False Claims Act And Cybersecurity: A Survival Guide For Federal Contractors Facing New Frontiers
- Ken Larson
“FEDERAL NEWS NETWORK” By Ji Won Kim
_________________________________________________________________________________
“As the sea of cybersecurity laws and regulations expands and the enforcers remain on high alert, the False Claims Act (FCA) presents yet another formidable cybersecurity challenge to navigate. A creation from the American Civil War era, the FCA provides a mechanism for the United States to pursue claims against any person who knowingly submits, or causes to be submitted, false claims to the government. Many states have equivalent counterparts as well. In addition to the government itself, private citizens can file qui tam suits on behalf of the government and receive a portion of the government’s recovery if successful. As a result, the Justice Department boasts FCA enforcement numbers shattering records year after year. In the fiscal year ending in September 2024, DoJ saw over $2.9 billion in FCA settlements and judgments and a record-setting 979 qui tam lawsuits filed by whistleblowers.
What is happening
Such robust enforcement is possible due to the availability of treble damages under the FCA as well as the ever-expanding sphere of frauds investigated and litigated under the FCA. The better-known examples include alleged violations involving federal healthcare programs, military procurement and pandemic financial assistance programs. The newest additions to the list are the Cross-Agency Trade Fraud Task Force announced in August 2025 to bring actions under the FCA for violations of customs laws and the DoJ’s establishment of the Civil Rights Fraud Initiative in May 2025 to use the FCA to pursue claims involving violations of federal civil rights laws. These come after the Biden administration’s Civil Cyber-Fraud Initiative from October 2021, which sought to hold government contractors and grant recipients accountable for making false claims or misrepresentations to the government about their cybersecurity practices.
Since the Civil Cyber-Fraud Initiative’s inception, the DoJ has pursued and settled several cybersecurity fraud cases against organizations across a wide range of industries, often resulting in multi-million dollar resolutions. Based on the enforcement actions to date, failure to adhere to cybersecurity protocols set forth by government contracts, industry standards (e.g., the National Institute of Standards and Technology or the International Organization for Standards), and/or applicable regulations exposes organizations to FCA risk. The types of cybersecurity practices in question are broad and could even include the lack of adequate product security design and development. Although a data breach involving sensitive health information makes frequent appearances, a data breach is not a necessary trigger of FCA investigations.
Scrutiny is not limited to the industries traditionally associated with FCA activity, like healthcare and defense, either. In fact, a series of higher education and research institutions, consulting and technology companies, and even a private equity firm (albeit one investing in a defense contractor) have all faced FCA enforcement actions in recent years.
Despite the administration change, the trend to broadly utilize the FCA across disciplines, including cybersecurity, appears set for a smooth sail. Notably, the DoJ, along with various federal and state regulators, continues to impose additional cybersecurity requirements and build up its cybersecurity expert bench. Its criminal division expressed its focus on “[w]aste, fraud, and abuse, including health care fraud and federal program and procurement fraud that harm the public fisc” as a priority in May 2025. The current administration’s general emphasis on national security also increases the likelihood that the government will continue relying on FCA enforcement actions as a tool to advance cybersecurity.
What to do
Traversing the latest cybersecurity risk landscape is no easy feat, especially without a close collaboration among pertinent stakeholders. The stakeholders here may include the usual suspects — cybersecurity, IT, legal and executive leaders — alongside other relevant subject matter experts, such as human resources and marketing, just to name a few. For instance, coordination between cybersecurity and legal is key to help ensure that existing cybersecurity controls are accurately reflected in applicable certification materials or contracts. Other stakeholders may be brought in as the organization considers additional internal and external communication making representations about the cybersecurity posture of the organization. Where implementation of additional cybersecurity measures might be required, alignment across stakeholders to clearly establish the precise obligations and timeline and allocate appropriate resources enables the whole organization to succeed.
The first step on that alignment path is to open a line of communication for regular updates and to develop a repeatable process for identifying and managing cybersecurity action items identified from onboarding to offboarding a contractual relationship. This process is applicable not only for the initiation of a new government contract (with the government entity itself or its contractors who may impose flow-down requirements), but also for the continuous monitoring and maintenance of the arrangement. Furthermore, the same coordination strategy applies in managing third-party providers that contribute to the organization’s performance of government contracts/subcontracts. Engagement of external advisors can provide additional support to bridge the gap and translate observations into action items for each party.
Improved visibility over potential cybersecurity risks also fosters a transparent environment, creating a culture where employees are empowered to raise cybersecurity concerns confidently. Facilitating escalation of cybersecurity issues through established procedures and investing in resources to properly investigate those issues reduce the likelihood of surprise whistleblower complaints and subsequent government investigations. Having an up-to-date understanding of the current cybersecurity practices and areas for improvement, with plans to remediate, equips each organization to readily address potential complaints and accompanying risks. Organizations with a thorough understanding of the latest cybersecurity challenges inside and outside the organization can promptly respond to government requests for information and seek cooperation credit as appropriate. External advisors (especially those with intimate knowledge of the organization’s cybersecurity posture through proactive assessments and incident response processes and experiences) can offer guidance on prioritizing key risks based on the existing cybersecurity threat landscape and the applicable enforcement climate as complaints may arise.”
ABOUT THE AUTHOR:

Ji Won Kim is a partner at Norton Rose Fulbright.