On September 5, 2023, the U.S. Department of Justice settled False Claims Act (FCA) allegations with Verizon Business Network Services for over $4 million. The settlement signals an ongoing effort by the Department of Justice to pursue government contractors who receive federal funds and fail to follow proper cybersecurity standards.
The Verizon settlement stems from allegations that the company’s Managed Trusted Internet Protocol Service (MTIPS), provided to federal agencies from 2017 to 2021, did not meet cybersecurity controls for trusted internet connections as required by General Services Administration (GSA) contracts. According to DOJ, Verizon self-disclosed the problems to the GSA after an internal investigation.
In 2021, the U.S. Department of Justice announced its Civil Cyber-Fraud Initiative (CCFI), designed to combat new and emerging cyber threats using the department’s expertise in civil fraud enforcement, government procurement, and cybersecurity to ensure the security of sensitive information and critical government systems. The Initiative was designed to hold accountable entities or individuals that put U.S. information or systems at risk by knowingly providing deficient cybersecurity products or services, knowingly misrepresenting cybersecurity practices or protocols, or knowingly violating obligations to monitor and report cybersecurity incidents and breaches.
The DOJ announced its first settlement as part of the Initiative in March 2022 with Comprehensive Health Services (CHS) agreeing to pay $930,000 to resolve allegations in qui tam suits that it violated the FCA. The government and whistleblower alleged that CHS failed to disclose to the State Department that it had not stored patients’ medical records on a secure electronic medical record system, in compliance with contract requirements relating to providing medical services at State Department and Air Force facilities in Iraq and Afghanistan.
In March 2023, the DOJ announced another case from the Civil Cyber-Fraud Initiative against Jelly Bean Communications Design LLC and its co-owner, who agreed to pay $293,771 to settle False Claims Act allegations that the company failed to secure personal information on a federally funded children’s health insurance website that Jelly Bean created, hosted, and maintained.
Whistleblowers play an important role in enforcing cybersecurity rules and bringing to light failures to provide adequate cybersecurity safeguards.
In 2019, Phillips & Cohen had a cybersecurity case settle against Cisco Systems for $8.6 million. The whistleblower client alleged Cisco knowingly sold video surveillance systems used by federal and state agencies that could have been easily hacked because of critical software flaws. The case is believed to be one of the first False Claims Act cases that settled involving cybersecurity issues.
The Securities and Exchange Commission (SEC) is also ramping up its oversight of cybersecurity issues. In July, the SEC adopted rules requiring registrants to disclose material cybersecurity incidents they experience and to disclose on an annual basis material information regarding cybersecurity risk management, strategy, and governance.
SEC Chair Gary Gensler said of the new rules, “Whether a company loses a factory in a fire — or millions of files in a cybersecurity incident — it may be material to investors… Currently, many public companies provide cybersecurity disclosure to investors. I think companies and investors alike, however, would benefit if this disclosure were made in a more consistent, comparable, and decision-useful way. Through helping to ensure that companies disclose material cybersecurity information, today’s rules will benefit investors, companies, and the markets connecting them.”
Whistleblowers have had a major impact in stopping fraud – returning billions to the U.S. Treasury and reporting waste and abuse in countless industries, including healthcare, pharma, defense, and cybersecurity. Both DOJ’s Civil Cyber-Fraud Initiative and the SEC’s new cybersecurity rules present opportunities for whistleblowers to come forward to report non-compliance.
If you have information about violations of cybersecurity rules and regulations and are considering blowing the whistle, get in touch for a free, confidential consultation.