Caveat 2.24.22
Ep 114 | 2.24.22

The False Claims Act (FCA) as it relates to cybersecurity.

Transcript

Stacy Hadeka: Many companies who don't think of themselves in the traditional sense as a government contractor or grant recipient may actually be a subrecipient or subcontractor that would still be subject to the False Claims Act.

Dave Bittner: Hello, everyone, and welcome to Caveat the CyberWire's privacy, surveillance law and policy podcast. I'm David Bittner, and joining me is my co-host, Ben Yelin, from the University of Maryland's Center for Health and Homeland Security. Hello, Ben. 

Ben Yelin: Hello, Dave. 

Dave Bittner: Today, Ben has the story of a tech firm offering facial recognition technology to city governments to help them ID homeless people. I share the struggles of digital libraries in a world of stringent copyright laws. And later in the show, my conversation with Mike Theis and Stacy Hadeka from Hogan Lovells. We're discussing the False Claims Act and how it relates to cybersecurity. While this show covers legal topics and Ben is a lawyer, the views expressed do not constitute legal advice. For official legal advice on any of the topics we cover, please contact your attorney. 

Dave Bittner: All right, Ben, let's share some stories here. You're up first, what do you got? 

Ben Yelin: So mine comes from our old friend Joseph Cox at Motherboard by Vice. It's been a while since we've done a Joseph Cox article. 

Dave Bittner: (Laughter). 

Ben Yelin: I feel like we have some sort of quota, so... 

Dave Bittner: (Laughter) That right. 

Ben Yelin: ...I'm glad we're going back to him. 

Dave Bittner: I have to put him on the payroll. 

Ben Yelin: Exactly. 

Dave Bittner: Yeah. 

Ben Yelin: So the article is entitled "Tech Firm Offers Cops Facial Recognition to ID Homeless People." This is about a firm called ODIN Intelligence. They have a fantastic Viking-themed logo... 

Dave Bittner: (Laughter). 

Ben Yelin: ...If I might say so myself. 

Dave Bittner: OK. 

Ben Yelin: And they are selling to police departments across the country the capability to identify and pull up information on people experiencing homeless. And they would do that through facial recognition technology. Seemingly, the benefits of this technology would accrue to homeless people themselves. So the name of this, which sounds kind of Orwellian, frankly, is the homeless management information system. I think the original impetus behind this is, you know, you could better manage your homeless problem by seeing which people were in shelters, which people were violating their parole. You know, you can get information on, you know, people who have outstanding warrants. So if you're doing, you know, that type of surveillance and using facial recognition technology, that might help you solve crimes. 

Dave Bittner: Yeah? 

Ben Yelin: The way this organization is selling this to police departments is kind of saying, this is a way to help solve your homelessness problem in terms of policy. So they have a slide here. And this was all, I think, leaked to this document by a source. And the slide has a what's the problem section. And they discuss, you know, why homelessness is a problem - crime, unchecked predatory behavior, poor hygiene, parentheses, (use street as a restroom), panhandling and petty crimes. So that's the pitch to these city governments. You're getting, you know, people who are degradating your city's culture, potentially, off the streets. You can identify them. And, you know, that's your way to, as a policy, help solve this homelessness difficulty. With something as pervasive as this, you run the risk of pretty severe violations of civil liberties. 

Ben Yelin: So for example, you know, we've heard about Google collecting images on homeless people - or Google contractors, rather - scanning unhoused people to help accumulate data for their own facial recognition software to help augment that software. So, you know, the fact is that this information could be used for those nefarious purposes without the consent of homeless people who are being surveilled - you know, and then there's, of course, the civil liberties concerns of subjecting people who don't have homes to this level of electronic surveillance. You know, one of the hallmarks of our Fourth Amendment is a person's home is his or her castle, meaning there is an extra layer of protection - constitutional protection - within one's home. And there's only so much the government can do without a warrant to spy on people in their own homes. 

Ben Yelin: So you have this major issue here where you have a population of people who don't have that. They don't have that proverbial castle. And now, you know, they are being subjected to a pretty invasive method of electronic surveillance, supposedly for their own good. But I just think it's something I would certainly be concerned about from a policy perspective. 

Dave Bittner: Can I play devil's advocate here and just, you know... 

Ben Yelin: Always, yeah. 

Dave Bittner: ...Wonder that - 'cause I could see there being the ability of a city to keep tabs on the movement of this group of people. Who's staying where? Where are they sleeping? You know, what facilities are they using? - so on and so forth. If you are trying to have a good faith approach to helping this population, that would be useful data, wouldn't it? 

Ben Yelin: Absolutely. And not only is it useful, potentially, for these cities. You know, I think there really are benefits to homeless people themselves, as long as they are consenting to it. 

Dave Bittner: Right. 

Ben Yelin: So, you know, it does offer - if a homeless person has access to a smartphone, they could download an application. You could check in from the street, and you can have a bed reserved at a shelter, potentially. So, you know, this isn't a situation where you have a piece of technology that has no beneficial use. You mentioned some of the benefits to a city or a city government. And there are benefits for the homeless person themselves. It is a homeless person management system. So, you know, if it provides people information, you know, based on your GPS data of the nearest shelter and whether there's bed availability, that could certainly be useful. 

Dave Bittner: Yeah. 

Ben Yelin: You know, I think it's important to flag, though, because with every type of technology like this, there always is the potential for abuse. And here, we're literally talking about some of the most marginalized people who don't have the resources to fight back if their images are used, you know, for purposes that aren't, you know, pursuant to their own consent. 

Dave Bittner: Right. 

Ben Yelin: So that would be my concern here. 

Dave Bittner: It's a fascinating thing. I must admit that I never really pondered the notion of how much of our rights are tied to our homes... 

Ben Yelin: Right. 

Dave Bittner: ...That the - so many things about being searched and privacy - your right to privacy is tied to the ability to go inside your home, your apartment, wherever you live and close the door. 

Ben Yelin: Right, exactly. 

Dave Bittner: And if you don't have that, you lose a lot of what I think many people would agree are fundamental rights as U.S. citizens. 

Ben Yelin: Right. I mean, you really don't have a reasonable expectation of privacy. You know, our common law going back centuries really associates privacy with, as you say, one's home. And we have this public view doctrine where if you are seen in public, you really don't have a reasonable expectation of privacy. But if you don't have a place to go, if you don't have your own property or any rental property, then you are, by definition, constantly in public and might be, you know, confined to a situation where you're facing 24-7 surveillance. 

Dave Bittner: Right. 

Ben Yelin: The other thing I'll mention here is, you know, is this actually the best use of our resources, as this company claims, for solving the homelessness problem? And they talked to Chris Gilliard, a research fellow with the Technology and Social Change Research Project at Harvard. They talked to Motherboard for this article. And he's basically saying, this is, you know, just not the most efficient use of money that could actually be used to house people. We know what people need - stable, permanent housing. 

Dave Bittner: Right. 

Ben Yelin: We've seen in social science experiments that pretty much just giving people housing is the best way to solve the homelessness problem. 

Dave Bittner: Yeah. 

Ben Yelin: So, you know, in his view, we are using what he refers to as a tech-laden scheme to solve a problem where we already know what works. So even if this technology is intended to transcend hardship, you know, if we really wanted to transcend hardship, we would just cut out this middleman and just give people housing. 

Dave Bittner: Get rid of the hardship. 

Ben Yelin: Exactly. 

Dave Bittner: Don't - yeah - symptoms versus cause, right? 

Ben Yelin: Right. And then we wouldn't have these privacy problems. If we were to house homeless people... 

Dave Bittner: Right? 

Ben Yelin: ...Then everybody would have a home that is their castle and would be afforded those privacy protections. 

Dave Bittner: Yeah. 

Ben Yelin: So it's just - it's about a population that, frankly, we don't think about enough and we don't think about enough in the context of the surveillance state. So I thought it was a really interesting article to shine light on that issue. 

Dave Bittner: Yeah, absolutely. All right. Well, we will have a link to that in the show notes. 

Dave Bittner: My story this week comes from ZDNet. This is an article written by Chris Freeland, and it's titled "Librarian's lament: Digital books are not fireproof." And it sort of leads off talking about how, you know, we've seen - lately, there have been a lot of school boards and lawmakers who've been on a bit of a tear banning books from libraries in public schools. 

Ben Yelin: Yup. 

Dave Bittner: And so there's been this push for what a gentleman named Jason Perlow referred to as a freedom archive, which is a digital repository of banned books. The notion being that you can't burn a digital book. But really what this article gets to is that there are online attempts at repositories - the Internet Archive probably being the best-known one, who tries to do exactly what their name is, you know, archive all of the world's stuff - books, media, images, all that kind of stuff. And that comes up against copyright law. And some of these publishers use copyright law to keep these online libraries from housing the things they want to house, from being able to share them. This is fascinating to me, Ben, because as a lover of libraries and having, you know, grown up in a community... 

Ben Yelin: Absolutely. 

Dave Bittner: ...Be fortunate enough to have grown up in a community that places a lot of value on libraries and so has invested in high quality libraries, I have wondered as we've continued our journey, you know, down this digital road, if we didn't have libraries and the notion of libraries were brought up today - I don't think we could have libraries. 

Ben Yelin: Never. We would get these attacks on, you know, how can you give these things out for free? This is a waste of government resources. 

Dave Bittner: Right. 

Ben Yelin: Yeah. 

Dave Bittner: If someone wants to read a book, they should buy a book - and because it's not fair to the publisher or the author. 

Ben Yelin: Exactly. It's their intellectual property. 

Dave Bittner: Right. 

Ben Yelin: Why are giving this away for free? Exactly. 

Dave Bittner: Right. Right. 

Ben Yelin: Now, luckily, our legal system has taken that into account. Under our copyright law, there is this fair use doctrine. 

Dave Bittner: Yeah. 

Ben Yelin: Fair use doctrine allows you to not publish - but to make content available under a variety of exceptions to the Copyright Act. So, for example, you know, parody is generally fair use. 

Dave Bittner: Right. 

Ben Yelin: Using something for academic purposes, highlighting somebody else's work without the intention to profit off of it generally qualifies as fair use. The fair use doctrine has allowed libraries to flourish because it is fostering the ability of people who don't have access - financial resources to buy books or, you know, just people who don't have access to books in the first place the ability to read those books. And that's why libraries have been able to serve the public despite these copyright laws. 

Ben Yelin: But now we had this instance last year or a couple of years ago now where the COVID pandemic hit, public libraries, the physical locations were closed. They were trying to allow people to check out digital versions of books. And they were subject to these lawsuits from major publishers saying, you know, we have an intellectual property interest in this publication, and this is a violation of our intellectual property rights. And you can see, I think what this article is getting at is, you know, the slippery slope there where, you know, digital publications might be a saving grace to help us have access to some of our most notorious pieces of literature in the event that the physical copies are sequestered or censored. And so I think it's important to maintain that capability. 

Dave Bittner: Yeah. A couple of things come to mind here for me. I mean, one, with our own library system - my wife is a big user of our library system and particularly some of the digital capabilities that they have. And so she can sign out books, you know, online, read them on her digital device, and it works great. But one of the things that at least the way that our library system works is that they have a limited number of copies of even the digital books. 

Ben Yelin: Right. 

Dave Bittner: So you have to sign them out and you have to check them back in. And this seems to be reasonable to me. Like, I would imagine that our library system is paying the publishers for X number of books to be put into circulation the same way that they would pay the publisher to have X number of books on the shelf. And you can sign up to be on a waiting list for that, you know, hot new novel that came out, right? 

Ben Yelin: The newest "Harry Potter." 

Dave Bittner: Yeah. Right. So it seems to me like that part of this is manageable. The other side, though, that kind of bugs me is that if I buy a book at a bookstore and I enjoy the book and I say, oh, you know what? I would love to share this book with my friend Ben. When I'm done with the book, I can hand the book to you. You can take the book home. You can read the book. No more money spent on that book. I can't do that with a digital copy. 

Ben Yelin: Right. I mean, at this point, no, you cannot. You can't just let somebody borrow it. 

Dave Bittner: Right. 

Ben Yelin: Yeah. I mean, you'd have to either do things that might violate somebody else's copyright protection or just not give that book to somebody else. 

Dave Bittner: Yeah. 

Ben Yelin: There is that restriction on sharing that you don't see in, you know, the physical copy of books. 

Dave Bittner: Yeah. 

Ben Yelin: I think what he mentions here is you're fearful of a situation where some local government entity, whether it's a school board or a city council, bans a book or forbids a book from being taught in schools. That could potentially be pulled from a digital library's bookshelf. And then you have a situation where, in effect, you are censoring digital books. You are able to burn digital books. And then you use that sort of resource of last resort, which is books available even if they've been banned in physical form. And I think that's kind of a problem that needs to be addressed. I'm glad that there are organizations out there like the Internet Archives that are trying to address this problem. 

Dave Bittner: Yeah. Yeah, absolutely. All right. Well, it's an interesting article. Again, it's from Chris Freeland over at ZDNet. We will have a link to that in the show notes. We would love to hear from you. If you have a story you'd like us to cover or a question for me or for Ben, you can send us an email. It's caveat@thecyberwire.com. Ben, I recently had a really interesting conversation with Mike Theis and Stacy Hadeka from law firm Hogan Lovells, and we discussed the False Claims Act. Boy, did I get a really - education on the False Claims Act and specifically how it relates to cybersecurity. I really enjoyed this one. Here's my conversation with Mike Theis and Stacy Hadeka. 

Mike Theis: So the Federal False Claims Act is actually a statute that is very familiar to companies that do business with the federal government. But for those who are not familiar with the act, it is the primary tool used by the United States Department of Justice to pursue enforcement against people who present false claims to the United States for payment. So the act was originally enacted during the Civil War, signed into law by President Lincoln in 1865. 

Mike Theis: And back in the Civil War, it was used for what you might expect, companies that were selling shells to the United States that had gunpowder or had sawdust instead of gunpowder, lame mules, rancid meat being sold to the Union Army, that sort of thing. And over the last 150, 160 years, it has been applied to every type of government procurement, grants, programs. basically anything that involves federal dollars can result in investigations and enforcement under the Federal False Claims Act. 

Dave Bittner: And, Stacy, how would someone typically find themselves running afoul of the FCA? 

Stacy Hadeka: Yes. So the False Claims Act, at least with respect to government procurement, usually contractors or grantees when they have requirements as part of their contract end up not complying with those specific requirements and then submit false claims for payment. And of course, Mike understands kind of the more nuances of that or the more technical aspects of that. But ultimately, if the company is representing itself as being compliant but in turn is not compliant and it results in a misrepresentation, that type of entity could find itself subject to False Claims Act liability because it's induced the federal government to give it funds, even though, ultimately, it wasn't compliant with the requirements in order to get those funds. 

Dave Bittner: So we want to focus on some of the elements of the False Claims Act that could be applied to cybersecurity. As we make our way through 2022, is it fair to say that there's an enhanced focus on cybersecurity from the Department of Justice? 

Mike Theis: Absolutely. The Biden administration and the Department of Justice, under Attorney General Merrick Garland, has clearly made it a priority to encourage American companies, and especially those who do business with the federal government, to harden their defenses against computer intrusions, breaches and cyberattacks. And the way that they have gone about doing that is by announcing an initiative for civil cyber-fraud enforcement. Back in October of '21, they rolled out this initiative. And the idea is to, you know, sort of roll out the red carpet for private whistleblowers to come forward with information about failures of companies to comply with their cybersecurity requirements in terms of software and defenses and other things that may be required by contract, regulation or other law - and to use the False Claims Act as the way of incentivizing companies to making sure that they comply. 

Mike Theis: So the way that that works is, as you may know, the False Claims Act does and has, since the Civil War, included provisions for private citizens to file suit. The so-called qui tam provisions of the False Claims Act created financial incentives for people to come forward and file suit on behalf of the United States. The United States investigates and can either take over the case and handle it itself or can decline and let the private citizen go forward with the suit. The False Claims Act was overhauled in 1986 to substantially enhance those private whistleblower provisions. And since 1986, the Department of Justice has had a really extraordinary record of successes in enforcement under the False Claims Act. And so the idea was to take that tool, which is very effective, and combine it with the skills that the department has in investigating procurement fraud more generally and to create strong incentives for companies to be compliant, and to make sure that they are doing the things that are required under their contracts or by regulation, with respect to cybersecurity and defenses against intrusions breaches. 

Stacy Hadeka: I was just going to mention that there's already been a few cybersecurity False Claims Act cases that we've seen and, of course, we think the government certainly going to leverage as they pursue False Claims Act allegations and investigations going forward. And two of those - one involved a leading IT company, where a whistleblower actually alleged vulnerabilities in certain computer systems that were furnished to the federal government. That case was ultimately dismissed. But there is currently an ongoing case with respect to a leading defense contractor in the aerospace industry sector, also with respect to whistleblower allegations. It was alleged that the company made false statements regarding its compliance with respect to DOD and NASA cybersecurity requirements. And so again, we've already kind of seen a playbook laid out for some cases in this area, where DOJ, of course, can leverage as it moves forward with new investigations. And the case I was mentioning with respect to the leading aerospace and defense contractor, that's currently ongoing and survived a round of motions to dismiss, and then summary judgment motions, and is moving forward onto the merits. 

Mike Theis: I should also say, Dave, that in rolling this initiative out, the department expressly said that there would be three specific areas that they would be looking at for enforcement. One is companies who knowingly provide deficient cybersecurity products or services. Second is knowingly misrepresenting cybersecurity practices or protocols. And then third is knowingly violating obligations to monitor and report security incidents and breaches. And each of those presents a different manner in which enforcement can take place. But I think it's important to underscore that the department has also made clear that they're not going to wait for a breach before they go after a company under the False Claims Act. 

Mike Theis: These requirements may be specifically spelled out in the contractual requirements of the procurement contract. The Department of Defense may be buying a weapon system or an aircraft or something else. But if there are cybersecurity requirements built into that contract, as there are in virtually all Department of Defense contracts, and the contractor fails to deliver the cybersecurity measures that are called for, they can be investigated and sued under the False Claims Act, notwithstanding the fact that there hasn't been a breach yet, you know? 

Mike Theis: Certainly, I think the public is generally familiar with, you know, some of the very significant breaches and intrusions that have taken place in really almost every industry in the United States. And there can be significant ramifications for those breaches. And I think where they take place, the department will also be looking at possible enforcement under the False Claims Act. But what they are trying to emphasize is if you fail to deliver the security you promised under your contract or that is required by regulation, you know, you can be subject to investigation and enforcement under the False Claims Act even without an actual breach taking place. 

Mike Theis: Interesting. Can you give us some insights as to what is considered to be the basic level of cybersecurity required? And part of my question is that obviously companies who are providing cybersecurity services have to meet the obligations of their contract. But if I'm supplying something to the government that isn't directly cybersecurity related, if I'm making hammers or nails or, you know, something like that, to what degree do I need to be concerned about this? 

Mike Theis: Yeah. I think that's a good one for you to take, Stacy. 

Stacy Hadeka: Yeah. No, I'm happy to answer. And so currently there is no government-wide standard for cybersecurity requirements. There is a FAR clause under the Federal Acquisition Regulations. It's a safeguarding clause that does apply to the majority of government contractors. That relates to specific information called federal contractor information. And certain contractors are actually exempt for those requirements, which - those that provide commercially available off the shelf items, so what we call COTS items. And so those types of contractors are not subject actually to the FAR safeguarding requirements. And those best practices are about 15 NIST 800-171 standards or safeguards that the federal government has identified as what should be the baseline best practices for all contractors. 

Stacy Hadeka: Of course, as Mike was mentioning, at DOD, you still may have contractors that do sell boots, for instance, and you would think that they may not have to be subject to such stringent requirements because on the DOD side of the house, you have the Defense Federal Acquisition Regulation Supplement, the DFARS clause that imposes adequate security requirements that are at a heightened level than those found in the Federal Acquisition Regulations. But I've heard a lot of scenarios, for instance, where that boot manufacturer, as we're getting into the smart world, there may be a chip in those boots one of these days that might be able to actually track those military personnel of where they're being located or how they're moving on the ground to get certain types of information. And so even those manufacturers of items that you may not think would actually be subject or should be subject to various cybersecurity requirements, the DOD has identified those types of manufacturers still as being important and subject to the various requirements. 

Mike Theis: Yeah. I think, Dave, your question is a really good one because I think there might be a tendency to look at this initiative and say, well, you know, we don't manufacture computers or IT infrastructure and sell it to the United States government. And so we don't need to worry about this. And I don't think that's correct. In other words, there are requirements imposed on all kinds of companies that do business with the government. And I'll just give you a couple of examples. You know, think of an institution of higher education, a college or university that is doing research for the United States, you know, a highly sensitive topic, whether it is related to national security or defense or health or anything else. There may be, you know, very specific requirements imposed on that college or university in terms of what kinds of defenses they need to have against breaches and intrusions. And if they don't deliver, they are vulnerable to investigation and enforcement. 

Mike Theis: You know, same thing with a - an insurance company or a contractor in the health care space that is doing business for the federal government, a Medicare contractor that's processing claims for the United States. Well, it turns out that that health information that's being processed by a contractor like that is also highly sensitive and confidential and highly desirable for the kinds of people who engage in these intrusions and breaches, you know, for their own criminal enterprises. And so there are very specific requirements that are imposed on a company like that. And again, if they fail to meet the cybersecurity requirements that are imposed on them by contractor regulation, they're vulnerable to investigation and enforcement. 

Stacy Hadeka: Of course, there are - I mentioned the regulations that government contractors would potentially be subject to based on FAR and DFARS clauses that are included in their contracts, but a lot of the federal agencies, especially on the civilian side, impose ad hoc requirements. And so again, to Mike's point, no matter what industry you're in, you may be handling taxpayer information in processing payments for tax refunds. That particular type of company will still be subject to unique cybersecurity requirements. And, of course, the IRS, for instance, has imposed and implemented its own requirements outside of those standard foreign DFARS clauses. 

Stacy Hadeka: And so companies from all different industries, all levels of federal contracting and getting - and also grant recipients, of course, should be paying attention to this initiative, as it also doesn't just impact a prime government contractor, direct grant recipient. But that can also impact those subcontractors or sub-recipients that are also working under a federal contractor grant. And so many companies who don't think of themselves in the traditional sense as a government contractor or a grant recipient may actually be a sub-recipient or subcontractor that would still be subject to the False Claims Act. And those cybersecurity requirements tend to flow down. 

Mike Theis: Yeah, that's a great point, Stacy. Just to expand on that a little bit, the reach of the False Claims Act is extensive. It extends not only to those companies that are doing business directly with the United States government but to anyone who causes a false claim to be presented to the United States. And so, as Stacy said, that can mean vendors or subcontractors to the prime contractors to the United States who may have these requirements imposed on them as well by contractor regulation or otherwise. 

Dave Bittner: So is it fair to say that, in terms of companies assessing how they need to approach this, that this is more of a risk-assessment exercise rather than a kind of a checkbox, black-and-white, hey, we did this, and now we're good sort of thing? 

Mike Theis: Yeah, I think that's right. I think that this is, you know, something else that needs to be added to the chief compliance officer's list of items to be auditing, checking for, conducting internal investigations, especially before they get into a situation where there is an intrusion or breach. In other words, this is part of the, you know, good business hygiene that companies in this current environment have to engage in to make sure that they are taking appropriate steps to guard against breaches and intrusions, that they are careful with the sensitive or confidential data that they handle and fulfilling the obligations that they have to deliver cybersecurity to the United States government when they are contracting with them. 

Mike Theis: Department of Justice is very deliberately unleashing the forces of the private sector, motivated by the financial incentives that are created by the Qui Tam provisions of the False Claims Act, you know, to get people to come forward and report these things. And so individual employees of companies that do business with the federal government now have a - you know, an open invitation to come forward and report their companies. And so chief compliance officers and, you know, legal and regulatory teams at companies that do business with the government should be looking at, what are we doing to make sure that we are living up to the expectations that the government has in terms of software, cybersecurity defenses, taking steps to ensure that we protect our data? 

Stacy Hadeka: Yeah, and following up on that, too, I don't think there is a one-size-fits-all approach here, especially because, as you noted, that there is some companies that may be providing items that pose less risk to the federal government. Of course, where I would recommend companies start is really with the contract itself and understanding what federal business and work it has. A lot of times, companies that are working with the federal government have a small fraction of federal government work when they may have a larger commercial presence. And so taking what those government contracts, personnel, security personnel, are saying, I think, is kind of a culture that needs to be addressed from the top down. And so companies, as Mike was saying, and their compliance regime need to ensure that they're understanding what government obligations they have and also recognizing that they need to take these seriously. 

Dave Bittner: You know, Ben, I think you could tell from this conversation how fascinating it was to me. I had no idea that the False Claims Act went all the way back to the Civil War and that it was actually Abraham Lincoln who was - who put it into action. 

Ben Yelin: Yeah, you wouldn't think it is a law from the 1860s. It is our government's tool to combat fraud perpetrated against the government. 

Dave Bittner: Yeah. 

Ben Yelin: And, you know, there are a lot of causes of action based on the False Claim Act. That's usually what we see when we see a whistleblower coming forward. They're usually, you know - and they're usually initiating something that will eventually lead to a cause of action under the False Claims Act. 

Dave Bittner: Yeah. 

Ben Yelin: And it's led to, you know, a lot of really interesting legal cases, really interesting settlements. It allows the government to collect money from large corporations, organizations, based on misrepresentations to consumers. 

Dave Bittner: Yeah. 

Ben Yelin: And, you know, it's also - even though it was instituted in the 1860s, we've seen it amended a number of times. 

Dave Bittner: Right, right. It's fascinating that it can, that - I don't know. Obviously, at its base, you can see the necessity of it. But to see it evolve and still be relevant from the Civil War to now and being applied to cybersecurity - really fascinating. 

Ben Yelin: Absolutely. 

Dave Bittner: Yeah. All right. Well, my thanks to Mike Theis and Stacey Hadeka for joining us. We do appreciate them taking the time. 

Dave Bittner: That is our show. We want to thank you all for listening. The "Caveat" podcast is proudly produced in Maryland at the startup studios of DataTribe, where they're co building the next generation of cybersecurity teams and technologies. Our senior producer is Jennifer Eiben. Our executive editor is Peter Kilpe. I'm Dave Bittner. 

Ben Yelin: And I'm Ben Yelin. 

Dave Bittner: Thanks for listening.