On October 6, 2021, the US Department of Justice (DOJ) announced a new initiative to address cyber-fraud that focuses on government contractors. Specifically, DOJ has launched a "Civil Cyber-Fraud Initiative" (Initiative), which will combine DOJ's "expertise in civil fraud enforcement, government procurement and cybersecurity to combat new and emerging cyber threats to the security of sensitive information and critical systems." The Initiative will impact US government contractors and participants in similar agreements, e.g., Other Transactions, as well as grant recipients across the country.

What Happened and Why

DOJ formed the Civil Cyber-Fraud Initiative to address a concern that contractors may be failing to give required notice of cyber breaches. Based on its press release announcing the Initiative, DOJ appears to be of the view that some companies are electing to remain silent regarding known breaches even though the incidents should be reported according to the contract terms.

The Civil Cyber-Fraud Initiative will utilize the civil False Claims Act (FCA) to pursue cybersecurity-related fraud by government contractors and grant recipients. The FCA is the government's primary civil tool to redress false claims for federal funds and property involving government programs and operations. The FCA permits the government to obtain treble damages and penalties for "knowingly" submitting false claims for payment. The statutory definition of "knowingly" includes deliberate ignorance and reckless disregard. The FCA also includes a whistleblower provision that allows private parties (known as "relators") to pursue fraudulent conduct and to share in any recovery.

DOJ stated that the Initiative "will hold accountable entities or individuals that put U.S. information or systems at risk by knowingly providing deficient cybersecurity products or services, knowingly misrepresenting their cybersecurity practices or protocols, or knowingly violating obligations to monitor and report cybersecurity incidents and breaches."

What to Expect

Many government contracts include clauses that require contractors to provide prompt notice of any cybersecurity breach. For example, DoD contracts that require contractors or subcontractors to safeguard covered defense information contain DFARS 252.204-7012. That clause requires a contractor (or subcontractor) to report a cyber incident within 72 hours of discovery. This timing may require the company to report an incident before the full extent of the breach has been determined.

DOJ emphasized that it expects the Initiative to, among other things, "hold[] contractors and grantees to their commitments to protect government information and infrastructure"; "ensure[] that companies that follow the rules and invest in meeting cybersecurity requirements are not at a competitive disadvantage"; and "support[] government experts' efforts to timely identify, create and publicize patches for vulnerabilities in commonly-used information technology products and services." The heightened scrutiny of US government contractor cybersecurity indicates that DOJ will allocate greater resources to identifying and pursuing FCA actions with regard to cybersecurity products and practices. The increased attention also may draw additional interest from the counsel who represent relators. 

This Mayer Brown article provides information and comments on legal issues and developments of interest. The foregoing is not a comprehensive treatment of the subject matter covered and is not intended to provide legal advice. Readers should seek specific legal advice before taking any action with respect to the matters discussed herein.