The False Claims Act is the nation’s most powerful law protecting whistleblowers. Ever since a landmark announcement in October 2021, it also applies to those reporting cyber fraud and digital false claims. The False Claims Act as a civil enforcement tool allows whistleblowers to collect a percentage of the overall settlement and to keep their identity concealed. It provides protection against retaliation by employers should you be harassed, discriminated against, fired, suspended, or otherwise negatively impacted by your disclosure. It also offers the possibility of recovering damages.
Taking full advantage of the shelter of the FCA is perhaps the most important way that cyber whistleblowers can protect themselves.
What Is the Civil Cyber-Fraud Initiative?
Reporting a data breach sets in motion a necessary chain of events. The weak spot in security protocols must be investigated, information must be shared, backups can be installed, and executives may need to decide whether or not to pay a ransom demand. Because of this, revealing that your company has been hacked can make consumers lose confidence in security protocols, affect investor decisions, and affect overall value.
Many companies choose to hide a data breach rather than report it because of these concerns. However, keeping a data breach secret is always the wrong decision, especially for government contractors and grant recipients. The Civil Cyber-Fraud Initiative, announced October 6, 2021, empowers whistleblowers to report data breaches when company executives choose to conceal them. Doing so helps protect taxpayer funds and holds companies accountable to their commitments to protect government information and provide quality infrastructure.
Under the Civil Cyber-Fraud Initiative, whistleblowers who disclose cyber-related fraud, waste, and abuse can recover anywhere from 10% to 30% of the overall settlement when their information is original and timely, and they are the first to file a lawsuit. Payments come from fines and fees under the FCA, and do not reduce the pool of taxpayer funds available or reduce service abilities. Unreported data breaches may qualify for a reward; so, too, can false certifications for cybersecurity compliance, misuse of federal cybersecurity funds, and more.
Cyber whistleblowers can also benefit from the legal infrastructure of the False Claims Act when it comes to protecting against employer retaliation. Under the FCA, employers who discriminate against whistleblowers in any way (including but not limited to harassment, demotion, failure to promote, firing, suspension of hours or pay, etc.) can be sued in federal court for up to double back pay as well as additional damages and attorney fees. This provides both a safety net for whistleblowers who speak up and additional pressure on employers to address system failings in a timely and reasonable manner.
Common Types of Cyber Fraud Whistleblowers Can Help Expose
The Civil Cyber-Fraud Initiative expands the False Claims Act to protect whistleblowers who report any of the following cybersecurity concerns in connection with a government contractor, grantee, or company that receives public funds:
Failure to Comply With Cybersecurity Standards
Contractors and grantees working with the federal government are usually required to comply with certain standards, including minimum data security measures. These standards can protect sensitive information such as health data, locations of American operators overseas, and more. They include:
- The Federal Acquisition Regulation (FAR)
- Defense Federal Acquisition Regulation Supplement (DFARS)
- The Cybersecurity Maturity Model Certification (CMMC)
Concealment of Data Breaches or Vulnerabilities
Contractors may attempt to hide the fact that their systems are outdated and vulnerable to avoid losing a contract. However, wrongfully concealing vulnerabilities or failing to report a data breach that involves sensitive or classified government data can be considered a violation of contractual or regulatory obligations.
Misrepresentation of Software and System Security
Contractors that knowingly supply the government with counterfeit or faulty tech can be reported for cyber fraud. Data technology must be secure, in compliance with federal standards, and have passed certain minimum performance screenings.
Misuse of Federal Funds for Cybersecurity
Misuse of funds meant for cybersecurity programs or infrastructure may be an act of fraud. This may look like a contractor that bills the government for cybersecurity services that were never implemented or for tools that were never provided.
Fraudulent Incident Reporting
Companies contracted by the government are required by many departments to have incident response plans in place. In some cases, they may falsify these reports in order to ensure that they receive a contract, pushing out a competitor who would have been a better fit for the job. Failing to report an incident or wrongfully reporting company protocols for data protection is now actionable under the False Claims Act.
How You Can Expose Fraud as a Cyber Whistleblower
The number one reason why whistleblowers worry about coming forward is fear of retaliation. Under the FCA, whistleblowers have every reason to report data breaches and false certifications, including the possibility of receiving a substantial financial reward for their honesty. Cyber whistleblowers can now also rest easy knowing they have the full might of the FCA by their side when it comes to defending against possible employer retaliation. To begin the process of blowing the whistle, first:
1. Consult a Whistleblower Lawyer
You can report on your own, but working with a reliable and well-respected qui tam lawyer is the best way to blow the whistle on fraud. DOJ investigation and communication will flow through the firm’s established infrastructure, which is dedicated to ensuring that you are in compliance with the law every step of the way.
Working with a whistleblower lawyer means that you do not miss any filing deadlines, that you report under the appropriate federal and state jurisdictions, and that you avoid dangerous pitfalls in evidence gathering and disclosures. A qui tam attorney is your guide throughout every stage of reporting your claim and can insulate you from harassment from your employers or respond to media attention. In short, working with a whistleblower law firm is the number one way to protect your interests when disclosing wrongdoing.
2. Build Your Case
Your claim can be supported by documentation that you may already have within your possession. You may be able to support your disclosure with emails, direct messages, screenshots, company manuals, even unexpected sources like your own hiring and compliance paperwork. In some cases, you may be asked by federal investigators to provide testimony under oath or other additions to your claim. Make a copy of your proof and keep it in a secure location. Then bring your initial information to the law firm and only act in consultation with a qui tam attorney about what you should do next to file.
3. File Your Complaint
Your disclosure is only protected once it has been made officially, which means following the appropriate procedures to qualify under the FCA. Simply speaking your concerns to a coworker or even, in some circumstances, a superior does not automatically qualify you for FCA protections. You can be fired, demoted, or retaliated against legally as a whistleblower if you do not make an official disclosure through protected channels. The FCA only applies to whistleblowers who speak up through a federal investigator, tip line, or a qui tam law firm and formally file a complaint.
Because of this, working with a law firm is paramount to confirm your claim is filed appropriately and you qualify for all protections under state and federal law. Speaking to a qui tam attorney creates a paper trail about when you first came forward about your concerns, thereby also protecting your award potential under the “first to file” rule. Your attorney will submit your information as well as any additional legal evidence that supports your claim to federal investigators, where the claim will remain under seal for 60 days. This period can be extended for good cause, such as if investigators need more time to follow through on a credible tip. The lawsuit will not be served to the defendant (usually the government contractor’s offices or grant award sponsor) until the court orders its release.
You may be able to file under not only the FCA, but also your own state’s whistleblower statutes and company’s internal protocols for additional protections. Consulting with a law firm reduces the risk of missing any of these channels that can also benefit you.
4. Be Prepared to Cooperate With the Government
You must cooperate with federal investigators in order to qualify for any possible reward under the FCA. This may include sharing information from your claim, responding to requests for additional details, or being interviewed under oath. Cases that receive government information tend to result in some of the highest dollar amounts for whistleblower rewards.
Not every disclosure of fraud, however, will be pursued by the federal government. Due to a lack of resources and other concerns, some DOJ investigations are dropped before they ever reach the prosecution phase. In these cases, you may be able to continue with your own lawsuit with representation from your qui tam firm. When these claims are successful, whistleblowers are automatically awarded the highest reward percentage possible from the settlement.
The Effects of Cyber Fraud: Why You Should Act Now
One of the first claims ever reported under the Civil Cyber-Fraud Initiative, against Comprehensive Health Services LLC, was made in order to protect sensitive health information as well as the location of American service members in Iraq and Afghanistan. Other recent cyber fraud cases under the FCA have recovered millions from:
- Defense contractors who have misrepresented system security,
- Medicaid service providers who leaked patient data for Florida children, and
- Communications systems providers that failed to provide minimum secure standards for public internet access.
The government contracts for vital services, many of which now involve secure internet infrastructure and data privacy. The Civil Cyber-Fraud Initiative helps hold government contractors accountable to certain minimum security standards while ensuring honest reporting by the companies that receive taxpayer funds. Speaking up ensures that the system works as it should, and that taxpayers get what they are paying for. Under the FCA, digital service providers are now held to just as high a standard as construction contractors, hospitals, universities, and other companies that receive government funds and are already held to stringent protocols by the FCA.