Unfortunately, but as predicted earlier this year, the Department of Justice (DOJ) has shown no signs of pausing use of the False Claims Act (FCA) as a tool to enforce cybersecurity compliance.

On September 5, 2023, DOJ announced an FCA settlement with Verizon Business Network Services LLC based on Verizon’s failure to comply with cybersecurity requirements with respect to services provided to federal agencies. Verizon contracted with the government to provide secure internet connections but fell short of certain Trusted Internet Connections (TIC) requirements.

Compared to the approximately $9 million Aerojet settlement in 2022, Verizon’s approximately $4.1 million settlement appears to provide helpful suggestions on how to reduce liabilities or mitigate damages. For example, Verizon cooperated and self-disclosed its shortcomings, and the government emphasized the company’s level of cooperation and self-disclosure in its press release.

Even as cybersecurity requirements become more complex, tried and true compliance strategies remain key to mitigating damages. Companies should encourage a culture of self-reporting and agency.

Establish and Advertise Self-Reporting Hotline Programs

A self-reporting hotline is often a key component of an effective corporate compliance and ethics program. In companies with an internal hotline, studies have found that tips account for over half of all fraud detection. A best practice is to consider making the hotline anonymous as anonymity often generates more calls. Importantly, make sure employees know that the hotline is the appropriate place to report any cybersecurity concerns. Although it might sound ridiculous to lawyers and compliance professionals, employees may not realize cybersecurity issues should be reported on the hotline. Make sure employees know about the hotline. Emphasize it at meetings, in newsletters, on intranet sites, and anywhere else.

Promote a Sense of Agency Throughout the Organization

Employees tend to report concerns only when they feel a sense of agency, or otherwise feel that their reported concerns are being addressed. This, of course, starts with the tone at the top. Make sure all individuals — from the top down — feel like their cybersecurity concerns are being heard and addressed, as appropriate. Consider ways to show that cybersecurity complaints are taken seriously — perhaps by consistently addressing cybersecurity concerns at staff meetings or otherwise publicizing the work done to ameliorate employees’ concerns.

To avoid potential FCA liability, companies need to be absolutely aware of any cybersecurity requirements in government contracts, including how compliance is certified, and how to monitor and report any cybersecurity incidents. When cybersecurity concerns are reported, no matter whether corroborated or otherwise, companies must follow up on the complaint and with the complainant. Companies must consider ways to “close the feedback loop,” and develop a system to follow up with complainants and to keep them informed about what the company has done about their concerns. Companies must take the investigation seriously and involve experienced cyber and investigations counsel sooner rather than later. Counsel can help determine if a written self-disclosure to a government agency is necessary, help craft the strategy, and guide an investigation that may ultimately reduce liabilities or mitigate damages.

Daniel Fortune

Daniel Fortune represents clients in matters involving cybersecurity, white collar defense, government enforcement actions, and regulatory compliance. Prior to joining Bradley, Daniel served as the lead cybersecurity attorney at a litigation boutique, and as a state prosecutor and federal prosecutor litigating matters involving computer forensics, white collar crime, and government investigations. As the Deputy Chief Assistant U.S. Attorney in the Criminal Division, he supervised major cybercrime, white collar fraud, public corruption, asset forfeiture, and national security matters. He also served as the Computer Hacking and Intellectual Property Coordinator with top-secret security clearance, working on matters involving cleared defense contractors.

Lyndsay E. Medlin

Lyndsay Medlin assists clients across industries with a variety of litigation, internal investigation, and compliance needs. Her experience includes assisting clients with drafting and developing policies and best practices to ensure compliance and prevent litigation; investigating and responding to internal whistleblower allegations, federal civil investigative demands, and state regulatory inquiries for financial services, healthcare, life sciences, and government contractor clients, and working closely with clients across industries to protect their business interests nationwide. With privacy and cybersecurity becoming paramount concerns for businesses, Lyndsay is also skilled at counseling clients regarding the nuances of privacy notices, protection of customer and client personal information, and for covered financial services clients, Bank Secrecy Act/Anti-Money Laundering compliance.