The False Claims Act and cybersecurity: Are third-party vendors putting you at risk?
A government supplier law written over a century ago may seem outdated in the digital age, but it may be putting your company at risk. Recent court rulings related to the 1863 False Claims Act have broad ramifications for cybersecurity, and your organization needs to understand how it may be impacted.
What is the False Claims Act?
Enacted before the electric light bulb and the telephone were invented, the False Claims Act is a whistleblower law allowing any individual to sue a person or entity defrauding the government. The plaintiff can recover damages on behalf of the government and receive a percentage of the settlement as a result. The law also protects the plaintiff from retaliation by the defendant, including being fired.
President Lincoln was highly in favor of the law, whose purpose at the time was to fight fraud by vendors selling supplies to the Union Army during the Civil War. The act contains a provision called “qui tam,” a short version of a Latin phrase that translates roughly as “he who brings an action for the king as well as for himself.”
The liabilities under the law fall in three general categories:
- Presenting a false claim for payment
- Using a false statement to get a claim paid
- Reverse false claims (concealing or avoiding an obligation to pay the government)
The US Congress revised the act in 1943, making lawsuits less appealing because of the reduced damages that could be awarded. But it restored the original provisions in the 1980s to encourage more whistleblowers to spend their own money investigating fraud against the government.
Reportedly, more than 13,000 qui tam cases have been filed in the last two-plus decades, enabling federal and state agencies to recover more than $55 billion in settlements and fines. In FY2019 alone, the total was more than $3 billion.
What does the False Claims Act have to do with cybersecurity?
In July 2019, Cisco Systems agreed to settle a whistleblower’s claim that it sold video surveillance software to governments while knowing the software had vulnerabilities. It was the first False Claims Act payout related to cybersecurity standards.
Whistleblower James Glenn filed the claim in 2011, alleging that Cisco sold a product that was vulnerable to hacking and could enable someone to get administrative control of the entire network. Glenn worked for a Danish company that was a Cisco vendor partner; he reportedly warned Cisco about the flaw but the company failed to act.
Cisco acquired the company that made the original video surveillance manager software and upgraded it two years after Glenn filed his case. The company had sold the vulnerable software to clients such as the Washington, D.C., police, Los Angeles International Airport and the US military. In total, the case listed 15 state buyers in addition to the federal government.
Another case that’s going through the courts in California was filed on behalf of NASA and the Department of Defense against Aerojet Rocketdyne Holdings, Inc. The whistleblower, a former employee of the company’s cybersecurity department, alleged that Aerojet fraudulently entered into federal contracts despite not meeting cybersecurity requirements that government contractors must comply with. A district court allowed the case to move forward in summer 2019.
How vendors may be putting you at risk
Many government agencies have cybersecurity requirements for their contractors and vendors, regardless of what kind of services and products they sell to the government. These requirements, which are constantly evolving, are designed to protect the privacy and security of the government’s information systems and data.
Where do vendors come into the equation? Like any organization, you’re likely using third-party vendors for a variety of purposes, from processing data and supplying parts to protecting your cloud applications. Here are two scenarios to consider:
- In today’s interconnected world, any of your vendors can be a weak link for your cybersecurity. While you may not be liable for a vendor’s weak cybersecurity under the False Claims Act, you could be liable if you don’t have a plan that spells out how you mitigate third-party risk.
- Cybersecurity products themselves can be just as vulnerable as the systems they protect. We saw this last year when news broke that state-sponsored hackers were exploiting the flaws in the enterprise-grade VPNs of several vendors. While you wouldn’t be liable for that vendor’s product, not having a consistent policy for patching (for example) could bring the liability to your door.
You need to understand your third-party risks and what you should do to minimize your exposure. In many cases, government contracts require suppliers to have a cybersecurity plan and mitigation measures in place. That means you should pass compliance requirements along to your own vendors and describe in your plan how you’re managing the vendors’ compliance.
If you’re attesting in your government contract that you’re meeting the federal agency’s cybersecurity requirements but in reality don’t have a good plan, you could be liable for noncompliance. The False Claims Act requires the plaintiffs to provide proof based on information not available publicly — which means any of your employees or other insiders with knowledge of your practices could blow the whistle if they believe you’re fraudulently claiming compliance.
Best practices for third-party risk management
If you rely on vendors and suppliers as part of the services or products you provide to the government, make sure you understand what the government requires with regard to your subcontractors and partners. Additionally, basic steps to take include:
- Assess the risks: A risk assessment is the first step because it’s difficult to mitigate risks you don’t know exist. Understand your relationships with third parties and how they impact your own cybersecurity. Consider categorizing vendors based on their level of risk.
- Policies and due diligence: To ensure consistent enforcement, document your vendor-management policies. Create a screening and onboarding process for all your vendors.
- Service agreements: Include cybersecurity criteria, rights and responsibilities in agreements with all your business associates.
- Proof of compliance: Document your process for how you’ll validate your vendors’ compliance. Will they self-attest or provide validation using third parties, or will you use audits or other metrics to verify compliance?
- Limit access: Limit your vendors’ access, both on premises and virtually, to your critical assets and ensure they can only access what’s necessary for them to complete the work. This can be done through methods such as network segmentation and user identity management.
- Incident response plan: Include your vendors in your incident response scenarios. Despite your best efforts, an incident involving a vendor is likely, and you need a plan for how you’ll respond when your cybersecurity is impacted.
Cybersecurity is here to stay for whistleblowers
With the increased number of cybersecurity attacks and data breaches, the government’s scrutiny of cybersecurity compliance will grow, and organizations should expect requirements to keep expanding. Firms representing whistleblower claims say they’re seeing more inquiries related to cybersecurity from potential plaintiffs, so expect more cybersecurity-related suits to be filed under the False Claims Act. If you’re doing business with the government, you need to take steps now to make sure you’re protecting yourself.