Important Takeaways from Insight Global's $2.7 Million Cybersecurity Settlement
By Bill Josey
Recently, the United States Department of Justice issued a press release publicizing a $2.7 million settlement payment extracted from staffing agency Insight Global, proclaiming:
Insight Global LLC, headquartered in Atlanta, Georgia, has agreed to pay $2,700,000 to resolve allegations that it violated the False Claims Act by failing to provide adequate cybersecurity to protect health information obtained during COVID-19 contact tracing.
Data breach liability is a new legal frontier. I previously reported on recent class actions arising out of data breaches involving personal information. In these cases, class action lawyers often struggle to find a way to recover significant dollars when the individuals they represent did not suffer an ascertainable loss due to the breach. To date, these lawyers have not been particularly successful (by class action standards), but do not underestimate their ability to get help in the future from state legislatures.
The Insight Global settlement brings to light a path that can lead to large cybersecurity payouts, even if no actual harm results - the federal False Claims Act. You do not have to be a contractor or subcontractor with a federal agency to face this exposure. It is enough that federal money went into the project you contracted to work on (your contract documents often contain tipoffs in this regard). Notably, as illustrated by this case, there does not even have to be an actual data breach for False Claims Act exposure to attach, just a situation in which poor cybersecurity leads to potential exposure of protected data on a federally funded project.
Background
During the pandemic, a number of staffing firms performed COVID-related services. Insight Global was one of these companies, contracting with the State of Pennsylvania to conduct state-wide contact tracing and notification, funded to a degree by the Federal Government. According to news reports, Insight Global made approximately $29 million on the project, during which the firm hired around 900 contact tracers. Can you say "windfall"?
The contract signed by Insight Global contained this awkwardly written cybersecurity provision:
the contact tracing workforce will have access to personal health information of contact tracing subjects and must ensure that and all other such information related to the services being provided must be kept confidential and secure.
As an aside, contractual promises to "ensure" performance should be avoided if possible (and when negotiating with staffing clients, this may not be possible). This provision can lead to automatic liability if something goes wrong, because there is no requirement of fault. A better approach would be to promise "commercially reasonable efforts," which at least gives your defense lawyer something to work with. A promise to "ensure" data security is especially dangerous in a world where even the most sophisticated companies routinely become victims of cyber-crime.
The Insight Global Settlement Agreement (attached below) describes how the company violated the cybersecurity provision:
[S]taff provided by Insight Global pursuant to the contract received certain personal health information and/or personally identifiable information of contact tracing subjects in the body of unencrypted emails, including emails sent by government personnel to Insight Global; shared passwords used to access such information with each other; and stored and transmitted such information using Google files that were not password protected and were potentially accessible to the public via internet links.
That's it. There is no allegation that the personal information was actually released or viewed by outside parties. It was just insecure, and potentially accessible by others, as stated in the Justice Department's press release:
The United States ... alleged that from November 2020 through January 2021, Insight Global managers received complaints from Insight Global staff that such information was unsecure and potentially accessible to the public, but Insight Global failed to start remediating the issue until April 2021. At that point, Insight Global addressed the issue, including by securing such information, investigating the cause and scope of the incident, strengthening internal controls and procedures, adding more data-security resources, and issuing a public notice regarding the scope of the potential exposure and offering free credit monitoring and identity protection services to those affected.
It is likely that the lengthy delay in responding to the weakness contributed to the DOJ's interest in pursuing this case. Any company with suspected exposure of personal data should immediately treat the situation as an emergency and contact a knowledgeable attorney or data security consultant.
The False Claims Act
Federal funding brings with it exposure to the False Claims Act, a federal statute that allows private citizens to file lawsuits (called “qui tam” suits) on behalf of the government and receive a portion of any recovery that ensues as a reward. Recoveries can be large, because the FCA allows for treble damages. It was originally enacted during the Civil War to help combat fraud by suppliers to the Union army, and it is often referred to as a fraud-fighting tool. However, as we shall see, it can cover conduct that you might not think of as fraud in the ordinary sense. Use of the FCA is on the rise. In 2023, a record was set for FCA recoveries:
Included in this number was an increasing number of cybersecurity-related awards:
Anyone can file a lawsuit under the FCA, but the goal is not for the plaintiff (known as the "Relator" in legal jargon) to litigate the case. The goal is to get the interest of the local U.S. Attorney and have them step in and take over the lawsuit. Then all the Relator does is sit back and wait for their reward.
The Insight Global lawsuit
The case began with a False Claims Act lawsuit against Insight Global by an individual. The plaintiff, Terralyn Williams Seilkop, is a former Business Intelligence contract worker (independent contractor) for Insight Global. The DOJ's press release characterizes her as a "whistleblower," but that description is not accurate if you consider a whistleblower to be someone who comes forward to expose a concealed wrong. Seilkop filed her False Claims Act lawsuit on July 30, 2021, some three months after Insight Global voluntarily disclosed the security weaknesses and remediated them. And it paid off - Seilkop will receive a $499,500 False Claims Act reward from the settlement proceeds, plus $86,200 for attorney's fees and legal expenses.
The government's motive
Insight Global did the right thing, albeit belatedly, remediating the weak security and making public disclosure. Nevertheless, the company lost the contract with Pennsylvania and received a considerable amount of negative publicity. But the punishment wasn't over. What would motivate the federal government to come down so hard on what appears to be a "no harm-no foul" situation? This sentence in the DOJ's press release provides the answer:
On October 6, 2021, the Deputy Attorney General announced the Department’s Civil Cyber-Fraud Initiative, which aims to hold accountable entities or individuals that put sensitive information at risk by knowingly providing deficient cybersecurity products or services, knowingly misrepresenting their cybersecurity practices or protocols, or knowingly violating obligations to monitor and report cybersecurity incidents. Information on how to report cyber fraud can be found here.
The keystone of the Civil Cyber-Fraud Initiative is the False Claims Act:
The Civil Cyber-Fraud Initiative will utilize the False Claims Act to pursue cybersecurity related fraud by government contractors and grant recipients. The False Claims Act is the government’s primary civil tool to redress false claims for federal funds and property involving government programs and operations.
As far as the federal government is concerned, unreported deficient cybersecurity can be "cyber security fraud" that subjects a company to False Claims Act liability. Clearly, the Feds are out to send a message about cybersecurity, and the Insight Global FCA lawsuit provided them with an opportunity to do just that. No doubt a big factor here was the delay in responding to the weaknesses after they were reported by employees.
Could Insight Global have fought the case and won with an argument that the circumstances did not rise to the level of a false claim? Perhaps, but those of us who have litigated against federal agencies with limitless resources know that prudence often dictates a graceful surrender. The full Settlement Agreement is attached below.
The takeaways
- Companies performing on federally funded contracts have significant exposure to cybersecurity lawsuits and damages under the False Claims Act.
- The Justice Department's Civil Cyber-Fraud Initiative is on the hunt for cases to pursue, and actions are on the rise.
- Taking the Civil Cyber-Fraud Initiative to its extreme, any data security weakness might lead to FCA liability. But late (or no) reporting/remediation of a known weakness or breach is most likely what the DOJ is after.
- Many, if not most, cybersecurity lapses are caused by lack of employee training, not technical system shortfalls.