack sufficient cybersecurity. The False Claims Act, first passed by Congress in the wake of the Civil War to protect the U.S. government from efforts to defraud it, is now wielded by the government in an ever-expanding manner as an enforcement tool.
The Civil Cyber-Fraud Initiative, as announced, will be used to penalize those who knowingly provide inadequate cybersecurity products or services, as well as those who make misrepresentations about their cybersecurity practices or fail to monitor or report breaches. It is unclear exactly how the DOJ intends to use the False Claims Act to quell such conduct, as the government has been silent about that.
The False Claims Act is triggered only when a claim for money is submitted to the government. The nexus between a claim for money and cybersecurity practices is not evident. One method the government will likely rely upon is declaring that the Federal Acquisition Regulations and department-specific regulations, such as those within the Department of Defense, impose material terms on the procurement process, as those regulations do impose cybersecurity requirements on those contracting with the government. Alternatively, the government may take the position that any claim for payment from the government inherently includes a representation by the entity that its cybersecurity practices are sound. Regardless of which method is adopted, the government will have to tie something to the claim for money in order to use the False Claims Act.
This announcement is the latest effort by the government to address cybersecurity threats. In May, President Joseph R. Biden issued an executive order aimed at establishing baselines for cybersecurity with respect to government contracts and improving coordination and sharing of information with the private sector. There are also several pending bills in Congress that would impose stricter reporting requirements around cyberattacks and grant more investigative power to the Cybersecurity and Infrastructure Security Agency.
This all means companies need to proactively prepare to respond to cyberattacks. Additionally, companies contracting with the government or receiving government funding must closely review the obligations in their government contracts to ensure they are adequately safeguarding data and maintaining sufficient data security. If your desire for cybersecurity compliance was lacking before, the government has put us all on notice that the threat of heightened enforcement, including the possibility of triple penalties under the False Claims Act, should motivate you to obtain and maintain cybersecurity compliance now.
Please do not hesitate to contact us should you like assistance in assessing your cybersecurity needs, incident response planning, understanding new contractual requirements and their impact on your business, or responding to governmental inquiries about the sufficiency of your cybersecurity efforts.
Robert Marasco advises on compliance with privacy laws, investigates data privacy compliance, and responds to data breaches. He uses his experience as a former federal prosecutor to effectively and efficiently defend corporate clients and individuals, in all contexts, who are working through complex internal or government investigations, responding to grand jury and administrative subpoenas, investigative demands for interviews, or facing criminal prosecution. Robert is a member of Procopio’s Privacy and Cybersecurity practice and leads its Health Care practice.
Elaine Harwell focuses on representing clients in privacy and data security matters, including litigating claims involving privacy issues, helping clients manage emerging risks and conduct privacy risk assessments, and advising on regulatory and compliance issues. She has earned the ANSI-accredited Certified Information Privacy Professional/United States (CIPP/US) and the Certified Information Privacy Manager (CIPM) credentials through the International Association of Privacy Professionals (IAPP). Elaine is the co-leader of Procopio's Privacy and Cybersecurity practice.