False Claims Act: The New (Old) Tool in Pursuing Cybersecurity Fraud

As the world becomes more dependent on technology, there have been more and more cybersecurity attacks that leverage vulnerabilities in technology products. Cyberattacks are becoming more prevalent and have established themselves as key threats across different industries, affecting both public and private sectors. State and non-state actors across the globe will all likely engage in more dangerous cyberattacks in the years to come.[1] According to the Cybersecurity & Infrastructure Security Agency, in 2020, U.S. industry partners identified over 18,000 cybersecurity vulnerabilities, over 10,000 of which were classified as “critical” or “high severity” vulnerabilities.[2] Since the pandemic began, the FBI has reported a marked uptick in reported cybercrimes at nearly 3,000 to 4,000 cybersecurity complaints per day, a sizable leap from the 1,000 daily complaints before the COVID-19 pandemic.[3] According to the United Nations, there has been a 600% increase in malicious emails during the pandemic as well.[4] These cybercrimes have cost companies worldwide $6 trillion in 2021 and will cost companies worldwide an estimated $10.5 trillion annually by 2025, up from $3 trillion in 2015.[5] Yet in this environment of increasing cyber threats, alarmingly, the rate of detection/prosecution of cyberattacks is as low as 0.05% in the United States.[6] These cyberattacks threaten governments, companies, and ultimately the privacy and security of the American people.

In response to these alarming trends, the Biden Administration has sought to bolster the nation’s cybersecurity. On May 21, 2021, President Biden signed Executive Order 14028, “Improving the Nation’s Cybersecurity,” to support the United States’ efforts to bolster cybersecurity and to protect critical infrastructures and Government networks.[7] Among its key objectives, the Executive Order aims to implement stronger cybersecurity standards throughout the federal government and to create a standardized playbook for responding to cybersecurity vulnerabilities and incidents.[8] Following through with its intentions, federal civilian agencies are currently estimated to spend approximately $9.4 billion on cybersecurity in fiscal year 2022, marking an increase from FY2021’s $8.2 billion and FY2020’s $7.4 billion.[9] Within this budget are funds to support numerous federal initiatives such as Homeland Security’s Continuous Diagnostics and Mitigation program and funds for a new Cyber Response and Recovery Fund “to improve national critical infrastructure cybersecurity response.”[10] Beyond federal initiatives, state-level governments are also keen on bolstering its cybersecurity, with at least 45 states and Puerto Rico introducing over 250 bills or resolutions dealing with cybersecurity in 2021. These measures include attempts at establishing cybersecurity training; establishing formal security policies, standards, and practices; establishing plans and tests for responding to a security incident; regulating cybersecurity within the insurance industry; creating task forces to study/advise on cybersecurity issues; and supporting programs or incentives for cybersecurity training.[11] All of these initiatives and measures are being put in place to ensure that individuals and organizations will be held accountable for their cybersecurity practices.

Consistent with these federal and state initiatives is a focus on improving government response to cyber threats and cyberattacks. For example, in President Biden’s Executive Order, improving detection of cybersecurity incidents on federal government networks and removing barriers of information sharing between the government and private sector regarding cyber threats are primary objectives.[12] Companies that work with the government must be more forthcoming about their cybersecurity incidents from this point forward, especially considering the rise in the adoption of cloud services in government. As of early 2021, over half of federal government offices use some form of cloud-based service.[13] Further, due to the pandemic, governments will surely increase their reliance on cloud services as more individuals work from home. Therefore, more than ever before, the safety and security of sensitive Government data is in the hands of private companies, all in an age of rising cyber threats.

Ultimately, rising concerns about cybersecurity led to the Department of Justice’s (“DOJ”) creation of the new Civil Cyber-Fraud Initiative. Deputy Attorney General Lisa Monaco announced in October 2021 that the Civil Division’s Commercial Litigation Branch would lead the initiative. [14] “For too long, companies have chosen silence under the mistaken belief that it is less risky to hide a breach than to bring it forward and to report it,” said Deputy Attorney General Monaco in the press release. “We are announcing today that we will use our civil enforcement tools to pursue companies, those who are government contractors who receive federal funds, when they fail to follow required cybersecurity standards—because we know that puts all of us at risk. This is a tool that we have to ensure that taxpayer dollars are used appropriately and guard the public fisc and public trust.”

In the past, the DOJ had alluded to cybersecurity as an area where the Government can see enhanced enforcement under the False Claims Act (“FCA”).[15] Now, through the Civil Cyber-Fraud Initiative, the DOJ will enforce the FCA against contractors and grant recipients that violate cybersecurity requirements. Specifically, the DOJ commented on the FCA’s unique whistleblower provision as a mechanism to help enforce the initiative.[16] The DOJ will “hold accountable entities or individuals that put U.S. information or systems at risk by knowingly providing deficient cybersecurity products or services, knowingly misrepresenting their cybersecurity practices or protocols, or knowingly violating obligations to monitor and report cybersecurity incidents and breaches.”[17]

For example, under the Federal Risk and Authorization Management Program (“FedRAMP”), authorized cloud service providers (“CSP”) for the Government have an obligation to continuously monitor their own systems to detect any attacks or potential attacks.[18] The CSPs must deploy monitoring devices; protect information obtained from unauthorized access; and to heighten the level of information system monitoring whenever there is a sign of increased risk to organizational operations and assets, individuals, other organizations, or the Nation.[19] Further, CSPs must mitigate all discovered high-risk vulnerabilities within 30 days, mitigate moderate vulnerability risks in 90 days, and mitigate low vulnerability risks in 180 days.[20] However, should the CSP misrepresent their cybersecurity practices such as failing to implement proper monitoring devices, or should the CSP fail to monitor and report cybersecurity incidents as required by FedRAMP, the DOJ will now pursue these claims against the companies for putting the safety and security of sensitive government data at risk. To do so, the government needs help from whistleblowers.

Whistleblowers provide great insight into tech companies’ cybersecurity protocols and practices, monitoring systems, reporting mechanisms, and they can provide vital information about these systems. In doing so, they can help bring transparency to the increasingly vulnerable industry and provide the necessary drive for enhanced cybersecurity to protect America. As the world grows more reliant on technology on a daily basis, companies may still manipulate the system or believe that it is less risky and costly to hide a cybersecurity breach than to come forward. To ensure that privacy and security are in the right hands, we need whistleblowers to come forward and protect the government from such companies.

If you have concerns that your company may be fraudulently covering up cyberattacks and breaches or falsely passing off its deficient cybersecurity practices as compliant, the qui tam and whistleblower lawyers at Sanford Heisler Sharp can evaluate your potential claims and help you fight to correct the injustice.

Footnotes

[1] The Global Risks Report 2021, World Economic Forum at 53 (Jan. 19, 2021), https://www3.weforum.org/docs/WEF_The_Global_Risks_Report_2021.pdf/.
[2] See Cybersecurity & Infrastructure Sec. Agency, BOD 22-01, Reducing the Significant Risk of Known Exploited Vulnerabilities (Nov. 3, 2021).
[3] Maggie Miller, FBI sees spike in cyber crime reports during coronavirus pandemic, The Hill (Apr. 16, 2020), https://thehill.com/policy/cybersecurity/493198-fbi-sees-spike-in-cyber-crime-reports-during-coronavirus-pandemic/.
[4] Edith M. Lederer, Top UN Official warns malicious emails on rise in pandemic, AP (May 23, 2020), https://apnews.com/article/virus-outbreak-europe-technology-pandemics-medical-research-c7e7fc7e582351f8f55293d0bf21d7fb/.
[5] Steve Morgan, Cybercrime to Cost the World $10.5 Trillion Annually by 2025, Cybersecurity Ventures (Nov. 13, 2020), https://cybersecurityventures.com/cybercrime-damage-costs-10-trillion-by-2025/.
[6] The Global Risks Report 2020, World Economic Forum at 63 (Jan. 15, 2020), https://www3.weforum.org/docs/WEF_Global_Risk_Report_2020.pdf.
[7] Exec. Order No. 14,028, 86 Fed. Reg. 26,633 (May 21, 2021).
[8] Id.
9] Off. of Mgmt. and Budget, Information Technology and Cybersecurity Funding (2021), https://www.whitehouse.gov/wp-content/uploads/2021/05/ap_12_it_fy22.pdf.
[10] Id.
[11] See Cybersecurity Legislation 2021, Nat’l. Conf. of State Legislatures (June 22, 2021), https://www.ncsl.org/research/telecommunications-and-information-technology/cybersecurity-legislation-2021.aspx.
[12] See supra note 7.
[13] Daniel Hein, Half of U.S. State and Federal Governments Heavily Use the Cloud, Solutions Review (Jan. 6, 2021), https://solutionsreview.com/cloud-platforms/half-of-u-s-state-and-federal-governments-heavily-use-the-cloud/.
[14] Press Release, Department of Justice, Deputy Attorney General Lisa O. Monaco Announces New Civil Cyber-Fraud Initiative (Oct. 6, 2021).
[15] See Michael Granston, Remarks at the ABA Civil False Claims Act and Qui Tam Enforcement Institute (Dec. 2, 2020).
[16] Id.
[17] Id.
[18] FedRAMP Continuous Monitoring Strategy Guide at 10, Fedramp.gov (Apr. 4, 2018), https://www.fedramp.gov/assets/resources/documents/CSP_Continuous_Monitoring_Strategy_Guide.pdf.
[19] Id.
[20] Id. at 12.

Categories