As has been widely reported, the Department of Justice (DOJ) launched its new Civil Cyber-Fraud Initiative on October 6, targeting entities that fail to follow cybersecurity-related contract requirements. Despite these widespread reports, an entire category of prime enforcement targets—universities and research institutions—remains oblivious to the rising danger they face.
Under the Initiative, DOJ will aggressively enforce cybersecurity compliance using the False Claims Act (“FCA”), and will hold entities accountable for knowingly (1) providing deficient cybersecurity products or services; (2) misrepresenting cybersecurity practices; or (3) violating obligations to monitor and report cybersecurity incidents and breaches. In short, this regulation requires entities contracting with the federal government to maintain certain security controls to protect covered information systems. The government has used the FCA to prosecute cybersecurity breaches in the past; however, under this new initiative, many unsuspecting entities will find themselves in the crosshairs—most notably, universities and other research institutions, who cannot afford to turn a blind eye to the risks associated with partnering with the government and/or using protected data to further research goals.
This new initiative and its implications come as little surprise to defense contractors and technology firms that maintain protected government information, as these entities are familiar targets for DOJ’s cybersecurity policing efforts. For instance, in 2019, Cisco Systems agreed to pay $8.6 million to resolve federal and state government claims related to purported misrepresentations regarding compliance with government cybersecurity requirements. The whistleblower suit alleged that Cisco knowingly sold video monitoring technology to the Federal Government, eighteen states, and the District of Columbia, which contained security flaws enabling a potential user to gain unauthorized access to federal agencies’ entire networks, among other serious issues. The suit also alleged that Cisco withheld information regarding the cybersecurity flaw from several federal and state agencies that purchased the technology at issue.
Also in 2019, a qui tam suit alleged that Aerojet Rocketdyne Holdings made false certifications to the government about compliance with DFARS provisions requiring certain minimum cybersecurity standards. The court denied a motion to dismiss, finding that the relator had plausibly pled that Aerojet’s failure to disclose its noncompliance with applicable regulations was material to the federal government’s decision to award Aerojet the contract.
While defense contractors may be aware of the applicable Federal Acquisition Regulation provision (FAR 52.204-21) and the related enhanced requirements set out in DFARS 252.204-7012, other entities—particularly academic institutions receiving federal grant funds—may be less familiar with the regulatory landscape. Under the Cyber-Fraud Initiative, however, lack of compliance could have staggering consequences for universities or other institutions that have not implemented adequate cybersecurity controls and reporting protocols. Any institution that maintains sensitive or protected information should carefully consider the kinds of data it maintains and/or accesses, and the efficacy of its related security processes and protocols in light of federal regulations.
Academic and research institutions are often repositories of myriad types of sensitive information and confidential data that could represent an enforcement risk if inadequately safeguarded or mishandled. Protected health information and medical data, intellectual property, and sensitive national security information are all maintained by public and private institutions engaging in various kinds of research for, or in partnership with, the federal government.
Traditionally, “hackers” are viewed as the primary cybersecurity threat. However, security breaches, and their associated civil and criminal exposure under the FCA, are not solely the province of external malicious actors. Threats may also come from within an institution. For example, earlier this year, private-sector researcher and Ph.D chemist Xiaorong You was convicted of possession of stolen trade secrets and economic espionage, among other charges, after she stole valuable trade secrets related to chemical formulations with the intention of creating similar products at a new company in China. She received millions of dollars in Chinese government grants to support the new company.
While the above instance is an individual criminal case, institutions associated with these rogue or careless actors are implicated in situations wherein they have contracted with the federal government and or received federal funds supporting the research. A professor may steal trade secrets in the form of governmental intellectual property or other data maintained in an academic institution’s online systems, and, under this new enforcement initiative, the institution may be civilly liable under the FCA if its cybersecurity systems were not compliant with applicable regulations or if it failed to timely report the breach. A massive data breach at a university exposes not only student and faculty personal identifiable information, but also data related to federal grants. Moreover, because the FCA is DOJ’s enforcement sledgehammer, if the university’s cybersecurity systems were non-compliant or it failed to timely report the breach, the university is not simply in breach of contract; rather, it now faces treble damages and penalties of up to $23,331 per violation.
Liability under the FCA is serious business, but there are ways to reduce potential exposure if and when a cybersecurity issue arises. Institutions should ensure that they have robust internal controls in place, as well as documentation of those controls and any associated certifications. Awareness of cybersecurity threats should not be siloed within the information technology department or limited to key personnel. Cybersecurity guidance should be widely distributed and training mandated for anyone at an institution who has, or could have, access to sensitive information. Furthermore, institutions should consider creating or strengthening internal reporting protocols to ensure that any relevant concerns are appropriately elevated and addressed.
Awareness and preparation are key; nevertheless, cybersecurity incidents are becoming more common every year. All institutions that maintain sensitive information and contract with the government should ensure that they have a clear external reporting protocol in place so that any cybersecurity issues are reported in a timely manner to the appropriate authority.
With the costs of non-compliance rising ever higher, institutions should consider engaging outside counsel with any questions regarding compliance with applicable federal regulations.
Michael Shaheen “ Michael Shaheen is a partner in the White Collar & Regulatory Enforcement and Health Care groups in the Washington, D.C. office of Crowell & Moring. His practice focuses on federal litigation, investigations, and enforcement actions. Before joining Crowell & Moring, Michael served as a Trial Attorney with the Fraud Section of the Department of Justice (DOJ), where his work primarily involved investigating and prosecuting False Claims Act matters.
Sarah Bartle “ Sarah Bartle is a counsel in Crowell & Moring’s White Collar & Regulatory Enforcement Group and a member of the firm’s Investigations Practice. Sarah represents a wide variety of corporate clients and individuals in all phases of high-profile criminal matters and regulatory enforcement actions, including Department of Justice and Inspector General investigations and litigation related to alleged fraud and violations of the Foreign Corrupt Practices Act and the False Claims Act.
Gabrielle Trujillo “ Gabrielle Trujillo is an associate in Crowell & Moring’s Los Angeles office and is a member of the firm’s Government Contracts and White Collar and Regulatory Enforcement groups.
More from UB