Aaron Nicodemus* If your firm does business with the U.S. government—through a contract or receiving grant funds—your cybersecurity defenses had better be up to snuff.
Recent pronouncements from the Department of Justice (DOJ) and White House make it clear the government will be far less tolerant of excuses from companies who don’t report breaches in a timely manner, whose cybersecurity protocols are lax, or who misrepresent the controls they claim to have in place.
The government is enlisting the aid of insiders—whistleblowers—to point out where these lapses are happening. That means False Claims Act (FCA) cases are likely to be brought, even without a triggering breach or hacking event.
The DOJ unveiled its Civil Cyber-Fraud Initiative last week, warning entities that do business with the government that the promises they make regarding the strength of their cybersecurity defenses must hold up to scrutiny. Failure to do so could result in expensive FCA litigation, where the government would attempt to claw back money paid to entities that delivered inadequate cybersecurity systems or misled the government about the quality of their defenses.
The initiative piggybacks on an executive order issued by President Joe Biden in May requiring federal agencies to “improve … efforts to identify, deter, protect against, detect, and respond to these actions and actors. The federal government must also carefully examine what occurred during any major cyber incident and apply lessons learned.”
Common cybersecurity problem areas
On Wednesday, the DOJ’s acting assistant attorney general for the Civil Division, Brian Boynton, detailed in a speech at a Cybersecurity and Infrastructure Security Agency summit the three cybersecurity failures most likely to result in FCA enforcement through the agency’s new initiative:
- Failure to comply with cybersecurity standards.
- Misrepresenting the strength and breadth of security controls and practices.
- Failure to report breaches in a timely manner.
“This enforcement program is a very effective way to ensure companies’ systems are hardened against intrusions, breaches, and cyberattacks,” said Michael Theis, partner at Hogan Lovells who worked in the DOJ’s Civil Division for nine years. “Even the threat of whistleblower suits could lead to reforms and improvements in cybersecurity defenses, just as it has done in other areas.”
Theis cited sectors as diverse as defense procurement, healthcare, hospitals, clinical laboratories, and higher education that have seen tremendous improvement in regulatory compliance after the threat of FCA litigation became reality.
He emphasized, “The DOJ has made it clear it is not necessary that there be a successful breach. Noncompliance with contractual or regulatory cybersecurity requirements—if material—is enough to trigger FCA enforcement.”
One area with perhaps the most direct correlation is in “meaningful use” of electronic health records, which was encouraged by federal financial incentives in the HITECH Act. That area has seen recent FCA settlements at Athenahealth ($18.25 million in January) and Practice Fusion ($145 million in January 2020).
Michael Bahar, partner at Eversheds Sutherland and co-lead of the firm’s Global Cybersecurity and Data Privacy practice, said the new DOJ initiative is the government’s way of “leveraging the buying power of the federal government to raise the bar on cybersecurity,” with the hope that what becomes the cybersecurity standard for contractors and grant recipients will eventually be matched by the private industry. With Congress virtually gridlocked, Bahar predicted the Biden administration will seek to set more of its priorities in motion in a similar manner.
Further, the inevitable increase in reporting of breaches and cyberattacks will help the government see patterns and trends, information it can use to improve the country’s overall cyber defenses, he said.
How to respond to Cybersecurity
What does this new emphasis on cybersecurity mean for government contractors and grant recipients, as well as their vendors and suppliers?
“This is a national security issue, as big as anything that developed from 9/11,” said Monica Reagor, vice chair of the Privacy & Data Security Industry Group with the National Association of Black Compliance & Risk Management Professionals. “You can’t just skate around and do the bare minimum. We all need to do better, and if you can do better, then you should do better.”
“This demonstrates a priority shift by government in terms of examining these types of cases,” said Tina Reynolds, co-chair of Morrison & Foerster’s Government Contracts & Public Procurement practice. “It signals the need to pay much closer attention to what your obligations are in terms of cybersecurity.”
Experts say there are three main areas of focus where compliance officers can tighten up their firm’s cyber defenses that do not involve technological changes while also limiting exposure to FCA litigation.
“This (cyberattacks) is a national security issue, as big as anything that developed from 9/11. You can’t just skate around and do the bare minimum. We all need to do better, and if you can do better, then you should do better.”
Monica Reagor, Vice Chair, Privacy & Data Security, NABCRMP
First, read and understand all documentation that refers to cybersecurity in contracts, including any clauses that cite rules, regulations, or a particular agency’s standards. Often the details of what is required in terms of cybersecurity is listed in those clauses, and you can’t know what’s required without reading them, Reynolds said.
Second, communicate those requirements to all stakeholders, inside and outside the company. Relaying these requirements inside the company involves more than IT; the executive team must be alerted to the cost of complying, training employees about how the requirements affect their day-to-day work.
This communication also should involve examining whether company vendors and suppliers (and their suppliers) are potentially violating the government’s cybersecurity requirements. Breaches have commonly occurred through vulnerabilities in third parties, and the government has made it clear protection of data is the grant recipient’s or contractor’s responsibility—not the third party.
“Third parties need to be screened appropriately to ensure they are properly storing and handling data,” Reynolds said. Employees of these third parties may also need training about how to adhere to cybersecurity protocols.
The Cybersecurity ‘Air Gaps’
Bahar said another area of concern is a continued reliance on perceived “air gaps,” which describes infrastructure or networks that are not connected in any way to the public internet. With the proliferation of devices that have internet accessibility built into them, some networks thought to be in a closed loop might, in fact, have a back door entrance to the internet.
“Are offline systems really offline, or is there a way to penetrate them from the public internet?” he asked.
Third, document your decision-making. “This is a painstaking component of compliance, but it can be what saves the day,” said Reagor, who is the program manager, government compliance and cybersecurity at Crestron Electronics, a New Jersey-based manufacturer and distributor of audiovisual automation and integration equipment. “Put your thought processes on paper. Document why you made certain decisions. You may have a perfectly legitimate reason not to require third-party risk assessment, for example, but you’ve got to have the reason documented.”