Unfortunately, and as predicted earlier this year, the Department of Justice (DOJ) has shown no signs of pausing its use of the False Claims Act (FCA) as a tool to enforce cybersecurity compliance.
On September 5, 2023, DOJ announced an FCA settlement with Verizon Business Network Services LLC based on Verizon’s failure to comply with cybersecurity requirements with respect to services provided to federal agencies. Verizon contracted with the government to provide secure internet connections but fell short of certain Trusted Internet Connections (TIC) requirements.
Compared with the approximately $9 million Aerojet settlement in 2022, the approximately $4.1 million Verizon settlement suggests how a contractor can reduce liability or mitigate damages. Verizon cooperated with the government and self-disclosed its shortcomings, and DOJ emphasized the company’s cooperation and self-disclosure in its press release.
Even as cybersecurity requirements become more complex, tried and true compliance strategies remain key to mitigating damages. Companies should encourage a culture of self-reporting and agency.
Establish and Advertise Self-Reporting Hotline Programs
A self-reporting hotline is often a key component of an effective corporate compliance and ethics program. Studies of companies with an internal hotline have found that tips account for over half of all fraud detection. A best practice is to make the hotline anonymous, as anonymity often generates more reports. Importantly, make sure employees know that the hotline is the appropriate place to report any cybersecurity concern. Although it may sound obvious to lawyers and compliance professionals, employees may not realize that cybersecurity issues belong on the hotline. Make sure employees know about the hotline: emphasize it at meetings, in newsletters, on intranet sites, and anywhere else.
Promote a Sense of Agency Throughout the Organization
Employees tend to report concerns only when they feel a sense of agency, or otherwise feel that their reported concerns are being addressed. This, of course, starts with the tone at the top. Make sure all individuals — from the top down — feel like their cybersecurity concerns are being heard and addressed, as appropriate. Consider ways to show that cybersecurity complaints are taken seriously — perhaps by consistently addressing cybersecurity concerns at staff meetings or otherwise publicizing the work done to ameliorate employees’ concerns.
To avoid potential FCA liability, companies need to know exactly what cybersecurity requirements their government contracts impose, how compliance with those requirements is certified, and how cybersecurity incidents must be monitored and reported. When a cybersecurity concern is reported, whether or not it is corroborated, the company must follow up on the complaint and with the complainant. Companies must find ways to “close the feedback loop,” with a system for following up with complainants and keeping them informed about what the company has done about their concerns. Companies must take the investigation seriously and involve experienced cyber and investigations counsel sooner rather than later. Counsel can help determine whether a written self-disclosure to a government agency is necessary, help craft the strategy, and guide an investigation that may ultimately reduce liability or mitigate damages.