Government contractors and subcontractors could be hit with False Claims Act (FCA) violations if they are not complying with the strict cybersecurity requirements listed in the Federal Acquisition Regulations (FAR) and Defense FAR Supplement (DFARS).

In 2011, the Department of Defense (DOD) first proposed the regulation of sensitive national security information to protect it from hacking. These provisions have now been implemented and the Defense FAR Supplement requires contractors or subcontractors to provide security for sensitive, including unclassified, information they store, process, or transmit on their computers related to federal contracts.

The cybersecurity requirements also have expanded to civilian agency contracts beyond DOD. A cybersecurity clause added to the widely used FAR in 2016 obligates contractors to limit access to authorized users, update malicious code protection, conduct real-time scans of external files, and more.

Contractors must maintain compliance with the federal cybersecurity requirements or risk FCA lawsuits. So far, there have been two prominent FCA cases related to cybersecurity violations.

What is the False Claims Act (FCA)?

The FCA was established during the Civil War to prevent the sale of defective products to the Union army. The Act was revised in the 1980s and again in 2009-10. The revisions focused on the many problems involving government contractors. One provision of the FCA allows for citizens to come forward as whistleblowers with information about false claims made to the federal government in the sale of products or services. Whistleblowers are also afforded certain protections by the FCA and may be able to share in a portion of any government recovery

FCA Cybersecurity Cases

In May 2019, an FCA case was filed against Aerojet Rocketdyne after a whistleblower, who was a former employee, came forward with information alleging that Aerojet fraudulently obtained government contracts because the company knowingly did not meet the cybersecurity standards required to be granted a government contract, but continued to do business anyway.

Another FCA violation involves a different type of cybersecurity violation. In July 2019, Cisco Systems paid $8.6 million to resolve allegations that it sold video surveillance software to federal, state, and local governments that had several security flaws and easily allowed unauthorized access to the system. The lawsuit was also brought forward by a whistleblower former employee.

These cybersecurity related FCA cases are likely just the beginning of a new wave of cases and litigation against government contractors. Employees working for companies that contract with the government should be on the lookout for non-compliance with cybersecurity requirements. If you have information about cybersecurity violations, you may qualify to be a whistleblower.

Contact Baron & Budd

Baron & Budd’s experienced whistleblower representation team has helped numerous whistleblowers achieve a successful resolution in a wide variety of cases under state and federal law. With over 30 years of experience in qui tam cases, our attorneys can explain your legal options and help you file a case if you have the evidence needed to pursue a lawsuit. Please call (866) 845-2164 or contact us online if you want to report cybersecurity fraud.