Be prepared for this uptick in False Claims Act enforcement

A recent case highlights the importance of accurate self-attestations by organizations outside the government contractors and subcontractors that we typically think of as falling under the False Claims Act.

A government lawsuit against Penn State claims that at least 20 documents related to its NIST 800-171 self-assessment and other attestations were falsified. Despite claiming to be compliant since January 2018, the university had NEVER achieved compliance.

In this case, the whistleblower was an interim Chief Information Officer at Penn State's Applied Research Laboratory who was assigned as part of a team to review compliance in early 2022.

Discoveries that highlight the level of deception:

* Template documentation was uploaded when questions were raised about missing compliance documentation, simply to "check the box."

* The University migrated protected data off the FedRAMP-authorized platform.

* Conversations with university staff uncovered that a team was still working on a System Security Plan that should have already been in place for compliance, and team members were raising concerns about the school's actual state of compliance.

On September 5th, Verizon agreed to a $4M settlement to resolve False Claims Act allegations that it failed to completely satisfy specific cybersecurity controls in connection with an information technology service provided to federal agencies.

Verizon received significant credit for disclosing the issue, initiating an independent investigation and compliance review, and providing supplemental written disclosures. Verizon also cooperated with the government's investigation and took prompt and substantial remedial measures.

Key Takeaways

  1. Review and Confirm Understanding of Cybersecurity Obligations and Practices: Organizations should conduct a comprehensive review of their cybersecurity posture and ensure that they fully understand their obligations and practices.
  2. Build a Strong Compliance and Audit/Monitoring Function: Organizations must not only understand their cybersecurity obligations but also actively follow the required standards. Implement strong policies, procedures, and controls to ensure compliance with cybersecurity regulations. Regular and ongoing reviews and audits are crucial to identify and address potential gaps in compliance.
  3. Promptly Investigate Internal Complaints: Take all internal complaints seriously, as they may be legitimate concerns. Consider hiring legal counsel or independent consultants to conduct thorough investigations into internal concerns. Expect significant increases in enforcement actions, both initiated by government agencies and by whistleblowers. Organizations that still need to prioritize cybersecurity compliance should recognize the urgency of doing so now.
