The U.S. Justice Department’s new Civil-Cyber Fraud Initiative announced its first settlement last month in a novel action that brought false claims allegations over infosec failures against, notably, a sole proprietor. The case, which resulted in a nearly $300,000 penalty for the Florida-based web hosting company Jelly Bean Communications Design and its one full-time employee, suggests that the federal government’s clampdown on cybersecurity lapses and misdeeds will spare no offenders, irrespective of size.
The Jelly Bean settlement also underscores the wide array of mechanisms the government has to enforce against cybersecurity violations and misrepresentations. It resolves civil charges under the False Claims Act (FCA) for Jelly Bean’s failure to provide HIPAA-compliant website hosting for a federally funded program that offers health insurance to Florida children. Contracts the company had signed included a line item for those services, but it was ultimately found to have neglected to maintain the site – which in part resulted in a hack in December 2020 that exposed more than half a million insurance applications.
“We will use the False Claims Act to hold accountable companies and their management when they knowingly fail to comply with their cybersecurity obligations and put sensitive information at risk,” Brian Boynton, Principal Deputy Assistant Attorney General, said in a press release.
The $293,771 penalty accounts for $130,565 in restitution, plus civil penalties for each false claim and “treble” damages, by which the government and other civil plaintiffs can recoup up to three times the amount it would take to essentially make them “whole.” Though it was not relevant to this particular case, the FCA also contains a whistleblower provision, which incentivizes employees with knowledge of falsifications or wrongdoing to alert the government. Under the FCA, whistleblowers are entitled to anywhere between 15 and 30% of the amount recovered, depending on whether the government intervenes in (that is, decides to pursue) the case.
Whistleblowers have previously come forward in cybersecurity-related cases, most notably in United States ex rel. Markus v. Aerojet Rocketdyne Holdings, Inc., a first-of-its-kind case from last year in which the defendant agreed to pay more than $9 million for FCA violations related to allegations that it had lied about its ability to comply with network security obligations in order to secure contracts with the Department of Defense and NASA. The company’s former senior director of cybersecurity brought the suit, with backing from the government, seeking more than $19 billion in damages. Although the Cyber-Fraud Initiative was not directly involved, the Justice Department, which had declined to pursue the case in 2018, filed a statement of interest opposing Aerojet’s motion for summary judgment in October 2021 – just two weeks after the Cyber-Fraud Initiative was announced.
The Cyber-Fraud Initiative’s recent activity and assertiveness are also significant in that they indicate one way the government might police non-compliance with the forthcoming CMMC regulations. That proposed framework, which sets the cybersecurity standards that must be met in order to work with the Department of Defense, has been hung up in rule-making purgatory for years, but it is ultimately expected to begin appearing in federal contracts as early as next year.
For more on the CMMC and the steps that must be taken to comply with it, watch Apptega’s recent presentation with Valiant-X Enterprise, a CMMC 2.0 certified RPO.