Top Five Takeaways from IAPP’s Webinar
- False Claims Act (FCA) cybersecurity enforcement has emerged as a Department of Justice (DOJ) priority under the second Trump Administration. In the first nine months of the Trump Administration, seven cyberfraud-related FCA settlements have been announced, totaling more than $51 million and surpassing recoveries under the Biden Administration’s Civil Cyberfraud Initiative. These settlements – and the warnings issued by DOJ officials in the accompanying press statements – dispel any notion that corporate defendants would receive leniency when they fail to adhere to cybersecurity requirements. Cybersecurity noncompliance is clearly in the crosshairs of both DOJ and the plaintiffs’ whistleblower bar.
- Targets of cyberfraud FCA enforcement actions have not been limited to defense contractors. Any organization that contracts with, or sells products or services to, a federal agency is fair game and could face scrutiny. FCA enforcement actions have greatly expanded to include healthcare service providers, IT service providers, higher education institutions, medical device companies, and private equity firms. A data breach is not required to trigger FCA liability; DOJ has targeted companies based upon allegations that they violated their contractual cybersecurity obligations, provided inadequate oversight of third-party vendors, or submitted false certifications to the government. Further, as data has become more critical to U.S. national security, the information contractors must protect from cyber threats and intrusions has broadened. No longer is the government concerned only with the security of government data such as controlled unclassified information (CUI); it demands that organizations also safeguard Americans’ personal information, including personally identifiable information (PII) and protected health information (PHI).
- The Final Cybersecurity Maturity Model Certification (CMMC) Rule, effective November 2025, raises the bar for cybersecurity compliance. It increases the reporting and attestation requirements and the assessment standards for government contractors. Liability risks exist with every submission or statement to the government. Even prior to this rule, submitting invoices or bills to the government constituted a certification of compliance with the material terms of the underlying contract. Now, in addition to those filings, a contractor’s affirming official will be required to complete annual affirmations of compliance with their contractual cybersecurity requirements under the Federal Acquisition Regulations (FAR) or Defense Federal Acquisition Regulations (DFARS). Further, the Department of Defense will no longer accept cybersecurity self-assessments for contracts involving sensitive defense information. Those contractors must pass an assessment performed by a certified third-party assessment organization or by the government.
- DOJ’s first-of-its-kind $9.8 million FCA Settlement with Illumina over alleged cybersecurity vulnerabilities in genomic sequencing systems signals heightened scrutiny of software and medical devices sold to the government. This was the first time that DOJ held a company liable under the FCA for selling products with cybersecurity deficiencies. DOJ alleged that Illumina failed to incorporate adequate cybersecurity measures into its product design, lacked effective monitoring controls, and misrepresented compliance with cybersecurity standards. Medical device makers and software vendors, especially in healthcare and life sciences, should be prepared to face increased scrutiny and governmental investigations of cybersecurity flaws. Organizations should therefore assess compliance with applicable cybersecurity standards (both industry guidance and contract requirements) and implement controls to ensure the accuracy of all cybersecurity representations and certifications made to the government.
- DOJ’s July 2025 settlement with Aero Turbine, Inc. (ATI), and its private equity owner, Gallant Capital Partners LLC, underscores the value of making a voluntary self-disclosure pursuant to DOJ’s updated corporate enforcement policy. Even though DOJ found that ATI had violated cybersecurity requirements under DFARS 252.204-7012 and had shared sensitive defense information with an Egyptian subcontractor, it imposed damages of only $1.75 million because ATI had made several written self-disclosures, cooperated with the government’s investigation, and taken prompt remedial action. Accordingly, when organizations uncover potential violations of cybersecurity requirements, they should immediately conduct an internal investigation, consider making a voluntary self-disclosure, and implement remedial measures before a whistleblower reports suspected FCA violations to DOJ.
To learn more, you can view the full IAPP Webinar recording here.