The risks faced by companies in light of new federal cybersecurity regulations are particularly acute for government contractors, who must also be aware of False Claims Act risks. Jennie VonCannon and Isabella Ordorica of Crowell & Moring break down the nuances for this subset of professionals.
The U.S. government is increasingly scrutinizing corporate cybersecurity programs, and companies face new risks of civil and criminal liability related to data breaches. These risks are particularly acute for government contractors, who face compounded exposure from the False Claims Act (FCA), 31 U.S.C. § 3729.
And the specter of criminal liability looms large since the 2022 conviction of Uber’s chief security officer for actions related to his response to data breaches. All companies — especially government contractors — should consider mitigating risk by auditing their cybersecurity protocols and updating their incident response plans.
The False Claims Act
In October 2021, the DOJ announced the launch of its civil cyber-fraud initiative to combat cyber threats by leveraging civil FCA to prosecute government contractors who knowingly: (1) provide deficient cybersecurity products or services; (2) misrepresent their cybersecurity practices or protocols; or (3) violate obligations to monitor and report cybersecurity incidents and breaches.
The Defense Federal Acquisition Regulation Supplement (DFARS) is a set of cybersecurity regulations that defense contractors and their suppliers must follow in order to be awarded new contracts from the DoD, any number of which could serve as the potential basis for a potential FCA enforcement action. These include, among many others, FAR 52.204-21, requiring protection of federal contract information residing on contractor information systems and timely identification of flaws; and DFARS 252.204.7012, requiring safeguard of covered defense information and imposing a 72-hour incident reporting period.
An FCA whistleblower — typically a former employee — would likely allege that a contractor’s cybersecurity protocols or response are out of FAR/DFAR compliance. A whistleblower can show that the company (or an individual) acted knowingly by: (1) having actual knowledge of the information; (2) acting in deliberate ignorance of the truth or falsity of the information; or (3) acting with reckless disregard of the truth of the claim.
The FCA does not require specific intent to defraud, but it does require some intent or knowledge of wrongdoing (scienter). Courts have generally held that statements made with reckless disregard, no objectively reasonable interpretation or authoritative guidance (Proctor v. Safeway Inc.) or no facts to infer good faith, (McGrath v. Microsemi Corp.), support such a finding. On June 1, the U.S. Supreme Court clarified in Schutte v. Supervalu that scienter in FCA cases turns on the defendant’s knowledge and subjective beliefs at the time the claim was made. Within the Supreme Court’s framework, the scienter standard is generally industry-specific.
The default measure of damages under the FCA is the benefit the government received under the contract less the amount paid. In addition to monetary damages, (Feldman v. van Gorp), a company may be liable for treble or multiplied damages to compensate the government for the costs, delays and inconveniences caused by the fraudulent claims, calculated before deduction fixes entitled to the defrauder, (U.S. v. Bornstein); thousands of dollars in penalties per claim, adjusted for inflation; and attorneys’ fees. An individual or company found liable under the FCA may also face suspension and debarment, preventing the organization or individual from entering into contracts with the government for a time.
In September 2023, the DOJ announced that Verizon Business Network Services agreed to pay over $4 million to settle FCA allegations regarding Verizon’s failure to satisfy certain cybersecurity controls in connection with an information technology service provided to federal agencies. Of note is Verizon’s proactive approach to the case — including conducting an independent investigation and compliance review and self-reporting — which earned Verizon cooperation credit with the DOJ, resulting in a reduction in the settlement amount.
The SEC cybersecurity rule
While the SEC cybersecurity rule applies only to publicly traded companies, private companies would benefit from heeding the new standard of reasonableness that will likely be relied upon by the plaintiffs’ bar and regulators alike.
Government contractors assessing their risk profiles should note that, among other things, the SEC cybersecurity rule now requires disclosure of any cybersecurity incident determined to be material and describe material aspects of the reported incident within four business days of that determination. This determination must be made “without unreasonable delay” and be “consistent with the standard set out in the cases addressing materiality in the securities laws”; i.e., “there is a substantial likelihood that a reasonable shareholder would consider [the information] important in making an investment decision, or if it would have ‘significantly altered the ‘total mix’ of information made available.”
Public companies must also now describe annually to their shareholders their boards’ oversight of risks arising from cybersecurity threats, as well as management’s cybersecurity expertise and role in assessing and managing such material risks.
The 2022 criminal conviction of Uber’s former CSO by a federal jury in San Francisco for obstruction of justice and failure to report knowledge of the commission of a felony for his “attempted cover-up of a 2016 hack of Uber” has further raised the stakes. Although no similar criminal prosecution related to the handling of a cybersecurity incident has occurred since then, corporate executives are acutely aware that criminal prosecution is another dimension of liability they must weigh among the other risks inherent to cybersecurity incidents.
Given the U.S. government’s increasingly complex and broad enforcement regime and increased risk of civil and criminal liability to businesses and their leadership, companies need to keep in mind their broad obligations to be transparent to myriad constituencies — including customers, investors and law enforcement and regulators. For government contractors, such obligations are heightened given the possibility of FCA liability.
Critical to safeguarding against FCA liability is implementing a robust cybersecurity compliance program, regular training and risk assessments.