
DOJ’s Civil Cyber-Fraud Initiative Secures More Than $9 Million In Two False Claims Act Settlements For Alleged Cybersecurity Violations – Security


Last fall, the United States Department of Justice
(“DOJ”) launched its Civil Cyber-Fraud Initiative
(“CCFI”) as part of its effort to “combat new and
emerging cyber threats to the security of sensitive information and
critical systems.” Led by the Civil Fraud Section of DOJ’s
Commercial Litigation Branch, the CCFI uses the False Claims
Act (“FCA”), a civil statute, to pursue government contractors,
federal grant recipients, and others for cybersecurity-related fraud.

The CCFI secured its first settlement in March 2022 in the Eastern
District of New York. Comprehensive Health Services
(“CHS”) of Cape Canaveral, Florida, agreed to pay
$930,000 to resolve allegations that it violated the FCA by falsely
representing compliance with contract requirements relating to the
provision of medical services at State Department and Air Force
facilities in Iraq and Afghanistan. In the settlement agreement,
DOJ specifically alleged that CHS failed to store medical records
on a secure electronic medical record system. According to DOJ some
of the medical records were saved to an unsecured internal network
drive and improperly made accessible to non-clinical staff.
According to DOJ, this constituted a direct violation of government
contractual requirements and raised numerous privacy concerns. In
announcing the settlement, DOJ reiterated its
priority of curbing cybersecurity violations that place
“confidential medical records” at risk.

About four months after its resolution with CHS, DOJ announced that a defense contractor agreed
to pay $9 million to resolve allegations that it violated the FCA
by allegedly misrepresenting its compliance with cybersecurity
requirements in certain federal government contracts, including
contracts with the Department of Defense and NASA.

The CCFI aims to hold government contractors and grant
recipients accountable under the FCA for violations involving
cybersecurity-related fraud. Specifically, the CCFI is focusing its
enforcement efforts on individuals and entities that knowingly
provide deficient cybersecurity products or services, knowingly
misrepresent their cybersecurity practices or protocols, or
knowingly violate their obligations to monitor and report
cybersecurity incidents and breaches within the applicable
timelines.

Since 1986, DOJ’s Civil Fraud Section has recovered over $70
billion in FCA settlements and judgments, including over $5.6
billion in 2021 alone—the second largest annual recovery in
its history. Indeed, DOJ’s creation of the CCFI—which
drastically expands the potential liability of government
contractors, grant recipients, and other health care providers
participating in federal health care programs—signals that
the government seeks to continue enforcing the FCA by focusing on
data privacy and cybersecurity violations.

Both of DOJ’s resolutions stemmed from actions brought by
whistleblowers under the qui tam provisions of the
FCA. These provisions allow private parties to file actions on
behalf of the United States and to receive a portion of any
settlement or judgment in which the United States recovers damages,
assessments, and/or penalties. The FCA is especially forceful because
of its treble damages provision, which enables the government to
recover up to three times the amount of the alleged loss to the
federal government, in addition to attorney’s fees and costs.
Consequently, qui tam relators, who are entitled
to between 15 and 30 percent of the total amount recovered by the
federal government, will likely be highly motivated to come
forward with evidence of cybersecurity failures, especially those
placing protected health information (“PHI”) at risk. As
such, DOJ’s enforcement activity under its CCFI stands to
significantly benefit the plaintiff’s bar as employees become
increasingly motivated to report their employers to the federal
government for alleged FCA violations, including those relating to
cybersecurity and data privacy.

In promoting the work of CCFI, DOJ’s Principal Deputy
Assistant Attorney General has emphasized that whistleblowers with
“inside information and technical expertise can provide
crucial assistance in identifying knowing cybersecurity failures
and misconduct.” DOJ will likely increasingly rely on
whistleblowers to contribute to civil enforcement of cybersecurity
requirements via the FCA.

Additionally, the CCFI will likely continue to rely on the
false certification theory of FCA liability. Under that theory,
FCA liability may be imposed if a government contractor
misrepresents its cybersecurity compliance to the federal
government while knowingly or recklessly disregarding the
cybersecurity requirements set forth in a federal government
contract. Furthermore, misrepresentations regarding a
contractor’s cybersecurity protocols, including those
describing its cyber threat preparedness, may expose a contractor to
FCA liability even if the misrepresentations occur outside of an
executed contract, for example in contract proposals or in
correspondence with federal government staff relating to
contemplated or executed contracts. Entities must therefore
strictly adhere to the Solicitation Provisions and Contract Clauses
of the Federal Acquisition Regulation (“FAR”) that apply to
their contracts. Similarly, defense contractors must adhere to the
certifications of compliance with cybersecurity requirements set
forth in the Defense Federal Acquisition Regulation Supplement
(“DFARS”). See also 31 U.S.C. § 3729.

DOJ’s CCFI enforcement efforts also implicate the potential
liability of covered entities under the Health Insurance
Portability and Accountability Act of 1996 (“HIPAA”).
The United States Department of Health and Human Services,
Office for Civil Rights (“OCR”), has traditionally
enforced compliance with the HIPAA Privacy and Security Rules, and
alleged violations of HIPAA have not traditionally provided
bases for FCA actions or resolutions. Increasingly, however, FCA
investigations have intersected with cybersecurity matters,
including data breaches involving PHI, where privacy and
security measures are required under the applicable FAR provisions
and/or government contracts. Consequently, coordination and
cooperation between the CCFI and OCR is likely as the FCA becomes
yet another instrument in the federal government’s HIPAA
enforcement repertoire.

Government contractors and grant recipients, as well as other
participants in federal health care programs, should expect
increased enforcement of cybersecurity-related fraud under the FCA.
Furthermore, as a result of DOJ’s creation of the CCFI, the FCA
may now be used as a privacy- and security-related enforcement
tool where cybersecurity violations are involved, which may include
data breaches involving PHI and other sensitive personal
information. Participants in federal health care programs should
therefore conduct comprehensive internal audits and reviews of their
technical safeguards, and of the cybersecurity representations made
in their proposals and contracts, to confirm that they comply both
with the cybersecurity-related provisions of their government
contracts and with the applicable privacy- and security-related
requirements.

* * * * * *

Special thanks to summer associates, Sarah Ghivizzani and
Michael J. Menconi for their contributions to this post.



The content of this article is intended to provide a general
guide to the subject matter. Specialist advice should be sought
about your specific circumstances.
