Since the Department of Justice (DOJ) started promoting its initiative on cyber security reporting, there have been several settlements related to cyber security noncompliance, four of which involve Government contractors.
DOJ’s initiative (announced in October 2021 as the Civil Cyber-Fraud Initiative) is to pursue cyber security related fraud through the False Claims Act when Government contractors or subcontractors knowingly fail to comply with the cyber security requirements of their contracts, knowingly misrepresent their compliance, or fail to report cyber incidents as required. (See Redstone GCI’s blog: Department of Justice Initiative on Cyber Security Incident Reporting)
DOJ Settlements with Contractors
DOJ settled with Comprehensive Health Services LLC (CHS) on February 28, 2022, in the amount of $930,000 to resolve allegations that it violated the False Claims Act by falsely representing to the State Department and the Air Force that it complied with the cyber security requirements of its federal contracts. The matter arose from two separate qui tam suits filed by employees alleging multiple contractual noncompliances, including, but not limited to, failing to adequately secure medical records in a HIPAA compliant electronic medical records system and failing to disclose known HIPAA breaches.
DOJ settled with Aerojet Rocketdyne in 2022 for $9 million to resolve alleged cyber security fraud under the False Claims Act. The case began with an employee who was allegedly terminated after the company asked him to misrepresent its compliance with contractual cyber security requirements to the Government. The employee then filed a qui tam suit alleging cyber security fraud under the False Claims Act. (See Redstone’s blog: DOJ settles Cybersecurity Related False Claims Act for $9M)
Jelly Bean Communications Design settled under the False Claims Act in March 2023 for $293,771 after failing to provide the HIPAA compliant data hosting website its contract required. Jelly Bean failed to properly maintain, patch, and update its software systems. The noncompliance came to light only after an external hack of the system triggered an investigation.
DOJ Settlement Based on Verizon’s Self Disclosure
On September 2, 2023, DOJ settled with Verizon Business Network Services in the amount of $4.1 million. This settlement did not result from a Government audit or from an employee filing a qui tam suit; it resulted from Verizon’s own written self-disclosure to the General Services Administration (GSA) Office of Inspector General.
According to the settlement agreement, Verizon held three GSA contracts to provide telecommunications services, including Managed Trusted Internet Protocol Service (MTIPS), to federal agencies. The nature of the service required compliance with the Critical Capabilities in the Department of Homeland Security’s Trusted Internet Connections architecture document. From 2017 through 2021, Verizon did not completely satisfy three required cyber security controls under those GSA contracts. Verizon initiated an independent investigation and compliance review of the issues and provided a written self-disclosure of the issues to the GSA Office of Inspector General.
Is it a Good Thing to Self-Disclose?
At least DOJ thinks so. The DOJ under their initiative stated, “For too long, companies have chosen silence under the mistaken belief that it is less risky to hide a breach than to bring it forward and to report it.”
The Government includes FAR 52.203-13, Contractor Code of Business Ethics and Conduct, in prime contracts that exceed $6 million. The clause requires a contractor to timely disclose in writing to the agency Office of the Inspector General (OIG), with a copy to the Contracting Officer, whenever, in connection with the award or performance of a contract or subcontract, the contractor has credible evidence that a principal, employee, agent, or subcontractor has committed a violation of:
- federal criminal law involving fraud, conflict of interest, bribery, or gratuity violations found in Title 18 of the United States Code; or
- the civil False Claims Act (31 U.S.C. 3729-3733).
To incentivize companies to disclose misconduct and cooperate with Government investigations when there is a False Claims Act violation, DOJ announced its “cooperation credit” guidelines in May 2019; they are set out in the Justice Manual at § 4-4.112. Cooperation credit can be earned by companies that voluntarily disclose misconduct to the Government, cooperate in the Government’s investigation, or take steps to remedy the violation. The value of the credit varies with the facts and circumstances of each case and usually takes the form of DOJ reducing the penalties or the damages multiplier it would otherwise seek.
Did Verizon Receive Cooperation Credit?
The settlement agreement states that Verizon received credit under DOJ’s guidelines for self-disclosing, performing an internal review, and cooperating with the Government’s investigation, but the exact amount of the cooperation credit is not disclosed. Some sense of its value can be inferred, however: the False Claims Act generally provides for treble damages (reduced to double damages in certain self-disclosure cases) plus per-claim penalties, while Verizon’s settlement amount was only about 1.5 times the Government’s damages.
What Should a Company Do?
Redstone GCI recommends that companies ensure their cyber security controls comply with the terms and clauses of their contracts, and that their self-assessments and third-party assessments are accurate. The size of the contract does not matter under DOJ’s initiative, as the Jelly Bean settlement shows. If management becomes aware that the company is not complying with the cyber security requirements of a contract or subcontract, or that an internal or external security assessment was inadequate, the company is exposed to civil and possibly criminal liability. FAR 52.203-13 already requires a contractor to disclose credible evidence of a False Claims Act violation; beyond that, a company that finds a cyber security noncompliance should weigh self-disclosure, which allows it to seek cooperation credit, against the possibility that an employee files a qui tam suit first, in which case no such credit is available. As several of the False Claims Act settlements above show, it only takes one unhappy employee to file a qui tam suit.
Redstone GCI can provide our clients with information and guidance in working with established industry-leading partners who can assist in fulfilling cyber security compliance requirements. Redstone GCI assists contractors throughout the U.S. and internationally with understanding the Government’s expectations and supporting contractors from contract award to contract closeout. We would be happy to be part of your team.