We have been tracking and reporting on the U.S. Department of Justice’s Civil Cyber-Fraud Initiative (“CCF Initiative”), which U.S. Deputy Attorney General Lisa O. Monaco announced in October 2021. The CCF Initiative employs the powerful False Claims Act (“FCA”) in an effort to “hold accountable entities or individuals that put U.S. information or systems at risk by knowingly providing deficient cybersecurity products or services, knowingly misrepresenting their cybersecurity practices or protocols or knowingly violating obligations to monitor and report cybersecurity incidents and breaches.” We previously offered insight into the first two FCA enforcement actions brought under this initiative. There was a third. And now, there’s a fourth.
The DOJ recently announced a settlement with Verizon Business Network Services LLC (“Verizon”), a wholly owned subsidiary of Verizon Communications, Inc., whereby Verizon agreed to pay $4,091,317 to resolve cybersecurity related FCA claims. Of that amount, $2,727,545 constituted restitution, and thus, the company paid a multiplier penalty as well (the FCA allows for treble damages plus substantial additional civil penalties for each false claim; impacted agencies have separate suspension and debarment authority as well). Verizon clearly earned a significant reduction in the multiplier penalty (which amounted to less than 2x here) because of its disclosure, cooperation and remediation efforts. Indeed, the settlement agreement contained conspicuous provisions spelling out Verizon’s disclosure, cooperation and remediation efforts, no doubt purposeful inserts to promote the incentive provisions contained in the Federal Acquisition Regulations and the FCA (see 31 U.S.C. § 3729(a)(2)), all consistent with DOJ’s well-publicized and related efforts to entice corporate cooperation in criminal matters as well.
The claims mirror DOJ’s prior enforcement actions, in that they focus on alleged shortcomings in cybersecurity. Verizon had been awarded contracts with the U.S. General Services Administration (“GSA”) to provide various telecommunications services, including Managed Trusted Protocol Service (“MTIPS”), to federal agencies. MTIPS is designed to provide federal agencies with a secure means to connect to the internet. Verizon’s contracts with GSA obligated Verizon to comply with all Critical Capabilities specified in the then-applicable version of the U.S. Department of Homeland Security’s Trusted Internet Connections Reference Architecture Document, v2.2 (the current version is v3.0). DOJ alleged that for the period October 2017 to August 2021, Verizon “failed to completely satisfy for its MTIPS solution the following three TIC 2.2 critical controls required by the GSA Contracts:”
- TIC 2.2 architecture critical requirement TS.CS.13: DNS Security Extension;
- TIC 2.2 architecture critical requirement TM.DS.01: Performing real-time header and content capture of all inbound and outbound traffic with the storage capacity to retain at least 24 hours of data generated at full TIC operating capacity (Full Packet Capture); and
- TIC 2.2 architecture critical requirement TS.RA.01: Certain encryption requirements to Federal Information Processing Standards, 140-2 standards (Customer Edge).
What may have been viewed as a breach of contract action in the past has now shifted to the FCA realm. In announcing the settlement, which was handled out of DOJ’s Commercial Litigation Branch, DOJ reiterated the CCF Initiative’s objectives, stating “[w]e will continue to pursue knowing cybersecurity related violations under the Department’s Civil Cyber-Fraud Initiative.” In a nod to its broader enticement of corporate cooperation efforts, DOJ added that it will “provide credit in settlements to government contractors that disclose misconduct, cooperate with pending investigations and take remedial measures…”
As mentioned above, this is now the fourth known FCA enforcement settlement as part of the CCF Initiative. These cases highlight the increased FCA risk that cybersecurity compliance poses for U.S. government contractors and subcontractors, including claims arising out of the failure to deter and prevent even criminal data intrusion and theft. In other words, even victims of crime and their contractors are potentially exposed.
Now is the time, if not already, for contractors to engage with counsel to understand their cybersecurity obligations on existing and future U.S. government contracts and subcontracts (e.g. rapid reporting (currently within 72 hours of discovery) of any cyber incident under U.S. Department of Defense contracts or subcontracts), train employees, implement information security controls such as access and network restrictions, invest in and ensure regular compliance with upgrades, patches and maintenance, devise incident response plans and ransom strategies and operationalize internal whistleblowing. And, when a cyber incident occurs, companies need to consider any FAR and/or agency FAR supplemental clause disclosure requirements in addition to any other Federal and state cyber incident reporting requirements. As previously stated, “more are expected.”