The Department of Justice (DOJ) recently announced the launch of the Civil Cyber-Fraud Initiative, which will utilize the False Claims Act (FCA) to pursue cybersecurity-related fraud by government contractors and grant recipients. Key features of and takeaways from this new initiative are discussed below.

Key Features

  • The initiative aims to hold accountable entities or individuals that put U.S. information or systems at risk by (1) knowingly providing deficient cybersecurity products or services, (2) knowingly misrepresenting their cybersecurity practices or protocols, or (3) knowingly violating obligations to monitor and report cybersecurity incidents and breaches.
  • The initiative will utilize the FCA — which “is the government’s primary civil tool to redress false claims for federal funds and property involving government programs and operations” — to pursue cybersecurity-related fraud by government contractors and grant recipients. The FCA includes a unique whistleblower provision that “allows private parties to assist the government in identifying and pursuing fraudulent conduct and to share in any recovery and protects whistleblowers . . . from retaliation.”
  • The creation of the initiative “is a direct result of the department’s ongoing comprehensive cyber review, ordered by Deputy Attorney General Monaco this past May.” The review is “aimed at developing actionable recommendations to enhance and expand” DOJ’s efforts against cyber threats.
  • The initiative will be led by the DOJ Civil Division’s Commercial Litigation Branch, Fraud Section, but DOJ will work closely on the initiative with other federal agencies, subject matter experts and its law enforcement partners throughout the government.

Key Takeaways

In 2019, a federal district court signaled for the first time that cybersecurity compliance by government contractors could be the subject of an FCA lawsuit (see United States ex rel. Markus v. Aerojet Rocketdyne Holdings, Inc.). In December of 2020 and February of 2021, DOJ officials remarked publicly that cybersecurity-related fraud is an area where we could see enhanced FCA activity in the near future. In hindsight, these events and remarks foretold DOJ’s formation of the Civil Cyber-Fraud Initiative, which is perhaps the most significant development to date pertaining to DOJ’s increased focus on cybersecurity-related fraud.

This new initiative strongly suggests that DOJ will initiate, and intervene in, more FCA lawsuits involving allegations that government contractors and grant recipients failed to fulfill contractual and other legal requirements relating to cybersecurity. Accordingly, government contractors and grant recipients would be wise to review and strengthen their practices with respect to cybersecurity compliance, education, and reporting.