
Updates to Chapter 8
Federal Cybersecurity Statutes
UPDATES TO THE SECOND EDITION
8.2.7 False Claims Act
Since the DOJ announced its Cyber-Fraud Initiative in 2020, there has been a growing list of FCA actions, illustrating the breadth of the effort:
A July 2025 False Claims Act settlement in which defense contractor Aero Turbine Inc. and its private equity investor agreed to pay $1.75 million for knowingly failing to comply with cybersecurity requirements in a contract with the Air Force offers three interesting lessons/reminders:
(1) The underlying allegation in the case was that the contractor had violated DFARS clause 252.204-7012, which requires contractors and subcontractors to provide adequate cybersecurity on all covered contractor information systems by, at a minimum, implementing the requirements specified by NIST SP 800-171, “Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations.” As the speculation rages over when the requirement for CMMC assessments will finally start appearing in contracts, this is another reminder that DoD contractors already have been bound for the better part of a decade by 252.204-7012 to meet the standards of NIST 800-171 or face penalties under the False Claims Act.
(2) Contractors must pay attention to data flows to vendors. One specific failing cited in this case involved Aero Turbine's use of a software company based in Egypt. As a result, files containing covered defense information were accessible to the Egyptian provider, even though the software company and its foreign citizen personnel were not authorized to receive such information under the Air Force contract.
(3) After learning of the issues, Aero Turbine provided the government with multiple written self-disclosures, cooperated with the government’s investigation of the issues, and took prompt remedial action. The Department of Justice took this into account in reaching the settlement. In the DOJ press release, Assistant Attorney General Brett A. Shumate specifically said, “When defense contractors fail to comply with cybersecurity requirements, they can mitigate the consequences by making timely self-disclosures, cooperating with investigations, and taking prompt remedial measures.”
Also in July 2025, in another FCA settlement, a company, Illumina, agreed to pay $9.8 million to the government and $1.9 million to the relator in a qui tam action to resolve allegations that the company violated the False Claims Act when it sold to federal agencies certain genomic sequencing systems with cybersecurity vulnerabilities. Neither the qui tam complaint nor the settlement cited any contract clause or other specific statement to the government about cybersecurity by the contractor. The qui tam complaint, while strong on its allegations of the company's cybersecurity failures, on falsity merely alleges that Illumina had represented that it “is committed to data security.” The settlement with the government says that Illumina "falsely represented that … software on the Genomic Sequencing Systems adhered to cybersecurity standards," including ISO and NIST standards. Neither specifically says that those representations were made to the government.
The settlement document states: “The United States contends that the claims to the Agencies were false, regardless of whether any actual cybersecurity breaches occurred, because the … software [in the sequencing systems] had cybersecurity vulnerabilities, and Illumina did not have an adequate product security program and sufficient quality systems to identify and address cybersecurity vulnerabilities affecting the … software. Specifically, the United States contends that the claims were false because Illumina knowingly failed to incorporate product cybersecurity in its software design, development, installation, and on-market monitoring; failed to properly support and resource personnel, systems, and processes tasked with product security; failed to adequately correct design features that introduced cybersecurity vulnerabilities in the Genomic Sequencing Systems; and falsely represented that the … software on the Genomic Sequencing Systems adhered to cybersecurity standards.” Does this suggest that anyone selling a product to the government implicitly represents that it "incorporate[s] product cybersecurity in its software design, development, installation, and on-market monitoring; properly support[s] and resource[s] personnel, systems, and processes tasked with product security; and adequately correct[s] design features that introduced cybersecurity vulnerabilities?" Not clear, since this is only a settlement, and does not require a full recitation of the government’s evidence.
A May 2025 FCA settlement resolved allegations that Raytheon and a subsidiary failed to implement required cybersecurity controls on an internal development system that was used to perform unclassified work on certain DoD contracts. The government alleged that Raytheon and the subsidiary failed to develop and implement a system security plan for the system, as required by DoD cybersecurity regulations, and failed to ensure that the system complied with other cybersecurity requirements contained in the DFARS 252.204-7012 and FAR 52.204-21. The settlement resolved a qui tam lawsuit filed under the whistleblower provisions of the False Claims Act. U.S. ex rel. Doe v. Raytheon Co. et al., No. 21-cv-2343 (D.D.C.). The settlement provided for the relator, a former director of engineering with Raytheon, to receive a $1,512,000 share of the settlement amount. The case is significant because Raytheon had sold the business unit that had the contract and submitted the allegedly false claims, yet the settlement includes the company that bought the unit as jointly liable. As attorneys at Quarles have noted, by “nam[ing] the successor company as ‘the successor in liability’ in the claims against the defense contractor, despite the fact that allegations occurred several years prior to the successor company’s acquisition of the defense contractor’s cybersecurity business,” the case has important implications for due diligence in mergers and acquisitions.
In March 2025, MORSECORP Inc. agreed to pay $4.6 million to resolve FCA allegations. As part of the settlement, the company admitted, acknowledged and accepted responsibility for the following facts: using a third-party company to host its emails without requiring and ensuring that the third party met security requirements equivalent to the Federal Risk and Authorization Management Program Moderate baseline and complied with the DoD’s requirements for cyber incident reporting, malicious software, media preservation and protection, access to additional information and equipment necessary for forensic analysis and cyber incident damage assessment; not fully implementing the controls in SP 800-171 as required in its contracts; not having a consolidated written plan, as required under the contracts, for each of its covered information systems describing system boundaries, system environments of operation, how security requirements are implemented and the relationships with or connections to other systems; not updating its NIST 800-171 score after a third-party cybersecurity consultant notified the company that the score it had submitted to the government was wildly inaccurate. The settlement resolved a qui tam lawsuit, United States ex rel. Berich v. MORSECORP Inc. et al., No. 23-cv-10130 (D. Mass.).
In October 2024, Pennsylvania State University (Penn State) agreed to pay $1,250,000 to resolve allegations that it violated the False Claims Act by failing to comply with cybersecurity requirements in fifteen contracts or subcontracts involving the Department of Defense or National Aeronautics and Space Administration. Specifically, the government alleged that Penn State had submitted cybersecurity assessment scores to DoD that reflected it had not implemented certain required controls (as do many other contractors), but misrepresented the dates by which it would implement them and did not pursue plans of action to do so. The U.S. also alleged that in performing certain of the contracts and subcontracts Penn State did not use an external cloud service provider that met DoD’s security requirements for covered defense information. The settlement resolved a lawsuit filed under the qui tam or whistleblower provisions of the False Claims Act, which permit private parties to sue on behalf of the government when they believe that a defendant has submitted false claims for government funds and receive a share of any recovery. The settlement in this case provided for the whistleblower, the former chief information officer for Penn State’s Applied Research Laboratory, to receive a $250,000 share of the settlement amount. The qui tam case is U.S. ex rel. Decker v. Pennsylvania State University, No. 2:22-cv-03895 (E.D. Pa.).
Also, in August 2024, DOJ filed claims against Georgia Institute of Technology and Georgia Tech Research Corp. alleging that they had failed to meet cybersecurity requirements in connection with Department of Defense (DoD) contracts. The complaint alleged that a research lab at Georgia Tech failed to develop and implement a system security plan, as required by DoD cybersecurity regulations, and submitted a false cybersecurity assessment score to DoD for the Georgia Tech campus. The complaint also alleged that the lab failed to install, update or run anti-virus or anti-malware tools on desktops, laptops, servers and networks at the lab.
Insight Global LLC agreed to pay $2.7 million to resolve allegations that it violated the False Claims Act by failing to implement adequate cybersecurity measures to protect health information obtained during COVID-19 contact tracing. For example, according to the DOJ, certain personal health information and/or personally identifiable information of contact tracing subjects was transmitted in the body of unencrypted emails, staff used shared passwords to access such information, and such information was stored and transmitted using Google files that were not password protected and were potentially accessible to the public via internet links. The case began as a qui tam action. United States ex rel. Seilkop v. Insight Global LLC, No. 1:21-cv-1335 (M.D. Pa.). The obligation of the respondent to protect information arose not from a FARS clause but rather from a Statement of Work in which Insight Global represented that it “recognizes and accepts that the contact tracing workforce will have access to personal health information of contact tracing subjects and must ensure that and all other such information related to the services being provided must be kept confidential and secure.”
Similar is the June 2024 settlement in United States ex rel. Elevation 33, LLC v. Guidehouse Inc., and Nan McKay and Associates, Inc., No. 1:22-cv-206 (N.D.N.Y.). The case grew out of a contract with the New York state agency responsible for administering the federally funded emergency rental assistance program (ERAP) in New York during the COVID-19 pandemic. The contract called for the creation and management of an online application portal. Note that the contract was issued not by the federal government but by New York State’s Office of Temporary and Disability Assistance. Still, since federal funds were involved, the FCA applied. The contract and various state information security policies incorporated therein required that certain cybersecurity testing and scanning occur prior to the launch of the ERAP application to the public. The testing was not performed and the portal, when launched, leaked information to the public internet. One defendant agreed to pay $7.6 million, of which $1.3 million went to the relator, and the other agreed to pay $3.7 million, of which $638,000 went to the relator.
Comprehensive Health Services (CHS) agreed to pay $930,000 to resolve two sets of claims, including one alleging that it violated the False Claims Act when it submitted claims to the government for the cost of a secure electronic medical record (EMR) system. The United States alleged that, between 2012 and 2019, CHS failed to disclose to the government that it had not consistently stored patients’ medical records on a secure EMR system. Both matters began with qui tam actions.
In March 2023, Jelly Bean Communications Design LLC (Jelly Bean) and the individual who was its manager, 50% owner, and sole employee agreed to pay $293,771 to resolve False Claims Act allegations that they failed to secure personal information on a website that Jelly Bean created, hosted, and maintained for the federally funded Florida children’s health insurance program. The contract required that the website comply with the protections for personal information imposed by HIPAA. In 2020, the website was hacked and the information in more than 500,000 applications was potentially exposed. The U.S. Department of Justice alleged that Jelly Bean failed to properly maintain, patch, and update the software systems underlying the website. The case apparently came to the attention of the DOJ after the Florida state agency announced the breach.
In September 2023, Verizon Business Network Services agreed to pay $4,091,317 to resolve FCA allegations. The settlement related to Verizon’s Managed Trusted Internet Protocol Service (MTIPS), which is designed to provide federal agencies with secure connections to the public internet and other external networks. The General Services Administration contracts for the service require compliance with all “Critical Capabilities” specified in the DHS’s Trusted Internet Connections (TIC) Reference Architecture Document. The government alleged that Verizon’s solution did not completely satisfy three of the required controls. The shortfall was reported by Verizon itself, as required by FAR provisions. After learning of the issues, Verizon provided the government with a written self-disclosure, initiated an independent investigation and compliance review of the issues, took prompt and substantial remedial measures, and provided the government with multiple detailed supplemental written disclosures.
___________________________________________________________________________
ARCHIVED UPDATES TO THE FIRST EDITION, INCORPORATED INTO THE SECOND EDITION
8.1.1 Health Insurance Portability and Accountability Act
Also holding that HIPAA does not provide the basis for a negligence per se claim: In re Blackbaud, Inc., Customer Data Breach Litigation, 2021 U.S. Dist. LEXIS 201211, 2021 WL 4866393 (D. S.C. Oct. 19, 2021) (applying South Carolina law).
8.1.7 Fair Credit Reporting Act
Update on the Horizon case: Upon remand, the district court ruled that Horizon was not a credit reporting agency and thus not covered under the FCRA. In re: Horizon Healthcare Services Inc. Data Breach Litigation, No. 2:13-cv-07418, 2021 U.S. Dist. LEXIS 243041, 2021 WL 6049549 (Dec. 21, 2021). Whatever consumer information Horizon collected was for the purpose of providing health insurance coverage and administering health benefits plans, not for the purpose of furnishing consumer reports. The court also held that the theft of laptops containing personal information was not a disclosure of consumer medical information under § 1681b(g) or a furnishing of a consumer report under § 1681e.
[Add a new subchapter] 8.1.7A Fair and Accurate Credit Transactions Act
For the sake of completeness, the list of federal statutes that specifically regulate cybersecurity should probably include the Fair and Accurate Credit Transactions Act of 2003 (FACTA), Pub. L. No. 108-159, 117 Stat. 1952, which amended the Fair Credit Reporting Act to add 15 U.S.C. § 1681m(e)(4), requiring the federal banking agencies to issue guidelines and rules regarding identity theft “red flags.” The red flags rule issued by the Office of the Comptroller of the Currency, the Board of Governors of the Federal Reserve System, the Federal Deposit Insurance Corporation, the Office of Thrift Supervision, the National Credit Union Administration, and the Federal Trade Commission is at 16 C.F.R. § 681.1. It applies to financial institutions or creditors that offer credit card accounts, mortgage loans, automobile loans, margin accounts, cell phone accounts, utility accounts, checking accounts, or savings accounts. A red flag is defined as a pattern, practice, or specific activity that indicates the possible existence of identity theft. Under the rule, financial institutions and creditors that offer covered accounts must develop and implement a written Identity Theft Prevention Program that is designed to detect, prevent, and mitigate identity theft in connection with the opening of a covered account or any existing covered account. The program must be appropriate to the size and complexity of the financial institution or creditor and the nature and scope of its activities. The SEC’s red flags rule, known as Regulation S-ID, is at 17 C.F.R. Part 248, Subpart C. Interagency Guidelines on Identity Theft Detection, Prevention, and Mitigation, providing further detail on what constitutes a red flag, how to detect them, and how to respond, are found at Appendix A to Part 681 of 16 C.F.R. and, for the SEC, at Appendix A to Subpart C of Part 248 of 17 C.F.R.
8.1.11 Cyber Incident Reporting for Critical Infrastructure Act of 2022
Included as Division Y in H.R. 2471, the massive government appropriations bill for FY 2022, and codified at 6 U.S.C. 2240 et seq., the statute requires critical infrastructure entities to report cyber incidents to the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency within 72 hours after discovery and to report ransom payments in response to ransomware attacks within 24 hours. For more on the notice requirements of the law, see updates to Chapter 3.
The law also clarifies or expands the authority of the National Cybersecurity and Communications Integration Center (NCCIC) within CISA, specifying, among other things, that the center shall analyze reports from covered entities related to covered cyber incidents to assess the effectiveness of security controls and to identify tactics, techniques, and procedures adversaries use to overcome those controls; to identify and disseminate ways to prevent or mitigate similar cyber incidents in the future; and to provide appropriate entities, including technology providers, with timely, actionable, and anonymized reports of cyber incident campaigns and trends, including, to the maximum extent practicable, related contextual information, cyber threat indicators, and defensive measures.
8.2.7 False Claims Act
In October 2021, the DOJ announced a Civil Cyber-Fraud Initiative that will utilize the False Claims Act to pursue cybersecurity-related fraud by government contractors and grant recipients. The announcement specifically called out the FCA’s qui tam provision, which allows private parties to assist the government in identifying and pursuing fraudulent conduct and to share in any recovery, and its provision protecting from retaliation whistleblowers who bring these violations and failures to the government’s attention.
In a speech after the announcement, Acting Assistant Attorney General Brian M. Boynton said that three common cybersecurity failures were “prime candidates” for FCA enforcement through the initiative: (1) knowing failures to comply with cybersecurity standards required under government contracts or grants, (2) knowing misrepresentation to the government about a contractor’s cybersecurity practices or protocols, or (3) knowing failure to report cybersecurity incidents and breaches when required under a contract. Boynton specifically highlighted the FCA’s qui tam process, stating that “we expect whistleblowers to play a significant role in bringing to light knowing failures and misconduct in the cyber arena.” This suggests a DOJ shift away from the attitude of skepticism (if not outright hostility) toward whistleblower actions that was reflected in the Granston Memo, referred to in the book. Reinforcing this point is the fact that the first settlement of a civil cyber-fraud case under the DOJ’s civil cyber-fraud initiative arose from two qui tam actions.
As the book predicted might happen, the FCA cyber initiative leverages the assertions that government contractors make in bidding on and accepting government contracts and the contractual obligations they undertake related to the security of their products and services. Among the contract requirements that could lead to an FCA action:
The contract clause, FAR 52.204-21, applicable to contractor systems that process “Federal contract information,” which requires contractors to apply 15 basic security controls drawn from NIST Special Publication 800-171, “Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations.”
DFARS clause 252.204-7012, Safeguarding Covered Defense Information and Cyber Incident Reporting, which requires contractors to apply the security requirements of NIST SP 800-171 to covered contractor information systems that are not part of an IT service or system operated on behalf of the Government.
The requirement under DFARS 252.204-7012 to “rapidly report” (defined as reporting within 72 hours) “cyber incidents” to the Department of Defense.
The DoD Assessment Methodology for NIST SP 800-171, mandated under DFARS 252.204-7019 and 252.204-7020, which requires contractors to prepare and submit self-assessments about the security of their products, and the requirement for a Cybersecurity Maturity Model Certification (CMMC), should that be implemented. (For updates related to the Cybersecurity Maturity Model Certification (CMMC) framework, see updates to Chapter 9.2.4.)
NIST SP 800-53, “Security and Privacy Controls for Federal Information Systems and Organizations,” which applies to IT systems provided to the government.
The new contract clause that President Biden required to be developed under EO 14028, Improving the Nation’s Cybersecurity (May 12, 2021), 86 Fed. Reg. 26633, which will require contractors to report “cyber incidents” to affected agencies and, in the case of incidents affecting civilian agency systems, to the Cybersecurity and Infrastructure Security Agency (CISA).
In February 2022, in the Aerojet Rocketdyne case, the district court reduced the number of contracts at issue, and it granted the motion of Aerojet Rocketdyne (AR) for summary judgment on the relator’s claim of false certification under the FCA, but it denied AR’s motion for summary judgment on the relator’s claim of promissory fraud (fraud in the inducement) under the FCA, allowing the case to go forward. United States ex rel. Markus v. Aerojet Rocketdyne Holdings, Inc., 2022 U.S. Dist. LEXIS 18505, 2022 WL 297093 (E.D. Cal. Feb. 1, 2022). The parties’ arguments and the court’s ruling on the promissory fraud theory are possibly quite significant. The relator contended that defendants made false statements regarding AR’s cybersecurity status by not disclosing the full extent of AR’s noncompliance with the Defense Federal Acquisition Regulation clause 252.204–7012 and a similar NASA FARS clause. What is fascinating is that both the relator and the defendants agreed that AR was not compliant with the relevant clauses. The defendants argued that was okay because they had disclosed their non-compliance to the government on multiple occasions. The dispute of fact that resulted in denial of defendants’ motion was over whether those disclosures were complete; the relator argued that AR failed to fully disclose just how bad things were, citing lingering concerns from an earlier breach and annual cybersecurity audits of AR done by third parties that were not provided to the government. The defendants also argued that non-compliance with clause 252.204–7012 was not material, citing as evidence the fact that the government went ahead and awarded contracts to AR and other contractors despite knowledge that they were noncompliant.
The court said it couldn’t speculate about contracts with other contractors and, as to AR, there was a genuine dispute of material fact as to whether AR’s disclosures had been sufficient to provide the government with actual knowledge that certain requirements were violated. So the case went to trial and on the second day AR settled, agreeing to pay $9 million, of which $2.61 million went to the relator, former Aerojet employee Brian Markus.
[New chapter:] 8.2.10 CFATS Act of 2014
In 2006, in the Department of Homeland Security appropriations act, Pub. L. 109–295, 120 Stat. 1388, Congress required the Secretary of Homeland Security to issue regulations establishing risk-based performance standards for the security of chemical facilities and requiring vulnerability assessments and the development and implementation of site security plans for chemical facilities. The regulations, at 6 C.F.R. Part 27, are known as the Chemical Facility Anti-Terrorism Standards (CFATS). In 2014, the Protecting and Securing Chemical Facilities from Terrorist Attacks Act of 2014 (CFATS Act of 2014) was signed into law, Pub. L. 113–254, 128 Stat. 2898, adding 6 U.S.C. 621 et seq. The 2014 statute substantially expanded the legislative authority for the CFATS program and reauthorized it for four years. The CFATS program has been extended periodically, most recently in 2020, when Pub. L. No. 116-150 extended the expiration date of the CFATS Act to July 27, 2023.
The statute only indirectly mentions cybersecurity. However, under the regulations today, security plans for covered facilities must include “appropriately risk-based measures” designed to “deter cyber sabotage, including by preventing unauthorized onsite or remote access to critical process controls, such as Supervisory Control and Data Acquisition (SCADA) systems, Distributed Control Systems (DCS), Process Control Systems (PCS), Industrial Control Systems (ICS), critical business system, and other sensitive computerized systems.” 6 C.F.R. 27.230(a)(8).
Last updated: Aug. 1, 2025.
Photo: “The Allegory of Good Government," by Ambrogio Lorenzetti, 1338, Museo Civico, Siena, (c) Erik Törner, CC BY-NC-SA 2.0.