Have you heard of the False Claims Act?
It is the U.S. government’s primary tool for addressing the knowing misuse of taxpayer funds, and it’s about to apply to cybersecurity.
Brian Boynton just explained how. He is Acting Assistant Attorney General for the Civil Division at the U.S. Department of Justice.
The False Claims Act was enacted during the Civil War to address fraud involving contractors selling defective goods to the Union Army.
It prohibits “knowingly submitting or causing the submission of false claims to the government.” And it permits the government to recover three times its losses, plus a penalty for each false claim.
Under the new Civil Cyber-Fraud Initiative, it will soon be applied through an information security lens to any organization that does business with the government.
The Acting Assistant Attorney General just outlined three specific ways the DOJ plans to pursue civil action for cybersecurity vendor failures—or misrepresentations of cybersecurity:
You can probably guess why the U.S. government is doing this, but Boynton also spells it out:
“At bottom, the department’s Civil Cyber-Fraud Initiative will hold accountable entities or individuals that put U.S. information or systems at risk.”
Does this mean if your organization is breached while doing business with the government you will face federal litigation? Perhaps.
Were you negligent? Were you misleading about the actual state of your cybersecurity? These are the types of questions the DOJ will consider.
“We also recognize that cyber incidents and breaches may result even when a contractor has a robust monitoring, detection, and reporting system.
But when contractors or grantees knowingly fail to implement and follow required cybersecurity requirements or misrepresent their compliance with those requirements, False Claims Act enforcement is an important part of the federal response.”
Brian Boynton says this new Civil Cyber-Fraud Initiative came about following the Biden Administration’s Executive Order on cybersecurity.
That order directed the federal government to use the full scope of its authorities and resources to protect its systems, and part of that, he says, is enforcement.
Boynton says there are a number of hoped-for outcomes that will mitigate cyber risk:
“The initiative will improve overall cybersecurity practices and help prevent cybersecurity intrusions across the government, the public sector and key industry partners.
The federal government is one of the largest purchasers of cyber products and services. Federal agencies spend billions of dollars each year on contracts and grants relating to cybersecurity. The cybersecurity requirements that the federal government sets for companies that it does business with can raise the bar for the industry as a whole—benefiting both the government and the public generally.”
He believes the Civil Cyber-Fraud Initiative will hold contractors and grantees to their commitments to protect government information and infrastructure.
And there are three additional things the Department of Justice is hoping for from this new effort:
“The initiative will ensure a level playing field. Companies that follow the rules and invest in meeting cybersecurity requirements will have assurance that they will not be at a competitive disadvantage for doing so.”
“The initiative will support the work of government experts to timely identify, create and publicize patches for vulnerabilities in commonly-used information technology products and services.”
“The initiative will reimburse the taxpayers for the losses incurred when entities or individuals fail to satisfy their cybersecurity obligations.”
Boynton added that a data breach is not the only thing that could trigger civil action; two other avenues could lead to it.
First, the DOJ is partnering on this initiative with Inspector General offices across numerous federal agencies. The IGs regularly examine compliance and cyber risk.
Second, whistleblowers are protected under the False Claims Act, and, as in other civil cases, they could play a key part in alerting the government to problems.
How vigorously will the enforcement be around cybersecurity? That remains to be seen. But the department has the muscle to do it. The Civil Division at the DOJ is the largest litigating division in the department, with more than a thousand lawyers across six different branches.