Justice Muse

When faced with the question of whether to self-disclose, companies often question the benefit of such a disclosure. There are a few important takeaways here.

First, this resolution is a great example of what a [seemingly] successful self-disclosure looks like. Based on the settlement and the press release, it appears that Verizon identified issues related to compliance with certain cybersecurity controls; provided the Government with a written self-disclosure; initiated an independent investigation and compliance review of the issues; and, provided the Government with detailed subsequent written disclosures. Apparently, Verizon also identified individuals involved in or responsible for the issues, assisted in the damages analysis, and remediated the identified issues, among other things. Verizon is demonstrating here what true cooperation looks like and how such cooperation can result in better results for the company. And, as a result of this level of cooperation, Verizon paid a 1.5 multiplier—substantially less than its potential exposure under the False Claims Act, which can be 3x the loss to the Government plus penalties.

Second, clients often ask about what makes a case criminal versus civil. By self-disclosing in a timely manner where the misconduct is clear, and cooperating with an investigation, the company can often avoid criminal liability. Once company management is made aware of misconduct, by continuing to engage in the conduct and failing to disclose such conduct (similar to the allegations set forth in the Booz Allen qui tam complaint), management exposes the company to civil and, possibly, criminal liability. In contrast, when companies voluntarily disclose such conduct, they can elect the venue of that disclosure, like whether to the approach the contracting agency directly or DOJ’s Civil Division. Likewise, by disclosing conduct, a company may avoid severe administrative remedies like suspension or exclusion.

Third, though we don’t know when Verizon submitted this self-disclosure, it appears that this process took less than 2 years given that the conduct ended in 2021—substantially shorter than most investigations initiated by qui tam complaints. This translates to lower (gasp) legal and expert costs for the company and, generally, lower reputational costs to the company and, ultimately, shareholders.

Finally, this resolution further demonstrates the Department’s commitment to the Cyber-Fraud Initiative that the Government launched in 2021. Meeting cybersecurity controls and requirements continues to be an area of the focus for the Government—companies should make sure they are staying abreast of their obligations of under their respective agreements to avoid pitfalls and disclose issues as necessary.

A link to the press release is provided here.