Over the last six months, the U.S. Department of Justice (DOJ) has remained vigilant in pursuing cybersecurity-related fraud under its Civil Cyber-Fraud Initiative first announced in October 2021. As we have previously discussed, the Civil Cyber-Fraud Initiative is a DOJ project intended to “utilize the False Claims Act (FCA) to pursue cybersecurity related fraud by government contractors and grant recipients.”[1] Since the initiative’s introduction, we have seen two settlements in 2022,[2] two settlements in 2023,[3] and another two settlements so far in 2024[4]—totaling over US$28 million in recoveries under the FCA. We have also seen the unsealing of qui tam actions against academic institutions, demonstrating that contractors and grantees alike are targets for whistleblowers under the initiative.
DOJ recently intervened in its first cybersecurity fraud qui tam case, indicating a continued emphasis on cybersecurity enforcement through the use of whistleblowers.
In July 2022, two relators brought an FCA suit against the Georgia Tech Research Corporation (GTRC) and the Georgia Institute of Technology (GA Tech), alleging that the defendants violated the cybersecurity requirements set forth in National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171, Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations, specifically by failing to protect Controlled Unclassified Information (CUI) under Department of Defense (DoD) contracts.[5]
The DoD contracts incorporated the provisions of Defense Federal Acquisition Regulation Supplement (DFARS) 252.204-7012, Safeguarding Covered Defense Information and Cyber Incident Reporting, relating to the safeguarding of Covered Defense Information (CDI) and cyber incident reporting (as previously discussed here). This provision requires contractors to provide “adequate security” on all covered contractor information systems, i.e., at a minimum, implement all 110 of the security requirements in NIST SP 800-171. Currently, to comply with DFARS 252.204-7012, contractors are required to develop a System Security Plan (SSP) and Plan of Action and Milestones (POA&M) detailing the policies and procedures their organization has in place to comply with NIST SP 800-171. The SSP, which outlines the contractor’s plan to protect CUI, serves as a foundation for an entity’s required NIST SP 800-171 self-assessment. DFARS 252.204-7012 also requires covered DoD contractors to “rapidly report” (i.e., within 72 hours) any “cyber incident” impacting CDI/CUI.
In their lawsuit, relators have alleged that GTRC failed to adhere to the requirements of DFARS 252.204-7012, including failing to implement the 110 required security measures. Additionally, relators claim that those in charge of determining if a lab’s practices were compliant with NIST SP 800-171 were pressured to interpret the controls in a manner that would allow a finding of compliance. In addition, relators contend that those overseeing the lab’s practices were not qualified to assess or report on compliance and thus could not produce accurate reports to the DoD. Among other shortcomings, relators have also alleged that GTRC failed to ensure continuous monitoring of compliance during the entirety of contract performance.
The claims were brought by two whistleblowers, Christopher Craig, a current employee of GA Tech, and Kyle Koza, a graduate and former employee of GA Tech, both of whom previously worked in the Information Technology Department. Mr. Koza allegedly began to identify problems in July 2018, including the use of an unqualified audit team and a lack of sufficient practices to ensure continuous monitoring of compliance during contract performance. By 2021, Mr. Craig agreed that serious compliance shortcomings existed, and relators concluded that defendants’ attestations of compliance with NIST 800-171 were false. The relators contend that they first brought the cybersecurity issues to their superiors’ attention, but those efforts were unavailing.
Following a multi-year investigation, DOJ intervened in the case in February 2024, which led to the unsealing of the original qui tam complaint. DOJ has until June 24, 2024, to file its own complaint containing allegations against the defendants.
The GA Tech case highlights the importance of implementing rigorous compliance procedures, ensuring that personnel overseeing cybersecurity compliance functions are qualified, and taking appropriate measures to investigate and address employee complaints where appropriate.
On May 1, 2024, DOJ announced a US$2.7 million settlement with Insight Global LLC (Insight Global) to resolve allegations that it violated the FCA by failing to implement adequate cybersecurity measures to protect health information obtained during COVID-19 contact tracing.
The Pennsylvania Department of Health, using funds from the U.S. Centers for Disease Control and Prevention, contracted with Insight Global for the provision of staffing for COVID-19 contact tracing. Insight Global was required to keep the personal health information (PHI) and personally identifiable information (PII) of contact tracing subjects confidential and secure, but it failed to do so. Specifically, DOJ alleged that Insight Global (1) transmitted certain PHI and/or PII of contact tracing subjects in the body of unencrypted emails, (2) allowed certain staff to use shared passwords to access PHI/PII, and (3) stored and transmitted PHI/PII using Google files that were not password protected and were potentially accessible to the public via internet links. DOJ also alleged that Insight Global managers received complaints from multiple staff between November 2020 and January 2021 revealing that such information was unsecured and potentially accessible to the public, but failed to take any remedial measures until April 2021.
This is the second settlement under DOJ’s Civil Cyber-Fraud Initiative that was initiated by a qui tam complaint. Terralyn Williams Seilkop, a former staff member who worked on a contact tracing initiative, filed the qui tam lawsuit against Insight Global.[6] Under the FCA’s qui tam provisions, private citizens (called “relators”) may file suit on behalf of the United States if they have information supporting a belief that an individual or company is defrauding the government. Relators can receive between 15% and 30% of the proceeds of the action or settlement of the claims made in a successful qui tam suit. In this case, Seilkop will receive an award of US$499,500, nearly 19% of the settlement value.
On June 17, 2024, DOJ announced a US$11.3 million settlement with two consulting companies to resolve allegations that they violated the FCA by failing to meet cybersecurity requirements in contracts intended to ensure a secure environment for low-income New Yorkers to apply online for federal rental assistance during the COVID-19 pandemic. Congress established the Emergency Rental Assistance Program (ERAP) to assist low-income households with the cost of rent and other housing-related expenses during the pandemic. New York entered into a contract with one of the consulting companies to act as the prime contractor and establish a program to distribute the federal funds. That consulting company subcontracted the work to a second consulting company, which was responsible for delivering and maintaining the ERAP application portal that individuals would use to complete and submit applications for assistance.
New York’s ERAP application portal went live on June 1, 2021, but it was shut down by the state after only 12 hours when the state determined that the PII of some applicants had been compromised and made available on the Internet. Both companies shared responsibility for ensuring the ERAP application portal underwent sufficient pre-launch cybersecurity testing, but both admitted that neither company had completed the required testing. Both companies also acknowledged that, had they actually conducted the contractually required pre-launch testing, the conditions that resulted in the disclosure of PII may have been detected, preventing the incident.
In addition to being the largest recovery yet by DOJ under the Civil Cyber-Fraud Initiative, the ERAP case is another example of enforcement under the Initiative that started with the filing of a qui tam complaint. The complaint here was filed by a former employee of the prime contractor. Elevation 33 LLC, an entity owned by the former employee, will receive an award of more than US$1.9 million as part of the settlement.
This case also represents the third public FCA Civil Cyber-Fraud settlement based on a state-level contract that received federal funding (the first being the settlement with Jelly Bean Communications Design LLC, announced by DOJ in March 2023, and the second being the settlement with Insight Global LLC, announced by DOJ in May 2024). Both settlements by DOJ so far this year have been qui tam actions involving federally funded state contracts, emphasizing the need for companies contracting with state agencies to ensure their compliance with cybersecurity requirements, particularly where federal funding supports the state-level program.
These developments can help inform your organization’s compliance, internal investigation, and potential defense posture relating to FCA risk moving forward. Hogan Lovells stands ready to help you with our market-leading lawyers who have deep experience in FCA investigations and litigation and a deep understanding of cybersecurity requirements impacting contractors and grantees.
Authored by Stacy Hadeka, Jasmeet K. Ahuja, Michael Theis, Taylor Hillman, and Alex Ervin.