GOVERNMENT CONTRACTING INSIGHTS CYBERSECURITY
Expect More False Claims Act Cybersecurity Cases
In the federal contracting community, it has long been predicted that the government’s increased cybersecurity requirements will eventually lead to a corresponding increase in False Claims Act litigation involving cybersecurity compliance. This prediction may soon be proven true, as a December 2020 speech from Deputy Assistant Attorney General Michael Granston specifically identified “cybersecurity related fraud” as an “area where we could see enhanced False Claims Act activity.”
In recent years, the government and qui tam plaintiffs have begun using the FCA to pursue alleged noncompliance with cybersecurity regulations, and some of these efforts have gained traction. For instance, in May 2019, a federal district court in California declined to dismiss a case alleging that a government contractor had falsely asserted its compliance with cybersecurity standards when entering into Defense Department contracts. And in July 2019, the Department of Justice announced that another contractor had agreed to pay more than $8 million in connection with resolving a qui tam suit alleging failure to meet federal cybersecurity standards, marking the first settlement based on FCA allegations related to cybersecurity noncompliance.
However, in October 2020, a federal district court in the District of Columbia dismissed a qui tam suit alleging that a contractor had failed to disclose a security vulnerability in the computer systems that it sold to the United States.
The court’s dismissal was based on its conclusion that the whistleblower had failed to show that the noncompliance was “material.” As the court noted, “the technology policies referenced ... do not require defect-free products,” and that any applicable security policy could have instead been addressed by “providing the necessary assistance to eliminate or reduce vulnerabilities as they appear.”
Going forward, we expect the False Claims Act’s strict materiality requirement will continue to present a significant hurdle for plaintiffs in future cases alleging noncompliance with increasingly detailed cybersecurity regulations.
However, the federal government and qui tam plaintiffs are poised to bring suits predicated on allegations of noncompliance. There are two regulatory developments in particular that may provide ammunition to enterprising whistleblowers and pose FCA risk for unwary contractors.
First, the Defense Department is now requiring that contractors complete a pre-award self-assessment of their compliance with the 110 security controls found in NIST 800-171.
That basic assessment results in a numerical score that is provided to the government and a date by which the contractor represents it will be in full compliance with all NIST 800-171 controls. Following award, the department may decide to complete its own medium assessment (via a paper review) or high assessment (via an in-person review) of a contractor’s compliance.
This assessment process could give rise to disagreements between the contractor and the government over the extent to which the contractor is complying with the security controls. A large discrepancy between the basic assessment’s numerical score and the medium or high assessment’s numerical score could lead to allegations that the contractor failed to accurately represent its compliance with the cybersecurity requirements, thereby raising the specter of FCA risk.
Second, defense contractors will soon be asked to obtain and provide a Cybersecurity Maturity Model Certification from an accredited third-party assessment organization. Contractors will be expected to show their ability to meet the NIST 800-171 security requirements as well as several additional security controls. Allegations of inconsistencies between the self-assessment of compliance and the third-party CMMC assessment may also draw the attention of would-be qui tam plaintiffs.
However, it may prove difficult for the government or qui tam plaintiffs to establish False Claims Act liability based on allegations of cybersecurity noncompliance. Liability can only be imposed where the requirement is “material,” meaning that the noncompliance would have a “natural tendency to influence, or be capable of influencing” the government’s decision to pay the contractor. However, federal contracts often contain cybersecurity requirements among a list of dozens — if not hundreds — of other regulatory obligations. In many cases it is unlikely that the government’s decision to pay a contractor would depend on strict compliance with a particular cybersecurity control or set of controls, in which case noncompliance with that control would not be “material.”
FCA liability also requires a showing that a noncompliance was “knowing,” meaning that the contractor actually knew it was not in compliance with a requirement, acted with deliberate ignorance, or acted with reckless disregard. However, many of the cybersecurity requirements are new and drafted broadly, allowing reasonable differences in technical interpretation. There is substantial case law establishing that a contractor cannot be held liable under the FCA for a reasonable, good-faith reading of unclear regulatory requirements.
Even if the predictions about an uptick in FCA cybersecurity cases come true, there are good reasons for thinking that many such matters will face significant headwinds. The standard defenses will be fully available.
Nonetheless, the likelihood of an increase in cases underscores the importance of ensuring careful attention to cybersecurity compliance and associated representations.
Susan Cassidy, Peter Hutt II and Michael Wagner are partners at Covington & Burling LLP. Andrew Guy, who also contributed to this article, is an associate at the firm.