Updates to Chapter 8

Federal Cybersecurity Statutes

UPDATES TO THE SECOND EDITION

8.2.7 False Claims Act

Since the DOJ announced its Cyber-Fraud Initiative in 2020, there has been a growing list of FCA actions, illustrating the breadth of the effort:

In October 2024, Pennsylvania State University (Penn State) agreed to pay $1,250,000 to resolve allegations that it violated the False Claims Act by failing to comply with cybersecurity requirements in fifteen contracts or subcontracts involving the Department of Defense or National Aeronautics and Space Administration. Specifically, the government alleged that Penn State had submitted cybersecurity assessment scores to DoD that reflected it had not implemented certain required controls (as do many other contractors), but misrepresented the dates by which it would implement them and did not pursue plans of action to do so. The U.S. also alleged that in performing certain of the contracts and subcontracts Penn State did not use an external cloud service provider that met DoD’s security requirements for covered defense information. The settlement resolved a lawsuit filed under the qui tam or whistleblower provisions of the False Claims Act, which permit private parties to sue on behalf of the government when they believe that a defendant has submitted false claims for government funds and receive a share of any recovery. The settlement in this case provided for the whistleblower, the former chief information officer for Penn State’s Applied Research Laboratory, to receive a $250,000 share of the settlement amount. The qui tam case is U.S. ex rel. Decker v. Pennsylvania State University, No. 2:22-cv-03895 (E.D. Pa.).

Insight Global LLC agreed to pay $2.7 million to resolve allegations that it violated the False Claims Act by failing to implement adequate cybersecurity measures to protect health information obtained during COVID-19 contact tracing. For example, according to the DOJ, certain personal health information and/or personally identifiable information of contact tracing subjects was transmitted in the body of unencrypted emails, staff used shared passwords to access such information, and such information was stored and transmitted using Google files that were not password protected and were potentially accessible to the public via internet links. The case began as a qui tam action. United States ex rel. Seilkop v. Insight Global LLC, no. 1:21-cv-1335 (M.D. Pa.). The obligation of the respondent to protect information arose not from a FARS clause but rather from a Statement of Work in which Insight Global represented that it “recognizes and accepts that the contact tracing workforce will have access to personal health information of contact tracing subjects and must ensure that and all other such information related to the services being provided must be kept confidential and secure.”

Similar is the June 2024 settlement in United States ex rel. Elevation 33, LLC v. Guidehouse Inc., and Nan McKay and Associates, Inc., no. 1:22-cv-206 (N.D.N.Y.). The case grew out of a contract with the New York state agency responsible for administering the federally funded emergency rental assistance program (ERAP) in New York during the COVID-19 pandemic. The contract called for the creation and management of an online application portal. Note that the contract was issued not by the federal government but by New York State’s Office of Temporary and Disability Assistance. Still, since federal funds were involved, the FCA applied. The contract and various state information security policies incorporated therein required that certain cybersecurity testing and scanning occur prior to the launch of the ERAP application to the public. The testing was not performed and the portal, when launched, leaked information to the public internet. One defendant agreed to pay $7.6 million, of which $1.3 million went to the relator, and the other agreed to pay $3.7 million, of which $638,000 went to the relator.

Comprehensive Health Services (CHS) agreed to pay $930,000 to resolve two sets of claims, including one alleging that it violated the False Claims Act when it submitted claims to the government for the cost of a secure electronic medical record (EMR) system. The United States alleged that, between 2012 and 2019, CHS failed to disclose to the government that it had not consistently stored patients’ medical records on a secure EMR system. Both matters began with qui tam actions.

In March 2023, Jelly Bean Communications Design LLC (Jelly Bean) and the individual who was its manager, 50% owner, and sole employee agreed to pay $293,771 to resolve False Claims Act allegations that they failed to secure personal information on a website that Jelly Bean created, hosted, and maintained for the federally funded Florida children’s health insurance program. The contract required that the website comply with the protections for personal information imposed by HIPAA. In 2020, the website was hacked and the information in more than 500,000 applications was potentially exposed. The U.S. Department of Justice alleged that Jelly Bean failed to properly maintain, patch, and update the software systems underlying the website. The case apparently came to the attention of the DOJ after the Florida state agency announced the breach.

In September 2023, Verizon Business Network Services agreed to pay $4,091,317 to resolve FCA allegations. The settlement related to Verizon’s Managed Trusted Internet Protocol Service (MTIPS), which is designed to provide federal agencies with secure connections to the public internet and other external networks. The General Services Administration contracts for the service require compliance with all “Critical Capabilities” specified in the DHS’s Trusted Internet Connections (TIC) Reference Architecture Document. The government alleged that Verizon’s solution did not completely satisfy three of the required controls. The shortfall was reported by Verizon itself, as required by FAR provisions. After learning of the issues, Verizon provided the government with a written self-disclosure, initiated an independent investigation and compliance review of the issues, took prompt and substantial remedial measures, and provided the government with multiple detailed supplemental written disclosures.

___________________________________________________________________________

ARCHIVED UPDATES TO THE FIRST EDITION, INCORPORATED INTO THE SECOND EDITION

8.1.1 Health Insurance Portability and Accountability Act

Also holding that HIPAA does not provide the basis for a negligence per se claim: In re Blackbaud, Inc., Customer Data Breach Litigation, 2021 U.S. Dist. LEXIS 201211, 2021 WL 4866393 (D. S.C. Oct. 19, 2021) (applying South Carolina law).

8.1.7 Fair Credit Reporting Act

Update on the Horizon case: Upon remand, the district court ruled that Horizon was not a credit reporting agency and thus not covered under the FCRA. In re: Horizon Healthcare Services Inc. Data Breach Litigation, no. 2:13-cv-07418, 2021 U.S. Dist. LEXIS 243041, 2021 WL 6049549 (Dec. 21, 2021). Whatever consumer information Horizon collected was for the purpose of providing health insurance coverage and administering health benefits plans, not for the purpose of furnishing consumer reports. The court also held that the theft of laptops containing personal information was not a disclosure of consumer medical information under § 1681b(g) or a furnishing of a consumer report under § 1681e.

[Add a new subchapter] 8.1.7A Fair and Accurate Credit Transactions Act

For the sake of completeness, the list of federal statutes that specifically regulate cybersecurity should probably include the Fair and Accurate Credit Transactions Act of 2003 (FACTA), Pub. L. No. 108-159, 117 Stat. 1952, which amended the Fair Credit Reporting Act to add 15 U.S.C. § 1681m(e)(4), requiring the federal banking agencies to issue guidelines and rules regarding identity theft “red flags.” The red flags rule issued by the Office of the Comptroller of the Currency, the Board of Governors of the Federal Reserve System, the Federal Deposit Insurance Corporation, the Office of Thrift Supervision, the National Credit Union Administration, and the Federal Trade Commission is at 16 C.F.R. § 681.1. It applies to financial institutions or creditors that offer credit card accounts, mortgage loans, automobile loans, margin accounts, cell phone accounts, utility accounts, checking accounts, or savings accounts. A red flag is defined as a pattern, practice, or specific activity that indicates the possible existence of identity theft. Under the rule, financial institutions and creditors that offer covered accounts must develop and implement a written Identity Theft Prevention Program that is designed to detect, prevent, and mitigate identity theft in connection with the opening of a covered account or any existing covered account. The program must be appropriate to the size and complexity of the financial institution or creditor and the nature and scope of its activities. The SEC’s red flags rule, known as Regulation S-ID, is at 17 C.F.R. Subpart C. Interagency Guidelines on Identity Theft Detection, Prevention, and Mitigation, providing further detail on what constitutes a red flag, how to detect them, and how to respond, are found at Appendix A to Part 681 of 16 C.F.R. and, for the SEC, at Appendix A to Subpart C of Part 248 of 17 C.F.R.

8.1.11 Cyber Incident Reporting for Critical Infrastructure Act of 2022

Included as Division Y in H.R. 2471, the massive government appropriations bill for FY 2022, and codified at 6 U.S.C. 2240 et seq., the statute requires critical infrastructure entities to report cyber incidents to the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency within 72 hours after discovery and to report ransom payments in response to ransomware attacks within 24 hours. For more on the notice requirements of the law, see updates to Chapter 3.

The law also clarifies or expands the authority of the National Cybersecurity and Communications Integration Center (NCCIC) within CISA, specifying, among other things, that the center shall analyze reports from covered entities related to covered cyber incidents to assess the effectiveness of security controls and to identify tactics, techniques, and procedures adversaries use to overcome those controls; to identify and disseminate ways to prevent or mitigate similar cyber incidents in the future; and to provide appropriate entities, including technology providers, with timely, actionable, and anonymized reports of cyber incident campaigns and trends, including, to the maximum extent practicable, related contextual information, cyber threat indicators, and defensive measures.

8.2.7 False Claims Act

In October 2021, the DOJ announced a Civil Cyber-Fraud Initiative that will utilize the False Claims Act to pursue cybersecurity-related fraud by government contractors and grant recipients. The announcement specifically called out the FCA’s qui tam provision, which allows private parties to assist the government in identifying and pursuing fraudulent conduct and to share in any recovery, and its provision protecting from retaliation whistleblowers who bring these violations and failures to the government’s attention.

In a speech after the announcement, Acting Assistant Attorney General Brian M. Boynton said that three common cybersecurity failures were “prime candidates” for FCA enforcement through the initiative: (1) knowing failures to comply with cybersecurity standards required under government contracts or grants, (2) knowing misrepresentation to the government about a contractor’s cybersecurity practices or protocols, or (3) knowing failure to report cybersecurity incidents and breaches when required under a contract. Boynton specifically highlighted the FCA’s qui tam process, stating that “we expect whistleblowers to play a significant role in bringing to light knowing failures and misconduct in the cyber arena.” This suggests a DOJ shift away from the attitude of skepticism (if not outright hostility) toward whistleblower actions that was reflected in the Granston Memo, referred to in the book. Reinforcing this point is the fact that the first settlement of a civil cyber-fraud case under the DOJ’s civil cyber-fraud initiative arose from two qui tam actions.

As the book predicted might happen, the FCA cyber initiative leverages the assertions that government contractors make in bidding on and accepting government contracts and the contractual obligations they undertake related to the security of their products and services. Among the contract requirements that could lead to an FCA action:

  • The contract clause, FAR 52.204-21, applicable to contractor systems that process “Federal contract information,” which requires contractors to apply 15 basic security controls drawn from NIST Special Publication 800-171, “Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations.”

  • DFARS clause 252.204-7012, Safeguarding Covered Defense Information and Cyber Incident Reporting, which requires contractors to apply the security requirements of NIST SP 800-171 to covered contractor information systems that are not part of an IT service or system operated on behalf of the Government.

  • The requirement under DFARS 252.204-7012 to “rapidly report” (defined as reporting within 72 hours) “cyber incidents” to the Department of Defense.

  • The DoD Assessment Methodology for NIST SP 800-171, mandated under DFARS 252.204-7019 and 252.204-7020, which requires contractors to prepare and submit self-assessments about the security of their products, and the requirement for a Cybersecurity Maturity Model Certification (CMMC), should that be implemented. (For updates related to the Cybersecurity Maturity Model Certification (CMMC) framework, see updates to Chapter 9.2.4.)

  • NIST SP 800-53, “Security and Privacy Controls for Federal Information Systems and Organizations,” which applies to IT systems provided to the government.

  • The new contract clause that President Biden required to be developed under EO 14028, Improving the Nation’s Cybersecurity (May 12, 2021), 86 Fed. Reg. 26633, which will require contractors to report “cyber incidents” to affected agencies and, in the case of incidents affecting civilian agency systems, to the Cybersecurity and Infrastructure Security Agency (CISA).

In February 2022, in the Aerojet Rocketdyne case, the district court reduced the number of contracts at issue, and it granted the motion of Aerojet Rocketdyne (AR) for summary judgment on the relator’s claim of false certification under the FCA, but it denied AR’s motion for summary judgment on the relator’s claim of promissory fraud (fraud in the inducement) under the FCA, allowing the case to go forward. United States ex rel. Markus v. Aerojet Rocketdyne Holdings, Inc., 2022 U.S. Dist. LEXIS 18505, 2022 WL 297093 (E.D. Cal. Feb. 1, 2022). The parties’ arguments and the court’s ruling on the promissory fraud theory are possibly quite significant. The relator contended that defendants made false statements regarding AR’s cybersecurity status by not disclosing the full extent of AR’s noncompliance with the Defense Federal Acquisition Regulation clause 252.204–7012 and a similar NASA FARS clause. What is fascinating is that both the relator and the defendants agreed that AR was not compliant with the relevant clauses. The defendants argued that was okay because they had disclosed their non-compliance to the government on multiple occasions. The dispute of fact that resulted in denial of defendants’ motion was over whether those disclosures were complete; the relator argued that AR failed to fully disclose just how bad things were, citing lingering concerns from an earlier breach and annual cybersecurity audits of AR done by third parties that were not provided to the government. The defendants also argued that non-compliance with clause 252.204–7012 was not material, citing as evidence the fact that the government went ahead and awarded contracts to AR and other contractors despite knowledge that they were noncompliant. The court said it couldn’t speculate about contracts with other contractors and, as to AR, there was a genuine dispute of material fact as to whether AR’s disclosures had been sufficient to provide the government with actual knowledge that certain requirements were violated. So the case went to trial, and on the second day AR settled, agreeing to pay $9 million, of which $2.61 million went to the relator, former Aerojet employee Brian Markus.

[New chapter:] 8.2.10 CFATS Act of 2014

In 2006, in the Department of Homeland Security appropriations act, Pub. L. 109–295, 120 Stat. 1388, Congress required the Secretary of Homeland Security to issue regulations establishing risk-based performance standards for the security of chemical facilities and requiring vulnerability assessments and the development and implementation of site security plans for chemical facilities. The regulations, at 6 C.F.R. Part 27, are known as the Chemical Facility Anti-Terrorism Standards (CFATS). In 2014, the Protecting and Securing Chemical Facilities from Terrorist Attacks Act of 2014 (CFATS Act of 2014) was signed into law, Pub. L. 113–254, 128 Stat. 2898, adding 6 U.S.C. 621 et seq. The 2014 statute substantially expanded the legislative authority for the CFATS program and reauthorized it for four years. The CFATS program has been extended periodically, most recently in 2020, when Pub. L. No. 116-150 extended the expiration date of the CFATS Act to July 27, 2023.

The statute only indirectly mentions cybersecurity. However, under the regulations today, security plans for covered facilities must include “appropriately risk-based measures” designed to “deter cyber sabotage, including by preventing unauthorized onsite or remote access to critical process controls, such as Supervisory Control and Data Acquisition (SCADA) systems, Distributed Control Systems (DCS), Process Control Systems (PCS), Industrial Control Systems (ICS), critical business system, and other sensitive computerized systems.” 6 C.F.R. 27.230(a)(8).

Last updated: Oct. 25, 2024.

Photo: “The Allegory of Good Government,” by Ambrogio Lorenzetti, 1338, Museo Civico, Siena, (c) Erik Törner, CC BY-NC-SA 2.0.