The U.S. Department of Justice (DOJ) recently announced it will, yet again, use the False Claims Act as a sword instead of a shield, this time to target government contractors and grant recipients the government deems to lack sufficient cybersecurity. The False Claims Act, first passed by Congress in the wake of the Civil War to protect the U.S. government from efforts to defraud it, is now wielded by the government in an ever-expanding manner as an enforcement tool.
The Civil Cyber-Fraud Initiative, as announced, will be used to penalize those who knowingly provide inadequate cybersecurity products or services, as well as those who make misrepresentations about their cybersecurity practices or fail to monitor or report breaches. It is unclear exactly how the DOJ intends to use the False Claims Act to quell such conduct, as the government has been silent about that.
The False Claims Act is triggered only when a claim for money is submitted to the government. The nexus between a claim for money and cybersecurity practices is not evident. One method the government will likely rely upon is declaring that the Federal Acquisition Regulations and department-specific regulations, such as those within the Department of Defense, impose material terms on the procurement process, as those regulations do impose cybersecurity requirements on those contracting with the government. Alternatively, the government may impose terms under which any claim for payment from the government inherently includes a representation by the entity that its cybersecurity practices are sound. Regardless of which method is adopted, the government will have to tie something to the claim for money in order to use the False Claims Act.
This announcement is the latest effort by the government to address cybersecurity threats. In May, President Joseph R. Biden issued an executive order aimed at establishing baselines for cybersecurity with respect to government contracts and improving coordination and sharing of information with the private sector. There are also several pending bills in Congress that would impose stricter reporting requirements around cyberattacks and give more investigative power to the Cybersecurity and Infrastructure Security Agency.
This all means companies need to proactively prepare for responding to cyberattacks. Additionally, companies contracting with the government or receiving government funding must closely review their obligations in their government contracts to ensure they are adequately safeguarding data and maintaining sufficient data security. If your desire for cybersecurity compliance was lacking before, the government has put us all on notice that the threat of heightened enforcement, including the possibility of triple penalties under the False Claims Act, should motivate you to obtain and maintain cybersecurity compliance now.