How to Report Cybersecurity Issues at a Federal Contractor

  • Are you a whistleblower who knows about cybersecurity failures at a government contractor?
  • Is your employer certifying that its work is secure — even though it's not?
  • Have you raised concerns, only to be ignored or punished?
  • Are federal programs, or even human lives, in danger because of your company's false claims and cover-ups?

If you want to put things right — and maybe get a reward for doing so — the law is on your side.

Ensuring the security of government systems is a top priority for the U.S. Department of Justice (DOJ), which is looking for whistleblowers to help its enforcement efforts. Anyone who reveals cybersecurity flaws that are being hidden from federal contracting officers, or from the government generally, is protected from retaliation — and could earn a cash payment. Under the federal False Claims Act (FCA), for instance, the U.S. government may reward a tipster with up to 30 percent of any money that is recovered from a contractor that hasn't kept its cybersecurity promises.

Since 2021 the DOJ has been ramping up its efforts in this area. Its "Civil Cyber-Fraud Initiative" is aimed at federal contractors that fail to meet required security standards, and prosecutors have asked whistleblowers to report contractors that are "knowingly providing deficient cybersecurity products or services, knowingly misrepresenting their cybersecurity practices or protocols, or knowingly violating obligations to monitor and report cybersecurity incidents and breaches" to the government.

If you work for an employer that is lying to the feds about its cybersecurity efforts, our lawyers can help you to report this wrongdoing to the DOJ, to defend yourself against backlash, and — if your tip results in a recovery for taxpayers — to claim a reward. Importantly, your action could help to protect the United States.

The Employment Law Group® law firm is experienced in representing employees who blow the whistle on procurement fraud, which includes false certification of a contractor’s compliance with security requirements. Our attorneys have represented engineers, project managers, executives, salespeople, accountants, and other employees in their whistleblower claims. We have a number of contractor fraud cases in progress, including FCA cases that involve defense, healthcare, and homeland security contracts.

The FCA is a proven tool against cybersecurity fraud and data breaches. In 2022, for instance, Aerojet Rocketdyne Inc. agreed to pay $9 million to settle a whistleblower’s complaint that it had misrepresented its compliance with the cybersecurity requirements in contracts with NASA, the U.S. Department of Defense, and other federal agencies. The whistleblower received $2.6 million.

In 2019, meanwhile, Cisco Systems Inc. agreed to pay $8.6 million to settle a whistleblower’s FCA complaint that claimed its video surveillance systems didn’t meet basic security standards — yet were sold to highly sensitive buyers including the U.S. Army and the U.S. Secret Service. In that case, the whistleblower received more than $1 million for his tip.

Learn More

The False Claims Act was signed by Abraham Lincoln in 1863 to combat unscrupulous federal contractors. At its core, it creates stiff penalties for anyone claiming money from the government under false pretenses — including for contractors that falsely certify that they've met important standards, including security requirements. From the start the law has offered a financial incentive to whistleblowers, who may report such wrongdoing by filing a legal complaint on behalf of taxpayers. This "qui tam" provision of the FCA allows prevailing plaintiffs to receive up to 30 percent of the money returned to U.S. coffers.

Meanwhile, if a whistleblower gets fired for reporting fraud, or suffers other retaliation, the FCA calls for the harm to be reversed entirely: Successful plaintiffs can get their jobs back — and may get damages including attorney fees and payment for emotional distress.

As with all legal claims, deadlines are crucial. If you have been punished for drawing attention to cybersecurity flaws or data breaches, you must file a retaliation claim under the FCA within three years. The statute of limitations for whistleblowers to report the underlying fraud generally is six years under the FCA — or up to 10 years in a few situations. Other laws, including some relevant state laws, may demand faster action. And since the FCA offers a reward only to the first whistleblower to file a valid complaint, it's important to act quickly.

Frequently Asked Questions

What laws protect cybersecurity whistleblowers?

If you face retaliation for raising concerns about cybersecurity violations, you may be protected by a variety of federal laws depending on the circumstances, including the False Claims Act; the Sarbanes-Oxley Act; and the Defense Contractor Whistleblower Protection Act as amended by the National Defense Authorization Act. In addition, state law may offer you additional protections.

What laws reward cybersecurity whistleblowers?

If you’re blowing the whistle on a federal contractor — especially if you’re an insider whose complaints have been ignored — the federal False Claims Act is likely the first place you should look for a reward. This requires filing a lawsuit. Other options may be available, including state versions of the FCA and, if your employer has investors who are being deceived, the Dodd-Frank Act. An experienced attorney can advise you where to start.

What makes a cybersecurity violation illegal under the False Claims Act?

Government contractors are required to follow the terms of their contracts, which often include security and reporting requirements, either by direct inclusion or by reference to the Defense Federal Acquisition Regulation Supplement (DFARS) or another set of standards. Requesting payment from the government while intentionally violating those standards, or signing a contract while intending to ignore the standards, may be viewed as a false or fraudulent claim or statement under 31 U.S.C. § 3729(a)(1), where these FCA violations are defined.

What are some examples of cybersecurity violations that might be illegal under the FCA?

A classic instance would be where a contractor isn’t applying appropriate cybersecurity standards and fails to disclose its non-compliance — or falsely certifies that it is compliant. Another example would be failing to disclose a data breach through the proper channels. FCA liability may arise wherever a contractor or subcontractor fails to follow whichever regulations are incorporated into the relevant government contract.

Many of these security requirements are spelled out in the Federal Acquisition Regulation and its agency-specific supplements, including the DFARS. In addition, contractors should meet applicable standards set by the National Institute of Standards and Technology, and also must comply with broader data-security laws, including the Health Information Technology for Economic and Clinical Health Act (HITECH) and Health Insurance Portability and Accountability Act (HIPAA), both for sensitive medical information, and the Gramm-Leach-Bliley Act, for sensitive financial information.

To be clear, FCA liability may arise even if there’s no evidence of a hacking incident or data loss: In the Cisco case noted above, for instance, the simple vulnerability of key systems was the main issue. Under the FCA, such vulnerability must be found to be “material” — but in an environment where the U.S. president has declared cybersecurity to be “a top priority and essential to national and economic security,” any substantial corner-cutting should qualify.

If I know about a cybersecurity violation, where should I report it?

First, report it within your company via whatever channel is specified for such security concerns — or if there’s no set procedure, through your chain of command. Federal contractors and subcontractors ultimately must report violations to their contracting agency or, depending on the information at risk, to the Defense Department. If reporting to the government isn’t your responsibility, press your company to do the right thing.

I’ve told my company about cybersecurity flaws, but it refuses to fix or report them. What’s next?

At this point it’s probably a good idea to speak with an attorney who can help you to report the problem to the government in a way that maximizes, first, your protection against blowback and, second, the chance that you’ll be rewarded for your integrity.

Different law firms have different procedures, but if you have solid evidence of fraud against the government you should be able to find an attorney who’ll give you a free consultation. If you choose to proceed under the False Claims Act the attorney may offer to represent you on a contingency basis, so that you have no out-of-pocket costs.

How does the False Claims Act reward and protect whistleblowers?

The FCA is an unusual and powerful law: It allows you to sue on behalf of the U.S. government to compensate taxpayers for payouts that a company received under false pretenses, including by lying about cybersecurity — and violators face a steep punishment that can include triple damages plus substantial extra penalties. Federal prosecutors must investigate your allegations, and if your complaint leads to a monetary recovery you’re entitled to at least 15 percent of the resulting amount.

Meanwhile, the FCA protects whistleblowers with a robust anti-retaliation provision that may require your employer to make you whole for the ill effects of any punishment you receive for speaking out about possible fraud against the government. Other laws may apply, too.

How do I file an FCA complaint about cybersecurity fraud?

False Claims Act complaints are filed under seal in federal court, meaning that they remain secret for at least 60 days and usually much longer. A lawyer can help you with this. The secrecy allows the government to start its investigation and to decide its approach, which could include criminal prosecution.

To get the government’s full attention, an FCA complaint should make detailed allegations that are likely to survive a judge’s early scrutiny, and should be filed in a federal district where the U.S. Attorney’s Office is likely to be interested in the case. Because of this, you should choose an experienced FCA attorney who can guide you through the process.

Can I remain anonymous while reporting cybersecurity problems at a government contractor?

If you report via an FCA complaint, the government will eventually need to know who you are. There are mechanisms that may keep your name from your employer and from the public — including the initial secrecy of the filing — but few FCA whistleblowers remain anonymous forever. This is a good topic to discuss with an attorney. FCA cases take a long time, and some whistleblowers stay under the radar for years.

If I blow the whistle on a security flaw, will I be able to keep my job?

Under the FCA and other laws, it is generally illegal to retaliate against whistleblowers, including by firing them. If you use the FCA to disclose cybersecurity failings, your role as a whistleblower may remain unknown for some time. You may still face retaliation for raising concerns internally, of course — but again, the law should protect you. If you are punished, you may have a viable claim for damages and legal fees.

I have a question about cybersecurity whistleblowing that isn’t covered here.

If you know about cybersecurity failures at a federal contractor, please contact us. We would like to help you.