Complying with information security and data privacy requirements is a fundamental duty of government contractors and grantees and is vital for the protection of government data. Cybersecurity professionals are often the first to identify non-compliance with these requirements.
Federal whistleblower laws protect cybersecurity whistleblowers at government contractors and grantees, including the Defense Contractor Whistleblower Protection Act, False Claims Act, and NDAA Whistleblower Protection Law.
To schedule a confidential consultation with our cybersecurity whistleblower lawyers, call us at 202-262-8959.
On October 6, 2021, the Department of Justice launched a Civil Cyber-Fraud Initiative, to combat new and emerging cyber threats to the security of sensitive information and critical systems. Deputy Attorney General Monaco announced the purpose of the initiative: “We are announcing today that we will use our civil enforcement tools to pursue companies, those who are government contractors who receive federal funds, when they fail to follow required cybersecurity standards — because we know that puts all of us at risk. This is a tool that we have to ensure that taxpayer dollars are used appropriately and guard the public fisc and public trust.”
The Civil Cyber-Fraud Initiative will utilize the False Claims Act to pursue cybersecurity-related fraud by government contractors and grant recipients. The benefits of the initiative will include:
The FY 2022 appropriations law includes a cyber reporting provision that requires companies in critical infrastructure (as defined in Presidential Policy Directive 21) to report a covered cyber incident within 72 hours to the Cybersecurity and Infrastructure Security Agency.
The Federal Information Security Management Act (“FISMA”) creates information security requirements for federal agencies to minimize risk to the U.S. government’s data. FISMA also applies these requirements to state agencies administering federal programs and private businesses contracting with the federal government. Federal acquisition regulations codify the cybersecurity and data privacy requirements applicable to federal contractors. E.g., 48 C.F.R. §§ 252.204-7008, 7012 (providing for cybersecurity standards in contracts with the U.S. Department of Defense); 48 C.F.R. § 52.204-21 (outlining basic procedures for contractors to safeguard information processed, stored, or transmitted under a federal contract).
Pursuant to the FISMA Implementation Project, the National Institute of Standards and Technology (“NIST”) produces security standards and guidelines to ensure compliance with FISMA. Key principles of FISMA compliance include a systemic approach to the data that results in baseline controls, a risk assessment procedure to refine controls, and implementation of controls. A security plan must document the controls. Those managing the information must also assess the controls’ effectiveness. NIST also focuses its standards on determining enterprise risk, information system authorization, and ongoing monitoring of security controls.
Essential standards established by NIST include FIPS 199, FIPS 200, and the NIST 800 series. Core FISMA requirements include:
The NIST Framework includes “a set of cybersecurity activities, outcomes and informative references that are common across sectors and critical infrastructure” and is designed to “help an organization align and prioritize cybersecurity activities with its business/mission requirements, risk tolerances and resources.” NIST Special Publication 800-53 Revision 4, Security and Privacy Controls for Federal Information Systems and Organizations (NIST 800-53).
In addition to generally applicable standards, individual contracts may create other cybersecurity or data privacy requirements for a government contractor. Such requirements are prevalent when the contractor provides information security products or services for the government.
Federal law contains whistleblower protection provisions that may prohibit employers from retaliating against whistleblowers who report cybersecurity or data privacy concerns. See Defense Contractor Whistleblower Protection Act, 10 U.S.C. § 4701; False Claims Act, 31 U.S.C. § 3730(h); NDAA Whistleblower Protection Law, 41 U.S.C. § 4712. These laws protect a broad range of conduct.
Protected conduct under these laws includes:
These provisions have wide coverage. They protect any employee of any private sector employer that is a contractor or grantee of the federal government. In some cases, even the employer’s contractors and agents are protected.
An employer’s non-compliance with information security requirements could breach the employer’s contractual obligations to the federal government and violate federal law and regulation. Thus, whistleblowers who report cybersecurity or data privacy concerns related to a federal contract or grant may be protected from employment retaliation.
Exact requirements vary, but an employee typically establishes unlawful retaliation by proving that (1) the employee engaged in conduct that is protected by statute, and (2) the protected conduct to some degree caused a negative employment action. See, e.g., 10 U.S.C. § 4701 (incorporating burden of proof from 5 U.S.C. § 1221(e)); 41 U.S.C. § 4712(c)(6) (same); 31 U.S.C. § 3730(h)(1).
Under some of the applicable protections, an employee need prove only that the protected conduct played any role whatsoever in the employer’s decision to take the challenged employment action. See 10 U.S.C. § 4701; 41 U.S.C. § 4712.
Recently, a jury awarded a defense contractor whistleblower $1 million in compensatory damages. According to the jury, the whistleblower proved that the employer more likely than not retaliated by demoting him after he reported issues with tests related to a federal contract. Specifically, the whistleblower alleged he reported and opposed management’s directive to misrepresent the completion status of testing procedures.
In a recent case under the False Claims Act, a whistleblower received more than $2.5 million for retaliation she suffered after internally reporting off-label promotion of a drug outside its FDA-approved use. The False Claims Act protects employees who blow the whistle on fraud against the government from retaliation, including those who blow the whistle internally to a government contractor or grantee.
Qui Tam Award Amount | Violations | Date | DOJ Press Release or Media Coverage |
---|---|---|---|
$8.6M | Qui tam relator Glenn alleged that Cisco sold flawed video surveillance gear to government agencies. According to the complaint, the video surveillance product was "riddled with serious security defects." | July 31, 2019 | Cisco whistleblower cybersecurity case brought by Phillips & Cohen settles for $8.6M |
$930,000 | Comprehensive Health Services, LLC agreed to pay $930,000 to resolve allegations that it violated the False Claims Act by falsely representing to the State Department and the Air Force that it complied with contract requirements relating to the provision of medical services at State Department and Air Force facilities in Iraq and Afghanistan. The United States alleged that, between 2012 and 2019, CHS failed to disclose to the State Department that it had not consistently stored patients’ medical records on a secure EMR system. | March 8, 2022 | Contractor Pays $930,000 to Settle False Claims Act Allegations Relating to Medical Services Contracts at State Department and Air Force Facilities in Iraq and Afghanistan |
Yes. Judges and juries have applied these laws to protect cybersecurity whistleblowers.
For example, in United States ex rel. Glenn v. Cisco Systems, Inc., defendant Cisco Systems settled for $8.6 million in what is likely the first successful cybersecurity case brought under the False Claims Act. The plaintiff/relator James Glenn worked for Cisco and internally reported serious cybersecurity deficiencies in a video surveillance system, soon after which he was fired. Cisco had sold the surveillance systems to various federal government entities, including the Department of Homeland Security, FEMA, the Secret Service, NASA, and all branches of the military. After monitoring Cisco’s public pronouncements regarding the system and confirming the company had not solved the problems or reported vulnerabilities to customers, Glenn contacted the FBI. Multiple states joined in the complaint and brought claims under state laws.
While the case did not proceed to litigation, Glenn received nearly $2 million of the settlement, and the federal government’s attention to the issue proves that cybersecurity and data privacy are of utmost importance.
Surely, as more of our lives and businesses move online, the government will place increased importance on contractors and grantees following data security and privacy requirements and disclosing known vulnerabilities. Cybersecurity whistleblowers working for government contractors play an important part in revealing these vulnerabilities and keeping the federal government secure. Still, these whistleblowers may experience retaliation after blowing the whistle internally at their place of work.
As discussed in a Department of Justice Statement of Interest in United States ex rel. Brian Markus v. Aerojet Rocketdyne Holdings, Inc., “[i]t is well settled that when a contract is obtained through false statements or fraudulent conduct, FCA liability attaches to each claim submitted to the government under the contract.” See United States ex rel. Hendow v. Univ. of Phoenix, 461 F.3d 1166, 1173 (9th Cir. 2006) (citing United States ex rel. Marcus v. Hess, 317 U.S. 537, 542 (1943)). “Each claim submitted to the government under a contract which was procured by such fraud is false even if false representations were not made on the claim itself.” United States ex rel. Campie v. Gilead Scis., Inc., 862 F.3d 890, 904 (9th Cir. 2017); United States ex rel. Bettis v. Odebrecht Contractors of Cal., Inc., 393 F.3d 1321, 1326 (D.C. Cir. 2005) (a contractor is liable “for each claim submitted to the Government under a contract which was procured by fraud, even in the absence of evidence that the claims were fraudulent in themselves.”). Therefore, false representations about cybersecurity compliance are material and can give rise to FCA liability.
DOJ Statement of Interest in Aerojet

To schedule a consultation, call us at 202-262-8959.
Therefore, it is critical to retain an experienced cybersecurity False Claims Act whistleblower lawyer to maximize your recovery. This FAQ provides an overview of some of the key aspects of False Claims Act claims.
Courageous whistleblowers that come forward to report fraud deserve robust protection against retaliation. Below is a list of common questions about key aspects of the anti-retaliation provisions of the False Claims Act and the Defense Contractor Whistleblower Protection Act.
The experienced whistleblower attorneys at leading whistleblower law firm Zuckerman Law have substantial experience representing whistleblowers disclosing fraud and other wrongdoing at government contractors and grantees. To schedule a confidential consultation, click here or call us at 202-262-8959.
Our experience includes:
In addition, we have substantial experience representing whistleblowers under the Whistleblower Protection Act (WPA) and enforcing the WPA, the law that the NDAA whistleblower provisions are based upon. Two of the attorneys on our team served in senior positions at the U.S. Office of Special Counsel overseeing investigations of whistleblower retaliation claims and whistleblower disclosures.
Jason Zuckerman served as Senior Legal Advisor to the Special Counsel at OSC, where he worked on the implementation of the Whistleblower Protection Enhancement Act and several high-profile investigations, including a matter resulting in the removal of an Inspector General.
Before hiring a lawyer for a high-stakes whistleblower case, assess the lawyer’s reputation, prior experience representing whistleblowers, knowledge of whistleblower laws and prior results. And consider the experience of other whistleblowers working with that attorney. See our client testimonials by clicking here.