Law360 (February 23, 2022, 8:52 PM EST) — The U.S. Department of Justice’s recent announcement of a crackdown on cybersecurity-related fraud was designed to get more whistleblowers to come forward, as well as to get more contractors to self-report cybersecurity breaches, a senior DOJ attorney said Wednesday.
The civil initiative is intended to improve the DOJ’s internal capabilities to address fraud related to federal cybersecurity requirements, and to put the department “in a better position to bring more successful cases,” said Colleen Kennedy, deputy chief in the Civil Division at the U.S. Attorney’s Office for the Eastern District of California, at a panel as part of the Federal Bar Association’s annual Qui Tam Conference, held virtually this year as it was in 2021.
The initiative is also an attempt by the DOJ “to conduct outreach and training to encourage folks like the relators’ counsel, who are in attendance today, to bring us good cases that DOJ can pursue,” said Kennedy, who pointed out that she was speaking only in a personal capacity and not on behalf of the DOJ.
In line with that, the DOJ will probably pay more attention in that future to suits that qui tam relators label as cybersecurity fraud cases, she said.
When announcing the initiative in October, Deputy Attorney General Lisa Monaco said the DOJ would use the False Claims Act to pursue cybersecurity-related fraud claims against federal contractors for putting “U.S. information or systems at risk.”
Monaco did not specifically say that the initiative was intended to get whistleblowers to bring more cybersecurity-related cases, but made allusions to that effect, said Renée Brooker, a partner in Tycko & Zavareei LLP’s whistleblower practice, a former assistant director for civil fraud issues at the DOJ, and moderator of the panel.
“There have certainly been other DOJ initiatives, but I’ve never seen DOJ put out a missive on its website basically looking for whistleblowers,” Brooker said.
In addition to encouraging whistleblowers, the initiative is aimed at getting companies and their counsel to self-report any cybersecurity issues, “to try to deter bad actors from taking advantage of vulnerabilities that may exist,” Kennedy said.
Despite the initiative, however, it is likely to be tough for the DOJ and potential whistleblowers to find good cybersecurity-related False Claims Act cases to pursue, at least over the next few years, said Blank Rome LLP partner Jennifer Short, a former assistant U.S. attorney who represents government contractors and health care providers in matters involving government and internal investigations, including False Claims Act cases.
There is currently a “patchwork” of cybersecurity-related regulations across federal agencies, many of which are in flux, so proving a violation of the False Claims Act could be difficult on the government side, particularly given requirements such as providing scienter — intent, or knowledge of wrongdoing — and relevance of an alleged false claim, according to Short.
“Where’s the actual statutory, regulatory or contractual violation that will give you that in, where you can relate the misconduct to a claim for payment by the government?” she said. “I think those are going to be harder cases in the near term, because the agencies are still struggling with ‘what are our regulations, our contract provisions, what are the standards by which we are measuring people?’ ”
Michael Ronickher, a partner at whistleblower firm Constantine Cannon LLP, suggested that within that initial “transitional period,” only the most obvious cybersecurity-related cases were likely to be pursued; “low-hanging fruit” such as a contractor failing to report the theft of sensitive government data by a foreign power while continuing to tout its high security standards.
“Those would succeed right now,” he said. “The marginal ones about, ‘are you meeting the ever-changing certification requirements?’ That was described to me by an expert in this space recently as looking to see if a high school junior had met the graduation requirements, right? It feels a little premature.”
Kennedy pushed back against Short’s view, saying that she believed that the initiative “really is just trying to increase our focus and ability to bring the cases that, as [Ronickher] said, are there to be brought … it’s always going to come back to, ‘What does the contract say?'” and the specific facts of a case.
“And so the initiative is not imposing anything new on industry; it’s simply trying to improve our ability to bring these cases that are there,” she said.
By Daniel Wilson
Read more at: https://www.law360.com/governmentcontracts/articles/1467843/doj-atty-says-cybersecurity-plan-is-a-call-to-whistleblowers?nl_pk=548bbe39-2227-4704-b142-d9d54d6e48b0&utm_source=newsletter&utm_medium=email&utm_campaign=governmentcontracts?copied=1