A False Claims Act (FCA) settlement recently announced by the U.S. Department of Justice stands at the intersection of two evolving trends: DOJ’s increasing focus on cybersecurity lapses by government contractors as part of its Civil Cyber-Fraud Initiative, and DOJ policies incentivizing corporations to voluntarily self-disclose violations of federal law.
On September 5, 2023, DOJ announced a $4 million settlement with Verizon Business Network Services LLC (Verizon) addressing allegations that Verizon violated the FCA because certain telecommunications services it provided to federal agencies under its General Services Administration (GSA) contracts did not comply with applicable cybersecurity requirements, namely the Office of Management and Budget’s Trusted Internet Connections (TIC) initiative. DOJ specifically alleged that Verizon’s Managed Trusted Internet Protocol Service (MTIPS)—an information technology service that allows federal agencies to securely connect to public internet and external networks—did not comply with three security controls in the Department of Homeland Security’s TIC Reference Architecture Document, including a control that required the use of FIPS 140-2 validated cryptography. The Verizon settlement represents the latest example of DOJ’s continued focus on cybersecurity cases, a trend that we believe will only continue to escalate going forward.
Verizon’s Cooperation Credit
What makes this resolution particularly interesting is the discussion in the settlement agreement and the DOJ press release about the various steps that Verizon took that entitled the company to credit for cooperating with the government. For instance, the recitals in the settlement agreement explicitly state that Verizon received credit under DOJ’s guidelines for taking disclosure, cooperation, and remediation into account in False Claims Act cases as set forth in § 4-4.112 of the Justice Manual. As described below, the recitals shed some light on the sorts of steps that could be awarded credit in these circumstances.
After learning of the potential issues with the implementation and maintenance of certain security controls, Verizon provided GSA’s Office of Inspector General (GSA-OIG) with a written self-disclosure. The company also initiated an independent investigation and compliance review of those issues and provided GSA-OIG with multiple detailed and thorough supplemental written self-disclosures.
The recitals note that Verizon cooperated with the government’s investigation of the issues in several ways, including by identifying individuals responsible for the issues; disclosing facts gathered during its independent investigation, with attribution to specific sources; and assisting in the determination and recovery of the losses caused by the issues.
Verizon took prompt steps to remediate the issues, including by implementing compensatory security controls for its MTIPS solution; implementing a compliance program to avoid a reoccurrence of similar issues and conduct; making substantial capital investments in its governance, risk, and compliance platforms; reviewing and updating its MTIPS system security plan and related internal documentation; establishing a Compliance Center of Excellence to maintain and improve its cybersecurity compliance framework; and disciplining or replacing those employees Verizon identified as responsible for the issues.
Value of the Cooperation Credit
While not stated explicitly in the press release, Verizon’s cooperation appears to have affected the amount of the total settlement. There is no one-size-fits-all approach to settlements of FCA liability; however, it is not unusual for defendants to pay around 2x the amount of the single damages in settlements with DOJ’s Civil Fraud Section. Any number of factors can influence that multiplier, from the perceived strength of the claims and defenses, the overall value of the matter, and more. Here, the settlement agreement identified $2,727,545 as the single damages (i.e., restitution) amount and $4,091,317 was the negotiated settlement total. This means that Verizon paid 1.5x the single damages amount to settle the case with DOJ Civil Fraud. When compared with the 2x multiplier that typically applies to an FCA settlement, the credit that Verizon presumably received for its cooperation was worth more than $1.3 million. The agreement does not provide any details as to how the restitution amount itself was calculated.
What Comes Next?
The § 4-4.112 Guidelines were adopted in 2019, but to date they have received little publicity from DOJ Civil Fraud. This stands in marked contrast to other DOJ components, which have frequently and prominently touted similar policies both before and after an initiative announced by Deputy Attorney General Lisa Monaco in September 2022 to provide Department-wide guidance for development of policies that incentivize voluntary self-disclosures. For example, the DOJ Criminal Division, and the Criminal Fraud Section in particular, regularly incorporates statements about its voluntary self-disclosure policy in public speeches and announcements of case resolutions. In contrast, the § 4-4.112 Guidelines have remained largely under the radar, but the Verizon settlement highlights the potential financial benefits for companies that take steps to disclose misconduct, cooperate with the government’s investigation, and implement remedial measures. It remains to be seen whether the Verizon settlement will be touted by DOJ leadership as an example of the benefits of self-disclosure in an effort to encourage more companies to take similar steps.
The Verizon settlement is a reminder of DOJ’s continued focus on using the FCA to enforce cybersecurity requirements as part of the Civil-Cyber Fraud Initiative and of DOJ’s cooperation guidelines in the face of potential FCA issues. Corporations that uncover evidence of FCA violations, including cybersecurity lapses that may implicate FCA liability, should consider whether to undertake voluntary disclosures as a measure of compliance and to obtain potentially valuable credit in resolving such matters.