1. Insights
  2. Publications
  3. Alerts

Top DOJ False Claims Act Official Confirms 'Significant Upward Trajectory' in Cybersecurity Enforcement

February 9, 2026

Reading Time : 4 min
Jump to
View Authors' DetailsView Related Services, Sectors, and Regions

By: Sara McLean, Angela B. Styles, Marta A. Thompson, Evan D. Wolff, Laura Hill, Alexis Ward

In remarks delivered on January 28, 2026, at the American Conference Institute’s Advanced Forum on False Claims and Qui Tam Enforcement, Deputy Assistant Attorney General Brenna Jenny highlighted the Administration’s achievements and continued commitment to civil cyber-fraud enforcement.

Jenny, the political official overseeing nationwide False Claims Act enforcement, noted the U.S. Department of Justice (DOJ) recovered $52 million across nine FCA cyber settlements last year, a “significant upward trajectory.” She observed whistleblowers have continued to play a large role in cyber-fraud cases specifically. And she explained, cyber-fraud cases are “not about data breaches,” but are instead “premised on misrepresentations.”

Her remarks confirm Akin’s own experience, including that of partner Sara McLean who led and supervised DOJ civil cyber-fraud enforcement before joining the firm in November 2025.

The Civil Cyber-Fraud Initiative

When the prior administration launched the Civil Cyber-Fraud Initiative in October 2021, it announced that it planned to use the FCA and its treble damages and penalties, to pursue those who knowingly make or cause false claims to the government through violations of cybersecurity obligations of government contractors and grantees. DOJ gave examples of the misconduct it planned to pursue:

  • Providing deficient cybersecurity products or services
  • Misrepresenting cybersecurity practices or protocols
  • Violating obligations to monitor and report cybersecurity incidents and breaches

Cyber-Fraud Enforcement a Focus of This Administration

Jenny’s remarks underscore that, although the administration changed, civil cyber-fraud enforcement remains more active than ever at DOJ. Since October 2021, DOJ has settled fifteen civil cyber-fraud cases. Over half of those were announced in this administration, more than during all preceding years since the announcement of the Civil Cyber-Fraud Initiative. The administration trumpeted these achievements, not just in Jenny’s recent remarks, but in its recent announcement of its FY 2025 False Claims Act accomplishments. There, it cited cyber-fraud cases as examples of the work leading to its unprecedented $6.8 billion in False Claims Act recoveries.

Awareness of cybersecurity obligations is important for all government contractors and grant recipients, including research universities, healthcare benefit administrators and IT services contractors, as well as others in their orbit from assessors to private equity firms. The majority of DOJ’s cyber-related settlements—nine of the fifteen—involved U.S. Department of Defense (DoD) cybersecurity requirements. DoD updated these requirements recently when it finalized the Cybersecurity Maturity Model Certification (CMMC), which for many contractors will mean third-party verifications.

Civilian agencies have also increased scrutiny on contractors’ cybersecurity measures. For instance, in January 2026, the General Services Administration issued its own procedural guide for protecting Controlled Unclassified Information (CUI) on nonfederal contractor systems that similarly provides for extensive third party assessments.

With this increased interest across the executive branch, it is more important than ever for federal contractors to know the applicable rules, invest in the legal and technical expertise needed to meet their cybersecurity obligations and make a good faith effort to comply.

Managing Whistleblower Complaints Critical in Responding to Cybersecurity Allegations

Jenny’s comments acknowledging whistleblowers’ assistance in DOJ’s cyber-fraud enforcement are also an important warning to the industry. False Claims Act enforcement relies heavily on whistleblowers to file complaints and rewards them for coming forward with a share of up to thirty percent of any government recovery. The whistleblowers’ attorneys’ fees are paid by the defendant.

Particularly in the cyber arena, as evidenced by Jenny’s comments and numerous now public qui tam complaints, companies must take internal complaints from employees seriously and manage them appropriately. This includes evaluating and attending to problems that need to be fixed and keeping reporters appropriately informed, consistent with privilege, so that they do not form the impression they have nowhere to go but to file a qui tam complaint. It may also include making disclosures to the government, whether mandatory or voluntary and possibly seeking cooperation credit in the settlement of FCA claims, per DOJ policies that DOJ has implemented more avidly in the cyber arena than in any other area of FCA enforcement.

Representations to the Government Are Key

Finally, Jenny’s admonition that cyber-fraud cases are about misrepresentations, not data breaches, is critical advice for companies seeking to manage their cybersecurity risks. As Jenny made clear, a data breach will not necessarily lead to a civil cyber-fraud case. Breaches happen even when cybersecurity obligations to the government are met. Mistakes are not actionable under the FCA. Knowing misrepresentations are the focus of DOJ’s cyber-fraud enforcement. This includes false statements about cyber-security posture and false claims that may not have an explicit false statement but that the government will argue impliedly represent a company is complying with cybersecurity obligations when it is not. Those doing business with the government should be laser-focused on the truthfulness of their statements to the government. What a company or individual did or did not tell the government can truly make or break a civil cyber-fraud case.

Key Takeaways

  • DOJ is increasingly focused on cyber-fraud, which is no longer a new initiative but now part of the bread and butter of DOJ’s enforcement of the FCA.
  • Federal contractors and grant recipients should continue to invest in legal and technical expertise to ensure compliance.
  • Whistleblowers play a central role in cyber-fraud cases. Companies should take internal complaints seriously and manage them carefully to mitigate risk of future False Claims Act qui tam claims.
  • Representations made to the government are critical in the cybersecurity arena. Companies and individuals should ensure that their statements to the government are truthful and recognize that what they did or did not tell the government may make or break a civil cyber-fraud case. They should carefully consider disclosure obligations and opportunities when confronted with a potential cybersecurity violation.

Akin’s False Claims Act, government contracts and cybersecurity, privacy & data protection teams are actively monitoring DOJ enforcement in this area.

Share This Insight

Related Services, Sectors, and Regions

© 2026 Akin Gump Strauss Hauer & Feld LLP. All rights reserved. Attorney advertising. This document is distributed for informational use only; it does not constitute legal advice and should not be used as such. Prior results do not guarantee a similar outcome. Akin is the practicing name of Akin Gump LLP, a New York limited liability partnership authorized and regulated by the Solicitors Regulation Authority under number 267321. A list of the partners is available for inspection at Eighth Floor, Ten Bishops Square, London E1 6EG. For more information about Akin Gump LLP, Akin Gump Strauss Hauer & Feld LLP and other associated entities under which the Akin Gump network operates worldwide, please see our Legal Notices page.