The False Claims Act (FCA), otherwise known as the “Lincoln Law,” can cost companies that supply goods or services to the federal government millions of dollars if they fail to provide the digital security protections they promise, as two recent cases illustrate. In one of the cases, Cisco Systems was forced to pay millions of dollars to the federal and state governments.
First passed in 1863 during the Lincoln Administration, the FCA was aimed at fraudulent contractors who sold bad horses, provisions and munitions to the Union Army. One of the law’s provisions allows for citizen “relators” or whistleblowers to be paid a percentage of what can be recovered from those who are proved to have made false claims to the federal government in the sale of goods or services.
Between the Civil War and the mid-1980s, the FCA was little used until it was given a shot in the arm by Congress in 1986 to deal with rampant problems involving defense contractors. The FCA was revised again by Congress in 2009 and 2010.
Two fundamental changes were made to the statute in 2009. The first is that the false claim must be “material,” however that’s defined. The second change provided greater protection for the whistleblowers, extending safeguards beyond company employees, who have served as the traditional relators, to go further and encompass contractors and agents.
Today, an estimated 72% of all FCA cases are brought by the relator-whistleblowers, with the federal government recovering an estimated $62.1 billion under FCA action between 1987 and 2019, according to Justice Department statistics.
The process for filing false claim actions is detailed and rigorous, with all complaints required to be filed in federal court and under seal. The federal court has to keep the lawsuit secret for at least 60 days, but in practice, these cases are kept under wraps far longer, often for years. It’s then up to the Justice Department to proceed with the action.
First security-related FCA cases came in 2019
Two recent cases brought under the False Claims Act highlight how cybersecurity compliance failures are now fertile territory under a law originally envisioned to punish purveyors of bad muskets. “I think we’ve been expecting to see False Claims Act activity in this space for a while, and then in 2019, it started to happen,” Michael Vernick, a partner at Hogan Lovells who specializes in FCA cases, tells CSO.
One case, the United States v. Aerojet Rocketdyne Holdings, Inc., 381 F. Supp. 3d 1240 (E.D. Cal. 2019), should serve as a cautionary tale “for contractors that 'self-certify' that their own IT systems provide adequate security for sensitive federal information they store, process, or transmit in performance of a federal contract,” Vernick wrote in a recent alert issued by Hogan Lovells.
In the Aerojet case, a California District Court ruled that the company couldn’t dismiss a complaint by its former senior director of cybersecurity, compliance and controls about the company’s inability to safeguard unclassified controlled technical information from cybersecurity threats. The case hinged on whether Aerojet was making the grade under a Department of Defense rule requiring federal contractors to implement specific security controls.
The former employee claims that Aerojet “fraudulently entered into contracts with the federal government despite knowing that they did not meet the minimum standards required to be awarded a government contract.” He further claims he was fired from his job when he refused to certify that the company was compliant with the contracted cybersecurity requirements.
The Aerojet case, although still in its early days, is interesting because it’s a “complaint that's filed for a contract that does not involve selling products or services to the government,” Vernick said. Instead, it focuses on the contractor's own systems and their ability to safeguard controlled unclassified information (CUI). “It's not the classic situation of ‘we sell something to the government, and it doesn't meet the requirements.’”
The other recent case involving FCA claims and cybersecurity does involve the security of products directly sold to the federal government. That case, United States ex rel. Glenn v. Cisco Systems, Inc., No. 1:11-cv-00400-RJA (W.D.N.Y. July 31, 2019), was unsealed in 2019 and involved a relator, or whistleblower, James Glenn, a former employee of Cisco’s Danish distributor NetDesign.
Glenn alleged that Cisco’s Video Surveillance Manager (VSM) product did not comply with government cybersecurity requirements. Glenn claimed he identified security vulnerabilities in Cisco’s VSM that could allow an attacker to exploit the system and even gain “administrator” rights, flaws he alleged could also potentially compromise the security of other systems connected to the VSM, placing the entire information management system at risk.
Glenn claimed he informed relevant management that the vulnerabilities violated a host of federal requirements, including the Federal Information Security Management Act of 2002 (FISMA) and procurement regulations related to Federal Information Processing Standards (FIPS). FIPS, in turn, incorporated several standards spelled out in the National Institute of Standards and Technology (NIST) publications, particularly access control, authentication management, and transmission integrity specifications, among others, contained in NIST’s widely used SP 800-53.
According to a press release, Cisco agreed to pay $8.6 million to resolve the allegations brought by Glenn, with $2.6 million paid to the federal government and $6 million to state government purchasers. This resolution highlights the real monetary risks to companies that don’t materially meet implied or explicit promises of providing adequate security.
More security FCA cases likely
“In False Claims Act cases, if the government wins, they get trebled damages plus penalties, which are a big deal,” Vernick says. Vernick, like other lawyers who have examined these cases, believes that other big-ticket FCA cases involving cybersecurity failures are in the pipeline. “If we were betting, there are probably other cases that are in progress, but a lot of them are probably still under seal” because these cases can remain under seal for years while they’re being investigated.
Moving forward, companies can take steps to avoid FCA lawsuits. First, “I think that the best thing for companies to do is to recognize what they're agreeing to in a contract,” Vernick says. “It's not uncommon for companies, particularly companies that are new to the government market, to not realize what they're agreeing to.”
Step two is for companies to make sure they comply with all the relevant federal requirements and to continually monitor their systems for that compliance. Companies should also call in outside expertise to the extent they believe it’s necessary, Vernick says. Finally, companies should pay attention to concerns raised by employees or any other party about weaknesses in their security controls.
“Whether it's in the cyberspace or any other space, I think it's important to make sure that someone who raises a concern is heard,” Vernick says. “If their concerns are something that needs to be addressed,” you should address them, he advises. “What's important is to allow people to bring forward concerns that they have and take them seriously and respond to them appropriately.”