Complying with information security and data privacy requirements is a fundamental duty of government contractors and grantees and is vital for the protection of government data. Cybersecurity professionals are often the first to identify non-compliance with these requirements.
Federal whistleblower laws protect cybersecurity whistleblowers at government contractors and grantees, including the Defense Contractor Whistleblower Protection Act, False Claims Act, and NDAA Whistleblower Protection Law.
To schedule a confidential consultation with our cybersecurity whistleblower lawyers, call us at 202-262-8959.
2021 Civil Cyber-Fraud Initiative and Cybersecurity False Claims Act Whistleblowing
On October 6, 2021, the Department of Justice launched a Civil Cyber-Fraud Initiative, to combat new and emerging cyber threats to the security of sensitive information and critical systems. Deputy Attorney General Monaco announced the purpose of the initiative: “We are announcing today that we will use our civil enforcement tools to pursue companies, those who are government contractors who receive federal funds, when they fail to follow required cybersecurity standards — because we know that puts all of us at risk. This is a tool that we have to ensure that taxpayer dollars are used appropriately and guard the public fisc and public trust.”
The Civil Cyber-Fraud Initiative will utilize the False Claims Act to pursue cybersecurity-related fraud by government contractors and grant recipients. The benefits of the initiative will include:
- Building broad resiliency against cybersecurity intrusions across the government, the public sector and key industry partners.
- Holding contractors and grantees to their commitments to protect government information and infrastructure.
- Supporting government experts’ efforts to timely identify, create and publicize patches for vulnerabilities in commonly-used information technology products and services.
- Ensuring that companies that follow the rules and invest in meeting cybersecurity requirements are not at a competitive disadvantage.
- Reimbursing the government and the taxpayers for the losses incurred when companies fail to satisfy their cybersecurity obligations.
- Improving overall cybersecurity practices that will benefit the government, private users and the American public.
What cybersecurity requirements apply to federal contractors?
Federal contractors are subject to data privacy and information security requirements.
The FY 2022 appropriations law includes a cyber reporting provision that requires companies in critical infrastructure (as defined in Presidential Policy Directive 21) to report a covered cyber incident within 72 hours to the Cybersecurity and Infrastructure Security Agency.
The Federal Information Security Management Act (“FISMA”) creates information security requirements for federal agencies to minimize risk to the U.S. government’s data. FISMA also applies these requirements to state agencies administering federal programs and private businesses contracting with the federal government. Federal acquisition regulations codify the cybersecurity and data privacy requirements applicable to federal contractors. E.g., 48 C.F.R. §§ 252.204-7008, 7012 (providing for cybersecurity standards in contracts with the U.S. Department of Defense); 48 C.F.R. § 52.204-21 (outlining basic procedures for contractors to safeguard information processed, stored, or transmitted under a federal contract).
Pursuant to the FISMA Implementation Project, the National Institute of Standards and Technology (“NIST”) produces security standards and guidelines to ensure compliance with FISMA. Key principles of FISMA compliance include a systemic approach to the data that results in baseline controls, a risk assessment procedure to refine controls, and implementation of controls. A security plan must document the controls. Those managing the information must also assess the controls’ effectiveness. NIST also focuses its standards on determining enterprise risk, information system authorization, and ongoing monitoring of security controls.
Essential standards established by NIST include FIPS 199, FIPS 200, and the NIST 800 series. Core FISMA requirements include:
- Federal contractors must keep an inventory of all of an organization’s information systems.
- Contractors must identify the integration between information systems and other systems in the network.
- Contractors must categorize information and information systems according to risk. This prioritizes security for the most sensitive information and systems. See “Standards for Security Categorization of Federal Information and Information Systems” FIPS 199.
- Contractors must have a current information security plan that covers controls, cybersecurity policies, and planned improvements.
- Contractors must consider an organization’s particular needs and systems and then identify, implement, and document adequate information security controls. See NIST SP 800-53 (identifying suggested cybersecurity controls).
- Contractors must assess information security risks. See NIST SP 800-30 (recommending that an organization assess risks at the organizational level, the business process level, and the information system level).
- Contractors must conduct annual reviews to ensure that information security risks are minimal.
The NIST Framework includes “a set of cybersecurity activities, outcomes and informative references that are common across sectors and critical infrastructure” and is designed to “help an organization align and prioritize cybersecurity activities with its business/mission requirements, risk tolerances and resources.” NIST Special Publication 800-53 Revision 4, Security and Privacy Controls for Federal Information Systems and Organizations (NIST 800-53).
In addition to generally applicable standards, individual contracts may create other cybersecurity or data privacy requirements for a government contractor. Such requirements are prevalent when the contractor provides information security products or services for the government.
What protections exist for cybersecurity whistleblowers employed at federal contractors?
Federal law contains whistleblower protection provisions that may prohibit employers from retaliating against whistleblowers who report cybersecurity or data privacy concerns. See Defense Contractor Whistleblower Protection Act, 10 U.S.C. § 4701; False Claims Act, 31 U.S.C. § 3730(h); NDAA Whistleblower Protection Law, 41 U.S.C. § 4712. These laws protect a broad range of conduct.
Protected conduct under these laws includes:
- Efforts to stop false claims to the government;
- Lawful acts in furtherance of an action alleging false claims to the government; and
- Disclosures of gross mismanagement, gross waste, abuse of authority, or a violation of law, rule, or regulation related to a federal contract or grant. Id.
These provisions have wide coverage. They protect any employee of any private sector employer that is a contractor or grantee of the federal government. In some cases, even the employer’s contractors and agents are protected.
An employer’s non-compliance with information security requirements could breach the employer’s contractual obligations to the federal government and violate federal law and regulation. Thus, whistleblowers who report cybersecurity or data privacy concerns related to a federal contract or grant may be protected from employment retaliation.
What is the burden to establish unlawful retaliation for reporting cybersecurity concerns?
Exact requirements vary, but an employee typically establishes unlawful retaliation by proving that (1) the employee engaged in conduct that is protected by statute, and (2) the protected conduct to some degree caused a negative employment action. See, e.g., 10 U.S.C. § 4701 (incorporating burden of proof from 5 U.S.C. § 1221(e)); 41 U.S.C. § 4712(c)(6) (same); 31 U.S.C. § 3730(h)(1).
Under some of the applicable protections, an employee need prove only that the protected conduct played any role whatsoever in the employer’s decision to take the challenged employment action. See 10 U.S.C. § 4701; 41 U.S.C. § 4712.
What damages or remedies can a cybersecurity whistleblower recover for retaliation?
The relief available depends on which laws apply to the particular case. Remedies may include an amount equal to double an employee’s lost wages, as well as reinstatement or front pay. In some cases, a whistleblower may also recover uncapped compensatory damages for harms like emotional distress and reputational damage. Additionally, a prevailing plaintiff can recover reasonable attorneys’ fees and costs.
Recently, a jury awarded a defense contractor whistleblower $1 million in compensatory damages. According to the jury, the whistleblower proved that the employer more likely than not retaliated by demoting him after he reported issues with tests related to a federal contract. Specifically, the whistleblower alleged that he reported and opposed management’s directive to misrepresent the completion status of testing procedures.
In a recent case under the False Claims Act, a whistleblower received more than $2.5 million for retaliation she suffered after internally reporting off-label promotion of a drug outside its FDA-approved use. The False Claims Act protects from retaliation employees who blow the whistle on fraud against the government, including those who blow the whistle internally at a government contractor or grantee.
Have Qui Tam Whistleblowers Obtained Awards for Reporting Cyberfraud?
| Qui Tam Award | Violations | Date | DOJ Press Release or Media Coverage |
|---|---|---|---|
| $8.6M | Qui tam relator Glenn alleged that Cisco sold flawed video surveillance gear to government agencies. According to the complaint, the video surveillance product was "riddled with serious security defects." | July 31, 2019 | Cisco whistleblower cybersecurity case brought by Phillips & Cohen settles for $8.6M |
| $930,000 | Comprehensive Health Services, LLC agreed to pay $930,000 to resolve allegations that it violated the False Claims Act by falsely representing to the State Department and the Air Force that it complied with contract requirements relating to the provision of medical services at State Department and Air Force facilities in Iraq and Afghanistan. The United States alleged that, between 2012 and 2019, CHS failed to disclose to the State Department that it had not consistently stored patients’ medical records on a secure EMR system. | March 8, 2022 | Contractor Pays $930,000 to Settle False Claims Act Allegations Relating to Medical Services Contracts at State Department and Air Force Facilities in Iraq and Afghanistan |
Do any court cases address whether cybersecurity whistleblowers are protected?
Yes. Judges and juries have applied these laws to protect cybersecurity whistleblowers.
For example, in United States ex rel. Glenn v. Cisco Systems, Inc., defendant Cisco Systems settled for $8.6 million in what is likely the first successful cybersecurity case brought under the False Claims Act. The plaintiff/relator James Glenn worked for Cisco and internally reported serious cybersecurity deficiencies in a video surveillance system, soon after which he was fired. Cisco had sold the surveillance systems to various federal government entities, including the Department of Homeland Security, FEMA, the Secret Service, NASA, and all branches of the military. After monitoring Cisco’s public pronouncements regarding the system and confirming the company had not solved the problems or reported vulnerabilities to customers, Glenn contacted the FBI. Multiple states joined in the complaint and brought claims under state laws.
While the case did not proceed to litigation, Glenn received nearly $2 million of the settlement, and the federal government’s attention to the issue proves that cybersecurity and data privacy are of utmost importance.
Surely, as more of our lives and businesses move online, the government will place increased importance on contractors and grantees following data security and privacy requirements and disclosing known vulnerabilities. Cybersecurity whistleblowers working for government contractors play an important part in revealing these vulnerabilities and keeping the federal government secure. Still, these whistleblowers may experience retaliation after blowing the whistle internally at their place of work.
How can employees enforce these protections from retaliation?
Employees generally have the right to bring claims of unlawful retaliation for cybersecurity or data privacy whistleblowing in federal court. However, some of these laws require whistleblowers to exhaust their administrative remedies before going to court. For example, in some cases, whistleblowers will first need to pursue relief from the Office of Inspector General of the relevant federal agency. Additionally, cybersecurity whistleblower claims are subject to strict deadlines. See, e.g., 31 U.S.C. § 3730; 10 U.S.C. § 4701; 41 U.S.C. § 4712.
Cybersecurity Violations are Material Under the False Claims Act
As discussed in a Department of Justice Statement of Interest in United States ex rel. Brian Markus v. Aerojet Rocketdyne Holdings, Inc., “[i]t is well settled that when a contract is obtained through false statements or fraudulent conduct, FCA liability attaches to each claim submitted to the government under the contract.” See United States ex rel. Hendow v. Univ. of Phoenix, 461 F.3d 1166, 1173 (9th Cir. 2006) (citing United States ex rel. Marcus v. Hess, 317 U.S. 537, 542 (1943)). “Each claim submitted to the government under a contract which was procured by such fraud is false even if false representations were not made on the claim itself.” United States ex rel. Campie v. Gilead Scis., Inc., 862 F.3d 890, 904 (9th Cir. 2017); United States ex rel. Bettis v. Odebrecht Contractors of Cal., Inc., 393 F.3d 1321, 1326 (D.C. Cir. 2005) (a contractor is liable “for each claim submitted to the Government under a contract which was procured by fraud, even in the absence of evidence that the claims were fraudulent in themselves.”). Therefore, false representations about cybersecurity compliance are material and can give rise to FCA liability.
DOJ Statement of Interest in Aerojet
Cybersecurity Whistleblower Lawyers’ Guide for Cybersecurity Whistleblowers
To schedule a consultation, call us at 202-262-8959.
- Practitioners Guide to Cybersecurity Whistleblowing
- Federal Law Should Protect Data Privacy Whistleblowers
- Protections and Rewards for Cybersecurity Whistleblowers
- The Rise of Cybersecurity Whistleblowing, NYU Law Compliance & Enforcement Blog (December 2016)
- Cybersecurity Whistleblowing: What Employees at Public Companies Should Know Before Reporting Information Security Concerns, ISSA Journal (June 2016)
- Effective Cybersecurity and Data Protection Legislation Should Protect Whistleblowers, NYU Law Compliance & Enforcement Blog (May 2019)
- Cybersecurity Whistleblowers Are Growing Corporate Challenge, Wall Street Journal (May 15, 2018)
- Sarbanes-Oxley Whistleblower Protection: Robust Protection for Corporate Whistleblowers
False Claims Act Whistleblower Awards for Cybersecurity Whistleblowers
A cybersecurity qui tam whistleblower can be eligible for a large recovery when they report a government contractor that fails to follow required cybersecurity standards. But there are many pitfalls and obstacles to proving liability, and there are unique rules and procedures that govern qui tam whistleblower cases.
Therefore, it is critical to retain an experienced cybersecurity False Claims Act whistleblower lawyer to maximize your recovery. This FAQ provides an overview of some of the key aspects of False Claims Act claims.
- What is a qui tam whistleblower lawsuit?
- What types of false claims are prohibited by the False Claims Act?
- What is the first-to-file bar in False Claims Act qui tam cases?
- What is the requirement to file a False Claims Act qui tam action under seal?
- Are False Claims Act whistleblowers protected against retaliation?
- What is a reverse false claim?
- What is the statute of limitations for a False Claims Act qui tam action?
- What is the public disclosure bar in the False Claims Act?
- What is the original source exception to the public disclosure bar?
- What is materiality under the False Claims Act?
- What is “Scienter” Under the False Claims Act?
- Is a Violation of the Anti-Kickback Law Also a Violation of the False Claims Act?
- Does the False Claims Act Prohibit Bid-Rigging?
- Does the False Claims Act Prohibit Fraudulent Inducement of a Contract?
- Can a violation of Good Manufacturing Practices give rise to False Claims Act Liability?
- Is there a heightened pleading requirement for False Claims Act qui tam cases?
- Does the False Claims Act authorize treble damages?
- Must a False Claims Act qui tam relator have firsthand knowledge of all aspects of the fraud?
Whistleblower Retaliation Laws Protecting Cybersecurity Whistleblowers at Government Contractors and Grantees
Courageous whistleblowers that come forward to report fraud deserve robust protection against retaliation. Below is a list of common questions about key aspects of the anti-retaliation provisions of the False Claims Act and the Defense Contractor Whistleblower Protection Act.
- How does the NDAA whistleblower retaliation law protect whistleblowers at federal contractors and grantees?
- Must an NDAA Whistleblower Retaliation Plaintiff Prove a Subjective Belief of a Violation?
- What whistleblowing is protected under the False Claims Act anti-retaliation provision?
- Does the False Claims Act protect whistleblowers against retaliation?
- Is whistleblowing in the course of performing job duties protected under the False Claims Act?
- Is False Claims Act Whistleblower Protection Limited to Disclosures About the Whistleblower’s Employer?
- Does the participation of a supervisor with knowledge of protected whistleblowing in the decision to take an adverse personnel action prove knowledge under the False Claims Act whistleblower protection provision?
- Can a False Claims Act whistleblower retaliation plaintiff obtain double back pay (two times lost wages and benefits)?
- Are employees whose jobs require investigating fraud against the government required to meet a higher pleading standard?
- Are “duty speech” disclosures protected under the False Claims Act?
- What protections are available to federal contractor whistleblowers under the NDAA whistleblower protection law?
- Can False Claims Act whistleblowers use confidential documents to report fraud to the government?
- What is the purpose of the False Claims Act whistleblower protection provision?
- Does the False Claims Act protect a whistleblower who refuses to violate the Act?
- What laws prohibit defense contractors from retaliating against whistleblowers?
Cybersecurity False Claims Act Qui Tam Whistleblower Attorneys Representing Cybersecurity Whistleblowers Nationwide
The experienced whistleblower attorneys at leading whistleblower law firm Zuckerman Law have substantial experience representing whistleblowers disclosing fraud and other wrongdoing at government contractors and grantees. To schedule a confidential consultation, call us at 202-262-8959.
Our experience includes:
- Representing whistleblowers in NDAA retaliation claims before the Offices of Inspectors General of the Department of Defense, the Department of Homeland Security, and the Department of Justice.
- Litigating False Claims Act retaliation cases.
- Representing qui tam relators in False Claims Act cases.
- Representing whistleblowers disclosing fraud on the government in Congressional investigations.
- Training judges, senior Office of Inspector General officials, and federal law enforcement about whistleblower protections.
In addition, we have substantial experience representing whistleblowers under the Whistleblower Protection Act (WPA) and enforcing the WPA, the law that the NDAA whistleblower provisions are based upon. Two of the attorneys on our team served in senior positions at the U.S. Office of Special Counsel overseeing investigations of whistleblower retaliation claims and whistleblower disclosures.
Jason Zuckerman served as Senior Legal Advisor to the Special Counsel at OSC, where he worked on the implementation of the Whistleblower Protection Enhancement Act and several high-profile investigations, including a matter resulting in the removal of an Inspector General.
Before hiring a lawyer for a high-stakes whistleblower case, assess the lawyer’s reputation, prior experience representing whistleblowers, knowledge of whistleblower laws, and prior results. Also consider the experience of other whistleblowers who have worked with that attorney.
- U.S. News and Best Lawyers® have named Zuckerman Law a Tier 1 firm in Litigation – Labor and Employment in the Washington DC metropolitan area.
- Described by the National Law Journal as a “leading whistleblower attorney,” founding Principal Jason Zuckerman has established precedent under a wide range of whistleblower protection laws and obtained substantial compensation for his clients and recoveries for the government in whistleblower rewards and whistleblower retaliation cases. He served on the Department of Labor’s Whistleblower Protection Advisory Committee, which makes recommendations to the Secretary of Labor to improve OSHA’s administration of federal whistleblower protection laws. Zuckerman also served as Senior Legal Advisor to the Special Counsel at the U.S. Office of Special Counsel, the federal agency charged with protecting whistleblowers in the federal government. At OSC, he oversaw investigations of whistleblower claims and obtained corrective action or relief for whistleblowers.
- Matt Stock is a Certified Public Accountant, Certified Fraud Examiner and former KPMG external auditor. As an auditor, Stock developed an expertise in financial statement analysis and internal controls testing and fraud recognition. He uses his auditing experience to help whistleblowers investigate and disclose complex financial frauds to the government.
- Zuckerman was recognized by Washingtonian magazine as a “Top Whistleblower Lawyer” (2020, 2018, 2017, 2015, 2009, and 2007), selected by his peers to be included in The Best Lawyers in America® in the category of employment law (2011-2021) and in SuperLawyers in the category of labor and employment law (2012 and 2015-2021), is rated 10 out of 10 by Avvo, based largely on client reviews, and is rated AV Preeminent® by Martindale-Hubbell based on peer reviews.
- We have published extensively on whistleblower rights and protections, and speak nationwide at seminars and continuing legal education conferences. We blog about new developments under whistleblower retaliation and rewards laws at the Whistleblower Protection Law and SEC Awards Blog, and in 2019, the National Law Review awarded Zuckerman its “Go-To Thought Leadership Award” for his analysis of developments in whistleblower law.
- Our attorneys have been quoted by and published articles in leading business, accounting, and legal periodicals, including The Wall Street Journal, Forbes, CNBC, MarketWatch, Vox, Accounting Today, Going Concern, Law360 – Expert Analysis, Investopedia, The National Law Review, inSecurities, Government Accountability Project, S&P Global Market Intelligence, Risk & Compliance Magazine, The D&O Diary, The Compliance and Ethics Blog, Compliance Week and other printed and electronic media.