For CIOs, CISOs, BISOs and other cybersecurity professionals, your gaze is trained to look outward. Whether it is penetration testing, vulnerability assessments or SOC 2 or NIST audits, you scan the horizon in anticipation of an external threat, hostile actor and unauthorized system activity. But what if the threat instead comes from within, for example, from your organization’s failure to comply with its customers’ contractual cybersecurity requirements? In this article, we will take a closer look at the five enforcement actions the U.S. Department of Justice has taken to date against private companies under the False Claims Act for failing to meet cybersecurity requirements in their provision of services to various federal agencies. By examining the types of cyber failures that DOJ has found actionable and noting the trends, we hope to help your organization, to borrow the words of former U.S. Supreme Court Justice Oliver Wendell Holmes, Jr., to “turn square corners when they deal with the Government.”
Prosecuting new and emerging cyber threats has become a top enforcement priority of the U.S. Justice Department. In October 2021, the Department launched its Civil Cyber-Fraud Initiative dedicated to using the False Claims Act to combat cyber fraud by government contractors and grant recipients. Announcing the initiative, Deputy Attorney General Lisa Monaco said, “we will use our civil enforcement tools to pursue companies, those who are government contractors who receive federal funds, when they fail to follow required cybersecurity standards — because we know that puts all of us at risk.”
Before discussing the specifics of the five successful cases individually, let us first explore some of the overarching trends and noteworthy themes emerging from the cases as a whole:
- Three of the five cases were initiated by whistleblowers who, under the qui tam provisions of the False Claims Act, are allowed to assist the Government in identifying and pursuing fraudulent conduct and receive a share of the Government’s financial recovery.
- Two of the whistleblowers were seasoned cybersecurity professionals, including one who held the job title of Senior Director of Cybersecurity, Compliance and Controls, while four of the whistleblowers were medical professionals. One of the whistleblowers was a European who made his report while working in Denmark for a vendor of the company he reported on.
- Only one of the cases appears to have involved an actual cybersecurity incident/hack/breach where information was compromised.
- Two of the cases involve government contractors’ failure to safeguard patients’ healthcare information and two of the cases involve government contractors’ failure to safeguard sensitive unclassified and technical information belonging to agencies charged with protecting national security, including the Department of Defense (DOD) and NASA.
- One of the cases named both the individual owner of the government contractor and the company itself as the parties responsible for paying the settlement amount.
- In two of the cases, state and local governments as well as the federal government jointly prosecuted the cases.
- While three of the five cases are in line with or attributable to the Civil Cyber-Fraud Initiative, two appear to predate the Initiative.
Now for a whistle-stop tour, in chronological order from date of settlement, of the five successful enforcement actions involving False Claims Act allegations of cybersecurity fraud.
- United States ex rel. James Glenn v. Cisco Systems, Case No. 1:11-cv-00400 (Western District of New York).
In July 2019, in the first cybersecurity whistleblower case ever successfully litigated under the False Claims Act, Cisco Systems, Inc. agreed to an $8.6 million settlement to resolve allegations it knowingly sold vulnerable video surveillance software to federal, state and local government agencies, exposing government systems to the risk of unauthorized access and the manipulation of vital information. The settlement resolved claims under the False Claims Acts of the United States and other jurisdictions arising from Cisco’s sale of defective video surveillance software to the federal government, 15 plaintiff states, and the District of Columbia.
James Glenn, the whistleblower who initiated the case and received a $1 million whistleblower reward, alerted the government that, beginning in 2008, Cisco allegedly concealed critical security vulnerabilities in the video surveillance software (Video Surveillance Manager, or VSM) it was selling to government entities, including the Department of Homeland Security, the Secret Service, the Army, the Navy, the Air Force, the Marine Corps and the Federal Emergency Management Agency. Glenn was working for a Cisco distribution partner in Denmark when he first discovered and reported to Cisco that anyone with a moderate grasp of network security could exploit this software to gain unauthorized access to stored data, bypass physical security systems, and gain “administrative” access to the entire network of a government agency, all without detection. Despite repeated internal warnings about VSM’s flaws, Cisco allegedly continued to sell the vulnerable software to high-profile infrastructure targets.
- United States ex rel. Brian Markus v. Aerojet Rocketdyne, Case No. 2:15-cv-2245 (Eastern District of California).
On July 8, 2022, DOJ announced that Aerojet Rocketdyne had agreed to pay $9 million to resolve allegations that it had signed Government contracts with the Department of Defense and NASA falsely representing that it was compliant with DFARS, NASA FARS and other required cybersecurity controls. According to whistleblower Brian Markus, who was Aerojet’s Senior Director of Cybersecurity, Compliance and Controls and received a $2.61 million whistleblower reward, Aerojet concealed from the Government critical information about its noncompliance, including deficiencies noted on multiple audits by the same third-party vendor that went uncorrected over the course of multiple years. Among the deficiencies the third-party auditor noted was that Aerojet allegedly was less than 25% compliant on items requiring 100% compliance.
- United States ex rel. M. Sean Lawler, DDS v. Comprehensive Health Services et al., Case No. 1:20-cv-00698 (Eastern District of New York) & United States ex rel. James Watkins, M.D., et al. v. CHS Middle East LLC, Case No. 1:17-cv-04319 (Eastern District of New York).
On March 8, 2022, DOJ announced its first settlement under the Civil Cyber-Fraud Initiative. Comprehensive Health Services LLC (CHS), located in Cape Canaveral, Florida, paid a $930,000 settlement to resolve allegations that it had violated the False Claims Act by making false statements in connection with its provision of medical services to members of the State Department and Air Force stationed in Iraq and Afghanistan. The allegations were made in two separate lawsuits each initiated by discrete whistleblowers who had worked as medical providers for CHS.
The gravamen of the allegations was that instead of adhering to the contract terms and providing the U.S. Government with a secure electronic medical records system to store medical records of U.S. service members, diplomats, officials and contractors working in Iraq and Afghanistan, CHS failed to disclose that it had put some of the records on an internal, unsecured network drive.
- United States v. Jelly Bean Communications Design (Middle District of Florida).
On March 14, 2023, DOJ announced that it had settled with Jelly Bean Communications Design, a Florida website design firm, and its Owner and Manager Jeremy Spinks for $293,771 to resolve allegations that it had failed to secure personal information on a website that it had created, hosted and maintained for Florida Healthy Kids Corporation (FHKC), a Florida state entity that receives federal and state funds to provide children’s health insurance. The allegations described in the Settlement Agreement as being resolved included that 500,000 applications containing personal information submitted on the website had been hacked by a third party and that Jelly Bean was running outdated and vulnerable applications, many of which had not been patched since 2014. The case was brought solely by the U.S. Government and was not initiated by a whistleblower.
- United States v. Verizon Business Network Services LLC.
On September 5, 2023, DOJ announced another win under its Civil Cyber-Fraud Initiative. This time Verizon Business Network Services LLC agreed to pay $4 million to settle claims that it had failed to completely satisfy certain cybersecurity controls in connection with an information technology service called MTIPS (Managed Trusted Internet Protocol Service) provided to federal agencies under TIC, the Government’s 2008 Trusted Internet Connections Initiative. The case is notable because it was not initiated by the Government or a whistleblower. Instead, Verizon self-disclosed its violations under a provision of the False Claims Act, 31 U.S.C. section 3729(a)(2) whereby an entity violating the False Claims Act can receive reduced damages if it furnishes information about its violation to government officials within 30 days of discovering it.
Although it is still being actively litigated and has not yet been resolved, another False Claims Act cybersecurity case to keep an eye on is United States ex rel. Matthew Decker v. Penn State University, Case No. 22-cv-03895 (Eastern District of Pennsylvania). Whistleblower Matthew Decker, the former Chief Information Officer at Penn State University’s Applied Research Lab, initiated the case, which alleges that PSU falsely certified compliance with the Department of Defense’s cybersecurity requirements, including DFARS and a number of requirements under NIST SP 800-171, “Protecting Controlled Unclassified Information (CUI) in Nonfederal Information Systems and Organizations,” despite obvious and repeated noncompliance. Among the compliance failures that Decker alleges PSU failed to disclose to the Government when seeking payment under its DOD and NASA contracts are the knowing submission of false risk assessment scores and incomplete records into the Supplier Performance Risk System, the movement of cloud services from Box to Microsoft 365 commercial, which is not FedRAMP certified, and the failure to create required System Security Plans.
Although it has declined to intervene in whistleblower Decker’s case thus far, the Government made clear in its declination notice that it continues to actively investigate the case, is analyzing documents the University is producing pursuant to the Government’s pre-litigation subpoena, and reserves the right to join the case once its investigation has concluded.
We leave you with this final word of advice. It is easy for CIOs, CISOs, BISOs and other cybersecurity professionals to see whistleblowers as threats. From childhood, we are told some form of the old trope that “snitches get stitches and wind up in ditches.” Unfortunately, when dealing with whistleblowers, companies all too often act reflexively and retaliate against them for speaking up, typically by firing them. Fortunately, new research dispels this myth of whistleblowers as disloyal employees and instead firmly establishes them as among a company’s most loyal employees – a CIO’s best friend, a “forward indicator of risk” (a phrase coined by British social behavioral scientist Christian Hunt), and a vital risk management tool. See Evidence on the Use and Efficacy of Internal Whistleblowing Systems by Professors Kyle Welch and Stephen Stubben, finding that companies with internal whistleblowing systems that are actively used by employees are more profitable than companies with inactive systems and face fewer government investigations and smaller settlements.
So next time an employee has the courage and fortitude to speak up and illuminate potential cybersecurity breaches, listen up. It is high time we dump the medieval mindset and stop shooting the messenger to divert attention from the message. As the recent spate of False Claims Act cases demonstrates, heeding the whistleblower’s whistle may just keep you out of the DOJ’s crosshairs.