The Law Offices of Mary N. Chaney, P.L.L.C.
The Cyber Security Law Firm of Texas

Mary's Blog

The Breach Whisperer

About Mary

Mary N. Chaney, Esq., CISSP, CIPP/US is a former Special Agent for the FBI, where she investigated cybercrime; a seasoned corporate executive who built and operated information security teams; and now a cybersecurity attorney.

As a self-described “Breach Whisperer,” our firm can train your company to properly prepare for your eventual breach!

The overall goal of our firm is to use our wealth of knowledge and expertise to help support, translate and advise Boards of Directors, CIOs, CISOs and General Counsels on how to legally protect their company from cyber-related risk.

Blog Entries


 

When Just Checking The Box May Lead To Contract Fraud

See Article Here

The attached article discusses an interesting case brewing in California regarding the False Claims Act. In a nutshell, an aerospace company was bidding on a government contract. As required by DoD policy, the company had to state it was compliant with DoD cybersecurity regulations. The company’s senior director of cybersecurity refused to sign a statement saying that the company was compliant. He was then fired. The company was awarded the contract and began providing rockets to the government.

The employee not only sued for wrongful termination, but also sued under the False Claims Act, saying that the company “defraud[ed] the U.S. government under the False Claims Act by submitting and conspiring to submit false certifications that the company was compliant with… federal cybersecurity requirements.” Whoa! Really? To level set here, the False Claims Act has historically been used when a company has defrauded the government out of money. To have a former employee assert that the company acted fraudulently by checking the box that says “sure we are compliant” is a new and exciting (only to attorneys) area.

This brings a whole new dimension to government regulations and government contractors. If the suit is successful, the precedent can be set that if a company certifies compliance with cybersecurity regulations and there is “fudging” going on, it could be found to have committed fraud. It also opens the floodgates for plenty of litigation concerning what “knowingly” means; however, the concept of intent is always an issue in litigation. Whatever the result of the case, government contractors need to take heed that the days of self-certification, i.e. checking the box, may be coming to an end.