How Doing Business With the Government Can Cost Millions Under the False Claims Act
The Department of Justice (DOJ) is dusting off a Civil War-era statute, the False Claims Act, to go after organizations who are deemed to have insufficient cyber security controls, and it could cost organizations doing business with the government millions of dollars.
On October 6, 2021, the DOJ announced the launch of its Civil Cyber-Fraud Initiative. Deputy Attorney General Lisa O. Monaco said: “For too long, companies have chosen silence under the mistaken belief that it is less risky to hide a breach than to bring it forward and report it. Well, that changes today.” The Civil Cyber-Fraud Initiative will use the False Claims Act (FCA) to pursue organizations who: (a) knowingly provide deficient cyber security products or services; (b) knowingly misrepresent their cyber security practices or protocols, or (c) knowingly violate obligations to monitor and report cyber security incidents and breaches.¹
“Where those who are entrusted with government dollars, who are entrusted to work on sensitive government systems fail to follow required cyber security standards,” Monaco said, “we’re going to go after that behavior and extract very hefty, very hefty fines.”²
Targeting Cyber Controls with a Potent (& Effective) Rifle
What is the FCA?
Historically, the FCA was known as the “Lincoln Law.” President Lincoln signed the FCA into law in 1863 to penalize suppliers who sold sick horses, moldy rations, and defective rifles to the Union Army.
The FCA has come a long way from sick horses and has been amended many times over the past 158 years to help combat fraud against the government. At its heart, FCA liability can occur in the following ways: (i) selling a defective product to the government, (ii) inflating an invoice submitted to the government, (iii) fraudulently attempting to increase a government rebate, and now (iv) misrepresenting the cyber security preparedness of your company or failing to disclose a breach while doing or seeking business with the government.
Because uncovering fraud can be complicated, the FCA employs the old adage of “setting a rogue to catch a rogue” and empowers private citizens (yes, even non-employees of an organization who possess non-public information) to bring successful FCA cases on behalf of the government. The government pays these whistleblowers (often disgruntled former employees, subcontractors, or vendors) a hefty bounty of up to 30% of any recovery.³
Now, in the wake of a slew of cyber security breaches against key U.S. infrastructure and President Biden’s May 2021 executive order strengthening U.S. cyber security defense, the DOJ is using the FCA to go after organizations with insufficient cyber security controls who do business with the government.
How Does the FCA Apply to Cyber Security?
Several recent FCA cases concerning cyber security have driven home several sobering realities:
▪ No actual damage needed. A company does not have to suffer an actual cyber security breach; the mere potential for a breach is sufficient;
▪ Partial disclosure is not a defense. FCA liability exists even if the company disclosed some (but not all) of its cyber security noncompliance;
▪ Products & Services. The FCA applies not only to selling an allegedly defective product to the government but also to a company doing business with the government despite having insufficient internal cyber security protection; and
▪ Hefty Damages. The damages for cyber security noncompliance are substantial. In one recent case, the company settled for $8.6 million, with over $1 million going to the disgruntled former employee turned whistleblower.⁴
FCA liability goes far past government and defense contractors and can include:
What are the Government’s Cyber Security Requirements?
Remaining compliant with cyber security requirements is no easy feat, as the requirements are voluminous and complicated. Managing cyber as an enterprise risk requires continuous review, improvement, and investment in cyber risk management. Depending on the type of product or service provided and the government agency involved, an organization doing business or contracting with the government may need to comply with an alphabet soup of requirements, such as those issued by the National Institute of Standards and Technology (NIST), the Cybersecurity Maturity Model Certification (CMMC), the Federal Acquisition Regulation (FAR), and the Defense Federal Acquisition Regulation Supplement (DFARS).
Protecting your organization from FCA Cyber Security Risk
Now that the DOJ has turned its eye to insufficient cyber security controls and noncompliance, it is crucial for organizations doing business with the government to take proactive cyber preparedness and resilience steps to minimize any potential FCA liability. As Abraham Lincoln, the architect of the FCA, once warned: “You cannot escape the responsibility of tomorrow by evading it today.”
How We Help
When operating with a data mindset and a circular strategy, an organization can effectively strengthen its posture and help develop cyber risk resilience. At Aon’s Cyber Solutions we offer holistic cyber risk management, unsurpassed investigative skills and proprietary technologies to help clients uncover and quantify cyber risks, protect critical assets and recover from cyber incidents. Download the full piece, ‘Lincoln’s Ghost & Cyber Security,’ below to learn more.
ABOUT THE AUTHOR
Eric B. Gyasi
Vice President, Aon’s Cyber Solutions
Eric B. Gyasi is a Vice President at Aon’s Cyber Solutions, a specialized risk management firm built to help clients solve the complex challenges prevalent in today’s digital, connected, and regulated business world. In his role, Mr. Gyasi is a key advisor to clients spanning many sizes and sectors – from multinational corporations, organizations, law firms, financial services institutions, and other professional service firms – on matters of cyber security, digital forensics and incident response, and regulatory requirements regarding data privacy and information governance.