
LawAndTrends



Cybersecurity fraud covers a broad array of hacks, breaches and phishing attempts, and now also fraud within government contracting. Since 2021, the Civil Cyber-Fraud Initiative has given those who work in cybersecurity an incentive to come forward and report data breaches and non-compliance with federal standards in exchange for a possible reward.

If you have information about cyber fraud on a government contract, you might be eligible to receive 15% to 30% of the government's total recovery, including the penalties imposed per violation. Speaking up protects government data from contractors who fail to secure it against hackers and foreign actors, and it protects taxpayer funds from being spent on companies that do not meet minimum cybersecurity standards.

Common Examples of Fraud in Cyber Security

If you have information about cyber fraud, you can report it through a qui tam lawyer for a possible financial reward as well as protection against retaliation by your employer. Working through a qui tam law firm, you may also be able to report any of the following without your identity being made public. Common examples of fraud in cyber security include, but are not limited to:

  • Failing to report security breaches in a timely manner

  • Obscuring past threats and vulnerabilities when bidding on government contracts

  • Non-compliance with federal standards such as NIST SP 800-171 for the storage and safe handling of Controlled Unclassified Information (CUI)

  • Contracting with the Department of Defense and failing to comply with the cybersecurity clauses of the Defense Federal Acquisition Regulation Supplement (DFARS)

  • Failing to meet the storage, transfer and handling requirements of the Payment Card Industry Data Security Standard (PCI DSS) for federal financial and payment card information

  • Selling information technology products or services known to be vulnerable

  • Misuse of government funds, or misallocation of government contract spending

  • Lack of encryption on sensitive data, such as health information, location data or protected military data

  • Misrepresentation of cybersecurity protocols

  • Failure to maintain required controls such as multi-factor authentication (MFA), an endpoint detection and response (EDR) solution, and security information and event management (SIEM)

The Civil Cyber-Fraud Initiative and the False Claims Act

In October 2021, Deputy Attorney General Lisa Monaco announced the Civil Cyber-Fraud Initiative (CCFI). The initiative uses the powerful reach of the False Claims Act (FCA) to reward whistleblowers and to extend fraud recovery to the field of cybersecurity.

Government contractors have long been required to meet certain minimum cybersecurity standards in order to do business with federal entities. Under the CCFI, failing to comply with these standards, or falsely certifying compliance with them, can result in liability for up to treble damages plus a penalty for each false claim. The CCFI shows how seriously the federal government takes cybersecurity standards, because the False Claims Act is one of the most powerful tools available for anti-fraud enforcement and recovery.

  • It is important to note that, at this time, FCA cybersecurity enforcement reaches only companies that contract with or receive funds from federal sources. Examples include DoD contractors, healthcare companies, federal grant recipients, research facilities and more. Other kinds of data protection failures may also be reportable, and the person making the report may be protected, and potentially rewarded, under the whistleblower provisions that apply to publicly traded companies, such as Sarbanes-Oxley (Pub. L. 107-204).

Recent Whistleblower Cases Under the Civil Cyber-Fraud Initiative

The Civil Cyber-Fraud Initiative may be a relatively recent development in fraud reporting under the False Claims Act, but it has already produced substantial settlements and recovered misspent contract funds. Recent examples of whistleblower cases under the CCFI include:

  • Emergency Rental Assistance Program (ERAP) fraud: In June 2024, two major consulting firms, Guidehouse Inc. of McLean, Virginia, and Nan McKay and Associates (Nan McKay) of El Cajon, California, paid over $11,000,000 combined to settle allegations that they did not meet minimum data protection standards under their contract to provide a secure platform through which lower-income New Yorkers could apply for housing and emergency financial assistance during COVID-19. The platform ended up exposing many applicants' personally identifiable information online. Both Guidehouse and Nan McKay acknowledged that, had either of them performed the pre-launch cybersecurity testing the government had paid them to perform, the breach could have been prevented.

  • Penn State DoD and NASA settlement: In October 2024, Penn State paid $1,250,000 to resolve allegations that it did not use an external cloud service provider that met DoD's security requirements for covered defense information, and that it misrepresented the dates by which it would comply with the cybersecurity standards required under its contracts with DoD and NASA.

  • Virginia Medicare data protection settlement: In October 2024, the Virginia company ASRC Federal Data Solutions LLC (AFDS) paid $306,722 to settle allegations that it and a subcontractor stored screenshots containing sensitive health information of Medicare beneficiaries on the subcontractor's server without encryption. That server was breached by a third party in October 2022, and the unencrypted screenshots were allegedly compromised in the breach. AFDS allegedly continued to bill CMS during the period in which it was out of compliance with minimum data protection requirements.

  • Georgia Tech DoD whistleblower case: In August 2024, the Department of Justice intervened in a lawsuit against Georgia Tech and its research arm, Georgia Tech Research Corp. (GTRC). The complaint alleges that GTRC submitted a false cybersecurity assessment score to DoD for the Georgia Tech campus, and that one lab, at the request of a professor, failed to install or run anti-virus or anti-malware tools on its desktops, laptops, servers and networks. The original lawsuit was filed by two whistleblowers identified as senior members of Georgia Tech's cybersecurity compliance team.

How to File a Qui Tam Lawsuit If You Discover Cyber Security Fraud

Cybersecurity professionals are not the only ones who can report cyber fraud, although they are often among the best whistleblowers because of their insider knowledge, their understanding of data protection controls and their direct access to the facts. Anyone with information about a covered-up data breach, missing minimum data protection controls, or a false certification of compliance to a federal agency can speak up.

To report cyber security fraud, speak to a qui tam lawyer. You will need to follow certain steps to qualify for protection against retaliation and for a possible reward. Reporting internally or speaking to the media is not the same as filing a qui tam complaint in federal court through your lawyer, and neither grants you the same protections.

To file under the CCFI/FCA for a possible reward and protection against retaliation, you will need to:

  • Gather evidence. This can include records showing the contractor's knowledge of cybersecurity failures, unreported or unmitigated breaches, internal memos, reports, or any other documentation of the situation. When in doubt, do not take anything that would not already have come across your desk, and consult a qui tam attorney if you have questions. In military contracting and personal health data environments, some classified or otherwise protected information may be off-limits to share regardless of your clearance; taking that kind of information may jeopardize your claim.

  • File your claim within the applicable deadline, with supporting documents and details. Your complaint will remain under seal while the Department of Justice conducts its initial investigation. Your claim must be the first on file for the alleged fraud and must contain information not already publicly disclosed in order to qualify.

  • Communicate clearly with federal investigators. You must come forward voluntarily and cooperate with the investigation to receive a whistleblower reward under the FCA.

  • Wait for resolution. It may take months or, more often, years for your claim to be resolved and for a reward to be paid. Your firm can handle the details during this time so that your own career is not sidelined by the legal process, and it will advise you on how to respond to further requests for information.

  • Follow up on your claim if the government declines to intervene. You may still be able to pursue the case on your own through your qui tam firm, and if the case succeeds you qualify for the higher end of the award percentage range.

Good cybersecurity professionals know that taking data protection seriously is no longer optional in today's interconnected world. By reporting violations of these minimum standards under the CCFI, cybersecurity whistleblowers hold accountable the companies and contractors that do not share those values, and qualified whistleblowers are rewarded for doing so.
