The Federal Government continues ramping up enforcement of data security requirements by deploying significant new enforcement theories and tools in support of cyber and data security controls required by federal law. Specifically, the Department of Justice (DOJ) and the Federal Trade Commission (FTC) recently entered into settlements with private companies that underscore these cybersecurity mandates and the additional investment of resources devoted to enforcing them by the Federal Government.
Why are these cases important?
- The DOJ settlement is the first False Claims Act case involving DOJ’s Civil Cyber-Fraud Initiative.
- The FTC settlement involves not only the current owner of the entity that experienced multiple data breaches, but also that entity’s former owner.
First, on March 7, 2022, the DOJ reached a court-approved settlement agreement with Comprehensive Health Services (CHS) to resolve allegations that CHS violated the False Claims Act by falsely representing to the State Department and the Air Force that it complied with contract requirements relating to the provision of medical services at State Department and Air Force facilities. Importantly, according to the DOJ, the factual representations and contractual requirements at issue pertain to CHS’s commitment to provide HIPAA-compliant electronic medical records systems and support for the patient care required by the contract. DOJ alleged that CHS did not abide by these requirements and knew of lapses in data security and system protocols. The DOJ stated that even when the issues came to light, CHS did not address them or report them externally, contrary to HIPAA requirements. A whistleblower, Dr. M. Shawn Lawlor, filed suit against CHS under the qui tam or whistleblower provisions of the False Claims Act on these and other issues. The DOJ joined the case and resolved it in this month’s comprehensive civil settlement. Specifically, the DOJ’s civil settlement resolves two separate actions brought against CHS under the False Claims Act.1
The DOJ statement on these cases emphasized that the “investigation and resolution of this matter illustrates the government’s emphasis on combatting cyber-fraud.” Specifically, on “October 6, 2021, the Deputy Attorney General announced the department’s Civil Cyber-Fraud Initiative, which aims to hold accountable entities or individuals that put U.S. information or systems at risk by knowingly providing deficient cybersecurity products or services, knowingly misrepresenting their cybersecurity practices or protocols, or knowingly violating obligations to monitor and report cybersecurity incidents and breaches.
Second, on March 15, 2022, the FTC entered into a settlement with the current and former owners of CafePress, an online customized merchandise platform, regarding allegations that CafePress failed to implement “reasonable security measures” to protect consumers’ information and to notify individuals of “multiple” breaches. The FTC alleges that CafePress did not implement encryption, reasonable password protection, threat detection and response, security incident response, and appropriate data deletion. The FTC’s settlement requires CafePress to implement additional security controls, and, notably, requires its former owner, Residual Pumpkin Entity, LLC, to pay a half million dollars to compensate small businesses and other victims of the data breaches.
According to the FTC’s statement on the case,2 CafePress knew that it had vulnerabilities in its systems as early as January 2018, when CafePress determined that certain accounts had been hacked, at which time CafePress took no other action besides closing the accounts at issue and charging the victims a $25 account closure fee. Further, the FTC stated that CafePress used consumers’ email addresses for marketing, even though its consumer policies stated that consumer information would only be used to fulfill orders.
The Federal Government will utilize a strong and growing array of tools to enforce cybersecurity mandates and requirements, whether in the federal contractor community or the private sector as a whole. The Government also indicates that this stepped-up enforcement will continue. As such, the Government will inevitably find out if a company does not have adequate data security controls or did not provide notifications as required by federal law in the event of a data breach and can be expected to take action against any and all entities involved in the lack of compliance, including both current and former business owners. As such, at a minimum, these cases show the importance of:
- Ensuring a robust data security compliance program that implements all applicable data security requirements;
- Making complete and accurate representations of fact about data security when bidding for government contracts (or other contracts) and in the course of undertaking administration and performance of such contracts;
- Maintaining and following a thorough incident response and breach notification plan;
- Reviewing all government contract requirements related to data security and prioritizing compliance with such requirements; and
- Responding to employee reports and complaints about data security in a meaningful way.
1 See United States ex rel. Lawler v. Comprehensive Health Servs., Inc. et al., Case No. 20-cv-698 (E.D.N.Y.), and United States ex rel. Watkins et al. v. CHS Middle East, LLC, Case No. 17-cv-4319 (E.D.N.Y.).
2 See FTC listserv announcement on March 15, 2022, regarding