By Myriah Jaworski and Brian Myers of Beckage
Published November 2, 2021
The Department of Justice has announced a new “Civil Cyber-Fraud Initiative” in which the Department will pursue civil actions for damages against federal contractors that fail to maintain cybersecurity standards and fail to report cybersecurity incidents and breaches.
What Is the Civil Cyber-Fraud Initiative?
On October 6, 2021, Deputy Attorney General Lisa Monaco declared that the DOJ will use its existing authority under the False Claims Act to bring civil litigation against entities or individuals that put U.S. information or systems at risk by either:
- Knowingly providing deficient cybersecurity products or services;
- Knowingly misrepresenting their cybersecurity practices or protocols; or
- Knowingly violating obligations to monitor and report cybersecurity incidents and breaches.
Monaco explained that “for too long, companies have chosen silence under the mistaken belief that it is less risky to hide a breach than to bring it forward and to report it. Well that changes today … because we know that puts all of us at risk.”
How Will Enforcement Work?
Under the False Claims Act, the government can recover treble damages, plus a penalty amount that is linked to inflation, against companies that make false statements in connection with work that is funded by the government. The new initiative will apply to federal government contractors, federal grant recipients, and other recipients of federal funding. The statute of limitations for False Claims Act litigation is three years.
The Cyber-Fraud Initiative will be conducted by the Civil Division’s Commercial Litigation Branch, Fraud Section. The False Claims Act also authorizes Qui Tam litigation, a type of whistleblower activity in which private parties can initiate litigation on behalf of the government and receive a percentage of the government’s recovery if the claim is successful. The DOJ’s press release announcing the Cyber-Fraud Initiative indicated that qui tam litigation would apply to the new initiative.
The new initiative is part of the DOJ’s ongoing comprehensive cyber review, which was ordered by Deputy Attorney General Monaco in May 2021 and follows a recent series of cybersecurity attacks that has motivated the Biden administration to bolster cybersecurity resiliency and pursue threat actors.
What Should Federal Contractors Do Next?
While cybersecurity incidents and breaches always exposed companies to considerable litigation risk, and the DOJ’s new initiative only increases that risk. The DOJ’s new initiative demonstrates the increasing importance of developing and maintaining resilient cybersecurity protocols.