Is Your Cybersecurity Compliance Program DOJ-Ready: Part I

[Spoiler Alert] Bottom Line, Up Front: When building and assessing a compliance regime, we recommend that a company:

• Review Department of Justice (DOJ) guidance;
• Build a holistic compliance regime around employees; and
• Understand the stakes: DOJ is treating non-compliance with contractual cybersecurity requirements as fraud, subject to treble damages and statutory penalties.

But let's get into the details of these recommendations.

Recommendation 1: Review DOJ Guidance

Is the current federal guidance on cybersecurity regulations sufficiently detailed for companies to comply?

When advising a company regarding whether it has put sufficient compliance measures in place – cybersecurity or otherwise – one place to begin is with what DOJ would call "compliance."

Over the last decade, the DOJ has provided significant guidance regarding its enforcement policies, including:

• The September 9, 2015 "Yates Memo" on Individual Accountability for Corporate Wrongdoing
• The May 7, 2019 Guidance on False Claims Act Matters and Updates to the Justice Manual
• The October 6, 2021 Announcement of the New Civil Cyber Fraud Initiative
• The October 28, 2021 Memo on the Corporate Crime Advisory Group and Initial Revisions to Corporate Criminal Enforcement Policies (Initial Revisions)
• The July 1, 2022 Comprehensive Cyber Review
• The September 15, 2022 Memo on Further Revisions to Corporate Criminal Enforcement Policies Following Discussions with Corporate Crime Advisory Group (Further Revisions)
• The January 2023 Criminal Division Corporate Enforcement and Voluntary Self-Disclosure (VSD) Policy
• The October 2023 M&A Safe Harbor Policy

But what does that say about what the DOJ means by the word "compliance?"

Recommendation 2: Build a Holistic Compliance Regime Around Employees.

In the context of the voluntary self-disclosures (VSD), the DOJ notes that "an effective compliance and ethics program... may include:

1. The company's commitment to instilling corporate values that promote compliance, including awareness among employees that any criminal conduct, including the conduct underlying the investigation, will not be tolerated;
2. The resources the company has dedicated to compliance;
3. The quality and experience of the personnel involved in compliance, such that they can understand and identify the transactions and activities that pose a potential risk;
4. The authority and independence of the compliance function, including the access the compliance function has to senior leadership and governance bodies and the availability of compliance expertise to the board;
5. The effectiveness of the company's compliance risk assessment and the manner in which the company's compliance program has been tailored based on that risk assessment;
6. The reporting structure of any compliance personnel employed or contracted by the company;
7. The compensation and promotion of the personnel involved in compliance, in view of their role, responsibilities, performance, and other appropriate factors; and
8. The testing of the compliance program to assure its effectiveness.

But other guidance provides a sense of how far the DOJ may go if it were to assess a company's compliance in the context of potential misconduct. For example, the DOJ may:

• Expect to look at a company's entire history of misconduct, including other entities within a "corporate family."
• Expect a company to identify all persons involved in any alleged/potential misconduct, and provide all non-privileged information about the conduct on a timely basis.
• Likely will seek to resolve questions of individual liability before resolving claims against a company.
• Expect a company to be able to produce information from employees' personal devices or third-party messaging platforms.
• Expect the company to hold its own employees accountable, including under their employment agreements. (Note: "Clawback" measures employed by a company against an employee engaged in alleged misconduct are incentivized by DOJ).

Recommendation 3: Understand the Stakes: DOJ is Treating Non-Compliance With Contractual Cybersecurity Requirements as Fraud, Subject to Treble Damages and Statutory Penalties.

So, what does the DOJ say about cybersecurity compliance in particular? Here is a quick passage that should trouble CIO/CTOs, CLO/GCs and CEO/COO's alike in ANY industry doing business with the federal government:

Does DOJ's Civil Division's Fraud Section really need to ensure that "new [FAR cybersecurity contract] provisions are enforceable in the case of breach?" The Civil Division's Fraud Section does not handle breach of contract matters – that is the stuff of DOJ's National Courts Section. Rather, the Civil Division's Fraud Section wields the mighty club of the False Claims Act, which it has used to obtain more than $75 billion in settlements and judgments since 1986.

Most recently, on February 22, 2024, Principal Deputy Assistant Attorney General Brian M. Boynton delivered remarks at the 2024 Federal Bar Association's Qui Tam Conference, announcing the DOJ's False Claims Act enforcement priorities for 2024. The first priority he mentioned was cybersecurity.

The DOJ's continued focus on cybersecurity heightens the scrutiny and raises stakes for companies and their compliance programs.

* * *

The False Claims Act cybersecurity cases to-date will be reviewed, as well as the DOJ's efforts outside the courtroom to improve its litigation position, as the analysis of cybersecurity compliance programs that are DOJ-Ready continues in Part 2: Regulating and Contracting around Escobar.

Be sure to check back soon for Part 2 of this Government Contracts Insight series! In the meantime, to learn about Fluet's Government Contracts Practice, click here.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.