In a recent speech, Department of Justice (DOJ) Acting Assistant Attorney General Brian Boynton provided the first glimpse into DOJ's False Claims Act (FCA) enforcement priorities under the Biden Administration. While much of the speech predictably focused on pandemic-related fraud and opioid enforcement efforts, a few measures announced by the AAG were less expected. In particular, AAG Boynton highlighted DOJ's increased focus on violations of cybersecurity requirements and made clear that FY 2020's increase in cases brought directly by DOJ is a trend we should expect to continue.

Unsurprisingly, pandemic and opioid-related fraud top DOJ's priority list. The AAG anticipated that the FCA will be a primary enforcement vehicle for what he called the "inevitable fraud schemes" stemming from COVID-19 relief programs, including the CARES Act and loans through the Paycheck Protection Program (PPP). As we previously reported, just last month, DOJ announced the first civil settlement involving PPP-related fraud allegations—likely the first of many. The FCA will also continue to be one of the primary enforcement tools to hold companies liable for improperly promoting the sale and use of opioids. Opioid-related enforcement produced a blockbuster recovery earlier this year when DOJ announced in October 2020 a $3 billion-plus FCA settlement with Purdue Pharma (part of an $8 billion global criminal and civil settlement).

AAG Boynton also explained that we are likely to continue to see more cases brought directly by DOJ. DOJ's FY 2020 stats showed that DOJ filed more direct cases last year than ever before. We now have a better understanding of why that is. AAG Boynton stated that DOJ is looking to "expand its own efforts to identify potential fraudsters" by leveraging its "sophisticated data analytics" system. This is not the first instance of DOJ aiming to enhance its data analytics. You may recall that last year, DOJ announced that it was initiating a data-driven approach to PPP enforcement and investigation. AAG Boynton also explained that DOJ is using data analytics "to identify patterns across different types of health care providers – giving us a way to identify trends and extreme outliers." He said that the data allows DOJ to "see where the highest risk physicians are located in each state and federal district, and how much they are costing" the government. Expect more to come on this front.

Also noteworthy from the AAG's speech was DOJ's heightened focus on using the FCA to police compliance with cybersecurity requirements. DOJ has already started to lay the groundwork for enforcement in this area. In the much-discussed decision of United States ex rel. Markus v. Aerojet Rocketdyne Holdings, Inc., No. 15-cv-2245, 2019 WL 2024595 (E.D. Ca. May 8, 2019), the court upheld the government's enforcement action against a firm that represented it was in compliance with the cybersecurity standards in its Department of Defense (DoD) contract when it allegedly knew these representations were inaccurate. Subsequently, in July 2019, another contractor agreed to an $8.6 million settlement to resolve allegations that it sold cybersecurity-vulnerable software to federal, state, and local government agencies in violation of contractual requirements. This was the first reported settlement based on FCA allegations related to cybersecurity noncompliance—but it is unlikely to be the last.

Defense contractors (and subcontractors) subject to the Defense Federal Acquisition Regulation Supplement (DFARS)—a newer and more expansive version of the requirements that formed the basis of the Aerojet case—are now being evaluated on their cybersecurity practices in procurements going forward and will soon be required to obtain a third party certification (the CMMC) in order to engage in business with DoD. All federal contractors are also currently subject to "basic safeguarding" requirements in the Federal Acquisition Regulation (FAR), 48 C.F.R. 52.204-21, and we expect a significant expansion of these requirements over the next few years. Most of these requirements recognize that contractors will be on a spectrum of compliance and may need to implement improvement plans to reach the relevant standards imposed by contract. But, contractors should take care that in reporting their current status and their plans of action to reach compliance, they are complete, accurate and realistic.

© Arnold & Porter Kaye Scholer LLP 2021 All Rights Reserved. This blog post is intended to be a general summary of the law and does not constitute legal advice. You should consult with counsel to determine applicable legal requirements in a specific fact situation.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.