Cybersecurity Risk Management and False Claims: A University’s Legal Dilemma


Rick Lemieux – Co-Founder and Chief Product Officer of the DVMS Institute

The intersection of cybersecurity and legal liability is a complex and increasingly relevant issue for research universities. As these institutions rely more on digital infrastructure to conduct their research and operations, the risk of cyberattacks and data breaches has grown significantly. In recent years, the U.S. Department of Justice (DOJ) has taken a more aggressive stance against entities failing to protect sensitive information, including universities. In particular, the DOJ has pursued false claims cases against universities that have received federal grants but have allegedly misrepresented their cybersecurity practices.

The False Claims Act (FCA) is a federal law that allows individuals to sue on behalf of the government and recover damages for false claims submitted to the federal government. While the FCA has traditionally been used to target fraud and waste in government contracting, it has also been applied in cases involving cybersecurity breaches. The DOJ has argued that universities that receive federal grants must protect the government’s interests and that failure to do so can constitute a false claim.

The DOJ has several theories of liability in false claims cases involving cybersecurity. One theory is that universities may make false claims by misrepresenting their cybersecurity practices in grant applications or progress reports. For example, a university may claim to have implemented specific security measures that are in fact inadequate or not in place at all. Another theory of liability is that universities may be liable for false claims if they fail to disclose known cybersecurity vulnerabilities or breaches to the government.

The DOJ has also pursued false claims cases against universities that have suffered data breaches involving sensitive government information. In these cases, the DOJ has argued that the universities’ failure to protect the data constitutes a false claim because it deprives the government of the full benefit of its grant.

The potential consequences of a false claims case can be severe for universities. In addition to monetary damages, universities may face reputational harm, loss of federal funding, and even criminal charges. To avoid being charged with a false claim, universities must take proactive steps to strengthen their cybersecurity risk management practices.

Here are some key considerations for universities seeking to mitigate their legal risk:

  • Conduct a thorough cybersecurity risk assessment: This assessment should identify potential threats and vulnerabilities and their possible impact on the university’s operations and research activities.
  • Develop a comprehensive cybersecurity plan: The plan should outline the steps the university will take to mitigate identified risks, including policies, procedures, and technologies.
  • Implement strong security controls: These may include firewalls, intrusion detection systems, encryption, and access controls.
  • Provide cybersecurity training to employees: Employees should be trained to recognize and report phishing attempts, malware, and other cyber threats.
  • Regularly monitor and test cybersecurity systems: Regular monitoring and testing can help identify and address vulnerabilities before they are exploited.
  • Report cybersecurity incidents to the government: If a university experiences a data breach or other cybersecurity incident involving government data, it must report the incident to the appropriate government agency.
  • Foster a culture capable of mitigating cyber risk: A weak cybersecurity culture is a top risk for any organization. Universities must ensure that their culture can protect their digital business performance and resilience and preserve the government’s trust in them.

By taking these steps, universities can significantly reduce their risk of being charged with a false claim. However, it is essential to note that cybersecurity is an ongoing process, and universities must continually adapt their practices to address emerging threats.

About the Author

Rick Lemieux
Co-Founder and Chief Product Officer of the DVMS Institute

The DVMS Institute teaches organizations of any size, scale, or complexity an affordable approach to mitigating cyber risk to protect digital business performance, resilience, and trust.

Rick has 40+ years of passion and experience creating solutions to give organizations a competitive edge in their service markets. In 2015, Rick was identified as one of the top five IT Entrepreneurs in the State of Rhode Island by the TECH 10 awards for developing innovative training and mentoring solutions for boards, senior executives, and operational stakeholders.

© DVMS Institute 2024 All Rights Reserved
