In the twenty-first century, wars are not fought only with guns and bombs, but also, perhaps primarily, with computers. More and more domestic and international intrusions are committed against public agencies and private companies, many of which contract with the Government to store sensitive data. As just one example, the SolarWinds compromise, attributed to Russian state-sponsored actors, did not spread a conventional virus: the attackers inserted a backdoor into the vendor's own software build, and that backdoor was then delivered to customers through legitimate, signed product updates, giving the attackers a foothold in systems operated by the Pentagon, the Department of Homeland Security, the State Department, the Department of Energy, the National Nuclear Security Administration, and the Treasury.
For this reason, it comes as no surprise that cybersecurity is an increasingly critical issue for consumers and for national security. The False Claims Act and other qui tam statutes give whistleblowers a way to protect the country and potentially to be rewarded for doing so (under the False Claims Act, a relator's share of 15 to 30 percent of any recovery).
The Federal Government Prioritizes Cyber-Fraud Cases
In response to the increasing number of intrusions and data breaches, in May 2021 the Biden administration issued Executive Order 14028, Improving the Nation's Cybersecurity, declaring cybersecurity a top priority for the federal government. On October 6, 2021, the DOJ announced its Civil Cyber-Fraud Initiative, which not only commits the Department to investigating and penalizing cybersecurity-related fraud by contractors and grant recipients, but also serves as a call to arms for whistleblowers to identify and report inadequate cybersecurity measures by government contractors.
Said the Acting Assistant Attorney General: “With the growing threat of cyberattacks, federal agencies are relying heavily on robust cybersecurity protections to safeguard our vital governmental data and information. To the extent that the government pays for systems or services that purport to comply with required cybersecurity standards but fail to do so, it is not difficult to imagine a situation where False Claims Act liability may arise.”
Types of Cybersecurity Fraud
Government contracts often include provisions that require contractors to engage in specific cybersecurity measures. Cyber-fraud cases under the False Claims Act generally fall into one of five categories:
Contractors running Government systems that fail to meet cybersecurity standards
Every Government agency has its own IT system, and often more than one. Consequently, the Government routinely pays contractors to operate its IT systems, including contracts to maintain and store Government data. There is an expectation (and generally a contractual provision) that as part of running these systems, the contractor will keep the information in those systems safe. Failure to maintain adequate cybersecurity of Government systems can make these contractors liable under the False Claims Act.
Contractors housing Government information on their own systems that fail to meet cybersecurity standards
Some contractors need to use Government data in order to perform other functions for the Government. This differs from the category above in that the main purpose of the contract is not to store data or run a system, but rather to perform some other function that requires access to or maintenance of sensitive Government information. In such cases, the contract will likely also contain an express provision requiring that the contractor maintain specific controls on Government data, and further requiring that the contractor certify it has done so. In these instances, a contractor who falsely certifies compliance may also be liable under the FCA.
Under an interim rule published in September 2020 (implemented through DFARS clauses 252.204-7019 and 252.204-7020), and which is expected to apply almost universally by late 2025, defense contractors must, as a condition of receiving a contract with the Department of Defense, carry out Basic Assessments of their compliance with NIST SP 800-171, the standard for safeguarding controlled unclassified information on federal contractors' IT systems and networks, and submit their scores to the DOD's Supplier Performance Risk System (SPRS). A Basic Assessment is a self-assessment: the contractor scores its own system against the 110 requirements of NIST SP 800-171 using the DOD Assessment Methodology, starting from a maximum of 110 and deducting weighted points for each requirement not implemented. Because the score is self-reported and relied upon in awarding contracts, knowingly inflating it in order to receive government contracts would likely constitute a violation of the False Claims Act.
It is especially vital when the contracts are tied to national security that these requirements are met. Certainly, the United States does not want foreign operatives to have access to blueprints for military equipment, for example, which they can then use to build their own weapons or find weaknesses in our weapons.
In one exemplary case, United States ex rel. Markus v. Aerojet Rocketdyne, the company's former senior director of Cyber Security, Compliance and Controls alleged that the rocket manufacturer fraudulently induced the Government into federal contracts by representing compliance with cybersecurity requirements it never intended to meet. The case settled in 2022 for $9 million.
In another, the first settlement under the DOJ's Civil Cyber-Fraud Initiative (Comprehensive Health Services, which paid $930,000 in March 2022) involved a global medical services provider that contracted with the State Department to provide a secure electronic medical records system for facilities in Iraq and Afghanistan. The company routinely left patient records on an internal network drive accessible to non-clinical staff, even after employees raised concerns about this practice, and failed to disclose the practice to the State Department. Unlike the Aerojet case, where the allegation was that the company never intended to comply, this settlement shows that a False Claims Act case can arise where a contractor simply disregards the cybersecurity obligations it has accepted.
Contractors providing insufficient cybersecurity for cloud-based applications
This category is something of a hybrid of the two previous buckets of cybersecurity fraud. Many companies offer cloud-based services, both for storing data and for running applications. These cloud offerings generally come with certifications of certain cybersecurity measures (for federal customers, typically a FedRAMP authorization at a specified impact level), which the Government may rely on when choosing to use their products.
As an example, a False Claims Act case could arise if a cloud-based videoconferencing application marketed as secure could in fact be accessed by unauthorized parties, including foreign nationals. Exactly that kind of issue was so prevalent at the beginning of the Covid pandemic that the Government had to instruct its employees to stop using certain applications and contracted with a software provider for a more secure alternative.
Contractors providing products with inadequate cybersecurity measures
On a basic level, the Government purchases a lot of hardware and software from private companies. Obviously, the Government is paying not just for the product to be functional, but for it to be free of malicious code. If these products carry malware or other known defects, the seller could be liable under the False Claims Act. The SolarWinds software, whose signed updates carried a backdoor that the attackers had inserted into the vendor's build process, is a prime example of the kind of product defect at issue. One caveat: merely being the victim of a supply-chain compromise is not itself fraud. Liability turns on what the vendor represented to the Government about its security practices and whether those representations were true when the claims for payment were submitted.
As another example, in 2018 the city of Atlanta was the subject of a ransomware attack, and the city spent over $2.6 million to recover from it. If a whistleblower knew and could show that a contractor had misled the city about the cybersecurity suite it was supposedly providing, they could have a potential false claims case. Because the federal False Claims Act reaches only claims paid with federal funds, a case over a purely municipal contract would ordinarily proceed under the state's own false claims statute where one exists (as it does in Georgia), unless federal money funded the contract.
More indirectly, the Government purchases large scale projects that include components with technology that requires a measure of cybersecurity. For example, the Department of Defense might pay a defense contractor to build a new helicopter. While the contract is more generally for the delivery of a fully functioning helicopter, it is likely to be a material term of the contract that the navigation and missile-targeting systems are resistant to hacking.
Failing to timely report suspected breaches
Data breaches are big news, as banks, hotel chains, retailers, and social media companies have all been hit by hackers, and many were subsequently hit with lawsuits for failing to protect their customers' information. (You can go to haveibeenpwned.com to see whether your information has appeared in a known breach.)
In many of these cases, the companies attempted to engage in internal damage control before word of the hack got out, and in some instances, it was only after their customers’ information became publicly available that they admitted to the hack.
Needless to say, the Government is not happy when one of its contractors withholds information about even a suspected breach. The Department of Defense, for example, requires contractors and subcontractors under DFARS clause 252.204-7012 to report cyber incidents affecting covered defense information, or the contractor's ability to provide operationally critical support, within 72 hours of discovery, and to preserve images of affected systems and relevant monitoring data for at least 90 days so the Government can investigate. Timely reporting is crucial for the affected agency to respond, remediate any vulnerabilities, and limit the resulting harm.
“For too long, companies have chosen silence under the mistaken belief that it’s less risky to hide a breach than to bring it forward and to report it. Well, that changes today,” said the Deputy Attorney General.
If you are a whistleblower working for one of these contractors and have been asking “shouldn’t we tell the Government about this?”—well, you are probably right! And even if the contractor eventually does report the breach, evidence that it knew about the breach and knowingly failed to tell the Government about it right away could subject it to damages under the False Claims Act.
Not Every Data Breach is a False Claims Act Case
The basis for a cybersecurity False Claims Act case is that the contractor agreed to provide a level of security or reporting that it did not actually provide. The reality is that not every product can be perfect, especially when it comes to out-thinking hackers and even foreign governments. This is why our computers and phones have frequent updates to address vulnerabilities in the software, and even so, hackers still find ways to access private information or spread computer viruses.
The mere discovery of a vulnerability is not likely to be a False Claims Act violation. If that vulnerability is brought to the attention of the company and it chooses not to address it or to inform the Government about it, that could be a viable claim, depending on the contractual requirements and whether the company is still submitting claims for payment to the Government. If the contract has concluded, the product has been delivered, and a flaw is discovered years later, unless the contract had ongoing reporting requirements with associated penalties, it would be difficult to tie a failure to report the vulnerability to a specific “false claim” or obligation to repay funds.
Another commonly raised question is whether a breach of a private healthcare practice's patient data, or non-compliance with HIPAA requirements, can be a False Claims Act case. While it is not impossible, it is unlikely. Unlike cases where the contractor has a cybersecurity obligation to the Government and there are claims for payment tied to that obligation, the mere fact that a healthcare provider submits claims to Medicare or Medicaid does not mean that its obligations to protect patient information create a viable case under the False Claims Act.
What are the Potential Damages for Cybersecurity Fraud?
As each case is different, there is no set formula for calculating damages for cybersecurity fraud, but the DOJ’s position is clear: there does not have to be a hack—i.e., actual damages to the Government—for there to be FCA damages. In the Aerojet case, for example, the defendant argued that the Government received the full economic value of the goods and services in its contract. The DOJ responded that “the government did not just contract [with Aerojet] for rocket engines,” but also “to store the government’s technical data on a computer system that met certain cybersecurity requirements.” Thus, the government contended there can be damages even where a perfect product is ultimately delivered and even if there is no breach of the Government’s data.
One possible way to calculate damages is the cost of the cybersecurity program that was not actually provided. This is likely to be on the lower end of the damages spectrum.
Another method would be to have an expert explain the value of the services, which would factor in the costs of providing the cybersecurity, the risks of the information being unprotected, the potential damages if unknown hacks occurred, and other factors.
In the case of an actual hack, like with the city of Atlanta, damages can easily include all of the costs of the remediation efforts, which are likely to be substantial, since but for the defective software, the Government would never have had to undertake those efforts.
Whistleblowers have Protections from Retaliation
As detailed on our Whistleblower Retaliation page, an employer may not retaliate against an employee, contractor, or agent for engaging in lawful acts performed in furtherance of a False Claims Act case (e.g., investigating, gathering evidence) or for efforts to stop False Claims Act violations (e.g., internal or external reporting of the wrongdoing).
In addition to the standard protections offered by the anti-retaliation provision of the False Claims Act, most of these cases are likely to arise against Government contractors, which means that the contractor whistleblower protections enacted through the National Defense Authorization Act (NDAA), codified at 41 U.S.C. § 4712 for civilian agency contracts and at 10 U.S.C. § 4701 (formerly § 2409) for Department of Defense contracts, along with various agency-specific statutes, are also likely to apply. These protections are even broader than those under the False Claims Act, as they cover not just fraud but also gross mismanagement, waste, or abuse of authority relating to government funding, violations of law, rule, or regulation related to the contract, and substantial and specific dangers to public health or safety. Moreover, these statutes generally begin with a complaint to the agency's Inspector General and an agency investigation, after which the Government can order the contractor to pay retaliation-related damages without the need for litigation and a trial.