This past year has brought new U.S. Department of Justice actions—both civil and criminal—against companies and individuals for cybersecurity deficiencies and for concealing cybersecurity incidents. In October 2021 DOJ announced the Civil Cyber-Fraud Initiative, which uses the False Claims Act to hold those federal government contractors (including IT contractors) accountable that put U.S. information or systems at risk by “knowingly providing deficient cybersecurity products or services, knowingly misrepresenting their cybersecurity practices or protocols, or knowingly violating obligations to monitor and report cybersecurity incidents and breaches.”1 The False Claims Act also includes a whistleblower provision that allows private parties to identify fraudulent conduct relating to government contracts and programs and share in any recovery ultimately obtained by the government. As a result, company employees aware of deficient cybersecurity practices relating to government contracts are now incentivized to report those deficiencies to DOJ. The Civil Cyber-Fraud Initiative has already resulted in two corporate settlements that resolve allegations of false representations concerning compliance with cybersecurity requirements in government contracts.
On the criminal side, last month Uber’s former security chief Joseph Sullivan was convicted in California federal court for concealing the company’s 2016 data breach, specifically for obstructing an ongoing Federal Trade Commission investigation into an earlier, smaller breach and for misprision of a felony (i.e., knowing that a federal felony had been committed and taking affirmative steps to conceal it). This alert summarizes these three DOJ cases and provides takeaways for protecting your company against whistleblower activity and DOJ exposure.
Civil Cases: Comprehensive Health Services (“CHS”) and Aerojet RocketDyne Holdings (“Aerojet”)
In March 2022 CHS became the first company to settle with DOJ under the Civil Cyber-Fraud Initiative to resolve allegations that it falsely represented compliance with contract requirements relating to medical services provided to government facilities in Iraq and Afghanistan. Specifically, DOJ alleged that CHS failed to store medical records on a secure electronic medical record system as required, and instead maintained records on an unsecured internal network drive. In settling this probe, CHS agreed to pay $930,000 under the False Claims Act.
In July 2022 Aerojet agreed to pay $9 million to resolve allegations that it misrepresented its compliance with cybersecurity requirements in government contracts. Notably, Aerojet disclosed its noncompliance to the government, but the disclosure was allegedly incomplete. The case was brought by a relator (whistleblower) who was a former director of cybersecurity, compliance and controls at the company. The relator alleged that he was terminated after he contacted the company’s ethics hotline and filed an internal report concerning the company’s deficiencies. He ultimately was awarded over $2.6 million for his role as a whistleblower under the False Claims Act.
Criminal Case: Sullivan
Joseph Sullivan was hired as Chief Security Officer in April 2015 after Uber disclosed to the FTC a 2014 breach in which hackers obtained approximately 50,000 consumers’ names and driver’s license numbers. The evidence at trial demonstrated that he played a key role in Uber’s response to the FTC’s Civil Investigative Demands, participated in a presentation to the FTC in March 2016, and testified under oath to the FTC in November 2016 as to Uber’s data security practices, including specific representations about steps he claimed Uber took to keep customer data secure.
Ten days after his FTC testimony, Sullivan learned Uber was hacked again. The 2016 breach compromised the data of 57 million passengers and drivers. The hackers discovered a flaw in Uber’s security system that allowed them to access its cloud-stored databases and then demanded a ransom for deleting the user data they confiscated. Sullivan failed to disclose the incident to Uber’s general counsel or to the company lawyers who were assigned to work on the FTC’s investigation of the 2014 data breach. Sullivan also instructed a subordinate that they “can’t let this get out.”
In December 2016, Uber paid the hackers $100,000 in bitcoin and asked them to sign a nondisclosure agreement falsely stating they did not take or store any data. The trial evidence showed that Sullivan justified the payoff as part of Uber’s “bug bounty program,” which rewards responsible hackers and researchers who discover security vulnerabilities, but the payment was over 10 times the program’s award cap. The government also presented evidence that Sullivan was aware that the hackers had hacked and extorted other companies as well.
Dara Khrosrowshahi, who became CEO in August 2017, testified at trial that he learned of the breach from a special committee shortly after beginning his tenure and promptly launched an independent investigation. Sullivan was terminated after the investigation determined that he provided incomplete and misleading details about the breach. In November 2017 Khrosrowshahi announced the breach in a blog post and Uber subsequently disclosed the incident to the FTC. Although by that point the FTC had reached a settlement with Uber regarding the 2014 breach, the late disclosure of the 2016 breach prompted the FTC to withdraw the initial settlement and renegotiate. The revised settlement included a provision requiring Uber to notify the FTC when breaches occur.
Taken together, these three cases show DOJ’s commitment to policing three types of cybersecurity failures: (i) knowing failure to meet cybersecurity standards set forth in government contracts; (ii) misrepresenting cybersecurity compliance and controls in government contracts; and (iii) concealing cybersecurity incidents such as breaches. Government contractors and grant recipients, as well as others in federal programs, should expect increased enforcement of cybersecurity-related fraud under the False Claims Act, as well as increased whistleblower activity.
To protect against exposure under the False Claims Act, companies should review any cybersecurity requirements in government contracts to discern whether they are fully compliant. A company need not experience a data breach to have enforcement exposure. Given the breadth of the requirements and certifications in many government contracts, failure to maintain secure storage of sensitive data is enough to create liability. Companies with governments contracts also benefit from regular review of their whistleblower program, as many whistleblowers (like the one in Aerojet) start out reporting issues internally, meet obstacles, indifference, or retaliation, and then report to the government.
To protect against criminal exposure or the reputational harm of an allegedly concealed breach, companies should have a written incident response plan that directs the internal cybersecurity team to disclose the incident to the relevant in-house legal team or other incident response team. The legal team can then review the company’s existing obligations (arising from existing investigations, contracts, or state or federal law) that might require disclosure to various government components and draft those disclosures with the appropriate level of detail. The company should be especially mindful of transparency to the extent it is under an existing investigation related to cybersecurity issues.
In working through their disclosure obligations, companies should also note that every state has adopted data breach notification requirements, mandating that companies alert affected individuals and, in some cases, state regulatory or law enforcement authorities. Moreover, the SEC recently proposed regulations under the Securities Exchange Act of 1934 to require publicly traded companies to disclose certain data breaches. These requirements do not impose strict liability for breaches – rather they reflect an emerging consensus that data breaches are inevitable, and that harm mitigation is as important (and legally actionable) as harm prevention.
Although companies may worry that disclosure of data breaches will invite negative press, an enforcement action, or a civil class-action, the recent cases underscore that concealing a cyber incident only increases the risks to the company.