JONES DAY PRESENTS®: What is the Department of Justice's Civil Cyber-Fraud Initiative?
Launched by the U.S. Department of Justice in October 2021, the Civil Cyber-Fraud Initiative utilizes the False Claims Act to pursue cybersecurity-related fraud by government contractors. Notably, the Initiative includes a "whistleblower" provision, which allows private parties who provide information relevant to an investigation to share in any assets recovered. Jones Day partner Jimmy Kitchen explains the Initiative's risks to companies, and talks about how it could change the DOJ's position in the federal cyber-enforcement landscape.
(See also, Beyond Data Breaches: Increasing Risks of Civil Liability for Cybersecurity Misrepresentations.)
A full transcript appears below.
Jimmy Kitchen:
The new Civil Cyber-Fraud Initiative that has been rolled out by the Department of Justice is really the latest step following an executive order that President Biden issued ordering the entire government to use the whole of its authority to strengthen the government's cyber security. Following that, we had the deputy attorney general of the United States order the Department of Justice to conduct a review to determine how the DOJ could enhance and expand its role in fighting cyber threats. And so, this is one of the outgrowths of that review. And so, what this initiative specifically does is order the DOJ's fraud unit to work with US attorney's offices and utilize the False Claims Act, which is a preexisting statute that is used in other contexts, against government contracting companies in relation to their cybersecurity.
The initiative specifically states that they're going to use the False Claims Act in three ways against companies. The first is against companies who knowingly fail to comply with cyber security standards. These standards are presumably going to exist in the contracts between the government and these companies. And so companies need to make sure that they understand what those standards are and how vague they might be interpreted.
Second, the FCA is also going to be used for knowing misrepresentations of a company's internal controls or practices. So for example, if a company in trying to procure a contract from the government represents that it encrypts certain types of data for example, or if it tells the government that it has an incident response plan that it follows in the wake of a cyber breach. Those are things that the government is going to hold those companies too under the FCA.
And thirdly, they're also going to use the FCA against companies for knowingly failing to timely report cyber incidents. And so again, this is presumably going to rely upon the terms of the contract, which companies should take a look at, and understand whether or not those terms provide for vague timeframe, such as notification within a reasonable time or without undue delay, or something that's more akin to the GDPR's hard deadline of like a 72 hour window.
The False Claims Act provides for statutory penalties that actually are adjusted for inflation. So currently they are standing at a max penalty of about $23,000 for each false claim. And what a company needs to understand is that in a particular enforcement action, there are, in many cases, many discreet false claims that are put into an enforcement action. So that number can grow quite exponentially even when the government hasn't shown that they have suffered any losses at all. In cases where the government has suffered losses, in addition to those penalties, a company can face treble damages of up to three times the government's losses. And so, the monetary penalties can be substantial.
In addition to that though, the False Claims Act also provides a whistleblower provision, which allows for private citizens who report False Claims Act violations to the government to share in whatever recovery that the government is able to get. And so, if you think about it in this context, think of an information security officer who's overstressed and overworked, and is always complaining about the fact that he or she doesn't get the resources they need to adequately protect a network and feels like they're being set up to fail. This is somebody who could legitimately turn out to be a whistleblower.
The DOJ has always been the one entity that was focused on the true bad guys, meaning the hackers, the criminals that were actually breaking the law and breaking into companies networks and stealing data. And so, they've gone to great lengths to try to get cooperation from companies in their criminal investigations, by telling these companies that they view them as victims, which they generally are. But now with this new initiative, the DOJ is kind of throwing its lot in with the other state attorney general and regulators who are using their cyber enforcement authority to turn it against those same companies who are victims or potential victims of cyber crime.