
The United States Department of Justice (DOJ) recently announced another settlement agreement showing that DOJ continues to prioritize cybersecurity enforcement under the False Claims Act (FCA). According to the press release, government contractor Illumina Inc. (Illumina) agreed to pay $9.8 million to settle its FCA matter, which arose from allegations related to the company’s cybersecurity practices in connection with government contracts—a priority area we have seen increasingly highlighted in recent DOJ settlements.
The Illumina Settlement
Illumina is a biotechnology company that manufactured and sold genomic sequencing systems—technology used in genetic testing to determine organisms’ DNA sequences—to various federal agencies. Illumina’s former Director of Portfolio and Program Management filed the qui tam suit in September 2023 after she was allegedly terminated by Illumina for raising certain cybersecurity concerns.
According to the Settlement Agreement, Illumina’s genomic sequencing systems operated with Local Run Manager (LRM) and/or Universal Copy Service (UCS) software, which suffered from cybersecurity vulnerabilities, and Illumina did not have the product security program or quality measures necessary to identify and address these vulnerabilities. As in other recent FCA cybersecurity settlements, there was no allegation that an actual cybersecurity breach had occurred in connection with Illumina’s products. DOJ nonetheless considered Illumina’s claims for payment from these federal agencies for its products to be false, alleging that Illumina (i) knowingly failed “to incorporate product cybersecurity in its software design”; (ii) “failed to properly support and resource” its product security efforts; (iii) “failed to adequately correct design features that introduced cybersecurity vulnerabilities” in the products; and (iv) falsely represented that the software adhered to certain cybersecurity standards.
Illumina denies these allegations but agreed to pay nearly $10 million to settle the claims, of which the qui tam relator will receive $1.9 million as her share of the recovery.
The conduct giving rise to the settlement occurred between 2016 and 2023. Notably, the Complaint alleged that Illumina had previously disclosed security vulnerabilities in two of its products to the government in connection with certain recalls in 2022 and 2023, but that those vulnerabilities predated the disclosures and remained in other Illumina products afterwards, threatening the integrity of the products’ testing data and compromising patient confidentiality.
Recommendations
Government contractors and other recipients of federal funds should consider the following steps to enhance cybersecurity compliance and reduce FCA risk:
- Inventory all government-imposed cybersecurity standards and monitor compliance. Compile a comprehensive list of every cybersecurity requirement that applies to the organization and of the systems each requirement covers. These requirements may arise not only from prime contracts with the government but also from subcontracts, grants, or other federal programs. Meeting them requires ongoing knowledge of the organization’s contracts as well as continuous monitoring and assessment of the organization’s cybersecurity program to identify and patch vulnerabilities and to evaluate compliance with contractual cybersecurity standards. That assessment should also account for third-party relationships.
- Develop and maintain a robust and effective compliance program that addresses cybersecurity issues. In many companies, the compliance program and information security functions are not well integrated. An effective compliance program will address cybersecurity concerns and encourage employees to report such concerns. When concerns are identified, it is critical to escalate and investigate them promptly. And companies should take care to ensure that there is no retaliation against employees who report concerns in good faith.
- Where non-compliance with cybersecurity standards is identified, organizations should evaluate potential next steps. This includes whether to disclose the matter to the government and cooperate with government investigators. Organizations should work with experienced counsel in this regard. Proactively mapping out a strategy for investigating and responding to potential non-compliance can instill discipline in the process and streamline the organization’s approach. And a proactive approach may mitigate the consequences down the line.
For questions about cybersecurity and the False Claims Act, please contact the authors or your Foley & Lardner attorney.