Civil Cyber-Fraud Initiative Will Crack Down on Government Contractors

Posted by Neena Shukla in Cybersecurity, Government Contracting.

The Department of Justice’s (DOJ) Civil Cyber-Fraud Initiative will target the security procedures of government contractors and grant recipients in order to limit future cybersecurity problems. With cybersecurity attacks and data breaches at an all-time high, the new initiative will limit future incidents by enforcing stricter security practices. The initiative will use the False Claims Act, or FCA, to force organizations that work with the government to be more forthcoming about cybersecurity incidents. Below we review what you should know about the new Civil Cyber-Fraud Initiative, what might lead to infractions, and how to avoid hefty fines.

The False Claims Act is the most important tool used by the United States government to identify and combat fraud in federal programs and operations. Those who are convicted of making “calculated lies” to the government face steep fines.

One of the most important features of the FCA that will have an impact on the Civil Cyber-Fraud Initiative is the whistleblower provision. This section of the legislation enables employees and contractors to disclose information about their employers (government contractors or grant recipients) who may be engaged in fraudulent cybersecurity activities. Whistleblowers are immune from retaliation by named organizations.

The following are examples of circumstances that may lead to an investigation by the DOJ:

  • Knowingly offering inadequate cybersecurity goods or services
  • Knowingly misrepresenting your cybersecurity procedures or protocols
  • Unknowingly violating your monitoring and reporting obligations

With any of these types of allegations, “knowingly” appears to be the crucial word. In any case, there are a few routine administrative activities that, if not kept track of or set up properly, might result in unintentional violations.

Some of the common practices/failures that could result in violations include:

  • Not having an incident response plan in place
  • Failing to properly train employees on cybersecurity policies and procedures
  • Not conducting adequate risk assessments
  • Failing to determine what data is subject to a cybersecurity incident

Organizations must be diligent about their own cybersecurity efforts. With new regulations emerging every year, it’s important for companies to set up a proper compliance program that ensures they are complying with new cybersecurity legislation.

There are a few things you can do to make the process of maintaining your cybersecurity compliance easier, whether it’s documentation or reporting.

  • Understand what you’re being asked to follow
  • Read your contracts thoroughly
  • Keep track of paperwork
  • Maintain strict cybersecurity hygiene

If your organization is working with the government, it’s important to be aware of the new Civil Cyber-Fraud Initiative and what may lead to infractions. By being proactive and explaining your security practices to the government, you can limit (or avoid) fines for compliance issues.

Have a question specific to your company? Contact the PBMares Government Contracting Team.


Be sure to consult with your financial or tax advisor on this topic as individual situations may vary. The information contained in this article or webinar, and any related materials, are for informational purposes only, and cannot be relied upon for legal, financial, tax, accounting, or other professional services advice. The content is provided on an “as is” basis and PBMares makes no representations or warranties about the accuracy or sustainability of any information for your purposes. For any specific questions you may have, please contact us.

This content is accurate at the time of publication. Always ensure you are reviewing the most recent information available. Contact your tax or financial advisor if you need clarification.

About the Author

Neena Shukla

CPA, CFE, CGMA, FCPA, CTP
Partner, Government Contracting Team Leader
Fairfax

Neena brings extensive experience leading and managing assurance and consulting engagements, with a deep background advising on SEC compliance, mergers and acquisitions due diligence, revenue recognition, stock compensation, employee benefit plan audits, cybersecurity, fraud and forensic accounting.
