The False Claims Act (“FCA”) continues to be a significant tool for the government to ensure compliance with companies that contract with the United States.  The FCA prohibits any person from knowingly presenting, or causing to be presented, a false or fraudulent claim for payment to the federal government.  It prohibits the possession, custody, or control of property or money used, or to be used, by the government and knowingly delivering, or causing to be delivered, less than all of that money or property.  31 U.S.C. § 3729(a)(1)(D).  The FCA also prohibits any person from knowingly making, using, or causing to be made or used, a false record or statement material to a false or fraudulent claim.  

In announcing the Civil Cyber-Fraud Initiative in October 2021, Deputy Attorney General Lisa O. Monaco explained that “[t]he Civil Cyber-Fraud Initiative will utilize the False Claims Act to pursue cybersecurity-related fraud by government contractors and grant recipients.”  The Civil Cyber-Fraud Initiative aims to stop companies from underreporting or hiding breaches.  The initiative also aims to hold accountable individuals, government contractors, entities, and grant recipients who receive federal funds and put “U.S. information or systems at risk by knowingly providing deficient cybersecurity products or services, knowingly misrepresenting their cybersecurity practices or protocols, or knowingly violating obligations to monitor and report cybersecurity incidents and breaches.”

Nearly one year after announcing the Civil Cyber-Fraud Initiative, the DOJ has recovered at least $9.9 million in settlements.  In March 2022, the DOJ announced its first settlement under the Civil Cyber-Fraud Initiative.  The March 2022 press release noted that Comprehensive Health Services LLC (“CHS”) had agreed to pay $930,000 to resolve allegations it violated the FCA. According to the government, CHS provided global medical services and contracted with the government to provide medical support services at government-run facilities in Iraq and Afghanistan.  The settlement would resolve allegations that CHS falsely represented to the government that it complied with contract requirements relating to the provision of medical services.

Four months after announcing its first settlement, the DOJ announced its second settlement, which Chilivis Grubman has previously discussed.  The second settlement involved Aerojet Rocketdyne, Inc. (“Aerojet”), an aerospace and defense company headquartered in California, which agreed to pay $9 million to resolve allegations it misrepresented its compliance with cybersecurity requirements in violation of the FCA.

With the growing trend of cyber-incidents and breaches, companies doing business with the federal government should consider the Civil Cyber-Fraud Initiative and the use of the FCA to enforce compliance.  The potential damages or financial penalties in FCA cases can be significant (e.g., treble damages and statutory penalties for each claim).  And like other FCA cases, whistleblowers can be a source of the initial claims – which occurred in the first two settlements in the Civil Cyber-Fraud Initiative.  The Civil Cyber-Fraud Initiative will continue, especially considering the government’s open call for whistleblowers.  Principal Deputy Assistant Attorney General Brian M. Boynton, head of the Justice Department’s Civil Division, noted: “[w]histleblowers with inside information and technical expertise can provide crucial assistance in identifying knowing cybersecurity failures and misconduct.” And U.S. Attorney Phillip A. Talbert for the Eastern District of California also noted that “whistleblowers can contribute to civil enforcement of cybersecurity requirements through the False Claims Act.”

The attorneys at Chilivis Grubman represent clients of all types and sizes in connection to False Claims Act litigation, government investigations, and cybersecurity fraud investigations.  If you need assistance with such a matter, please contact us today.