The False Claims Act was signed by Abraham Lincoln in 1863 to combat unscrupulous federal contractors. At its core, it creates stiff penalties for anyone claiming money from the government under false pretenses — including for contractors that falsely certify that they've met important standards, including security requirements. From the start the law has offered a financial incentive to whistleblowers, who may report such wrongdoing by filing a legal complaint on behalf of taxpayers. This "qui tam" provision of the FCA allows prevailing plaintiffs to receive up to 30 percent of the money returned to U.S. coffers.
Meanwhile, if a whistleblower gets fired for reporting fraud, or suffers other retaliation, the FCA calls for the harm to be reversed: Successful plaintiffs can get their jobs back with the same seniority, and may recover double back pay with interest plus special damages, including attorney fees and, in some courts, compensation for emotional distress.
As with all legal claims, deadlines are crucial. If you have been punished for drawing attention to cybersecurity flaws or data breaches, you must file a retaliation claim under the FCA within three years. The statute of limitations for whistleblowers to report the underlying fraud generally is six years under the FCA — or up to 10 years in a few situations. Other laws, including some relevant state laws, may demand faster action. And since the FCA offers a reward only to the first whistleblower to file a valid complaint, it's important to act quickly.
What laws protect cybersecurity whistleblowers?
If you face retaliation for raising concerns about cybersecurity violations, you may be protected by a variety of federal laws depending on the circumstances, including the False Claims Act; the Sarbanes-Oxley Act; and the Defense Contractor Whistleblower Protection Act as amended by the National Defense Authorization Act. In addition, state law may offer you additional protections.
What laws reward cybersecurity whistleblowers?
If you’re blowing the whistle on a federal contractor — especially if you’re an insider whose complaints have been ignored — the federal False Claims Act is likely the first place you should look for a reward. This requires filing a lawsuit. Other options may be available, including state versions of the FCA and, if your employer has investors who are being deceived, the Dodd-Frank Act. An experienced attorney can advise you where to start.
What makes a cybersecurity violation illegal under the False Claims Act?
Government contractors are required to follow the terms of their contracts, which often include security and reporting requirements, either by direct inclusion or by reference to the Defense Federal Acquisition Regulation Supplement (DFARS) or another set of standards. Requesting payment from the government while knowingly violating those standards, or signing a contract while intending to ignore them, may be a false or fraudulent claim or statement under 31 U.S.C. § 3729(a)(1), where these FCA violations are defined. "Knowingly" under the FCA is broader than intent: it also covers deliberate ignorance of, or reckless disregard for, whether a certification is true.
What are some examples of cybersecurity violations that might be illegal under the FCA?
A classic instance would be where a contractor isn’t applying appropriate cybersecurity standards and fails to disclose its non-compliance — or falsely certifies that it is compliant. Another example would be failing to disclose a data breach through the proper channels. FCA liability may arise wherever a contractor or subcontractor fails to follow whichever regulations are incorporated into the relevant government contract.
Many of these security requirements are spelled out in the Federal Acquisition Regulation and its agency-specific supplements, including the DFARS. In addition, contractors should meet applicable standards set by the National Institute of Standards and Technology (for defense contractors handling controlled unclassified information, DFARS clause 252.204-7012 incorporates NIST SP 800-171), and must also comply with broader data-security laws, including the Health Information Technology for Economic and Clinical Health Act (HITECH) and the Health Insurance Portability and Accountability Act (HIPAA), both for sensitive medical information, and the Gramm-Leach-Bliley Act, for sensitive financial information.
To be clear, FCA liability may arise even if there's no evidence of a hacking incident or data loss: In the Cisco case noted above, for instance, the mere vulnerability of key systems was the main issue. Under the FCA, the misrepresentation must be found to be "material," meaning it is the kind of thing that would influence the government's decision to pay. In an environment where the U.S. president has declared cybersecurity to be "a top priority and essential to national and economic security," substantial corner-cutting on required security controls is a strong candidate for meeting that standard.
If I know about a cybersecurity violation, where should I report it?
First, report it within your company via whatever channel is specified for such security concerns, or, if there's no set procedure, through your chain of command. Federal contractors and subcontractors ultimately must report violations to their contracting agency or, depending on the information at risk, to the Defense Department; for example, DFARS 252.204-7012 requires cyber incidents affecting covered defense information to be reported to DoD within 72 hours of discovery. If reporting to the government isn't your responsibility, press your company to do the right thing.
I’ve told my company about cybersecurity flaws, but it refuses to fix or report them. What’s next?
At this point it’s probably a good idea to speak with an attorney who can help you to report the problem to the government in a way that maximizes, first, your protection against blowback and, second, the chance that you’ll be rewarded for your integrity.
Different law firms have different procedures, but if you have solid evidence of fraud against the government you should be able to find an attorney who’ll give you a free consultation. If you choose to proceed under the False Claims Act the attorney may offer to represent you on a contingency basis, so that you have no out-of-pocket costs.
How does the False Claims Act reward and protect whistleblowers?
The FCA is an unusual and powerful law: It allows you to sue on behalf of the U.S. government to compensate taxpayers for payouts that a company received under false pretenses, including by lying about cybersecurity — and violators face a steep punishment that can include triple damages plus substantial extra penalties. Federal prosecutors must investigate your allegations, and if your complaint leads to a monetary recovery you’re entitled to at least 15 percent of the resulting amount.
Meanwhile, the FCA protects whistleblowers with a robust anti-retaliation provision that may require your employer to make you whole for the ill effects of any punishment you receive for speaking out about possible fraud against the government. Other laws may apply, too.
How do I file an FCA complaint about cybersecurity fraud?
False Claims Act complaints are filed under seal in federal court, meaning that they remain secret for at least 60 days and usually much longer. A lawyer can help you with this. The secrecy allows the government to start its investigation and to decide its approach, which could include criminal prosecution.
To get the government’s full attention, an FCA complaint should make detailed allegations that are likely to survive a judge’s early scrutiny, and should be filed in a federal district where the U.S. Attorney’s Office is likely to be interested in the case. Because of this, you should choose an experienced FCA attorney who can guide you through the process.
Can I remain anonymous while reporting cybersecurity problems at a government contractor?
If you report via an FCA complaint, the government will eventually need to know who you are. There are mechanisms that may keep your name from your employer and from the public — including the initial secrecy of the filing — but few FCA whistleblowers remain anonymous forever. This is a good topic to discuss with an attorney. FCA cases take a long time, and some whistleblowers stay under the radar for years.
If I blow the whistle on a security flaw, will I be able to keep my job?
Under the FCA and other laws, it is generally illegal to retaliate against whistleblowers, including by firing them. If you use the FCA to disclose cybersecurity failings, your role as a whistleblower may remain unknown for some time. You may still face retaliation for raising concerns internally, of course — but again, the law should protect you. If you are punished, you may have a viable claim for damages and legal fees.
I have a question about cybersecurity whistleblowing that isn’t covered here.
If you know about cybersecurity failures at a federal contractor, please contact us. We would like to help you.