DOJ’s Civil Cyber-Fraud Initiative: A Milestone in Cybersecurity Enforcement
DOJ’s Civil Cyber-Fraud Initiative: A Milestone in Cybersecurity Enforcement
In October 2021, the Department of Justice’s (DOJ) launched its Civil Cyber-Fraud Initiative, a pioneering effort to use the False Claims Act to prosecute (1) government vendors that knowingly provide the government deficient cybersecurity products and services, and (2) government contractors that knowingly misrepresent their cybersecurity procedures and protocols, leaving critical government information and data exposed. Among other benefits, the government anticipated that the initiative would improve resilience against cybersecurity intrusions in the government and among key government partners and would reimburse taxpayers for losses resulting from a company’s failure to satisfy its cybersecurity obligations.
In three years since the DOJ launched the initiative, it has consistently used the Civil Cyber-Fraud Initiative to hold responsible those that fail to comply with cybersecurity requirements. In the initiative’s first full year, 2022, the DOJ recovered $9,930,000.00. Most of that total came when Aerojet Rocketdyne, Inc. paid $9,000,000 to resolve allegations that it had misrepresented its compliance with cybersecurity requirements in certain government contracts. The additional $930,000 resulted from claims that Comprehensive Health Services LLC failed to provide a secure electronic medical record (EMR) system, potentially exposing confidential information about United States service members working and receiving medical care in Iraq.
2023 saw continued enforcement under the Civil Cyber-Fraud Initiative, with two cases resolving for a total of $4,385,089. The Verizon Business Network Services paid $4,091,317 to settle claims that it failed to implement required cybersecurity controls in its Managed Trusted Internet Protocol Service (MTIPS) provided to federal agencies. And Jelly Roll Communications Design LLC paid $293,771 to resolve FCA claims alleging that the company failed to secure personal information of those using a Florida Medicaid enrollment website.
Now in 2024, three years since DOJ announced it, the Civil Cyber-Fraud Initiative is having its most prolific year so far with $14,000,000 already recovered. This total resulted from two cases, each initially pursued by whistleblowers . In the year’s first recovery, Insight Global, LLC paid $2,700,000 to settle claims that it did not implement sufficient cybersecurity measures to protect health information related to COVID-19 tracing. Shortly thereafter, the DOJ resolved the largest cybersecurity related FCA matter to date, when a pair of consulting companies, Guidehouse, Inc. and Nan McKay and Associates, agreed to pay a combined $11,300,000 after they failed to satisfy cybersecurity requirements for an online federal rental assistance program.
This year has also seen another first for the Civil Cyber-Fraud Initiative—a DOJ intervention in an FCA case based on deficient cybersecurity measures. U.S. ex rel. Craig v. Georgia Tech Research Corp., 1:22-cv-02698 (N.D. Ga.). The relators in that case, one of whom served as Georgia Tech’s Associate Director of Cyber Security, filed the lawsuit in July 2022 less than a year after the initiative’s launch. The matter remains ongoing, with the DOJ recently filing its complaint-in-intervention alleging numerous cybersecurity compliance failures included a lack of proper training, the use of unqualified personnel, and insufficient malware.
In just three short years, DOJ’s Civil Cyber-Fraud Initiative has led to recoveries totaling $28,315,089. And at least $5,000,000 has been paid to relators coming forward with information about cybersecurity fraud. These recoveries, sure to grow significantly as investigations of sealed cases conclude, demonstrate how the DOJ has already effectively leveraged the FCA to address and deter cybersecurity lapses. And as cyber threats continue to evolve, this initiative remains a critical tool in safeguarding the integrity of federal operations and protecting taxpayer dollars.
Cybersecurity Settlements and Developments by Year
2022
March 8, 2022 – $930,000 (CHS)
July 8, 2022 – $9,000,000 (Aerojet Rocketdyne)
2022 Total – $9,930,000
2023
March 14, 2023 – $293,772 (Jelly Bean Communications)
September 5, 2023 – $4,091,317 (Verizon Business Network)
2023 Total – $4,385,089
2024
April 23, 2024 – First Intervention U.S. ex rel. Craig v. Georgia Tech Research Corp.
May 1, 2024 – $2,700,000 (Insight Global)
June 17, 2024 – $11,300,000 (Guidehouse/Nan McKay)
2024 Total – $14,000,000
Scott Terry is a False claims Act and Employment Attorney at Florin Gray