CIVIL FALSE CLAIMS ACT: Cybersecurity Compliance: Is It the Next FCA Battleground?

By: Douglas W. Baruch, John T. Boese, Jennifer M. Wollenberg, Kayla Stachniak Kaplan

Companies across the country confront cybersecurity challenges on a daily basis. Chief information officers worry about their systems being hacked. Executives worry about technology theft. Human resources managers worry about privacy breaches. But beyond these routine concerns, many companies doing business with the government – particularly those in the aerospace, defense, healthcare, and information technology sectors – also have to add cybersecurity compliance to their worry lists.

In recent years, federal agencies have been imposing specific cybersecurity obligations on their contractors. For instance, the Department of Defense has been issuing and amending cybersecurity regulations pertaining to unclassified information used by “nonfederal systems and organizations.” See 48 C.F.R. § 252.204-7012 (2013); 48 C.F.R. § 252.204-7012 (Aug. 2015); 48 C.F.R. § 252.204-7012 (Dec. 2015); 48 C.F.R. § 252.204-7012 (Oct. 2016). And the Department of Health and Human Services began incentivizing the gradual transition to electronic health records, with attendant security features, in 2009 with the Health Information Technology for Economic and Clinical Health Act (the “HITECH Act”). As a result, not only are agencies awarding contracts for cyberspace support, but they are also adopting cybersecurity regulations aimed at controlling the information developed and exchanged under a wide variety of government programs and contracts, including unclassified information used by government contractors. See U.S. Dep't of Commerce, NIST Special Publication 800-171, Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations (2015).

It should come as no surprise, therefore, that cybersecurity compliance itself is fertile ground for False Claims Act enforcement, especially by qui tam relators. Three fairly recent FCA cases likely are harbingers of more FCA cybersecurity litigation to come.
