
Lessons From Verizon's Cybersecurity FCA Self-Disclosure

On Sept. 5, the U.S. Department of Justice announced its settlement with Verizon Business Network Services LLC, a Verizon Communications Inc. subsidiary, in which Verizon agreed to pay $4.1 million to settle certain False Claims Act allegations related to cybersecurity.

The settlement resolves allegations that Verizon's Managed Trust Internet Protocol Service, or MTIPS, which was designed to provide federal agencies with secure connections to public internet and other networks, did not satisfy certain cybersecurity controls related to contracts with the U.S. General Services Administration from 2017 to 2021.

According to the settlement agreement, Verizon was awarded three GSA contracts to provide various telecommunications services, including MTIPS. Because of the nature of the services provided, the GSA required, among other things, that the contracts comply with all critical capabilities set forth in the U.S. Department of Homeland Security's relevant reference architecture document for Trusted Internet Connections.[1]

Simply put, Verizon was obligated to meet certain cybersecurity requirements under the GSA contracts, and allegedly failed to do so. But, instead of burying its head in the sand upon discovering these issues, Verizon promptly took action to mitigate its exposure by submitting a written self-disclosure of potential issues to the GSA.

Likewise, Verizon initiated an independent investigation and compliance review of the problems at issue, and provided the GSA with supplemental written self-disclosures. This article explores the interplay between this settlement, the DOJ's Civil Cyber-Fraud Initiative and the department's self-disclosure focus.

The Civil Cyber-Fraud Initiative

Notably, this is only the fourth public resolution since Deputy Attorney General Lisa Monaco announced the department's Civil Cyber-Fraud Initiative in October 2021. As you may recall, the department launched the initiative with the intention of combining "the department's expertise in civil fraud enforcement, government procurement and cybersecurity to combat new and emerging cyber threats to the security of sensitive information and critical systems."[2]

Yet, despite the fanfare stoked by law firm articles and publications about the new initiative, thus far the department has only announced four resolutions.[3] One of these was the 2022 settlement of U.S. v. Aerojet Rocketdyne Holdings Inc., in the U.S. District Court for the Eastern District of California, in which the DOJ actually declined to intervene.

Altogether, settlements under the initiative total just over $14 million — less than 1% of the department's total FCA recoveries received in 2022. Despite that statistic, the Verizon resolution is arguably proof that the department's initiative is working.

Indeed, had the DOJ not stressed its cybersecurity focus, it is unclear whether companies like Verizon would have deemed their failures sufficiently material to warrant a self-disclosure, and there are undoubtedly other nonpublic cybersecurity cases or resolutions in the pipeline at the DOJ that also demonstrate this point.

Next, it is worth noting that under the initiative, the DOJ has resolved allegations that arose in both the health care and the procurement context, demonstrating that cybersecurity fraud — or allegations of such — is not limited to procurement.

A Self-Disclosure Success

Finally, the Verizon resolution is unique because it also demonstrates the DOJ's commitment to another potential area of contention — self-disclosure — and shows the interplay between the DOJ's professed prioritization of cyber-fraud and whether a company should self-disclose.

As you may know, the DOJ's self-disclosure policy has been the subject of much discussion since September 2022 when the Criminal Division published its memorandum entitled "Further Revisions to Corporate Criminal Enforcement Policies Following Discussions with Corporate Crime Advisory Group." The memo provided detailed guidance about timely self-disclosures to the department, among other things.

Most relevant here, the memo noted a corporation may come to the department and disclose misconduct once it becomes aware of misconduct by employees, before that conduct is publicly reported or otherwise known to the department.[4]

Prior to this memo, in May 2019, the fraud section of the DOJ's Civil Division updated its self-disclosure and cooperation policies. There, the civil fraud section similarly stressed the importance of self-disclosure and cooperation, noting that entities "or individuals that make proactive, timely, and voluntary self-disclosure to the department about misconduct will receive credit during the resolution of an FCA case."[5] But the revision of the DOJ's criminal policies in Fall 2022 has undoubtedly renewed focus among legal practitioners — and clients — as to whether self-disclosure is appropriate.

Indeed, when faced with whether to self-disclose, companies often question the prudence of such a disclosure. The Verizon settlement highlights a few important takeaways: (1) the extent of cooperation and self-disclosure; (2) the importance of setting the venue of the self-disclosure; and (3) the potential for decreasing the financial ramifications of the misconduct on the company's bottom line.

Determining Extent of Cooperation and Self-Disclosure

Based on the settlement and the press release, it appears that Verizon identified issues related to compliance with certain cybersecurity controls, provided the government with a written self-disclosure, initiated an independent investigation and compliance review of the issues, and provided the government with detailed subsequent written disclosures.

Apparently, Verizon also identified individuals involved in or responsible for the issues, assisted in the damages analysis and remediated the identified issues, among other things. Verizon is demonstrating here what true cooperation looks like and how such cooperation can lead to better results for the company.

As a result of this level of cooperation, Verizon paid a 1.5 multiplier — substantially less than its potential exposure under the FCA, which can be three times the loss to the government plus penalties.

Setting the Venue

Clients often ask about what makes a case criminal versus civil. By self-disclosing in a timely manner where the misconduct is clear, and cooperating with an investigation, the company can often avoid criminal liability.

Once company management is made aware of misconduct, by continuing to engage in the conduct and failing to disclose such conduct — similar to the allegations set forth in the 2017 qui tam suit filed in the U.S. District Court for the District of Columbia in U.S. v. Booz Allen Hamilton Inc. — management exposes the company to civil and, possibly, criminal liability.[6]

In contrast, when companies voluntarily disclose such conduct, they can elect the venue for that disclosure — for example, whether to approach the contracting agency directly or go to the DOJ's civil fraud division.

Likewise, by disclosing conduct, a company may avoid severe administrative remedies like suspension or exclusion.

Decreasing the Financial Ramifications

Though we do not know when Verizon submitted this self-disclosure, it appears that this process took less than two years, given that the conduct ended in 2021 — a substantially shorter time than most investigations initiated by qui tam complaints. This translates to lower legal and expert expenses for the company and, generally, lower reputational costs to the company and, ultimately, shareholders.

Also, Verizon's self-disclosure and show of good faith in its dealings with the government may ultimately result in more revenue for the company through additional contracts with the GSA and other government agencies.

Though a company's strategic approach for alleged FCA misconduct is case- and fact-specific — undoubtedly, self-disclosure is not necessarily the correct approach for many FCA investigations — this settlement is nonetheless an example of a self-disclosure gone right.


[1] According to TIC Core Guidance Volume 2, TIC is a federal cybersecurity initiative established in 2007 that is intended to improve network and boundary security across the entire federal Government. See Cybersecurity and Infrastructure Security Agency, TIC Core Guidance Volume 2: Reference Architecture, July 2020, https://www.cisa.gov/sites/default/files/2023-02/cisa_tic_3.0_vol._2_reference_architecture.pdf.

[2] DOJ Office of Public Affairs, Deputy Attorney General Lisa O. Monaco Announces New Civil Cyber-Fraud Initiative, October 6, 2021, https://www.justice.gov/opa/pr/deputy-attorney-general-lisa-o-monaco-announces-new-civil-cyber-fraud-initiative.

[3] The DOJ has announced four (4) resolutions under the initiative: Comprehensive Health Services ($930,000), Aerojet Rocketdyne ($9 million), Jelly Communications Design ($293,771), and Verizon ($4.1 million).

[4] Deputy Attorney General Lisa Monaco, Further Revisions to Corporate Criminal Enforcement Policies Following Discussions with Corporate Crime Advisory Group, September 15, 2022, https://www.justice.gov/opa/speech/file/1535301/download.

[5] See Justice Manual § 4-4.112, Guidelines for Taking Disclosure, Cooperation, and Remediation into Account in False Claims Act Matters, updated May 2019, https://www.justice.gov/jm/jm-4-4000-commercial-litigation#4-4.110.

[6] See Amended Complaint, U.S. ex rel. Feinberg v. Booz Allen Hamilton Inc., No. 1:16-cv-01911 (D.D.C. July 28, 2017).
