Cybersecurity breaches represent a $6 trillion problem in the United States annually. As many as 33 billion accounts are expected to be breached in 2023 alone. However, Donna Gregory, unit chief at the FBI’s IC3, shared in an interview with Time Magazine that the FBI estimates that only 10 to 12 percent of cybercrime victims ever report the incident. According to the new Civil Cyber-Fraud Initiative, when businesses that contract with the government fail to report cybercrime, overstate their cybersecurity practices, or otherwise mislead the government about their cybersecurity capabilities, they may be held liable for committing fraud.
If you have knowledge about cybersecurity fraud or an unreported data breach with a government contractor, you may be able to become a whistleblower. Cyber fraud whistleblowers can receive certain protections from the government against retaliation by their employers. Likewise, they may be eligible to receive significant financial rewards in exchange for useful information that helps the government address instances of cybercrime and unsecure data practices.
To report your information, contact the law office of Tycko & Zavareei LLP today. Our attorneys are leaders in the field, top graduates of the nation’s law schools, experienced prosecutors, as well as former officials of the United States Department of Justice. We have extensive experience in helping to uncover fraud, as well as protecting and supporting whistleblowers’ rights. Contact us today to find out how we can help you blow the whistle on cyber fraud.
What is the Civil Cyber-Fraud Initiative?
The Civil Cyber-Fraud Initiative was announced by Deputy Attorney General Lisa O. Monaco in October 2021. The program, run by the Department of Justice, launches new enforcement efforts to monitor cybersecurity protocols amongst government contractors.
“For too long, companies have chosen silence under the mistaken belief that it is less risky to hide a breach than to bring it forward and to report it,” announced Deputy Attorney General Monaco. “That changes today. We are announcing today that we will use our civil enforcement tools to pursue companies, those who are government contractors who receive federal funds, when they fail to follow required cybersecurity standards — because we know that puts all of us at risk. This is a tool that we have to ensure that taxpayer dollars are used appropriately and guard the public fisc and public trust.”
The DOJ Civil Cyber-Fraud Initiative includes a whistleblower provision which allows qui tam relators who come forward with valuable information to receive a share of the assets recovered in a successful case. Relators, also called whistleblowers, may receive anywhere from 15 to 30 percent of the government’s overall settlement if they meaningfully contribute to the recovery of defrauded funds. Cyber whistleblowing is welcomed by DOJ investigators and can be handsomely rewarded.
Cybersecurity Fraud and the False Claims Act
The False Claims Act is the nation’s most powerful qui tam law and holds violators accountable for up to treble damages as well as individual penalties assessed according to the rate of inflation. Those who submit false claims to the government while receiving government funds can be prosecuted under this federal statute. The False Claims Act also protects and rewards the whistleblowers who report fraud.
Under this cybersecurity-oriented expansion of the False Claims Act, qui tam lawsuits can now be brought against government contractors and subcontractors when they make false statements in relation to compliance with Department of Defense cybersecurity requirements. In a qui tam lawsuit, the whistleblower does not have to allege that they were personally harmed by the defendant’s actions. Instead, they file on behalf of the government, which is the wronged party. If their lawsuit is successful, they share in the proceeds.
The basis of liability in cybersecurity fraud qui tam lawsuits is not in failing to comply with basic cybersecurity rules. In general, a company is not prosecuted under the False Claims Act simply because they may have been hacked. Instead, the basis for liability stems from making false claims related to the state of the company’s cybersecurity compliance efforts. Companies that misrepresent their cyber safety practices in order to win bids, or cover up data breaches while continuing to collect on government contracts, may be pursued under the False Claims Act for these false certifications.
Cybersecurity False Claims Act Violations
Hiding a cybersecurity threat does not make it go away. Instead, contractors that seek to disguise or ignore a data breach only put their clients (i.e., the government) at further risk. Government contracts often involve an exchange of sensitive data about citizens, taxpayers, active duty service members, national security, and more. For this reason, government contractors are valuable targets for hackers, and contractor honesty is paramount.
Any time a company receives funding from the government, it may become liable under the False Claims Act if it miss-certifies or misrepresents its situation or the scope of its work. The following are examples of cybersecurity False Claims Act violations:
- Companies that knowingly fail to meet cybersecurity standards. For example, a company that fails to encrypt certain sensitive data may be considered to be in violation of the False Claims Act if they contract with the federal government.
- Companies that knowingly misrepresent their internal controls or practices. A company that continues to certify on their government contract while misrepresenting their cybersecurity practices may also be held liable under the False Claims Act.
- Companies that knowingly fail to report cyber incidents in a timely manner. Hushing up a cybersecurity breach is a clear violation of the False Claims Act and can be prosecuted under the Civil Cyber-Fraud Initiative. The Department of Justice has stated that it “will pursue misrepresentations by companies in connection with the government’s acquisition of information technology, software, cloud-based storage and related services designed to protect highly-sensitive government information from cybersecurity threats and compromises.”
Cybersecurity Fraud False Claims Act Penalties
The False Claims Act imposes statutory penalties for cybersecurity fraud violations that are adjusted regularly to account for inflation. Currently, the maximum penalty is set at $23,000 for each false claim. In instances of ongoing fraud or continued false certifications, these penalties can add up quickly.
The False Claims Act is a civil statute, not a criminal one. However, the financial penalties it assesses are even more severe in cases where the government has suffered an actual loss as a result of the cybersecurity fraud. Companies whose false certifications of cybersecurity contribute to actual losses can face liability for treble damages, or up to three times the government’s total losses.
Important Cyber Fraud Whistleblower Cases
- Aerojet Rocketdyne Inc.: This $9 million settlement was partially the result of whistleblower and former Aerojet employee Brian Markus, who received $2.61 million as part of his share of the recovery. Aerojet Rocketdyne, a contractor that provides propulsion and power systems for launch vehicles, missiles, and satellites to the Department of Defense, NASA, and other federal agencies, allegedly misrepresented its compliance with cybersecurity requirements while under government contract. “Whistleblowers with inside information and technical expertise can provide crucial assistance in identifying knowing cybersecurity failures and misconduct,” said Principal Deputy Assistant Attorney General Brian M. Boynton, head of the Justice Department’s Civil Division, about the case.
- Comprehensive Health Services (“CHS”): This first cybersecurity fraud case involved a medical services contractor providing overseas healthcare and medical record keeping for American troops, diplomats, officials, and contractors working in Iraq. CHS staff allegedly did not store the medical records in their keeping on a secure EMR system, instead leaving copies on an internal network drive accessible to almost anyone, including non-clinical staff members. “This settlement demonstrates the department’s commitment to use its civil enforcement tools to pursue government contractors that fail to follow required cybersecurity standards, particularly when they put confidential medical records at risk,” said Principal Deputy Assistant Attorney General Brian M. Boynton about the landmark case. “We will continue to ensure that those who do business with the government comply with their contractual obligations, including those requiring the protection of sensitive government information.”
How to File a Cyber Fraud Qui Tam Lawsuit
Filing a whistleblower lawsuit is an important step in recovering misappropriated taxpayer dollars, as well as insulating your own professional career against wrongdoing and holding fraudsters accountable.
In order to discuss the specifics of your case, contact one of the expert whistleblower lawyers with Tycko & Zavareei LLP. The following is a general whistleblower’s guide to the steps involved in filing a cybersecurity qui tam case:
1. Gather potential evidence: Whistleblower lawsuit evidence should always be collected under the guidance of a qualified qui tam lawyer. Certain kinds of evidence, such as recordings, are illegal to collect without the consent of all parties in some states. However, in some cases, sharing even protected documents such as health records may be permissible and may be considered as valuable items in the discovery process.
Evidence can take a variety of forms. However, it will likely include emails, messages, reports, or other data that clearly illustrates purposeful wrongdoing. Especially in a cybersecurity case, evidence may even involve seemingly innocent documents such as onboarding materials that illustrate cybersecurity best practices and promised standards.
It is important to act quickly as a whistleblower and consult a qui tam lawyer from the start, to help prevent crucial evidence from being destroyed or hidden.
2. Find an experienced cyber fraud whistleblower lawyer: Choosing the best cyber fraud whistleblower lawyer for your case can help ensure that you collect the highest possible whistleblower payout and have your privacy protected to the fullest extent possible. Having legal representation can also help convince the Department of Justice to intervene in your case, or follow up on the claim even if they decline to do so.
Fraud and cybersecurity is a complicated field, as is qui tam law. Finding an experienced whistleblower lawyer is crucial for success. When looking for a cyber fraud whistleblower lawyer, look at the firm’s success rate and the kinds of clients they have represented in the past. Assess their professional qualifications, level of education, connections in the field, and level of expertise. Securing the right whistleblower lawyer can make all the difference in your cybersecurity fraud case, especially when it comes to securing the full might of the Department of Justice to investigate any fraud and wrongdoing, and take the burden of government filing off of your plate.
3. File a qui tam lawsuit under the False Claims Act: When filing through a qui tam law firm, your complaint is made anonymously through the firm itself. Qui tam complaints are kept sealed, meaning your company will not be alerted until the defendant is served with the lawsuit.
4. Remain patient: Whistleblower cases can take months, or even years to conclude. Your law firm can take over maintenance of the case while you continue with your career. Your whistleblower lawyer will contact you for any further steps that need to occur during the Department of Justice investigation and any events that must take place pre-trial. Additionally, many cases are settled out of court, in which case, your qui tam firm will alert you as to the decision that has been made and your final settlement amount.
5. Collect your reward: Whistleblower rewards range from 15 to 30 percent of the overall settlement in a successful cybersecurity fraud case. The higher the amount that the government gets back, whether in damages, penalties, or overall recovery, the higher a whistleblower payout may be. Additionally, percentages are determined based on value of the information, willingness of the whistleblower to cooperate, timeliness of their disclosure, and lack of liability in planning the crime.
Cybersecurity Fraud: FAQs
The following are answers to some frequently asked questions involving cybersecurity and fraud:
What is DFARS clause 252. 204-7012?
DFARS Clause 252. 204-7012 governs cyber incident reporting involving unclassified defense information kept on a contractor’s internal information system. It details what must be done to safeguard sensitive information while under government contract, and how to report a breach or compromise. Under DFARS clause 252. 204-7012, a compromise is defined as “disclosure of information to unauthorized persons, or a violation of the security policy of a system, in which unauthorized intentional or unintentional disclosure, modification, destruction, or loss of an object, or the copying of information to unauthorized media may have occurred.”
What is “adequate security” under the DFARS clause?
Under the DFARS clause, adequate security must be in place in order to protect defense information. Adequate security is considered to be “protective measures that are commensurate with the consequences and probability of loss, misuse, or unauthorized access to, or modification of information.”
What is “covered defense information” under the DFARS clause?
“Covered defense information” is unclassified material but is still subject to cybersecurity safeguards. Covered defense information will fall under several qualifying categories:
- It will be marked or otherwise identified in the contract, task order, or delivery order, and/or;
- It will be provided to the contractor by or on behalf of Department of Defense in support of the contract, and/or;
- It will be collected, developed, received, transmitted, used, or stored by or on behalf of the contractor in support of the performance of the contract.
What is considered “controlled technical information” under the DFARS clause?
“Controlled technical information” involves technical military or space-related information that is not freely and publicly available without restrictions. Examples might include research and engineering data, engineering drawings, specifications, standards, process sheets, manuals, technical reports, technical orders, catalog-item identifications, data sets, studies and analyses, computer software executable code and source code.
What is “controlled unclassified information” under the DFARS clause?
“Controlled unclassified information” (CUI) is the broadest category of controlled data. Any of the aforementioned categories may be considered part of the CUI registry.
What are the NIST 800-171 requirements?
Department of Defense contractors, General Services Administration contractors, and supply chain agencies involved with NASA and other federal and state agencies must be in compliance with NIST 800-171 requirements. Your state’s Manufacturing Extension Partnership (MEP) Center can help connect you with cybersecurity experts who can help ensure your business is in compliance with NIST 800-171 guidelines. Because the guidelines are over 150 pages in length and alternative approaches are permissible, it is best to consult with a cybersecurity expert to ensure that your business has the right cybersecurity practices in place for your needs.
How long does a government contractor have to report a DFARS cyber incident?
Cybersecurity fraud detection is a time sensitive matter. A government contractor must report a DFARS cyber incident ideally within 72 hours. However, your state’s guidelines may allow for up to 30 days to complete a DFARS CDI Assessment and report any internal findings to the Department of Defense Chief Information Officer (CIO).
What is the protocol after discovering a cyber incident that affects CDI or CCIS?
If you discover an incident that affects CCIS or CDI, you must conduct an internal review to identify the extent of the compromise, in addition to reporting to the Department of Defense. You must also preserve images of all known affected information systems for at least 90 days from the submission of the Cyber Incident Report. Department of Defense analysts must also be provided with full access and all relevant information in order to conduct their own review, if necessary.
Talk to an Experienced Cybersecurity Whistleblower Attorney
An experienced cybersecurity fraud whistleblower lawyer can help you understand what to do if you have information that a government contractor is not in compliance with DOD guidelines. The team at Tycko & Zavareei LLP can help you protect your own interests as a professional while ensuring that justice is done. Contact us today for a complimentary consultation and confidential case review.