Case Study: Another Cybersecurity False Claims Act Press Release

On Monday, the Department of Justice announced a $11.3 million settlement of a False Claims Act case for a failure to meet contractual cybersecurity requirements.  This is just the latest in a series of settlements announced by the Department of Justice’ s Civil Cyber-Fraud Initiative.

In this case, the relevant contractor (Guidehouse Inc.) and its subcontractor (Nan McKay and Associates) did not conduct required cybersecurity testing of the platform they were providing to the government, and as night follows day, there was a data breach.  They also used unauthorized software in deploying the platform.  In fact, the platform was shut down twelve hours after it opened because personally identifiable information entered into the platform was already available on the internet.  The platform was designed to assist folks that needed emergency rental assistance, so the victims were particularly vulnerable.

The whistleblower in this case was a corporation (Elevation 33 LLC) owned by a former employee of the prime contractor.  As part of the settlement, the whistleblower received $1.9 million.

There are a lot of interesting points in this settlement.  First, the subcontractor was brought into the suit and settlement agreement.  Typically, the government does not like getting involved with subcontractors due to the lack of privity, but here the subcontractor was identified and separately fined.

Second, both the prime and sub attempted to conduct the security testing and were unable to do so with industry standard scanning tools.  This shows knowledge of the requirement and an attempt to comply.  The requirements were not extensive as these things go, and completely in keeping with the industry standard.

Third, the investigation of the breach revealed that “no Personally Identifiable Information (‘PII’) was viewed or used by unauthorized parties, the ‘Information Security Breach’ protocol was triggered under the ERAP Prime Contract because PII was accessed by commercial search engines for a limited group of individuals.”  These terms map to most state data breach notification laws, which is why they were used and italicized, but it appears the parties recognized that once a search engine saw the information, sufficient harm was done.

Fourth, the settlement agreement does not allege a “but for” relationship between the lack of testing and the breach.  It merely says that the required scanning may have detected the problems.  This was sufficient for the parties to settle.

There are a number of lessons here for government contractors, especially those providing platforms to the government.  First, not all cybersecurity requirements are in the standard FAR clauses.  Many agencies put cybersecurity requirements in the deliverables or other sections of a contract.  Second, there can be a kind of strict liability for cybersecurity issues.  Although the data breach was not tied definitively to the noncompliance, the contractors still paid more than $10 million to resolve the issue.  Third, internal whistleblowers create significant risk for companies that are non-compliant with cybersecurity requirements.  The government is highlighting the rewards for whistleblowing, which will serve to encourage potential whistleblowers to sue.  Fourth, this example and most of the past publicized settlements have been egregious.  The Department of Justice is not going after victims of sophisticated foreign intelligence operations.  But when a whistleblower comes forward, it is critical for government contractors to be able to prove that they’ve done what is expected of them.

If you are unsure about whether you are meeting those requirements, if your documentation is sufficient to show you are meeting those requirements, or how your organization would hold up in the case of a breach (either data or contract), we can assist.  A lot of clients have found a basic table top exercise to be a useful tool for quickly and efficiently identifying deficiencies in their compliance program and developing a plan of action.  We also have experience building complete compliance programs from the ground floor.