What is the False Claims Act?
The False Claims Act is intended to reach all fraudulent attempts to cause the Government to pay out sums of money or to deliver property or services. The FCA imposes liability on any person (or entity) who knowingly presents, or causes to be presented, a false or fraudulent claim to the government.
Many of the Fraud Section’s cases are suits filed under the False Claims Act (FCA), 31 U.S.C. §§ 3729 – 3733, a federal statute originally enacted in 1863 in response to defense contractor fraud during the American Civil War. The FCA provided that any person who knowingly submitted false claims to the government was liable for double the government’s damages plus a penalty of $2,000 for each false claim. The FCA has been amended several times and now provides that violators are liable for treble damages plus a penalty that is linked to inflation. In addition to allowing the United States to pursue perpetrators of fraud on its own, the FCA allows private citizens to file suits on behalf of the government (called “qui tam” suits) against those who have defrauded the government. Private citizens who successfully bring qui tam actions may receive a portion of the government’s recovery. Many Fraud Section investigations and lawsuits arise from such qui tam actions.
The Department of Justice obtained more than $5.6 billion in settlements and judgments from civil cases involving fraud and false claims against the government in the fiscal year ending Sept. 30, 2021. More information about those recoveries can be found here and the 2021 FCA statistics can be found here.
Source: The False Claims Act (justice.gov)
How does the False Claims Act relate to Cybersecurity?
On October 6th, 2021, the U.S. Department of Justice (DOJ) announced the launch of its new Civil Cyber-Fraud Initiative — an effort designed to harness the department’s knowledge in civil fraud enforcement, government procurement and cybersecurity to combat emerging (and escalating) cyber threats. The initiative comes on the heels of the DOJ’s comprehensive, 120-day review into its cybersecurity strategy for defending and deterring cyber threats. According to the announcement, the initiative’s aim is to “hold accountable” those entities and individuals that put sensitive U.S. information at risk by failing to comply with federal cybersecurity requirements.
The DOJ’s tool of choice? The civil False Claims Act (FCA). The FCA imposes liability on any person (or entity) who knowingly presents, or causes to be presented, a false or fraudulent claim to the government. As applied to cybersecurity, the initiative will use the FCA to prosecute those who:
- knowingly provide deficient cybersecurity products or services
- knowingly misrepresent their cybersecurity practices or protocols, or
- knowingly violate obligations to monitor and report cybersecurity incidents and breaches
For purposes of the FCA, the “knowing” and “knowingly” standard means that a person 1) has actual knowledge of the information; 2) acts in deliberate ignorance of the truth or falsity of the information; or 3) acts in reckless disregard of the truth or falsity of the information. 31 U.S.C. § 3729(b). Importantly, no proof of specific intent to defraud is required.
The DOJ’s announcement is part of the federal government’s larger effort to improve the nation’s cybersecurity. Other efforts include President Joe Biden’s Executive Order on Improving the Nation’s Cybersecurity, issued in May 2021, in which President Biden declared “bold changes and significant investments” were needed in order to defend and protect information systems that process, store or transmit sensitive federal information – whether cloud-based, on-premises or hybrid. (See Holland & Knight’s previous blog post, “Cybersecurity for All: President Biden Issues Sweeping Cybersecurity Executive Order,” May 13, 2021). The president issued the Executive Order in response to a wave of recent cyberattacks, such as those against SolarWinds. The U.S. Department of Defense (DoD) is also in the process of reviewing its Cybersecurity Maturity Model Certification (CMMC) program that would require all DoD contractors and subcontractors not selling commercial off-the-shelf (COTS) products to obtain a third-party cybersecurity certification. As it is now, certain DoD contractors are required to comply with cybersecurity self-certification requirements.
However, FCA cybersecurity actions aren’t (that) new. There has been an uptick in cybersecurity-based FCA actions in recent years, predominantly qui tam actions filed by former employees that “blew the whistle” on their company’s deficient cybersecurity standards and practices.
Department of Justice – Office of Public Affairs – FOR IMMEDIATE RELEASE – Wednesday, October 6, 2021
Deputy Attorney General Lisa O. Monaco Announces New Civil Cyber-Fraud Initiative
Deputy Attorney General Lisa O. Monaco announced today the launch of the department’s Civil Cyber-Fraud Initiative, which will combine the department’s expertise in civil fraud enforcement, government procurement and cybersecurity to combat new and emerging cyber threats to the security of sensitive information and critical systems.
“For too long, companies have chosen silence under the mistaken belief that it is less risky to hide a breach than to bring it forward and to report it,” said Deputy Attorney General Monaco. “Well that changes today. We are announcing today that we will use our civil enforcement tools to pursue companies, those who are government contractors who receive federal funds, when they fail to follow required cybersecurity standards — because we know that puts all of us at risk. This is a tool that we have to ensure that taxpayer dollars are used appropriately and guard the public fisc and public trust.”
The creation of the Initiative, which will be led by the Civil Division’s Commercial Litigation Branch, Fraud Section, is a direct result of the department’s ongoing comprehensive cyber review, ordered by Deputy Attorney General Monaco this past May. The review is aimed at developing actionable recommendations to enhance and expand the Justice Department’s efforts against cyber threats.
Civil Cyber-Fraud Initiative Details
The Civil Cyber-Fraud Initiative will utilize the False Claims Act to pursue cybersecurity related fraud by government contractors and grant recipients. The False Claims Act is the government’s primary civil tool to redress false claims for federal funds and property involving government programs and operations. The act includes a unique whistleblower provision, which allows private parties to assist the government in identifying and pursuing fraudulent conduct and to share in any recovery and protects whistleblowers who bring these violations and failures from retaliation.
The initiative will hold accountable entities or individuals that put U.S. information or systems at risk by knowingly providing deficient cybersecurity products or services, knowingly misrepresenting their cybersecurity practices or protocols, or knowingly violating obligations to monitor and report cybersecurity incidents and breaches. The benefits of the initiative will include:
- Building broad resiliency against cybersecurity intrusions across the government, the public sector and key industry partners.
- Holding contractors and grantees to their commitments to protect government information and infrastructure.
- Supporting government experts’ efforts to timely identify, create and publicize patches for vulnerabilities in commonly-used information technology products and services.
- Ensuring that companies that follow the rules and invest in meeting cybersecurity requirements are not at a competitive disadvantage.
- Reimbursing the government and the taxpayers for the losses incurred when companies fail to satisfy their cybersecurity obligations.
- Improving overall cybersecurity practices that will benefit the government, private users and the American public.
The department will work closely on the Initiative with other federal agencies, subject matter experts and its law enforcement partners throughout the government.
Report Cyber-Fraud
Tips and complaints from all sources about potential cyber-related fraud, waste, abuse and mismanagement can be reported by accessing the webpage of the Civil Division’s Fraud Section, which can be found here.
DoD Uses False Claims Act to Stop 800-171 Contractor Fraud
As part of the CMMC roll-out, DoD subcontractors must now audit their cybersecurity and post scores and PoAM info to the Supplier Performance Risk System. Department of Defense (DoD) contractors have been required (by law) to be 100% compliant with the NIST SP 800-171 regulation since December 2017 and contractors have been “self-certifying” their compliance with that requirement. Thus, the DoD has been forced to implement the Cybersecurity Maturity Model Certification (CMMC) program which requires contractors to have their cybersecurity programs certified by a third party before they can be awarded any DoD contracts. But the sheer enormity of the U.S. Defense Industrial Base (DIB) and the complexity of cybersecurity means that it will take up to 5 years to fully implement the CMMC. All companies that do business with the DoD will have to fully certify their CMMC compliance by October 1, 2025, passing an audit performed by a DoD accredited auditor. Level 1 is where the DoD expects most firms to be currently, with select practices being documented where required. Therefore, over the last 18 months, the Defense Contract Management Agency (DCMA) has been auditing contractors for NIST SP 800-171 compliance.
But what is truly different (and most significant) about this particular audit process is that all contractors now must post their cybersecurity audit scores to the DoD Supplier Performance Risk System (SPRS) portal for all agencies to view. And not only do contractors have to post their cybersecurity audit scores, they must also post the date that they intend to be 100% NIST SP 800-171 compliant based on a written plan of action with milestones (PoAM).
And the Department of Justice is using the False Claims Act to crack down on contractors who are exposed as fraudulently claiming that their security practices meet 800-171 requirements. The Department of Justice recovered $5.6B in 2021 using the False Claims Act as its hammer.
Source: DoD Uses False Claims Act to Stop 800-171 Contractor Fraud – EIN Presswire (einnews.com)
Takeaways and Considerations
For contractors, now is a good time to review your organization’s cybersecurity practices and ensure they are in compliance with federal regulations. Take a close look at your federal prime and subcontracts — any of the following could potentially serve as a basis for an FCA enforcement action:
- FAR 52.204-21, Basic Safeguarding of Covered Contractor Information Systems: Requires contractors to employ certain “basic” security controls, such as limiting access, authenticating users and identifying system flaws in a “timely manner.”
- DFARS 252.204-7012, Safeguarding Covered Defense Information and Cyber Incident Reporting: Requires contractor information systems to comply with the cybersecurity requirements in National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171. The clause also requires reporting of “cyber incidents” within 72 hours and other mitigation measures.
- DFARS 252.204-7020, NIST SP 800-171 DoD Assessment Requirements: Applies to covered contractor information systems that are required to comply with NIST SP 800-171, in accordance with the -7012 clause. This clause requires contractors to provide access to their facilities, systems and personnel necessary for the government to conduct a NIST SP 800-171 DoD Assessment, as described in NIST SP 800-171 DoD Assessment Methodology (latest version, version 1.2.1 (June 24, 2020)).
- DFARS 252.204-7019, Notice of NIST SP 800-171 DoD Assessment Requirements: Requires offerors, as a prerequisite for award, to perform and hold a current (i.e., not more than three years old) NIST SP 800-171 DoD Assessment for each covered contractor information system that is relevant to the offer, contract, task or delivery order. This can initially be accomplished by entering NIST SP 800-171 compliance information within the DoD-operated Supplier Performance Risk System (SPRS) database.
- DFARS 252.204-7021, Contractor Compliance with the CMMC Level Requirement: Requires contractors to have a current CMMC certificate at the CMMC level required by the contract, and to maintain that certificate for the duration of the contract. CMMC only builds upon DFARS 252.204-7012 and having the security measures required by DFARS -7012 (i.e., NIST SP 800-171 requirements) in place is the first step toward CMMC certification.
These clauses are aimed at ensuring contractors implement robust cybersecurity measures to protect sensitive federal information residing in their information systems. Where these protections are a material requirement of payment under a government contract, the knowing failure to implement such protections or report vulnerabilities could give rise to liability under the FCA.
Although DOJ’s Civil Division is launching the initiative, it does not preclude parallel government enforcement actions, including criminal prosecutions, where potential criminal liability is found. It is not uncommon for the DOJ to initiate criminal proceedings based off the same factual allegations underlying qui tam complaints and DOJ civil fraud investigations, especially as the FCA shares elements in common with criminal statutes where there is criminal intent. For example, 18 U.S.C. § 287 criminalizes making false, fictitious or fraudulent claims upon the United States or conspiring to do so. As a result, this Civil Cyber-Fraud Initiative could lead to increased coordination between the criminal and civil divisions in the cyber arena.
Source: False Claims Act Meets Cybersecurity: DOJ’s New Civil Cyber-Fraud Unit | Insights | Holland & Knight (hklaw.com)
The Current Version of the False Claims Act Prohibits Seven Types of Action
The current version of the False Claims Act identifies seven types of conduct, any of which is a violation of the Act:
- False Claims – Presenting, or causing the presentment of, a false claim for payment or approval. 31 U.S.C. § 3729(a)(1)(A).
- False Records or Statements – Making, using, or causing others to make or use, a false record or statement that is material to a false or fraudulent claim. 31 U.S.C. § 3729(a)(1)(B).
- Conspiracy – Conspiring to violate the False Claims Act. 31 U.S.C. § 3729(a)(1)(C).
- Conversion – Failing to return government property. 31 U.S.C. § 3729(a)(1)(D).
- False Receipts – Making or delivering a receipt of government property without completely knowing that the information in it is true. 31 U.S.C. § 3729(a)(1)(E).
- Unlawful Purchase of Government Property – Buying public property from a government employee who may not lawfully sell it. 31 U.S.C. § 3729(a)(1)(F).
- Reverse False Claims – Making, using, or causing to be made or used, a false record or statement material to an obligation to pay money to the government; or concealing, avoiding, or decreasing an obligation to pay money to the government. 31 U.S.C. § 3729(a)(1)(G).
Congress Explained That Many Different Fraudulent Actions Violate the False Claims Act
In 1986, as part of major revisions of the False Claims Act, the Senate issued a report explaining how the law worked and how it was supposed to work. Congress explained that false claims under the statute take many forms, the most common being a claim for goods or services not provided, or provided in violation of contract terms, specification, statute, or regulation. S. Rep. No. 99-345, at 9-10, reprinted in 1986 U.S.C.C.A.N. at 5274.
The report also offers several examples of actions that Congress believed would violate the False Claims Act.
- In Health Care – A false claim for reimbursement under the Medicare, Medicaid or similar program.
- A false application for a loan from a Government agency.
- A false claim in connection with a sale financed by Government Agencies such as the Agency for International Development or Export-Import Bank.
- Any claims made by individuals ineligible to participate in a program.
- Cashing a Government check, which was wrongfully or mistakenly obtained.
- A fraudulent attempt to pay the Government less than is owed in connection with any goods, services, concession, or other benefits provided by the Government is also a false claim under the act.
S. Rep. No. 99-345, at 9-10, reprinted in 1986 U.S.C.C.A.N. at 5274. Further, these claims may be false even though the services are provided as claimed. This can happen when someone is ineligible to participate in the program, or obtains loans based on false statements.
Source: False Claims Act Violations & Prohibitions Explained – Whistleblower Law (whistleblowerllc.com)
Federal and State Law Protects Employee Whistleblowers Who Expose Fraud Against the Government.
Not only is your employer prohibited by law from firing you for reporting illegal activity – but you may also be entitled to a monetary reward from the government for exposing fraud.
Federal and state laws prohibit companies from defrauding the government, including healthcare fraud (e.g., Medicare, Medicaid, TRI-CARE, and more), defense contractor fraud, insurance fraud, securities regulation and financial fraud (e.g., fraud on shareholders), tax fraud, fraud on farm and education programs, and more.
Because nobody wants companies to be able to steal from taxpayer coffers, individuals who report fraud on the government are protected as whistleblowers under state and federal laws, such as the False Claims Act, Dodd-Frank Wall Street Reform and Consumer Protection Act, Sarbanes-Oxley, and more. These whistleblowers (sometimes called “relators”) are entitled to monetary rewards for exposing the fraud.
Violations of these laws and their state equivalents can result in serious monetary penalties. For example, in the case of the False Claims Act, judgments can be up to three times the amount of losses sustained by the government, plus civil fines. Additionally, people and companies can be subject to criminal prosecution for their perpetration of the fraud.
Who can be a Whistleblower?
The False Claims Act allows any individual to act as a whistleblower and sue, on behalf of the federal and/or state governments, a company or other person who is defrauding the government. In such cases, the whistleblower is referred to as a “relator,” and these cases are known as qui tam lawsuits. Qui tam is Latin for, roughly, “in the shoes of the king.”
Any person who has evidence of a fraud occurring against state or federal government may act as a protected whistleblower pursuant to the False Claims Act. Very often, individuals with the most knowledge are current employees of companies that are systematically committing the fraud.
For example, a billing or accounting specialist might be aware that a company is billing a government program or entity for services or products not actually provided. Another example might be where an employee is instructed by company management to routinely “up-charge” the government by billing for more than the service or product purchased.
Dodd-Frank, Sarbanes-Oxley, and other laws allow individuals who have information about violations of federal securities laws to be protected as whistleblowers. Such individuals may also be entitled to monetary rewards for exposing securities violations.
For example, a salesperson at a publicly-traded company might discover that company management is lying to investors in an effort to drive up the company’s stock value. If this salesperson follows the proper steps to gain whistleblower status, they may receive a significant monetary reward for doing so.
How does a whistleblower report fraud against the government?
The False Claims Act requires individuals who wish to file a qui tam lawsuit to hire an attorney. The attorney will then work with the whistleblower to prepare the lawsuit and the information to be disclosed to the government. Qui tam lawsuits are initially filed “under seal,” meaning that nobody but the federal court, the U.S. government, and the whistleblower and their attorney know of the lawsuit.
During the “seal period,” the government investigates the allegations made in the lawsuit and works with the whistleblower and their attorney to gather more information. At some point, the government makes a decision as to whether or not to “intervene” in the lawsuit and prosecute the wrongdoers itself. If the government does not choose to do so, the seal is lifted and the whistleblower and their attorney may decide whether or not to prosecute the action alone.
For other types of fraud against the government actions, including for violations of federal securities laws, there are various different ways to gain whistleblower status (e.g., a tip to the SEC’s Office of the Whistleblower).
Individuals who are concerned that their employer or some other organization is committing fraud against the government should consider contacting an attorney who specializes in whistleblower law, so as to ensure that they are acting in accordance with all applicable state and federal laws and to ensure that their whistleblower status is protected.
What are the monetary rewards for reporting fraud on the government?
A successful whistleblower who exposes fraud on the government may be entitled to a monetary reward in the form of a percentage (ranging from 15 to 30 percent) of the total amount the government recovers as a result of the tip.
Representative Case
Madia Law represented Danielle Ailts Campeau in United States of America, et al., ex rel. Danielle Ailts Campeau v. NeuroScience, Inc., et al., 13-811 (W.D. Wis.).
In October 2013, Madia Law contacted the FBI and the Department of Health and Human Services regarding Osceola, WI-based defendants Pharmasan Labs, Inc., NeuroScience, Inc., and Gottfried Kellermann (the founder and owner of the companies). Ms. Campeau alleged that the defendants were committing fraud on the United States and on the States of Wisconsin, Minnesota, and New York by selling illegitimate laboratory testing services, reporting illegitimate test results, and then using those baseless tests and test results to sell nutritional supplements under a different business name.
Madia Law subsequently filed, under seal, a lawsuit that led to a settlement and criminal plea deal. After three years of working with various federal agencies to investigate and prosecute the case, NeuroScience and owner Gottfried Kellermann pled guilty to felonies.
As part of the settlement agreement, the defendants paid a total of $6,188,769 to the United States government, of which Ms. Campeau and her attorneys collected a combined total of over $1.3 million. Additionally, NeuroScience and Kellermann were required to pay criminal fines, and Kellermann was ordered incarcerated via electronic home monitoring.
Healthcare fraud is a serious problem threatening public health and the integrity of taxpayer funds across the country. Employees of companies engaging in illegal activity in order to pad their coffers are in a unique position. Not only are these employees legally protected if they blow the whistle on their employer, but the government will reward them for doing so—in the form of sometimes-significant monetary compensation. Madia Law remains committed to assisting whistleblower employees like Ms. Campeau, who are critical in alerting the government to unsafe and fraudulent activity by healthcare providers and related services.
31 U.S. Code § 3729 – False claims Specifics
(a) Liability for Certain Acts.—
(1) In general.—Subject to paragraph (2), any person who—
(A) knowingly presents, or causes to be presented, a false or fraudulent claim for payment or approval;
(B) knowingly makes, uses, or causes to be made or used, a false record or statement material to a false or fraudulent claim;
(C) conspires to commit a violation of subparagraph (A), (B), (D), (E), (F), or (G);
(D) has possession, custody, or control of property or money used, or to be used, by the Government and knowingly delivers, or causes to be delivered, less than all of that money or property;
(E) is authorized to make or deliver a document certifying receipt of property used, or to be used, by the Government and, intending to defraud the Government, makes or delivers the receipt without completely knowing that the information on the receipt is true;
(F) knowingly buys, or receives as a pledge of an obligation or debt, public property from an officer or employee of the Government, or a member of the Armed Forces, who lawfully may not sell or pledge property; or
(G) knowingly makes, uses, or causes to be made or used, a false record or statement material to an obligation to pay or transmit money or property to the Government, or knowingly conceals or knowingly and improperly avoids or decreases an obligation to pay or transmit money or property to the Government,
is liable to the United States Government for a civil penalty of not less than $5,000 and not more than $10,000, as adjusted by the Federal Civil Penalties Inflation Adjustment Act of 1990 (28 U.S.C. 2461 note; Public Law 104–410), plus 3 times the amount of damages which the Government sustains because of the act of that person.
(2) Reduced damages.—If the court finds that—
(3) Costs of civil actions.—
(b) Definitions.—For purposes of this section—
(1) the terms “knowing” and “knowingly”—
(A) mean that a person, with respect to information—
(2) the term “claim”—
(A) means any request or demand, whether under a contract or otherwise, for money or property and whether or not the United States has title to the money or property, that—
(ii) is made to a contractor, grantee, or other recipient, if the money or property is to be spent or used on the Government’s behalf or to advance a Government program or interest, and if the United States Government—
(I)
(II)
(c) Exemption From Disclosure.—
(d) Exclusion.—