In October 2021, the Department of Justice (“DOJ”) announced a new initiative under the False Claims Act: The Civil Cyber-Fraud Initiative (“CCFI”). (LINK to DOJ News Release on the CCFI). DOJ Deputy Attorney General Lisa Monaco announced that the CCFI “will hold accountable entities or individuals that put U.S. information or systems at risk by knowingly providing deficient cybersecurity products or services, knowingly misrepresenting their cybersecurity practices or protocols, or knowingly violating obligations to monitor and report cybersecurity incidents and breaches.” (LINK to National Law Review Article on CCFI). The DOJ will still rely on whistleblowers in this new Initiative, and a whistleblower stands to recover a significant percentage of the “very hefty fines” issued under the CCFI. (LINK to JD Supra Article on CCFI).
In March, we were able to see the DOJ successfully use the CCFI to combat cyber fraud perpetrated against the government. Jelly Bean Communications Design LLC and its CEO agreed to pay $293,771 to resolve False Claims Act allegations that they failed to secure personal information on a federally funded children’s health insurance website that Jelly Bean created, hosted, and maintained. (LINK to DataBreaches.Net Article on the Settlement). Attorney General Monaco stated, “For too long, companies have chosen silence under the mistaken belief that it’s less risky to hide a breach than to bring it forward and to report it.” It is apparent that the DOJ will continue to use the CCFI to pursue money judgments against entities that attempt to conceal from the government data breaches or compromised cybersecurity.