With Civil Cyber-Fraud Initiative, government sharpens focus on cybersecurity obligations for government contractors

The US Department of Justice has announced its Civil Cyber-Fraud Initiative, which will use the False Claims Act to pursue cybersecurity-related fraud by government contractors.

In a recent publication, Cybersecurity obligations for government contractors – focus on them before the government focuses on you, we discussed how the government’s increased focus on government contractors’ compliance with cybersecurity regulations creates a heightened risk of cybersecurity-related False Claims Act liability. That trend is continuing.

At a recent Cybersecurity and Infrastructure Security Agency event, Acting Assistant Attorney General Brian Boynton discussed how the Civil Cyber-Fraud Initiative would utilize the False Claims Act to pursue cybersecurity-related fraud. AAG Boynton stated that the False Claims Act was a “natural fit” for pursuing the knowing failure to comply with cybersecurity requirements because failing to comply with the requirements “deprives the government of what it bargained for.”

He also asserted that a contractor’s knowing misrepresentation of security controls (such as password and access controls) and practices (such as monitoring for breaches) “may cause the government to choose a contractor who should not have received the contract in the first place,” and that a knowing failure to timely report suspected breaches could violate the False Claims Act. AAG Boynton encouraged whistleblowers “with inside information” to come forward and stated that the Department of Justice “expect[s] whistleblowers to play a significant role in bringing to light knowing failures and misconduct in the cyber arena.”

Implied-certification theory

These remarks indicate that the government may attempt to use an implied-certification theory of liability to pursue cybersecurity-related fraud, which generally applies when a contractor makes representations in submitting a claim but omits its violation of statutory, regulatory, or contractual requirements.

For instance, the government could argue that a contractor impliedly certified compliance with certain security controls or monitoring requirements when it submitted a claim for payment. This risk is particularly heightened in light of the recent DFARS 252.204-7020 requirement to report the results of a cybersecurity self-assessment directly to the government.

Fraud-in-the-inducement theory

AAG Boynton’s comments further indicate that the government may pursue cybersecurity-related fraud under a fraud-in-the-inducement theory, which would assert that a contractor’s knowing misrepresentation of compliance with cybersecurity requirements at the outset fraudulently induced the government into entering the contract. This theory of liability carries the threat of potentially massive damages because the government frequently argues that it has lost the “benefit of the bargain” when it enters into a contract based on a company’s misrepresentation, and damages may be trebled in certain circumstances under the False Claims Act.

While there are good reasons that such a theory should not apply in a False Claims Act context, and even better reasons that the damages in such a case do not equal the entire value of the contract, the government has, with mixed results, pursued the theory and sought such onerous damages in the past.

We will continue to monitor developments in this area. If you have any questions, please contact the authors or your DLA Piper relationship attorney.

This article originally was published as a DLA Piper alert in November 2021.