Lincoln’s Law in the Digital Age: DOJ to Expand Use of the False Claims Act to Enforce Cybersecurity Requirements
The Department of Justice (“DOJ”) recently announced a new Civil Cyber-Fraud Initiative (the “Initiative”) that will use the False Claims Act (“FCA”) to pursue contractors and grant recipients that knowingly (1) provide deficient cybersecurity products or services, (2) misrepresent their cybersecurity practices or protocols, or (3) violate obligations to monitor and report cybersecurity incidents and breaches. The Initiative is based on the debatable premise that many contractors and recipients are misrepresenting their cybersecurity capabilities, as opposed to struggling with an evolving patchwork of security standards, the interpretation and application of which require subjective and highly technical analysis and judgment. The Initiative also appears to assume that contractors and recipients are hiding vulnerabilities and incidents, “choos[ing] silence under the mistaken belief that it’s less risky to hide a breach than to bring it forward and to report it.”1 Deputy Attorney General Lisa Monaco promised to “extract very hefty, very hefty fines” from those who “fail to follow required cybersecurity standards.”2
FCA Qui Tam Lawsuits
The FCA (known colloquially as “Lincoln’s law” because President Lincoln signed its original form into law) includes a qui tam provision that allows and incentivizes whistleblowers to file FCA claims on behalf of the Government. DOJ’s Initiative will leverage these qui tam lawsuits, which is particularly problematic given the complex and evolving cybersecurity landscape that contractors must navigate. For example, the Cybersecurity Maturity Model Certification (“CMMC”) Framework was supposed to provide “a unifying standard for the implementation of cybersecurity across the Defense Industrial Base,”3 but it has been repeatedly delayed and is now the subject of an internal review at DoD.4 DoD has encouraged contractors to continue to prepare for CMMC despite the broad, all-encompassing scope of that review.5 In the meantime, DoD last year implemented the NIST SP 800-171 DoD Assessment Methodology to establish a mechanism for assessing and verifying compliance with NIST SP 800-171.6 Civilian agencies, for their part, have equivocated on whether, and to what extent, they will adopt CMMC.
Moreover, CMMC and the current cybersecurity requirements necessarily vary with the types of information and information systems that a contractor will handle or access. For many contractors that only handle “Federal contract information,” cybersecurity requirements are defined in only general terms in FAR 52.204-21, Basic Safeguarding of Covered Contractor Information Systems. Contractors that handle “controlled unclassified information,” or “CUI,” are subject to more stringent requirements based on NIST SP 800-171, but Federal agencies have themselves struggled to consistently identify what information is, and is not, CUI.7
With cybersecurity requirements such a moving target, defending against qui tam FCA suits can involve costly, discovery-intensive litigation. Indeed, the CMMC Framework envisions that CMMC certifications will be based on assessments performed by accredited CMMC Third-Party Assessment Organizations, underscoring that cybersecurity compliance is often a matter of debate among technical and professional experts rather than a binary true-or-false distinction.
Biden Administration Focus
The Initiative is part of a concerted effort by DOJ to combat cyberattacks over the last few years. In April 2021, DOJ created a Ransomware and Digital Extortion Task Force to combat criminal enterprises involved in ransomware attacks. In August, DOJ created the Cyber Fellowship Program to train future prosecutors to combat the next generation of cyber threats.
DOJ’s action follows the Biden administration’s larger effort to enhance the U.S. cybersecurity infrastructure. In May 2021, President Biden issued an executive order to “Improv[e] the Nation’s Cybersecurity,” which, among other initiatives, seeks to facilitate better coordination between federal agencies and private companies in order to better protect America from cyber threats. The Biden administration’s and DOJ’s actions follow a wave of cyberattacks against critical organizations, such as the SolarWinds hack, which allowed Russian government-linked actors to compromise many federal agencies in 2020.
Federal contractors will need to stay vigilant in order to avoid facing “very hefty fines” under DOJ’s new Initiative. DOJ frequently uses the FCA; in 2020 alone, it collected more than $2.2 billion in settlements and judgments.8 In 2019, a whistleblower settled a multi-million dollar FCA claim against Cisco Systems, Inc. for selling video surveillance equipment to government agencies despite knowing the equipment would be susceptible to cyberattacks.9
The Bottom Line
As Lincoln’s law is expanded to reach the cybersecurity arena, government contractors and grant recipients should invest particular attention in their cybersecurity practices. Contractors and recipients should ensure they have a clear understanding of the universe of cybersecurity laws, regulations, and contractual requirements applicable to them, and should proactively and critically examine their existing cybersecurity policies and practices with a focus on robust training, careful prevention, and timely reporting.
1 Press Release, Department of Justice, Deputy Attorney General Lisa O. Monaco Announces New Civil Cyber-Fraud Initiative, Oct. 6, 2021, https://www.justice.gov/opa/pr/deputy-attorney-general-lisa-o-monaco-announces-new-civil-cyber-fraud-initiative.
2 James Rundle & Kim Nash, Justice Department to Fine Contractors for Not Reporting Cyber Incidents, Wall Street Journal, Oct. 7, 2021, https://www.wsj.com/articles/justice-department-to-fine-contractors-for-not-reporting-cyber-incidents-11633599001?page=1&mod=djemCybersecruityPro&tpl=cy.
3 See https://www.acq.osd.mil/cmmc/faq.html.
4 See https://fcw.com/articles/2021/09/14/cmmc-review-results-coming-soon.aspx.
6 See https://www.velaw.com/insights/dod-issues-interim-rule-to-supplement-cybersecurity-maturity-model-certification-cmmc-process/.
7 See Susan W. Ebner & Ronaldo R. Sanchez, Controlled Unclassified Information – The Devil is in the Details, National Defense, Apr. 7, 2021, https://www.nationaldefensemagazine.org/articles/2021/4/7/controlled-unclassified-information—the-devil-is-in-the-details.
8 Press Release, Department of Justice, Justice Department Recovers over $2.2 Billion from False Claims Act Cases in Fiscal Year 2020, Jan. 14, 2021, https://www.justice.gov/opa/pr/justice-department-recovers-over-22-billion-false-claims-act-cases-fiscal-year-2020.
This information is provided by Vinson & Elkins LLP for educational and informational purposes only and is not intended, nor should it be construed, as legal advice.