The U.S. Department of Justice (DOJ) usually releases its annual statistics on the official number of cases opened for investigation under the False Claims Act, 31 U.S.C. §§ 3729 et seq. (FCA), for a given fiscal year in January of the following year. So until January 2022, it’s difficult to accurately gauge the number of FCA cases opened in 2021, particularly given the requirement that new whistleblower cases must be filed under seal. What we do know, however, is that there were more overall cases opened in 2020 than in any other year since the enactment of the FCA (922 cases), and the number of government-initiated (non-whistleblower) FCA actions (250) was a 69 percent increase over the previous year.
The vast majority of FCA cases involve the healthcare and government procurement industries, but in 2020, we saw DOJ expanding into additional business sectors and under different theories. With what’s happening at the DOJ, in Congress, and under the Biden Administration regarding cybersecurity, we expect that increase in new FCA matters will continue into 2022 at breakneck speed.
In the wake of the Solar Winds cyber incident and Colonial Pipeline ransomware cyber-attack in 2020 and 2021, the Biden Administration issued Executive Order 14028, “Improving the Nation’s Cybersecurity”(EO) in May 2021. The EO requires that Executive agencies recommend and develop guidance on best practices regarding cybersecurity and cyber incident reporting. It sets aggressive timelines for new regulations to be issued for notice and comment. With an EO in place, more enforcement action in the cybersecurity area is likely.
DOJ has also been pursuing its course to use the FCA for cybersecurity matters. In July 2019, DOJ entered into the first cybersecurity-related FCA whistleblower settlement based on Cisco Systems Inc. selling government agencies video surveillance products with known vulnerabilities that hackers could have exploited.
In December 2020, DOJ Deputy Assistant Attorney General Michael D. Granston laid out key upcoming FCA enforcement areas for DOJ and expressly identified potential FCA liability for failure to comply with cybersecurity “protections [that] are a material requirement of payment or participation under a government program or contract.” This message was reiterated at the February 2021 Federal Bar Association’s annual Qui Tam Conference by DOJ Acting Assistant Attorney General (AAG) Brian Boynton.
More recently, on October 6, 2021, Deputy Attorney General (DAG) Lisa Monaco announced that DOJ is launching a Civil Cyber Fraud Initiative. Under the Initiative, DOJ intends to use the authority of the FCA to investigate, prosecute, and fine government contractors that “fail to follow required cybersecurity standards.” The kinds of actions that DOJ has publicly announced that it expects to address under this initiative include situations where a government contractor “hides” and fails to report “a breach.”
On October 13, 2021, at the Cybersecurity and Infrastructure Security Agency Fourth Annual National Cybersecurity Summit, Acting AAG Boynton expanded on DAG Monaco’s announcement, commenting that DOJ’s collaboration with various agency Inspector General Offices “will promote information sharing and technical expertise, generate referrals for investigations and multiply the number of experienced federal agents and attorneys dedicated to combatting knowing cybersecurity failures.”
In addition to the Executive branch, Congress is focusing on cybersecurity protections and enforcement. In July 2021, a bipartisan group of senators, led by Sen. Chuck Grassley (R-Iowa), introduced amendments to clarify and expand certain FCA provisions. In October, the Senate Judiciary Committee voted to advance the “False Claims Amendments Act of 2021,” which, among other things, would ease the statutory definition of “materiality” and heighten the standard for government dismissal of an FCA action.
Cyber threats to the government and its supply chain are increasing. There is no question that DOJ, the Biden Administration, and Congress intend to turn up the heat on cybersecurity and other matters. Based on their actions in 2021 and the increased number of government-initiated FCA actions last year, we can almost guarantee that the number of FCA actions and settlements involving cybersecurity violations will increase. The only remaining question is not whether it will happen, but by how much.