In October of 2021, the Department of Justice launched the Civil Cyber-Fraud Initiative (the “Initiative”). The Initiative is an effort by the Biden administration to increase security over the federal government’s data and digital systems after the April 2021 security breach of government contractor SolarWinds’ software. The SolarWinds breach allowed hackers to access the Cybersecurity and Infrastructure Security Agency, an office of the Department of Homeland Security dedicated, ironically, to preventing cyberattacks.
The Initiative empowers the Department of Justice to bring claims under the False Claims Act against government contractors and grant recipients who: fail to comply with statutory, regulatory, and contractual cybersecurity requirements in providing technology services to the government; misrepresent cybersecurity practices and protocol; and fail to timely report a breach of government cybersecurity requirements.
The first settlement under the Initiative came in March 2022, when medical service provider Comprehensive Health Services LLC (“CHS”) paid $930,000.00 to resolve allegations that it violated the False Claims Act. The DOJ alleged that CHS, who was contracted to provide medical services at government facilities in Afghanistan and Iraq, falsely represented compliance with cybersecurity requirements by failing to store medical records on a secure electronic medical record (“EMR”) system, despite billing the government for the cost of such a secure EMR system. The failure to use a secure EMR system constituted a violation of government contractual requirements and posed a risk to the privacy of the confidential medical records of United States service members. The CHS settlement was the result of two lawsuits brought under the qui tam provisions of the False Claims Act by former senior IT executives at CHS.
Not long after the CHS settlement was reached, the DOJ announced another settlement under the Initiative in July 2022. Aerojet Rocketdyne Inc., an aerospace company that provides propulsion and power systems to NASA and the Department of Defense, agreed to pay $9 million to resolve allegations that it misrepresented compliance with contractual cybersecurity requirements. The settlement came after an Aerojet employee brought a qui tam lawsuit against the company.
Due to the complexity of cybersecurity issues, Tech Insiders like the Aerojet employee and CHS executives are ideal whistleblowers for actions brought under the Initiative. Such insiders not only have knowledge of the occurrence of a breach but the technical expertise to understand and explain the nature and ramifications of security breaches by tech companies. Additionally, the DOJ has issued assurances that Insiders who come forward with reports of breaches under the Initiative will be protected from retaliation by their employers.