The Justice Department recently refreshed policy for using a potent stick to prod federal contractors. Or maybe whack them upside the head. The Civil Cyber Fraud initiative’s club is the False Claims Act. The deputy attorney general promises very heft fines, her words, for companies that, for instance, fail to quickly report cyber incidents. For some advice on how to avoid these fines, hefty or heftier, Federal Drive with Tom Temin turned to Jenner and Block partner David Robbins.
Tom Temin: David, good to have you back.
Insight by Carahsoft: This exclusive e-book demonstrates just how far agencies have come and where they still need to go to take fully advantage of DevSecOps to drive modern capabilities to their customers.
David Robbins: Thank you very much, certainly appreciate the chance to be here.
Tom Temin: So this did take a lot of contractors, I think by surprise, the fact that they could be in a false claims violation. And those can add up quickly, $10,000 per violation or whatever it is. What’s your best advice for contractors to stay out of hot water here?
David Robbins: It really did take a lot of contractors by surprise, especially because the rule itself that contractors have to follow requires 72 hour notification of cyber incidents. That’s really hard. You don’t even know what happened in the first 72 hours. And it’s absolute chaos. So the way to handle this is be ready with policies and procedures for these worst case scenarios. Have a tear sheet you can follow in terms of what you need to do. And also keep up with employee turnover. I know we’re all experiencing it in key industries like IT and contracts, make sure they know what to do, and go a step farther than that. Actually game it out, run tabletop exercises, make sure these notification requirements imposed by government contracts, they’re front of mind. And this can be really hard Tom because legal, IT, information security, contracting, they all play a role and they all speak different languages. That’s why gaming it out helps you prevent from talking past each other.
Tom Temin: And if you have all those procedures in place, I guess in a legal sense, and you can tell me, is that it shows your intent was correct. It shows that you weren’t willful in disregarding something should something come up, it shows you are serious about it.
David Robbins: That’s exactly right. The False Claims Act punishes two things relevant here. One is knowing misconduct defined at a minimum as reckless disregard, more than mere negligence, you have to be reckless in your disregard. So having these policies, these practices, and using best efforts to comply goes a long way to defeating that. And the other part, which goes beyond your comment but still important, is you have to submit a claim an invoice, a request for money. This is where your legal department can come in, or your contracts department can come in, and say wait until we notify anybody, let’s pause on submitting any invoices. Absent that that can be no false claims that liability.
Tom Temin: And there’s another fuzzy factor in here. And that is that it’s unlikely that say the contracting officer that you deal with as a contractor would be the one to call you out on false claims. These tends to originate with whistleblowers, either in the federal government or sometimes in your own company. And so you’ve got to do a sell job that is apparent to those that are not part of the direct contracting process, so that they understand and believe that you are trying to comply here.
David Robbins: Absolutely right. And internal communications are often really rushed in these scenarios, given all the chaos going on. But ceding those almost defenses, we’ve got our policies, we’re notifying customers, we’re protecting all of you employees who are rightfully concerned about your information. That’s all really important messaging from day one.
Tom Temin: Now you have written here in the Jenner and Block blog, that this interim rule introduced the CMMC, the cybersecurity maturity model certification requirements into contracts. Did that kind of sneak in, or were people expecting that?
David Robbins: I think the reference to that is that your cyber compliance writ large is going to be subject to potential False Claims Act scrutiny. And among the many recent changes is the CMMC implementation. I know that’s on hold. They’re rethinking it in the government and what that actually looks like when it comes out again, we don’t know. But that will be one element of compliance, you have to have squared away if you’re going to be scrubbed for False Claims Act violations by the Department of Justice.
Tom Temin: We’re speaking with David Robbins, he’s a partner at the law firm Jenner and Block. And most False Claims Act violations findings traditionally have been about pricing. And even those can be inadvertent errors by the contractor. But nevertheless, if you didn’t give the government the right price, or there was some calculation wrong, you’re stuck. Therefore the monetary damages relate to the degree to which you were erroneous in your pricing. How are they, so called to say, pricing the violations of cybersecurity under this initiative?
David Robbins: That’s an excellent question. And I’m not sure anyone has a good answer for that, and that’s one of the area of risks that contractors face. The government can come forward with novel theories of the price, the cost, it’s different for goods or services and notifications. So you just got to be ready to roll with it. The best prevention, though, is not to come up on the False Claims Act radar in the first place. Anyone can suffer a cyber breach, as we know it’s how you react that makes all the difference in the world.
Tom Temin: And did they specify the mechanism by which you report, I mean, who do you report to and what is it you tell them?
David Robbins: Yeah, contracts will have different information for you to report depending on the sensitivity of the work. The sensitivity of the agency involved, but generally you’re raising your hand to the contracting officer in the first instance, or if there’s different contractual language, they may point you to other information security sites across the government.
Tom Temin: And deputy attorney general Lisa Monaco has been widely quoted here, and I quoted her at the top, is seeking to impose very hefty fines on contractors. That sounds kind of course, in relations between government and industry, putting it that way. What’s your take on why publicly she’s using that type of language? I mean, it’s not like they’re going around shooting people.
David Robbins: No, certainly not. It does reflect the Justice Department punitive mindset. When I worked with the Air Force at a very senior legal role. Our acquisition professionals and the senior most acquisition heads would go out of their way to say the vast majority of contractors are ethical, and honest and try very hard to do the right thing. I think you should read it. With that in mind, should you come up on the Justice Department’s radar with egregious misconduct? I think they’re right in saying you’ll be punished for it. But there’s a lot of room between an initial cyber breach and hefty fines.
Want to stay up to date with the latest federal news and information from all your devices? Download the revamped Federal News Network app
Tom Temin: And besides early reporting, what else is part of this rule that could invoke false claims,
David Robbins: you have to have proper policies, procedures in place certain internal controls in place, an awful lot like many hundreds of little checkboxes and requirements, you have to meet their self assessment requirements. It is, as you know, and you’ve covered so well, on your show, the hottest area in government contracting, it’s evolving by the quarter, if not the month, and this requires an all hands on deck effort to understand what the rules are, and to comply with them. And now we have some or else coming from the government’s mouth in the form of deputy attorney general Monica.
Tom Temin: Yes, and of course, the big companies that publicly traded companies, but even large private companies, you know, in the last 20 years, they have new positions called compliance officers, sometimes there’s a Chief Compliance Officer, sometimes they’re, you know, equal on par with a chief counsel at some of the companies, but small companies may not, you know, have that position. It’s expensive. And so is there a way that subcontractors can somehow glom on to the expertise of the primes?
David Robbins: Yes, there are a number of trade associations and industry associations out there that share best practices for compliance. There’s information security and cyber security focused events all the time. This is a great way to share knowledge and a great way to glom on to mentors for lack of a better phrase, and see what can be learned because we’re all in this together. A breach anywhere along the chain is a problem for all contractors receiving goods and services from any contractor in their supply chain.
Tom Temin: And prior to this latest initiative on cyber, what’s the trend you were seeing with respect to False Claims Act proceedings in the first place? Were they on the rise already?
David Robbins: Yes, they were on the rise. I think that’s a function of the pandemic receding a bit and people getting back to work. I think there are a lot of things that just did not happen over the last year to 18 months, and I’ve seen already a rather substantial increase in False Claims Act activity, civil investigative demands investigations. This will only add pressure over time as this policy takes root in the system and cause more risk for contractors.
Tom Temin: So while you’re at it, tighten up your cybersecurity procedures, but tighten up anything else that might result in false claims, including your pricing mechanisms and all of that, your cost accounting.
David Robbins: Absolutely.
Tom Temin: David Robbins is a partner at the law firm Jenner and Block. Thanks so much.
David Robbins: Thank you, Tom.