Image of False Claims Act Cybersecurity Whistleblower Rewards and Protections for Employees of Federal Contractors and Grantees

False Claims Act Cybersecurity Whistleblower Rewards and Protections for Employees of Federal Contractors and Grantees

 

 

cybersecurity whistleblower protection

Complying with information security and data privacy requirements is a fundamental duty of government contractors and grantees and is vital for the protection of government data. Cybersecurity professionals are oftent the first to identify non-compliance with these requirements.

Federal whistleblower laws protect cybersecurity whistleblowers at government contractors and grantees, including the Defense Contractor Whistleblower Protection Act, False Claims Act, and NDAA Whistleblower Protection Law.

To schedule a confidential consultation with our cybsersecurity whistleblower lawyers, call us at 202-262-8959.

2021 Civil Cyber-Fraud Initiative and Cybersecurity False Claims Act Whistleblowing

On October 6, 2021, the Department of Justice launched a Civil Cyber-Fraud Initiative, to combat new and emerging cyber threats to the security of sensitive information and critical systems. Deputy Attorney General Monaco announced the purpose of the initiative: “We are announcing today that we will use our civil enforcement tools to pursue companies, those who are government contractors who receive federal funds, when they fail to follow required cybersecurity standards — because we know that puts all of us at risk. This is a tool that we have to ensure that taxpayer dollars are used appropriately and guard the public fisc and public trust.”

The Civil Cyber-Fraud Initiative will utilize the False Claims Act to pursue cybersecurity-related fraud by government contractors and grant recipients. The benefits of the initiative will include:

  • Building broad resiliency against cybersecurity intrusions across the government, the public sector and key industry partners.
  • Holding contractors and grantees to their commitments to protect government information and infrastructure.
  • Supporting government experts’ efforts to timely identify, create and publicize patches for vulnerabilities in commonly-used information technology products and services.
  • Ensuring that companies that follow the rules and invest in meeting cybersecurity requirements are not at a competitive disadvantage.
  • Reimbursing the government and the taxpayers for the losses incurred when companies fail to satisfy their cybersecurity obligations.
  • Improving overall cybersecurity practices that will benefit the government, private users and the American public.

What cybersecurity requirements apply to federal contractors?

cybersecurity whistleblower protectionFederal contractors are subject to data privacy and information security requirements.

The FY 2022 appropriations law includes a cyber reporting provision that requires companies in critical infrastructure (as defined in Presidential Policy Directive 21) to report a covered cyber incident within 72 hours to the Cybersecurity and Infrastructure Security Agency.

The Federal Information Security Management Act (“FISMA”) creates information security requirements for federal agencies to minimize risk to the U.S. government’s data.  FISMA also applies these requirements to state agencies administering federal programs and private businesses contracting with the federal government.  Federal acquisition regulations codify the cybersecurity and data privacy requirements applicable to federal contractors.  E.g., 48 C.F.R. §§ 252.204-7008, 7012 (providing for cybersecurity standards in contracts with the U.S. Department of Defense); 48 C.F.R. § 52.204-21 (outlining basic procedures for contractors to safeguard information processed, stored, or transmitted under a federal contract).  

Pursuant to the FISMA Implementation Project, the National Institute of Standards and Technology (“NIST”) produces security standards and guidelines to ensure compliance with FISMA.  Key principles of FISMA compliance include a systemic approach to the data that results in baseline controls, a risk assessment procedure to refine controls, and implementation of controls.  A security plan must document the controls.  Those managing the information must also assess the controls’ effectiveness.  NIST also focuses its standards on determining enterprise risk, information system authorization, and ongoing monitoring of security controls.

Essential standards established by NIST include FIPS 199, FIPS 200, and the NIST 800 series.  Core FISMA requirements include:

  • Federal contractors must keep an inventory of all of an organization’s information systems.
  • Contractors must identify the integration between information systems and other systems in the network.
  • Contractors must categorize information and information systems according to risk. This prioritizes security for the most sensitive information and systems.  See “Standards for Security Categorization of Federal Information and Information Systems” FIPS 199.
  • Contractors must have a current information security plan that covers controls, cybersecurity policies, and planned improvements.
  • Contractors must consider an organization’s particular needs and systems and then identify, implement, and document adequate information security controls. See NIST SP 800-53 (identifying suggested cybersecurity controls).
  • Contractors must assess information security risks. See NIST SP 800-30 (recommending that an organization assess risks at the organizational level, the business process level, and the information system level).
  • Contractors must conduct annual reviews to ensure that information security risks are minimal.

The NIST Framework includes “a set of cybersecurity activities, outcomes and informative references that are common across sectors and critical infrastructure” and is designed to “help an organization align and prioritize cybersecurity activities with its business/mission requirements, risk tolerances and resources.” NIST Special Publication 800-53 Revision 4, Security and Privacy Controls for Federal Information Systems and Organizations (NIST 800-53).

In addition to generally-applicable standards, individual contracts may create other cybersecurity or data privacy requirements for a government contractor.  Such requirements are prevalent when the contractor provides information security products or services for the government.

What protections exist for cybersecurity whistleblowers employed at federal contractors?

Federal law contains whistleblower protection provisions that may prohibit employers from retaliating against whistleblowers who report cybersecurity or data privacy concerns.  See Defense Contractor Whistleblower Protection Act, 10 U.S.C. § 4701; False Claims Act, 31 U.S.C. § 3730(h); NDAA Whistleblower Protection Law, 41 U.S.C. § 4712.  These laws protect a broad range of conduct.

Protected conduct under these laws includes:

  • Efforts to stop false claims to the government;
  • Lawful acts in furtherance of an action alleging false claims to the government; and
  • Disclosures of gross mismanagement, gross waste, abuse of authority, or a violation of law, rule, or regulation related to a federal contract or grant. Id.

These provisions have wide coverage.  They protect any employee of any private sector employer that is a contractor or grantee of the federal government.  In some cases, even the employer’s contractors and agents are protected.

An employer’s non-compliance with information security requirements could breach the employer’s contractual obligations to the federal government and violate federal law and regulation.  Thus, whistleblowers who report cybersecurity or data privacy concerns related to a federal contract or grant may be protected from employment retaliation.

What is the burden to establish unlawful retaliation for reporting cybersecurity concerns?

Exact requirements vary, but an employee typically establishes unlawful retaliation by proving that (1) the employee engaged in conduct that is protected by statute, and (2) the protected conduct to some degree caused a negative employment action.  See, e.g., 10 U.S.C. § 4701 (incorporating burden of proof from 5 U.S.C. § 1221(e)); 41 U.S.C. § 4712(c)(6) (same); 31 U.S.C. § 3730(h)(1).  

Under some of the applicable protections, an employee need prove only that the protected conduct played any role whatsoever in the employer’s decision to take the challenged employment action.  See 10 U.S.C. § 4701; 41 U.S.C. § 4712.

What damages or remedies can a cybersecurity whistleblower recover for retaliation?

Sarbanes-Oxley cybersecurity whistleblower protectionsThe relief available depends on which laws apply to the particular case.  Remedies may include an amount equal to double an employee’s lost wages, as well as reinstatement or front pay.  In some cases, a whistleblower may also recover uncapped compensatory damages for harms like emotional distress and reputational damage.  Additionally, a prevailing plaintiff can recover reasonable attorneys’ fees and costs.

Recently, a jury awarded a defense contractor whistleblower $1 million in compensatory damages.  The whistleblower proved that the employer more than likely retaliated by demoting him after he reported issues with tests related to a federal contract, according to the jury.  Specifically, the whistleblower alleged he reported and opposed management’s directive to misrepresent the completion status of testing procedures.

In a recent case under the False Claims Act, a whistleblower received more than $2.5 million for retaliation she suffered after internally reporting off-label promotion for a drug outside its FDA-approved use.  The False Claims Act protects employees from retaliation who blow the whistle on fraud against the government, including those who blow the whistle internally to a government contractor or grantee.

Tips for Cybersecurity Whistleblowers

cybersecurity whistleblowing

Have Qui Tam Whistleblowers Obtained Awards for Reporting Cyberfraud?

Qui Tam Award
Amount
ViolationsDateDOJ Press Release or Media Coverage
$8.6MQui tam relator Glenn alleged that Cisco sold flawed video surveillance gear to government agencies. According to the complaint, the video surveillance product was "riddled with serious security defects." July 31, 2019Cisco whistleblower cybersecurity case brought by Phillips & Cohen settles for $8.6M
$930,000Comprehensive Health Services, LLC agreed to pay $930,000 to resolve allegations that it violated the False Claims Act by falsely representing to the State Department and the Air Force that it complied with contract requirements relating to the provision of medical services at State Department and Air Force facilities in Iraq and Afghanistan. The United States alleged that, between 2012 and 2019, CHS failed to disclose to the State Department that it had not consistently stored patients’ medical records on a secure EMR system.March 8, 2022Contractor Pays $930,000 to Settle False Claims Act Allegations Relating to Medical Services Contracts at State Department and Air Force Facilities in Iraq and Afghanistan

Do any court cases address whether cybersecurity whistleblowers are protected?

Yes.  Judges and juries have applied these laws to protect cybersecurity whistleblowers.

For example, in United States ex rel. Glenn v. Cisco Systems, Inc., defendant Cisco Systems settled for $8.6 million in what is likely the first successful cybersecurity case brought under the False Claims Act.  The plaintiff/relator James Glenn worked for Cisco and internally reported serious cybersecurity deficiencies in a video surveillance system, soon after which he was fired.  Cisco had sold the surveillance systems to various federal government entities, including the Department of Homeland Security, FEMA, the Secret Service, NASA, and all branches of the military.  After monitoring Cisco’s public pronouncements regarding the system and confirming the company had not solved the problems or reported vulnerabilities to customers, Glenn contacted the FBI.  Multiple states joined in the complaint and brought claims under state laws.

While the case did not proceed to litigation, Glenn received nearly $2 million of the settlement, and the federal government’s attention to the issue proves that cybersecurity and data privacy are of utmost importance.

Surely, as more of our lives and businesses move online, the government will place increased importance on contractors and grantees following data security and privacy requirements and disclosing known vulnerabilities.  Cybersecurity whistleblowers working for government contractors play an important part in revealing these vulnerabilities and keeping the federal government secure.  Still, these whistleblowers may experience retaliation after blowing the whistle internally at their place of work.

How can employees enforce these protections from retaliation?

cybersecurity whistleblower lawyersEmployees generally have the right to bring claims of unlawful retaliation for cybersecurity or data privacy whistleblowing in federal court.  However, some claims limit that right to whistleblowers who first exhaust all their administrative remedies.  For example, in some cases, whistleblowers will first need to pursue relief from the Office of Inspector General of the relevant federal agency.  Additionally, cybersecurity whistleblower claims are subject to strict deadlines.  See, e.g., 31 U.S. Code § 3730; 10 U.S.C. § 4701; 41 U.S.C. § 4712.

Cybersecurity Violations are Material Under the False Claims Act

As discussed in a Department of Justice Statement of Interest in United States ex rel. Brian Markus v. Aerojet Rocketdyne Holdings, Inc., “[i]t is well settled that when a contract is obtained through false statements or fraudulent conduct, FCA liability attaches to each claim submitted to the government under the contract.”  See United States ex rel. Hendow v. Univ. of Phoenix, 461 F.3d 1166, 1173 (9th Cir. 2006) (citing United States ex rel. Marcus v. Hess, 317 U.S. 537, 542 (1943)).   “Each claim submitted to the government under a contract which was procured by such fraud is false even if false representations were not made on the claim itself.”  United States ex rel. Campie v. Gilead Scis., Inc., 862 F.3d 890, 904 (9th Cir. 2017); United States ex rel. Bettis v. Odebrecht Contractors of Cal., Inc., 393 F.3d 1321, 1326 (D.C. Cir. 2005) (a contractor is liable “for each claim submitted to the Government under a contract which was procured by fraud, even in the absence of evidence that the claims were fraudulent in themselves.”).  Therefore, false representations about cybersecurity compliance are material and can give rise to FCA liability.

DOJ Statement of Interest in Aerojet

Tips for Cybersecurity Whistleblowers

cybersecurity whistleblowing

Cybersecurity Whistleblower Lawyers’ Guide for Cybersecurity Whistleblowers

To schedule a consultation, call us at 202-262-8959.

False Claims Act Whistleblower Awards for Cybersecurity Whistleblowers

False Claims Act whistleblower awardsA cybersecurity qui tam whistleblower can be eligible for a large recovery when they report a government contractor that fails to follow required cybersecurity standards.  There are unique rules and procedures that govern qui tam whistleblower cases.

Therefore, it is critical to retain an experienced cybersecurity False Claims Act whistleblower lawyer to maximize your recovery.  This FAQ provides an overview of some of the key aspects of False Claims Act claims.

Cybersecurity False Claims Act Whistleblower Protection

False Claims Act Whistleblower Protection Law

Whistleblower Retaliation Laws Protecting
Cybersecurity Whistleblowers at Government Contractors and Grantees

Courageous whistleblowers that come forward to report fraud deserve robust protection against retaliation.  Below is a list of common questions about key aspects of the anti-retaliation provisions of the False Claims Act and the Defense Contractor Whistleblower Protection Act.

Cybersecurity False Claims Act Qui Tam Whistleblower Attorneys Representing Cybersecurity Whistleblowers Nationwide

The experienced whistleblower attorneys at leading whistleblower law firm Zuckerman Law have substantial experience representing whistleblowers disclosing fraud and other wrongdoing at government contractors and grantees.  To schedule a confidential consultation, click here or call us at 202-262-8959.

Our experience includes:

  • Representing whistleblowers in NDAA retaliation claims before the Department of Defense, and Department of Homeland Security, Department of Justice Offices of Inspectors General.
  • Litigating False Claims Act retaliation cases.
  • Representing qui tam relators in False Claims Act cases.
  • Representing whistleblowers disclosing fraud on the government in Congressional investigations.
  • Training judges, senior Office of Inspector General officials, and federal law enforcement about whistleblower protections.

In addition, we have substantial experience representing whistleblowers under the Whistleblower Protection Act (WPA) and enforcing the WPA, the law that the NDAA whistleblower provisions are based upon.

Jason Zuckerman served as Senior Legal Advisor to the Special Counsel at OSC, where he worked on the implementation of the Whistleblower Protection Enhancement Act and several high-profile investigations, including a matter resulting in the removal of an Inspector General.

Before hiring a lawyer for a high-stakes whistleblower case, assess the lawyer’s reputation, prior experience representing whistleblowers, knowledge of whistleblower laws and prior results.  And consider the experience of other whistleblowers working with that attorney.  See our client testimonials by clicking here.

 

Jason Zuckerman, Principal of Zuckerman Law, litigates whistleblower retaliation, qui tam, wrongful discharge, and other employment-related claims. He is rated 10 out of 10 by Avvo, was recognized by Washingtonian magazine as a “Top Whistleblower Lawyer” in 2015 and selected by his peers to be included in The Best Lawyers in America® and in SuperLawyers.