The Department of Justice's Civil Cyber-Fraud Initiative and Its Impact on the False Claims Act.

• Author: Martin, Kim Bessiere

ON October 6, 2021, The Department of Justice ("DOJ") announced the launch of the Civil Cyber-Fraud Initiative (the "CCFI"), which is designed to combat emerging cyber threats to the security of sensitive information through the use of civil fraud enforcement tools. This initiative proposes to use civil enforcement tools to pursue government contractors who receive federal funds in the event that those contractors fail to meet required cybersecurity standards. The DOJ developed the CCFI as a result of its review of cyber threats with a focus on developing recommendations to combat those threats. At the time of its announcement, Deputy Attorney General Lisa O. Monaco stated that the use of civil enforcement tools was intended to "ensure that taxpayer dollars are used appropriately," as well as to combat the "mistaken belief that it is less risky to hide a breach than to bring it forward and to report it...." (1)

The Initiative relies on the False Claims Act ("FCA") (2) to pursue cybersecurity-related fraud by government contractors, grant recipients, and other entities which rely upon federal funding. The FCA, addressed in more detail below, is the main vehicle by which the government addresses false claims for federal funds. In its launch of the CCFI, the DOJ highlighted the FCA's whistleblower provisions, which allow for a private party who successfully brings forward instances of fraudulent conduct to share in any recovery by the government. The DOJ anticipates that the Initiative will "hold accountable entities or individuals that put U.S. information or systems at risk by knowingly providing deficient cybersecurity products or services, knowingly misrepresenting their cybersecurity practices or protocols, or knowingly violating obligations to monitor and report cybersecurity incidents and breaches." The DOJ's use of the FCA as a part of its initiative to combat cyber-threats adds another layer of complexity to an already challenging landscape for companies navigating cybersecurity issues. This article provides an overview of the FCA and discusses recent use in the context of cybersecurity issues.

1. The False Claims Act

   The FCA imposes treble damages and a civil penalty from $12,537 to $25,076 per claim (3) on anyone who knowingly submits or causes the submission of a false or fraudulent claim payable by the United States government or related entities. (4) In particular, the government has a civil cause of action against any person or entity who:

   knowingly presents, or causes to be presented, a false or fraudulent claim for payment or approval; (5) knowingly makes, uses, or causes to be made or used, a false record or statement material to a false or fraudulent claim; (6) has possession, custody, or control of property or money used, or to be used, by the Government and knowingly delivers, or causes to be delivered, less than all of that money or property; (7) knowingly makes, uses, or causes to be made or used, a false record or statement material to an obligation to pay or transmit money or property to the Government, or knowingly conceals or knowingly and improperly avoids or decreases an obligation to pay or transmit money or property to the Government[;] (8) or conspires to commit [one of these violations]. (9) Claims for violation of the FCA can be brought by the government or as qui tam actions on the government's behalf by a private individual, known as a relator. (10) Suits brought by relators are often called "whistleblower" suits, and provisions applying to whistleblowers will be discussed in more detail below.

   1. Elements

   To state a claim under the FCA, the government generally must make at least four showings by a preponderance of the evidence. (11) First, the government must establish the existence of a claim actionable under the FCA. Second, the government must establish that the claim was false, either factually or legally. Third, the government must demonstrate that the falsity was material to the payment of the claim. Finally, the government must establish that the defendant acted with knowledge of the falsity. The following sections provide a brief overview of each requirement for FCA liability.

   i. Claim

   The submission of a claim is "the sine qua non of a False Claims Act violation." (12) The FCA broadly defines "claim" as "any request or demand ... for money or property whether or not the United States has title to the money or property" either (a) "presented to an officer, employee or agent of the United States" or (b) "made to a contractor, grantee or other recipient, if the money or property is to be spent or used on the Government's behalf or to advance a Government program or interest" and the government has provided or will reimburse for any portion of the money or property requested. (13) Entities that routinely receive payment through government programs or contracts--namely government contractors, health care suppliers and providers and financial services companies--are the most likely to find themselves targets of an FCA claim or investigation.

   ii. Falsity

   To establish a violation of the FCA, the government must show the existence of a "false or fraudulent claim." (14) A claim may be considered false under the FCA if it is factually or legally false. (15) The factually false claim is one "in which a contractor or other claimant submits information that is untrue on its face." (16) A factually false claim generally involves "an incorrect description of goods or services provided or a request for reimbursement for goods or services never provided." (17)

   In contrast, a legally false claim or certification is one that is "predicated upon a false representation of compliance with a federal statute or regulation or a prescribed contractual term." (18) Courts further divide legally false claims into those claims made legally false by an "express certification" and those claims made legally false by an "implied certification." (19) In an express false certification claim, the claim "falsely certifies compliance with a particular statute, regulation or contractual term, where compliance is a prerequisite to payment." (20) False certification claims based on broad and vague certifications of compliance with law may be found insufficient to give rise to FCA liability. (21)

   An implied false certification claim "is based on the notion that the act of submitting a claim for reimbursement itself implies compliance with governing federal rules that are a precondition to payment." (22) The United States Supreme Court clarified this theory of FCA liability in 2016 in Universal Health Services v. United States...