U.S. Government to Sue for False Cybersecurity Claims

Have you heard of the False Claims Act?

It is the U.S. government's primary tool for addressing the knowing misuse of taxpayer funds, and it's about to apply to cybersecurity.

Brian Boynton just explained how. He is Acting Assistant Attorney General for the Civil Division at the U.S. Department of Justice. 

Justice Department to sue over false cybersecurity claims 

The False Claims Act was enacted during the Civil War to address fraud involving contractors selling defective goods to the Union Army.

It prohibits "knowingly submitting or causing the submission of false claims to the government." And it permits the government to recover three times its losses, plus a penalty for each false claim.  

This will soon be applied through an information security lens if your organization does business with the government as part of a new Civil Cyber-Fraud Initiative.

The Acting Assistant Attorney General just outlined three specific ways the DOJ plans to pursue civil action for cybersecurity vendor failures—or misrepresentations of cybersecurity:

1. "The False Claims Act is a natural fit to pursue knowing failures to comply with cybersecurity standards.
   
   When government agencies acquire cyber products and services, they often require contractors and grantees to meet specific contract terms, which are often based on uniform contracting language or agency-specific requirements.
   
   For example, cybersecurity standards may require contractors to take measures to protect government data, to restrict non-U.S. citizen employees from accessing systems or to avoid using components from certain foreign countries. The knowing failure to meet these cybersecurity standards deprives the government of what it bargained for."
2. "False Claims Act liability may be based on the knowing misrepresentation of security controls and practices.
   
   In seeking a government contract, or performing under it, companies often make representations to the government about their products, services, and cybersecurity practices. These representations may be about a system security plan detailing the security controls it has in place, the company's practices for monitoring its systems for breaches, or password and access requirements.
   
   Misreporting about these practices may cause the government to choose a contractor who should not have received the contract in the first place. Or it could cause the government to structure a contract differently than it otherwise would have. Knowing misrepresentations of this kind also deprive the government of what it paid for and violate the False Claims Act. "
3. "The knowing failure to timely report suspected breaches is another way a company may run afoul of the Act.
   
   Government contracts for cyber products, as well as for other goods and services, often require the timely reporting of cyber incidents that could threaten the security of agency information and systems. Prompt reporting by contractors often is crucial for agencies to respond to a breach, remediate the vulnerability and limit the resulting harm."

You can probably guess why the U.S. government is doing this, but Boynton also spells it out:

"At bottom, the department's Civil Cyber-Fraud Initiative will hold accountable entities or individuals that put U.S. information or systems at risk."  

Does this mean if your organization is breached while doing business with the government you will face federal litigation? Perhaps.

Were you negligent? Were you misleading about the actual state of your cybersecurity? These are the types of questions the DOJ will consider. 

"We also recognize that cyber incidents and breaches may result even when a contractor has a robust monitoring, detection, and reporting system.

But when contractors or grantees knowingly fail to implement and follow required cybersecurity requirements or misrepresent their compliance with those requirements, False Claims Act enforcement is an important part of the federal response."

False Claims Act applied to cybersecurity: hoped for outcomes

Brian Boynton says this new Civil Cyber-Fraud Initiative came about following the Biden Administration's Executive Order on cybersecurity.

[RELATED: 5 Top Themes from Biden's Executive Order on Cybersecurity]

That order directed the federal government to use the full scope of its authorities and resources to protect its systems, and part of that, he says, is enforcement.

Boynton says there are a number of hoped for outcomes that will mitigate cyber risk:

"The initiative will improve overall cybersecurity practices and help prevent cybersecurity intrusions across the government, the public sector and key industry partners.

The federal government is one of the largest purchasers of cyber products and services. Federal agencies spend billions of dollars each year on contracts and grants relating to cybersecurity. The cybersecurity requirements that the federal government sets for companies that it does business with can raise the bar for the industry as a whole—benefiting both the government and the public generally."

He believes the Civil Cyber-Fraud Initiative will hold contractors and grantees to their commitments to protect government information and infrastructure.

And there are three additional things the Department of Justice is hoping for from this new effort:

• "The initiative will ensure a level playing field. Companies that follow the rules and invest in meeting cybersecurity requirements will have assurance that they will not be at a competitive disadvantage for doing so."

• "The initiative will support the work of government experts to timely identify, create and publicize patches for vulnerabilities in commonly-used information technology products and services."

• "The initiative will reimburse the taxpayers for the losses incurred when entities or individuals fail to satisfy their cybersecurity obligations."

Boynton added that there are a couple of key things that could lead to civil action besides having a data breach potentially trigger it.

This includes the DOJ partnering on this initiative with Inspector General Offices across numerous federal agencies. The IGs regularly examine compliance and cyber risk. 

Also, the DOJ says whistleblowers are protected under the False Claims Act and they could play a key part in alerting the government to problems as they do in other civil cases.

How vigorously will the enforcement be around cybersecurity? That remains to be seen. But they have the muscle to do it. The Civil Division at the DOJ is the largest litigating division in the department, with more than a thousand lawyers across six different branches. 

[RESOURCE] Keep your team's professional development on track through SecureWorld's conferences, webinars, and online training. This includes the one day course, Developing a Comprehensive Ransomware Plan.