EP 96: Normalizing Greater Accountability For Cybersecurity Fraud


About this episode

January 4, 2022
What is the False Claims Act and how will the Department of Justice start using it to help keep the nation safe from cyber criminals and adversaries? Let’s find out with your hosts Kip Boyle, vCISO with Cyber Risk Opportunities, and Jake Bernstein, Partner with K&L Gates.

Episode Transcript

Announcer: Welcome to the Cyber Risk Management Podcast. Our mission is to help executives thrive as cyber risk managers. Your hosts are Kip Boyle, Virtual Chief Information Security Officer at Cyber Risk Opportunities, and Jake Bernstein, partner at the law firm of K&L Gates. Visit them at cr-map.com and klgates.com.

Kip: Jake, hi. What are we going to talk about today?

Jake: Hey, Kip. Today, we're going to again, look at a recent federal policy. This time it's the Department of Justice's announcement that it intends to pursue cybersecurity failures by leveraging the False Claims Act.

Kip: Okay. The False Claims Act, that doesn't sound new. Is it new? Could it be new?

Jake: It is the opposite of new actually. And if you'll indulge me for a moment, the False Claims Act can actually date back to some of the original qui tam laws in the year... Are you ready for this?

Kip: Yeah.

Jake: 1318. So that's 800 years ago, right?

Kip: I've never heard the year 1318 quoted as being significant for anything. So it now has something to claim.

Jake: Yes. And obviously that's like over 450 years before the US.

Kip: And it's not even a false claim. It's a real claim.

Jake: No, it's a real claim. So what does this mean? So the False Claims Act is the primary mechanism of fighting fraud that is perpetrated against the US government. And what qui tam means is that someone who's not affiliated with the government can file a lawsuit, and if the lawsuit is successful, they'll receive essentially a bounty of 15 to 30% of the damages. And these are also called whistleblower lawsuits, when the individual starting the lawsuit works for the company that is defrauding the government. And then just to bring it up to far more recent than 1318, the original False Claims Act in the US was passed in 1863 and is sometimes called The Lincoln Law because guess who signed it into law?

Kip: I love this. So we don't always get to unpack history here on the Cyber Risk Management Podcast, but today we're going to do it. And I love this idea that we're going to take this concept that goes back hundreds of years, that actually also involves Abraham Lincoln in the United States, and we're going to apply it to cybersecurity failures, which is one of the most recent problems our society is facing. I think this is pretty cool.

Jake: It is pretty cool. I actually, I totally agree. And I think some quick relevant statistics about the False Claims Act, and by the way, we're not actually going to go through the long and sordid history of the False Claims Act and its various incarnations and amendments. But consider this, between 1987 and 2019, the government recovered about $62.1 billion using the False Claims Act.

Kip: Wow.

Jake: And of that amount, just about 44.7 billion was from these qui tam actions. So this is a big deal.

Kip: Oh my God, that's a huge amount of money. I don't think I've ever read about this recovery, and the amounts. This is a big deal. This is a lot of money. Okay. So I can see why you want to talk about it. And I think as we go along, we're going to unpack this and I want our audience to follow along because if you think that this doesn't apply to you because you don't work in the government, you don't sell to the government, just hang on because I think as we unpack this, you're going to see there's a broad applicability here. So Jake, how does this thing actually work?

Jake: Okay. So we're going to set aside the procedural details of how one goes about filing a lawsuit.

Kip: I know that's tough for you because you enjoy that.

Jake: Yes. Well, sometimes, but I want to focus on what the act prohibits and then how the DOJ intends to use it to enforce compliance with cybersecurity standards. Because this really is quite interesting. And I think the simplest way of putting it is... And if you listen to the Cyber Risk Management Podcast you are well aware that I'm a former Assistant Attorney General in the Consumer Protection Division and I used to protect consumers. And the False Claims Act, and we may call it the FCA, is very much like a consumer protection act for the government. You might say it's a government protection act, but instead of unfair deceptive acts or practices, which is the typical consumer protection act language, the False Claims Act prohibits knowingly presenting or causing to be presented a false claim for payment or approval, knowingly making, using, or causing to be made or used a false record or statement material to a false or fraudulent claim. And of course, conspiring to commit any of these violations. And there are more details, but we don't need to get into them now.

Kip: I think this is pretty interesting. So consumers needed the government to provide protection when they bought something, like lemon laws. I often think of lemon laws, when you buy a shoddy car, but now we've got this where the government has passed laws to protect itself as it goes and makes purchases. That's fascinating.

Jake: Yes, but remember which one came first, right? These date back 800 years, they were literally because the king was tired of having people rip him off.

Kip: I know, I know. I know, but that's not the way I learned about this. Okay?

Jake: True. True.

Kip: I'm just like, as a consumer, as a person in the economy buying things, I of course heard of the lemon laws long before I heard of any of this.

Jake: That is true.

Kip: Okay. So far we've acknowledged there's a lot of legalese, which we're not going to unpack all that. And I think a great way to avoid unpacking the legal aspects of this is to just look at a press release, believe it or not, the Department of Justice has public relations. Maybe you know that, maybe you don't, but they had a press release on October 6th of this year, 2021. And so Deputy Attorney General Lisa Monaco announced this whole initiative of using the FCA to protect against cybersecurity failures. And this is what she said, "For too long companies have chosen silence under the mistaken belief that it is less risky to hide a breach than to bring it forward and to report it."

Okay. So the press release is much bigger than this, but I think we should just stop right here and kind of unpack this one here, because it wasn't what I was expecting. Right. She's talking about reporting a data breach. But to this point, I thought we were talking about the government buying things that were shoddy or didn't fulfill the promises made by the sellers. And now we're talking about data breaches. What's going on?

Jake: So I'm going to draw this back to all of our many FTC discussions. It's the same basic idea, right? It's an unfair practice to have shoddy cybersecurity. That's what the FTC has said, in the absence of any specific other laws about it. And I think this is very similar. You're taking a law that has its roots over 800 years ago. I still can't kind of get over that.

Kip: You're geeking out. This is not even the history podcast.

Jake: Yeah. I know. And then you're using it to basically prosecute cybersecurity failures. So let's talk a little bit about the scope of this, because I think as we get into it... I don't want to wait on this part of the discussion. So this is extremely far reaching. Anyone who takes federal dollars is going to be affected by this. And that'll become more clear as to why. But not just anyone who directly takes federal dollars, right. It'll also affect anyone who supplies companies who take federal dollars, [crosstalk] because there's going to be pass-through contracting requirements. You won't be able to do business with a company that is taking federal dollars, unless you can essentially meet these requirements that we'll be talking about.

Kip: Okay. Because I had said a few moments ago, I'm like, look, "This is a far reaching thing." And I think you've just put some clarity on just how far reaching it is. So let's say the federal government... And I like products, because it just helps me kind of make this a little bit more concrete. Uncle Sam buys a firewall from Cisco. Now that firewall that Cisco sells is actually an amalgamation of hardware and software. They don't make all their own hardware. They probably don't write all their own software. So that implies that Cisco has a supply chain that it relies on in order to assemble and deliver a firewall to the government. So if I'm contributing pieces and parts to Cisco into a product that it sells to Uncle Sam, then as a supplier to Cisco, the scope of this is on me too. Right?

Jake: Yeah. Even if it's not directly on you, it'll be indirectly on you because Cisco is not going to buy from you, unless you can prove that you're essentially doing the same thing Cisco has to do because of course it flows through, right? If Cisco buys something from you and it's garbage and then they turn around and sell it to the federal government, the federal government's going to go after Cisco, Cisco can come after you. Right.

Kip: Right. So you're in the shadow of this in any event?

Jake: Yes. And just to be clear... And we're not going to get into any politics here on the Cyber Risk Management Podcast, but this is very similar to how the breadth of the vaccine mandate works. Right? It was federal contracting, federal grants, anyone taking federal money was subject to that, which really covered just almost everybody. And there are also OSHA laws. We're not going to discuss that, but it's the same basic principle.

Kip: Okay. And I think that's really part of what we're trying to say here, is that the federal government in the United States is a massive purchaser of goods and services in the economy.

Jake: Huge.

Kip: And so what they do with that power inevitably either directly or indirectly affects all commerce in the US, is that right?

Jake: It really does. Again, not getting into politics, but it's about to get even more involved. We've just passed an infrastructure bill worth almost a trillion dollars or somewhere about $1.2 trillion. There's a possibility that we'll add another 1.7 trillion onto that. That's a lot of money that's going to be injected into the economy and look, a lot of that's going to go toward buying stuff and software and supplies that implicates cybersecurity, so.

Kip: And this isn't the first time somebody has suggested that the federal government should use its buying power in order to normalize better cybersecurity.

Jake: Oh no, it is not. And the federal government using its buying power happens all the time, right, to effect change. So let me kind of follow up here with Deputy Attorney General Monaco's additional explanation of the initiative. So what she says is, "We are announcing today..." This was back in October. "That we will use our civil enforcement tools to pursue companies, those who are government contractors who receive federal funds, when they fail to follow required cybersecurity standards. Because we know that puts all of us at risk. This is a tool we have to ensure that taxpayer dollars are used appropriately and guard the public fisc and public trust." Well, so let me say, I admit I'm not too familiar with the public fisc, but the gist of that is that the DOJ wants to prevent wasting taxpayer dollars. And I am definitely all for that.

Kip: Okay. I looked up fisc, I couldn't help it. And fisc, actually you think the law goes back a ways to, what, 1318, right? Is that what you said?

Jake: Yep.

Kip: Okay. The word fisc is actually an archaic term that refers to the Roman emperor's privy purse.

Jake: Ladies and gentlemen, welcome to the Cyber Risk Management Podcast, where we discuss the Roman empire and the middle ages in addition to cyber risk and the management thereof.

Kip: This is fascinating. Sorry, I couldn't help myself. I just I was already geeking out on the 1318, and I was like, "Okay, this probably has something here that I'm going to dig in." But anyway, so the public purse, right? Hey, I contribute to the public purse. Right?

Jake: We all do.

Kip: Yeah. Anybody who pays any kind of tax, whether it's a sales tax or an income tax or cap gains tax, whatever, that's our money. And I absolutely want to make sure that Uncle Sam is getting the most for the money that I'm contributing for the greater good. Okay. Now there's still a little bit of ambiguity here, so I want to talk to you a little bit more about this. We need to unpack some more.

Okay. So let me just recap. So there's this law it's called the False Claims Act, the Department of Justice is realizing that it's another tool that they have and they're going to use it to make it illegal to defraud the government. And we've talked a little bit about how this is being used to pursue cybersecurity problems, but is there any more detail about how this is actually going to work?

Jake: There is, it's a good question, almost as if it was scripted. So the DOJ's press release states that the... And this is the name, the official name. "Civil Cyber-Fraud Initiative" will utilize the False Claims Act to pursue cybersecurity-related fraud by government contractors and grant recipients. And again, just to really hammer it home, those who take federal money is a really big tent. And we just want to make that super clear. So Kip, why don't you explain why this is called the False Claims Act? Because we just kind of said it, but I want to make it extra clear.

Kip: Right. Okay. So the way that I understood this is that the FCA is the government's primary civil tool, civil as opposed to criminal, to "redress" false claims for federal funds and property involving government programs and operations. I think I said all that correctly. And so when you start to process that, okay, now it's starting to make more sense. A false claim is a claim for a payment of federal funds, right? So I sell Uncle Sam a security widget, and I sell it to Uncle Sam saying it'll do all these things, but I'm lying or misrepresenting or whatever, there's something untrue and fraudulent about that transaction. I've made a false claim and that's what this thing's designed to deal with. Did I get that?

Jake: Yes. That is the idea. And we already know about the qui tam provision that has been around for 800 years and Kip, do you want to know the full Latin phrase?

Kip: I think we're going to overwhelm both me and the audience with antiquity if we do that.

Jake: Fine. Fine. Fine. So the bottom line here though, is that in addition to the false claim, this idea, the private parties who assist the government in identifying and pursuing fraudulent conduct can share in recovery and receive protections against retaliation. And I think that's an important point, because again, a lot of the times the way that these suits happen is that someone on the inside says, "This isn't right." This is a true whistleblower. It's just that I think a lot of people aren't aware that whistleblowers can make money whistleblowing. And I don't want to make it seem like this is, it's not a way to make money. It is a way to be rewarded for assisting [crosstalk].

Kip: It's not a bug bounty program.

Jake: Well actually it kind of is in its own way, a bug bounty program. But it's a different style of it. Right? It is definitely a bounty in a sense, because the government wants to encourage people who are in the best position to sniff out fraud to do so. Right? And why would you do so if you weren't going to get anything out of it and you were going to get fired. There's really no reason to do so.

Kip: Yeah. Because you're really staking your career.

Jake: You are.

Kip: Not just with the firm that you work for, but who's going to hire you after that?

Jake: Precisely.

Kip: Your trustworthiness goes into the toilet.

Jake: Yeah. Which is interesting. Because really, I would say that, and I think this is the difficulty of this type of situation is that who's more trustworthy, the one who's trying to report the fraud or the one who is walking the, being a good soldier and not reporting the fraud. [crosstalk] It's actually a really difficult position to be in, I'm thankful that I'm not in that position.

Kip: Yeah. There's this old term, right? No good deed goes unpunished.

Jake: Yeah.

Kip: You point out fraud, but then your employer is mad at you because you've pointed out fraud and they could retaliate against you. And future employers might think that, "Well, gosh, if this person is telling our secrets about the risks that we're taking in our business, why would I knowingly put that person on my payroll? They might get addicted to this idea that they can earn money by telling my deep dark secrets to the federal government." It scares people.

Jake: It is, it's tough.

Kip: Yeah. It is. It's really tough. And it's not unique to what we're talking about, the Whistleblower Protection Act, right? Those folks need protection. And the idea that they're going to earn a bounty, I think is really a part of that, is to let people know that if they become unemployable because they blow this whistle, that's not going to make them destitute.

Jake: Right. So, okay. All of this being said, it's still not quite clear how this applies to cybersecurity yet. Is it?

Kip: Well, there's still a little gap here. Right? Okay. But let's continue unpacking the press release because there's more. So it says, "The initiative will hold accountable entities or individuals that put US information or systems at risk by knowingly providing deficient cybersecurity products or services." I think that's pretty straightforward. "Second, is knowingly misrepresenting their cybersecurity practices or protocols." And this is Kip making an editorial comment. That's like lying on your 300-question questionnaire about how you really do things just so you can land that sweet contract.

Jake: And let me editorialize. It's not necessarily that you're lying. Right? I think a lot of people will say, "Well, I don't lie on those things. I don't lie." But think about it this way, you might think of it as taking a calculated risk, when you represent that you have this full-fledged cybersecurity program in place when really it's more accurate to say that you want to have a full-fledged cyber risk management program in place, but you're just not quite there, but you really need the business. So you're going to say yes anyway. I think a lot of people, they're going to convince themselves they're not "lying," but it is a misrepresentation. So that is unfortunately probably very common, and it's a very, very... We advise clients all the time on this issue and what the federal government is doing is really upping the ante and the risk of doing that.

Kip: Right. Okay. So that's the second of three bullets that I wanted to cover. So one's about products and services. One's about practices and protocols. And the third one is knowingly violating obligations to monitor and report cybersecurity incidents and breaches. And this is all fascinating because guess what? These three things are legion. We see them all the time.

Jake: And now we're dead on point, right? Now there's really no question as to how this is going to affect the cybersecurity marketplace and just companies in general that have their own cybersecurity problems, which is all of them.

Kip: Mm-hmm (affirmative). Yeah. Okay. But have we covered it all?

Jake: We've covered most of it. I do want to kind of talk a little about what the DOJ is saying are the benefits of this initiative. And there's a number of bullet points here. I'm going to go a little quicker. They say this is going to build broad resiliency against cybersecurity intrusions across the government, the public sector and key industry partners. So look, they're really looking at this as a key component of building national cybersecurity resilience. That's important. They're going to hold grantees and contractors to their commitments to protect government information and infrastructure. They're going to support government experts' efforts to timely identify, create, and publicize patches for vulnerabilities in commonly used information technology products and services. This is kind of that herd issue, right. And it just kind of goes to the complexity of the supply chain that we've talked about before.

The initiative will ensure that companies that do follow the rules and invest in meeting these requirements are not at a competitive disadvantage.

Kip: Yeah, that's important.

Jake: I actually want to pause on this one, because I think this is a really big deal. What this is saying is that, look, the government is kind of recognizing that doing this right can be expensive and difficult as we well know. And what they're saying is this initiative is going to make it... Not only is that not a competitive disadvantage, it probably will become a competitive advantage. And that's something that you and I have been trying to really play that drum for a long time. [crosstalk]

Kip: I really support this idea. Mm-hmm (affirmative). Yeah.

Jake: Exactly. It will reimburse the government and the taxpayers for the losses incurred when companies fail to satisfy their cybersecurity obligations and it will overall improve the cybersecurity practices that benefit everybody, government, private users, and the American public.

Kip: I'm glad we went over this list of benefits. The thing that really stands out to me is that organizations that meet these cybersecurity requirements are not at a competitive disadvantage. And that really reminds me of the Environmental Protection Agency. And this is a perception that I've had for a long time, which is, if you're going to tell automakers, "Hey, your automobiles are polluting too much. You need to cut the emissions." But you leave it up to the automobile manufacturers to figure out how to do that. You just completely leave it up to them. Well, they're going to be frozen because it costs money to reduce emissions. And if one company is trying to reduce emissions, that's going to make the cost of their cars go up, or it's going to decimate their profit margin. And so they're not going to want to do it.

But if the government says, okay, everybody has to do this, then it creates an equal footing for them all to be on. And so I think this really harkens back to a lot of the things that the government has done to regulate the market so that we can have these kinds of benefits without having the invisible hand cause companies to not move forward. So that's pretty cool.

Jake: It is cool. Speaking of hearkening back, if you'll recall a few episodes ago, we talked about the executive orders and the ransomware memo. So I just want to make it clear that this initiative arose directly from President Biden's cybersecurity-related executive order back in May. This came out of that review process.

Kip: Okay. I'm glad you mentioned that.

Jake: Yeah. It's not disconnected from that, it does show how we can take effective leadership when the appropriate-

Kip: Yeah, that's good

Jake: ... when attention is paid.

Kip: So the executive branch creates an executive order, the DOJ responds to that. They take an existing-

Jake: Well, the DOJ is part of the executive branch. So they have to.

Kip: Well, yes, of course, but I'm just making sure that it's clear sort of the chain of events, right? The DOJ says "Yeah, we're on board with that executive order. So we're going to go and find existing tools and use them in new ways." And I think this is powerful because now we don't have to go to Congress and say, "Can we have a new law, which is going to take forever." So I just want to point out that this is something where we're taking existing laws and we're applying them to conceptually similar problems. And a lot of people talk about that. They're like, "Hey, we don't want new laws. We just want better enforcement of existing laws." I hear that. Right? And so I think this is a good example of that. Okay. So let's see, what else do we need to talk about on this effort here? What else should we unpack on this?

Jake: So there's a couple other things, one example is that there has been other commentary on this since the DOJ's announcement. One blog that I found suggests, and I tend to agree, that the DOJ is going to use the FCA in conjunction with other sources of liability. So for example, as part of enforcement actions by the SEC for violations of the Safeguards Rule, which that is definitely a future episode right there, by the Federal Trade Commission for violations of Section 5, we've talked about that before, or for HHS actions for violations of HIPAA. So that's basically anytime there's a data breach involving medical information, it's actually the Office of Civil Rights in the... What does HHS stand for? Health and Human Services?

Kip: Yeah. Health and Housing [crosstalk].

Jake: Yeah. Health and Human Services. They're the ones that enforce that. The DOJ can even attach FCA claims onto class actions brought by individuals. And then of course, enforcement actions brought by state attorneys general. So there's a lot of options here. And one thing that we haven't mentioned yet, and I want to make this point really clear, because it's actually incredibly important for business to understand, is that the FCA allows the government to recover treble damages and per-claim monetary penalties. And before you ask, I don't know why the law insists on using the phrase treble instead of triple. It just means triple, times three.

And let's unpack that for a second because many consumer protection Acts have the same provision and think about what this does. Let's say that you are a less than savory business and you're thinking to yourself, "Okay, I can build the cost of getting caught a few times into my overall business plan." So in other words, "I'm going to treat some of these lawsuits as just a cost of doing business." Right? You hear that? Well, that becomes much more difficult, almost impossible to do when the law triples the damages, the actual damages that are suffered and then imposes straight up monetary penalties. These are fines, right? These are civil penalties that have nothing to do with the damage it's just a per claim penalty. And that's huge. Right? Because if you think about it now, you really can't make that determination. Right? It's designed to really dissuade that kind of conduct.

Kip: Geez. Yeah, that sounds really strict. Triple damages, per-claim monetary penalties. It kind of reminds me of some of the conversations you and I have had about the CCPA and plaintiffs' actions and so forth and just the... What was it like? I think you said $750 per violated record in terms of the privacy or something like that.

Jake: Yep. That's the statutory damages and these are all different tools that lawmakers have to basically affect behavior. And determine how things work.

Kip: Right. And we did a little simple math. And the reason why I'm bringing up CCPA is because if you have... And this is not uncommon, right? ...several million records involved in a data breach, and then you multiply each one of those records by a $750 essentially fine, you get this astronomical amount of money. And as I remember us talking about, it's not so much the idea that a company's going to end up paying so much money in fines that it's going to absolutely break its back and cause it to go bankrupt. But it's just really about giving the government this amazing hammer where they can say, "Well, we have the right to levy this fine, let's talk. Because what we really want is better behavior out of you."

Jake: Yep. And if you think about it too, whether it's a jury trial or a bench trial, there are not a whole lot of people who are sympathetic to someone who's alleged to have defrauded either consumers or the government. This is not generally a popular thing to do. So your risk of getting hit with those triple damages and maximum penalties is pretty high.

Kip: Yeah. Yeah. Okay. But there's still something here that needs to be proven. Right. There's a knowing standard here. Right? Isn't that difficult to prove? It seems like it could be awful if it was proven, but that still seems a little murky, isn't it?

Jake: It is and it isn't. It's a very, very common legal standard, particularly in some of these types of statutes. It's essentially a type of intent, mens rea if you will, from the criminal standard, it's just not quite the same level though. Right? Knowing is not the same as malicious intent. Right? This is a lower standard than that. What it really means is that you're not going to be liable under the False Claims Act if you didn't know at all that you were making a false claim. So for example, let's just say this, let's say that I'm a car reseller, right. Let's just say I buy used cars and I want to resell them to the government at a price that, it's a government price.

Kip: Sure.

Jake: And let's say that I buy a bunch of cars and I simply don't know that somebody has rewound the odometer on a bunch of cars. And I sell these cars to the government and pretend that there's no way I could have known et cetera, et cetera, I'm not liable.

Kip: But then it gets determined- Okay. Right. Okay.

Jake: And if it is later determined, I didn't know, and therefore I'm not going to be liable. That's kind of a contrived example of course, but that's the basic idea there.

Kip: Okay. So the first refuge of any scoundrel is, "I didn't do it." Right?

Jake: Of course, of course. And that where-

Kip: So how do you prove it? How do you prove that they did know?

Jake: And this is a litigation mechanics question, but it really comes down to circumstantial evidence, right? You look for documentation, you look for emails, you look for what people did and didn't know, you talk about some of our core principles on this show and how we practice attorney-client privileged cyber risk assessments. That could become very relevant if this situation comes up. Right? And there are some other remarks that have been made. So Brian Boynton is an acting Assistant Attorney General who spoke at the fourth annual National Cybersecurity Summit in mid-October.

Kip: Oh, right after this press release.

Jake: Yep. After the press release. And he mentioned three specific usages of the False Claims Act in the cybersecurity context. And the first was knowing failures to comply with cybersecurity standards, explaining that the government agencies are usually requiring contractors and grantees to meet specific contract terms. And we've talked about this before, signing those contracts without being able to meet the requirements has always been a risk. Right? Now it's a real big, serious liability because if you do it and they can prove that you knew what you were doing, let's be honest, we all can kind of imagine how there might be evidence of that.

You're talking the triple damages and everything. Remember there's depositions, that's being questioned under oath, none of this stuff's going to rise to the level of a lie detector test. They don't need to, because the civil standard is more likely than not, this is not one of those things where the government has to prove that you knew beyond a reasonable doubt. No, no, no. The government just has to show that you knew. Yeah, that it was more likely than not that you knew.

Kip: That's okay.

Jake: Right? Kind of see what I'm talking about, how this is not that difficult?

Kip: Okay. Okay. Because I watch too much CSI and I think the bar's really high.

Jake: Yeah. The bar is not that high. So another one is False Claims Act liability can be based on the knowing misrepresentation of security controls and practices, but this happens all the time in seeking a government contract or performing under it. This is particularly hard for younger companies that like really need that revenue. They really need the customer. And so they fudge a little bit or they exaggerate a little bit or they don't parse it quite the way that it maybe should be parsed. And you know that is one of those things that can lead to a False Claims Act liability.

And then the last one there is the knowing failure to timely report suspected breaches. That one's almost even easier; the facts are almost always going to come out. So what do you think, do you think we have a better sense of how the government plans to use the False Claims Act going forward?

Kip: Yeah. Yeah. I think we do. I think we definitely do. And let's see. So this is really interesting. I kind of have a wait and see attitude though. I don't see any problems with the logic here or the idea or the intent, but I do kind of have a wait and see attitude on, "Okay, well, let's see the government go out there and do it. Right? Let's actually see what they can discover and what they can prove." Because in my experience, senior decision makers are going to want to see action in order to believe that it's credible. And I think that's what I want to see.

Jake: Yeah. And remember that of that 62-some odd billion dollars that has been recovered under the False Claims Act between '87 and 2019, 44 billion of that was begun by a qui tam whistleblower, which means that this does not require the government to go actively bring these cases. Right?

Kip: Also they can just wait for the cases to come to them.

Jake: They just wait. Right? And the reason they just wait is that, think about how much money... Remember what I said, there's a 10 to 30% bounty for the bringer of these lawsuits. So if $44.7 billion was paid out from qui tam lawsuits, then somewhere between what, four and 12 billion went to the private parties who brought those suits. Right?

Kip: Mm-hmm (affirmative). Yeah. Oh, that's a good point. Thank you. Thank you for putting that back into my field of vision. Right.

Jake: That's a big deal.

Kip: Yeah. This isn't just the government has to fan a bunch of agents out into the field.

Jake: Nope.

Kip: No, no, no, no. So that does add another wrinkle to it. It makes it even more serious. Okay. But I feel like I understand this pretty well. Any last words, Jake?

Jake: No, I think this one is wrapped up. I think that it will be really interesting to see if this does change the game. I suspect it will, but I think you're right. We have to wait and see.

Kip: Yeah. Okay. Well, okay. So then let's wrap it up. This episode of the Cyber Risk Management Podcast is hereby closed. But today we learned about the False Claims Act and how the Department of Justice is planning to use it to keep the nation safer from cyber criminals and cyber adversaries. And they're going to do that by holding government contractors liable for not making good on their cybersecurity related claims. And that's going to ultimately, we think, ripple throughout the entire economy. Thanks for being here. And we'll see you next time.

Jake: See you next time.

Announcer: Thanks for joining us today on the Cyber Risk Management Podcast. If you need to overcome a cyber security hurdle, that's keeping you from growing your business profitably, then please visit us at cr-map.com. Thanks for tuning in. See you next time.

YOUR HOST:

Kip Boyle
Cyber Risk Opportunities

Kip Boyle is a 20-year information security expert and is the founder and CEO of Cyber Risk Opportunities. He is a former Chief Information Security Officer for both technology and financial services companies and was a cyber-security consultant at Stanford Research Institute (SRI).

Jake Bernstein
K&L Gates LLC

Jake Bernstein is an attorney and Certified Information Systems Security Professional (CISSP) who practices extensively in cybersecurity and privacy as both a counselor and litigator.