United States: It's Not Just About Personal Health Information: DOJ Reaches Third Civil Cyber-Fraud Settlement With Cooperating DOD Contractor

Verizon Business Network Services LLC is the first DOD contractor (to our knowledge) to resolve FCA allegations that it failed to follow cybersecurity standards that were unrelated to personal health records. Qui Notes readers will recall that since DOJ announced its Civil Cyber-Fraud Initiative in October 2021, two cases have been resolved—both of which involved allegations of inadequate controls over personal health information. We know that DOJ has been actively investigating cyber FCA matters more broadly and expect to continue to see a greater variety of these types of cases in the future.

Here, Verizon had contracted with the General Services Administration from 2017 to 2021 to provide an information technology service (Managed Trusted Internet Protocol Service, or MTIPS) to provide federal agencies with secure connections to the public internet and other external networks. MTIPS was required to comply with the Office of Management and Budget's Trusted Internet Connections, or TIC, initiative intended to enhance network and data security across the federal government. DOJ alleges that Verizon's MTIPS solution did not completely satisfy three required TIC cybersecurity controls for domain name security extensions, real-time header and content capture of all inbound and outbound traffic, and certain encryption requirements.

While the matter was resolved prior to any litigation so publicly available information is limited, DOJ's press release notes that Verizon "took a number of significant steps entitling it to credit for cooperating with the government." After learning of the issues, Verizon submitted a written self-disclosure, initiated an internal investigation and compliance review of the issues, and provided the government with multiple detailed supplemental written disclosures. The settlement agreement states that Verizon's cooperation included identifying individuals involved in or responsible for the issues; preserving, collecting, and disclosing relevant documents and information; disclosing facts gathered during its investigation; providing regular updates on its investigation; and assisting in the determination and recovery of the losses. Verizon agreed to pay just over US$4 million, but unsurprisingly, DOJ's press release does not provide any details regarding how much credit Verizon received for its cooperation.

This third cyber FCA settlement for US$4 million is moderately larger than the other two that preceded it (the first settled for $1 million and the second for just $293,000), but we expect to see more and potentially larger recoveries as DOJ (and the Relator's bar) continue to focus on the Civil Cyber-Fraud Initiative. We at Qui Notes will continue to monitor and report on these cases as they become public.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.