Government Contracts: How Cybersecurity Threats Increase Civil and Criminal Liability
Publication | 05.14.24
The risks faced by companies in light of new federal cybersecurity regulations are particularly acute for government contractors, who must also be aware of compounded exposure from the False Claims Act (FCA). The U.S. government is increasingly scrutinizing corporate cybersecurity programs, and companies are vulnerable to new risks of civil and criminal liability related to data breaches. The specter of individual criminal liability looms large since the 2022 conviction of the chief security officer at a leading rideshare company for actions related to his response to data breaches. And now, the SEC has charged the CISO of SolarWinds in his individual capacity with securities fraud related to the company’s cybersecurity regime. All companies—especially government contractors—should consider mitigating risk by auditing their cybersecurity protocols and updating their incident response plans.
In October 2021, the DOJ announced the launch of its civil cyber-fraud initiative to combat cyber threats by leveraging the FCA to civilly prosecute government contractors who knowingly: (1) provide deficient cybersecurity products or services; (2) misrepresent their cybersecurity practices or protocols; or (3) violate obligations to monitor and report cybersecurity incidents and breaches.
The Defense Federal Acquisition Regulation Supplement (DFARS) is a set of cybersecurity regulations that defense contractors and their suppliers must follow in order to be awarded new contracts from the DoD, any number of which could serve as the basis for a potential FCA enforcement action. These include, among many others, FAR 52.204-21, which requires protection of federal contract information residing on contractor information systems and timely identification of flaws, and DFARS 252.204-7012, which requires safeguarding of covered defense information and imposes a 72-hour incident reporting period.
An FCA whistleblower—typically a former employee—would likely allege that a contractor’s cybersecurity protocols or responses are out of FAR/DFARS compliance. A whistleblower can show that the company (or an individual) acted knowingly by: (1) having actual knowledge of the information; (2) acting in deliberate ignorance of the truth or falsity of the information; or (3) acting with reckless disregard of the truth of the claim.
The FCA does not require specific intent to defraud, but it does require some intent or knowledge of wrongdoing (scienter). Courts have generally found scienter where statements were made with reckless disregard, where no objectively reasonable interpretation or authoritative guidance supported them (Proctor v. Safeway Inc.), or where there were no facts from which good faith could be inferred (McGrath v. Microsemi Corp.). On June 1, 2023, the U.S. Supreme Court clarified in Schutte v. SuperValu that scienter in FCA cases turns on the defendant’s knowledge and subjective beliefs at the time the claim was made. Within the Supreme Court’s framework, the scienter standard is generally industry-specific.
The default measure of damages under the FCA is the benefit the government received under the contract less the amount paid. In addition to monetary damages (Feldman v. van Gorp), a company may be liable for treble or multiplied damages, which compensate the government for the costs, delays, and inconveniences caused by the fraudulent claims and are calculated before deducting any credits to which the defrauder is entitled (U.S. v. Bornstein); for penalties of thousands of dollars per claim, adjusted for inflation; and for attorneys’ fees. An individual or company found liable under the FCA may also face suspension and debarment, preventing the organization or individual from entering into contracts with the government for a time.
In September 2023, the DOJ announced that a large telecommunications company agreed to pay over $4 million to settle FCA allegations regarding the company’s failure to satisfy certain cybersecurity controls in connection with an information technology service provided to federal agencies. Of note is the company’s proactive approach to the case—including conducting an independent investigation and compliance review and self-reporting—which earned the company cooperation credit with the DOJ, resulting in a reduction in the settlement amount.
The actions of law enforcement and regulators in the past several years show that the U.S. government is focused on cybersecurity—especially when it comes to transparency about security vulnerabilities and breaches—and will continue to use myriad arrows in its quiver to hold companies, government contractors, and individuals accountable.