The government has ramped up its enforcement of cybersecurity standards that are required of government contractors with the launch of its Civil Cyber-Fraud Initiative – and whistleblowers are likely to play an important role.
The US Department of Justice established the Civil Cyber-Fraud Initiative to combat new and emerging cyber threats to the security of sensitive government information and critical government systems. DOJ will use the False Claims Act to hold accountable government contractors that:
- Knowingly provide deficient cybersecurity products or services.
- Knowingly misrepresent their cybersecurity practices or protocols.
- Knowingly violate obligations to monitor and report cybersecurity incidents and breaches.
Government contractors and federal grant recipients who fail to follow the government’s cybersecurity standards can be held liable for fraud under the False Claims Act.
Whistleblowers who know about violations of cybersecurity standards that a government contractor fails to report – whether it is software flaws, data hacks or other violations – can help improve cybersecurity by filing a “qui tam” lawsuit under the False Claims Act to launch a government investigation. The law provides whistleblowers with protection against job retaliation and rewards based on the amount that the government recovers from a contractor.
“For too long, companies have chosen silence under the mistaken belief that it is less risky to hide a breach than to bring it forward and to report it,” said Department of Justice Deputy Attorney General Lisa Monaco in a statement released Oct. 6. “Well, that changes today.”
The Cisco whistleblower case – a precedent for cybersecurity cases
A qui tam complaint against Cisco Systems, which was filed by Phillips & Cohen on behalf of James Glenn, a cybersecurity consultant, settled in 2019 for $8.6 million. It was the first settlement of a whistleblower case against a government contractor involving cybersecurity issues.
[Read “Why the security industry should pay attention to the Cisco whistleblower case.”]
The whistleblower lawsuit alleged that Cisco knowingly sold video surveillance systems used by federal and state agencies that could have been easily hacked because of critical software flaws.
Some of the software flaws were so severe that they compromised the security of any computer system connected to them.
Phillips & Cohen later partnered with Constantine Cannon on the case and, working with federal and state government teams, settled it. Out of the total settlement, Cisco paid $2.6 million to the federal government and approximately $6 million to 15 states and other government entities that purchased the product. The Cisco whistleblower’s reward totaled around $1.6 million.
Cisco eventually addressed the cybersecurity software problems that the whistleblower identified.
How whistleblowers can report cybersecurity problems with government contracts
Anyone aware of cybersecurity issues that a government contractor ignores or fails to report – such as a defective product, data breach, a ransomware attack or cybersecurity weaknesses – can blow the whistle by filing a qui tam lawsuit.
The False Claims Act gives whistleblowers the authority to sue a contractor or federal grant recipient for cheating the government. This prompts a government investigation, since the government must decide whether to join the case. If the case is successful, whistleblowers are rewarded with 15% to 30% of the recovery, depending on a number of factors.
The False Claims Act also provides redress for employment retaliation. Read more about how qui tam cases work.
Before taking any action, individuals should consult an experienced whistleblower lawyer to review their options and determine how best to protect themselves and preserve the possibility of a whistleblower reward. Contact Phillips & Cohen for a free, confidential review of your matter.