In a recently announced settlement agreement with the U.S. Department of Justice (“DOJ”), Illumina, Inc. (“Illumina”) agreed to pay $9.8 million to resolve claims arising from alleged cybersecurity vulnerabilities in genomic sequencing systems that the company sold to federal agencies.  The case is the latest in a series of False Claims Act (“FCA”) settlements under the current administration that evidence DOJ’s continued focus on cybersecurity obligations for government contractors, particularly those that maintain sensitive data and personal information on behalf of federal customers.

Case Summary[1]

The case, which was filed by a former employee under the qui tam provisions of the FCA (31 U.S.C. § 3730(b)), alleged that Illumina submitted, or caused to be submitted, false claims under its government contracts for genomic sequencing systems which were allegedly susceptible to certain cybersecurity vulnerabilities and lacked an “adequate product security program and sufficient quality systems” to identify and address vulnerabilities.  Specifically, DOJ claimed that the company knowingly failed to:

  • Incorporate product cybersecurity into software design, development, installation, and on-market monitoring;
  • Properly support and resource personnel, systems, and processes tasked with product security; and
  • Adequately correct design features that introduced cybersecurity vulnerabilities into its genomic sequencing systems.

Furthermore, DOJ alleged that the company falsely claimed that its software adhered to unspecified cybersecurity standards promulgated by the International Organization for Standardization and National Institute of Standards and Technology.

Takeaways

  • Civil Cyber-Fraud Remains in Focus.  As we have discussed in prior blog posts and other publications, an increasing focus on civil cyber-fraud cases under the Biden Administration raised the stakes for many government contractors across various industries.  While the Trump Administration has signaled a shift in other enforcement areas, the Illumina settlement and other recent cases suggest that the momentum of civil cyber-fraud enforcement will continue under the current Administration.  
  • Risk to Health-Related Data is a Priority.  The case reiterates that DOJ’s FCA enforcement priorities extend beyond defense contractors and traditional IT service providers to include biotechnology companies, medical device manufacturers, and other organizations that maintain personal information, including health-related data.  In the accompanying press release, DOJ specifically underscored the sensitivity of genetic information and emphasized its commitment to protect sensitive data from cyber threats.
  • DOJ Does Not View Lack of Cyber Breach as a Defense. DOJ asserted that the company’s claims were false, “regardless of whether any actual cybersecurity breaches occurred,” as a result of alleged cybersecurity vulnerabilities in genomic sequencing systems.  This underscores the DOJ’s view that cybersecurity noncompliance need not result in a breach or other cyber-incident in order to trigger FCA liability, and further indicates that DOJ will not consider cyber breach as a gating issue when deciding whether to intervene in a qui tam action.  This fact, however, should clearly have an impact on whether damages can be proven, and how any damages may be calculated.

Looking Ahead

DOJ’s continued focus on cyber-related false claims comes at a time when cybersecurity obligations for government contractors continue to expand in scope and complexity.  For instance, the U.S. Department of Defense Cybersecurity Maturity Model Certification (“CMMC”) Program was issued late last year, and the procurement rule that will apply the CMMC program to federal contractors is expected in the near future.  In addition, the White House issued a Cybersecurity Executive Order in June, which included several directives that could flow down to government contractors, including for software supply-chain security and post-quantum cryptography.   As the cybersecurity landscape continues to evolve, contractors should regularly assess their compliance with cybersecurity requirements.  As a practical step, contractors can facilitate communications and alignment between their IT, InfoSec, Product and Delivery teams, and Legal functions, as appropriate, to ensure their organizations understand and address regulatory and contractual cybersecurity obligations.  Organizations may also consider implementing or enhancing procedures that enable employees to raise cybersecurity concerns internally and take appropriate steps to investigate and address instances of potential noncompliance.

[1] Source: Illumina, Inc. Settlement Agreement.

Photo of Susan B. Cassidy Susan B. Cassidy

Susan Cassidy is co-chair of the firm’s Aerospace and Defense Industry Group and is a partner in the firm’s Government Contracts and Cybersecurity Practice Groups. She is Chambers rated in both Government Contracts and Government Contracts Cybersecurity. Susan previously served as in-house counsel…

Susan Cassidy is co-chair of the firm’s Aerospace and Defense Industry Group and is a partner in the firm’s Government Contracts and Cybersecurity Practice Groups. She is Chambers rated in both Government Contracts and Government Contracts Cybersecurity. Susan previously served as in-house counsel for two major defense contractors and advises a broad range of government contractors on compliance with FAR and DFARS requirements, with a special expertise in supply chain, cybersecurity and FedRAMP requirements. She has an active investigations practice and advises contractors when faced with cyber incidents involving government information, as well as representing contractors facing allegations of cyber fraud under the False Claims Act. Susan relies on her expertise and experience with the Defense Department and the Intelligence Community to help her clients navigate the complex regulatory intersection of cybersecurity, national security, and government contracts. Chambers USA has quoted sources stating that “Susan’s in-house experience coupled with her deep understanding of the regulatory requirements is the perfect balance to navigate legal and commercial matters.”

Her clients range from new entrants into the federal procurement market to well established defense contractors and she provides compliance advice across a broad spectrum of procurement issues. Susan consistently remains at the forefront of legislative and regulatory changes in the procurement area, and in 2018, the National Law Review selected her as a “Go-to Thought Leader” on the topic of Cybersecurity for Government Contractors.

In her work with global, national, and start-up contractors, Susan advises companies on all aspects of government supply chain issues including:

Government cybersecurity requirements, including the Cybersecurity Maturity Model Certification (CMMC), DFARS 7012, and NIST SP 800-171 requirements,
Evolving sourcing issues such as Section 889, counterfeit part requirements, Section 5949 and limitations on sourcing from China
Federal Acquisition Security Council (FASC) regulations and product exclusions,
Controlled unclassified information (CUI) obligations, and
M&A government cybersecurity due diligence.

Susan has an active internal investigations practice that assists clients when allegations of non-compliance arise with procurement requirements, such as in the following areas:

Procurement fraud and FAR mandatory disclosure requirements,
Cyber incidents and data spills involving sensitive government information,
Allegations of violations of national security requirements, and
Compliance with MIL-SPEC requirements, the Qualified Products List, and other sourcing obligations.

In addition to her counseling and investigatory practice, Susan has considerable litigation experience and has represented clients in bid protests, prime-subcontractor disputes, Administrative Procedure Act cases, and product liability litigation before federal courts, state courts, and administrative agencies.

Susan is a former Public Contract Law Procurement Division Co-Chair, former Co-Chair and current Vice-Chair of the ABA PCL Cybersecurity, Privacy and Emerging Technology Committee.

Prior to joining Covington, Susan served as in-house senior counsel at Northrop Grumman Corporation and Motorola Incorporated.

Read more about Susan B. Cassidy
Show more Show less
Photo of Ashden Fein Ashden Fein

Ashden Fein is a vice chair of the firm’s global Cybersecurity practice. He advises clients on cybersecurity and national security matters, including crisis management and incident response, risk management and governance, government and internal investigations, and regulatory compliance.

For cybersecurity matters, Ashden counsels…

Ashden Fein is a vice chair of the firm’s global Cybersecurity practice. He advises clients on cybersecurity and national security matters, including crisis management and incident response, risk management and governance, government and internal investigations, and regulatory compliance.

For cybersecurity matters, Ashden counsels clients on preparing for and responding to cyber-based attacks, assessing security controls and practices for the protection of data and systems, developing and implementing cybersecurity risk management and governance programs, and complying with federal and state regulatory requirements. Ashden frequently supports clients as the lead investigator and crisis manager for global cyber and data security incidents, including data breaches involving personal data, advanced persistent threats targeting intellectual property across industries, state-sponsored theft of sensitive U.S. government information, extortion and ransomware, and destructive attacks.

Additionally, Ashden assists clients from across industries with leading internal investigations and responding to government inquiries related to the U.S. national security and insider risks. He also advises aerospace, defense, and intelligence contractors on security compliance under U.S. national security laws and regulations including, among others, the National Industrial Security Program (NISPOM), U.S. government cybersecurity regulations, FedRAMP, and requirements related to supply chain security.

Before joining Covington, Ashden served on active duty in the U.S. Army as a Military Intelligence officer and prosecutor specializing in cybercrime and national security investigations and prosecutions — to include serving as the lead trial lawyer in the prosecution of Private Chelsea (Bradley) Manning for the unlawful disclosure of classified information to Wikileaks. Ashden is a retired U.S. Army officer.

Read more about Ashden Fein
Show more Show less
Photo of Christina Kuhn Christina Kuhn

Christina Kuhn advises medical device, pharmaceutical, and biotech companies on a broad range of FDA regulatory strategy and compliance matters. She has experience with cutting-edge and complex medical technologies, including software and digital health products, oncology products, next-generation sequencing, diagnostics, and combination products.…

Christina Kuhn advises medical device, pharmaceutical, and biotech companies on a broad range of FDA regulatory strategy and compliance matters. She has experience with cutting-edge and complex medical technologies, including software and digital health products, oncology products, next-generation sequencing, diagnostics, and combination products.

Christina frequently helps multinational device manufacturers as well as start-up device companies navigate the premarket regulatory process, advising companies on regulatory classification, clinical development strategy, and agency interactions. She also has significant experience counseling medical device companies on postmarket compliance requirements, including those related to advertising and promotion, quality systems and manufacturing, medical device reporting, registration and listing, and recalls. She advises clients on responding to and resolving enforcement actions, such as FDA inspections and Warning Letters as well as Department of Justice investigations.

Christina advises clients on, and performs regulatory due diligence for, corporate transactions, including acquisitions, public offerings, co-development agreements, and clinical trial agreements.

Christina also regularly assists industry associations and medical device and pharmaceutical companies in commenting on FDA guidance documents and rulemaking as well as drafting and analyzing federal legislation.

Christina is a frequent contributor to Covington’s Digital Health and InsideMedicalDevices blogs.

Read more about Christina Kuhn
Show more Show less
Photo of Pamela Forrest Pamela Forrest

Pamela Forrest has over 25 years of experience advising clients on a broad range of FDA regulatory issues. Her practice focuses on FDA medical device matters, including premarket notification, premarket approval, product recalls, Medical Device Reporting (MDR), Quality System Regulation (QSR) compliance, establishment…

Pamela Forrest has over 25 years of experience advising clients on a broad range of FDA regulatory issues. Her practice focuses on FDA medical device matters, including premarket notification, premarket approval, product recalls, Medical Device Reporting (MDR), Quality System Regulation (QSR) compliance, establishment registration and device listing, labeling and promotion, import/export issues, and clinical trial requirements.

Pamela frequently advises medical device manufacturers on responses to FDA enforcement actions, including Form FDA-483 observations and Warning Letters. She has extensive experience working with firms to draft written responses, develop and implement corrective actions, and prepare for re-inspection.

Pamela regularly assists medical device manufacturers, investment banks, and private equity firms with complex due diligence evaluations regarding the FDA compliance status of acquisition targets. She also frequently counsels start-up medical device firms on market entry strategies, and works with firms to identify the appropriate regulatory pathway and shepherd them through the FDA regulatory process.

Pamela has written and spoken extensively on various aspects of FDA regulation of medical devices, and has testified before several State legislative committees regarding medical device legal and regulatory issues.

Read more about Pamela Forrest
Show more Show less
Photo of Peter B. Hutt II Peter B. Hutt II

Peter Hutt represents government contractors in False Claims Act and fraud matters, and accounting, cost, and pricing disputes and counseling matters.

Peter is a leading False Claims Act lawyer in the government contracts arena. He has represented contractors for 35 years in matters…

Peter Hutt represents government contractors in False Claims Act and fraud matters, and accounting, cost, and pricing disputes and counseling matters.

Peter is a leading False Claims Act lawyer in the government contracts arena. He has represented contractors for 35 years in matters alleging cybersecurity noncompliance; cost mischarging; CAS violations; quality assurance deficiencies; substandard products and services; defective pricing; health care fraud; price reduction issues; inadequate subcontractor oversight; and reverse false claims. He has testified before Congress concerning the False Claims Act, and is a thought leader in the field. Peter also conducts internal investigations and advises clients on whether and how to make disclosures of potential wrongdoing.

Peter also represents contractors and grantees in accounting, cost, and pricing matters, and other contract and grant matters. He has addressed issues concerning pensions and post-retirement benefits; TINA and defective pricing; alleged CAS violations; cost accounting practice changes; alleged charging of unallowable and expressly unallowable costs; terminations; contract financing; price reduction clause issues; subcontracting and supply chain compliance; specialty metals compliance; and small business and DBE compliance. He has litigated cost, accounting, and contract breach matters in the Court of Federal Claims and the ASBCA.

Peter is recognized for his work both in False Claims Act and government contract disputes by Chambers USA, which notes that “He is absolutely outstanding. He is thoughtful and client-focused.” Chambers also notes that “Peter’s judgment and problem solving ability is unique. He is a very good False Claims Act lawyer.”

Read more about Peter B. Hutt II
Show more Show less
Photo of John Webster Leslie John Webster Leslie

Web Leslie advises clients on a broad range of challenges and opportunities at the intersection of technology and security, including investigations, regulatory, and transactional matters related to cybersecurity, national security, critical infrastructure, and data privacy.

In his white-collar practice, Web helps clients navigate…

Web Leslie advises clients on a broad range of challenges and opportunities at the intersection of technology and security, including investigations, regulatory, and transactional matters related to cybersecurity, national security, critical infrastructure, and data privacy.

In his white-collar practice, Web helps clients navigate both government and internal investigations. He specializes in complex civil and criminal investigations related to alleged government contracts fraud and other cybersecurity-related allegations under the False Claims Act, FTC Act, and equivalent state laws. Additionally, Web assists clients in responding to a variety of cyber incidents, ranging from intrusions and extortion by advanced persistent threats to business email compromises and large-scale data breaches. Web also helps clients investigate insider threat activity and potential noncompliance with regulatory and contractual cybersecurity requirements.

In his advisory and transactional practice, Web assists clients across a wide range of industries and critical infrastructure sectors manage risk in an evolving regulatory landscape. He regularly advises on cybersecurity compliance and best practices, information security program development, incident response preparedness, insider threat risks, third-party risk management, and international cyber regulations, among other areas. Web also advises clients on a variety of government and industry standards, including the NIST Cybersecurity Framework 2.0, NIST SP 800-53, NIST SP 800-171, FedRAMP and state equivalents (e.g., GovRAMP, TX-RAMP), CJIS, ISO/IEC standards (e.g., ISO 27001), SOC2 Type 2, and other sector-specific requirements (e.g., HIPAA Security Rule, PCI DSS, DFARS Clause 252.204-7012, NERC Critical Infrastructure Protection).

In addition to his regular practice, Web counsels pro bono clients on data breach, immigration, and criminal law matters.

Web previously served in government in different roles at the Department of Homeland Security (DHS), including at the National Protection and Programs Directorate—known today as the Cybersecurity and Infrastructure Security Agency (CISA)—where he specialized in cybersecurity and critical infrastructure protection, public-private partnerships, and interagency cyber operations. He also served as Special Assistant to the Secretary of Homeland Security.

Read more about John Webster Leslie
Show more Show less
Photo of Krissy Chapman Krissy Chapman

Kristen “Krissy” Chapman is an associate in the firm’s Washington, DC office. She represents and advises clients on a range of cybersecurity, data privacy, and government contracts issues, including cyber and data security incident response and preparedness, cross-border privacy law, government and internal…

Kristen “Krissy” Chapman is an associate in the firm’s Washington, DC office. She represents and advises clients on a range of cybersecurity, data privacy, and government contracts issues, including cyber and data security incident response and preparedness, cross-border privacy law, government and internal investigations, and regulatory compliance.

Prior to joining the firm, Krissy served as a consultant in both the private and public sectors, advising clients across a range of industries, including transportation and infrastructure, life sciences and healthcare, and national security.

Read more about Krissy Chapman
Show more Show less