Navigating Cybersecurity and Traditional Compliance

 Do your organizational policies and procedures adhere to cybersecurity and traditional compliance regulations? In today’s interconnected world, organizations face a dual challenge: maintaining traditional compliance with legal and regulatory frameworks while safeguarding against cyber threats. The Department of Justice (DOJ) has been increasingly vigilant in addressing both cybersecurity compliance and traditional Federal Acquisition (FAR) and Defense Federal Acquisition Regulations Supplement (DFARS) compliance failures. The Insight Global LLC settlement underscores the critical need for organizations and individuals to address both aspects effectively.

The Insight Global Settlement – Cybersecurity Compliance and Traditional Compliance Implication

In May the DOJ announced that Insight Global agreed to pay $2.7 million to resolve allegations under the False Claims Act (FCA)[1]. Can your company afford such a monetary assessment? Could you survive the investigation? Insight Global is an international staffing and consulting firm that faced allegations of improper billing practices and inadequate cybersecurity protections used during COVID-19 contact tracing in violation of its contractual agreement with the Pennsylvania Department of Health (PADOH).

Cybersecurity Compliance Implications of Insight Global

While the monetary fines seem daunting, the Insight Global settlement provides a valuable lesson: cybersecurity and overall contractual compliance is vital for any organization. Compliance programs must align with federal and state laws, industry standards, and best practices: anything less is undertaken at a company’s own risk.

While under contract with PADOH, Insight Global failed to exercise necessary security measures to protect sensitive data while performing its work for PADOH. Despite the contractual requirements for Insight Global to keep the personal information acquired through its services in a “confidential and secure” manner, along with federal PHI safeguarding compliance obligations, Insight Global failed to conform and comply with applicable regulations and constraints. Amongst those failures, the DOJ alleged in the Settlement Agreement that:

  • “staff provided by Insight Global pursuant to the contract received certain PHI and/or PII of contact tracing subjects in the body of unencrypted emails, including emails sent by government personnel to Insight Global;
  • Insight staff shared passwords used to access such information with each other;
  • Insight Global stored and transmitted such information using Google files that were not password protected and were potentially accessible to the public via internet links; and
  • Insight Global’s lack of regular vulnerability assessments left them exposed to cyber threats.”[2]

Even more damaging to Insight Global is that despite early reports by their staff concerning the unsecured PHI/PII on or about November 2020 through January 2021, the company failed to respond timely and properly and rapidly remediate such issues until April 2021. By delaying the remediation of highly valid and significant problems presented to Insight Global, its breach responses were determined inadequate. Such inadequacies could lead to foreseeable data leaks and unauthorized access to confidential information. Such breaches and high potential exposures will undoubtedly result in financial losses, customer trust erosion, and brand damage.

Traditional FARS/DFARS Compliance Considerations

Intertwining with cybersecurity regulations, traditional FAR/DFARS compliance regulations play a pivotal role in maintaining order, security, and fairness. These regulations provide a framework for businesses, organizations, and individuals to operate ethically and transparently. By adhering to these rules, companies can protect sensitive data, ensure consumer privacy, and foster trust with their stakeholders.

In the Insight Global Settlement Agreement, the DOJ re-emphasized its heightened focus on traditional FAR/DFARS compliance failures. On the first page of the Statement of Work (SOW), in Section I.B.iv., Insight Global represented that it “recognizes and accepts that the contact tracing workforce will have access to personal health information of contact tracing subjects and must ensure that and all other such information related to the services being provided must be kept confidential and secure.”[3] Compliance with such contractual language here was necessary. The SOW clearly and concisely states Insight Global’s obligations to comply with the contract terms and maintain information acquired in furtherance of the contract with PADOH as confidential and secure; however, Insight Global failed to comply with the standards it put forward, and those included in the contract terms. The DOJ made it clear that companies need to dedicate resources and staff to compliance by plainly chastising Insight Global and noting: “Insight Global should have (and could have) provided more data-security resources and training to its Managed Services Division, who was the department that implemented the contract with PADOH.”[4]

Insight Global faced additional allegations related to improper billing practices – a well-known FAR/DFARS compliance risk. The DOJ determined their compliance program lacked effective oversight, allowing billing irregularities to persist. While the industry is keenly focused on cybersecurity, DOJ appears dedicated to combining multiple allegations of non-compliance so contractors should be wary of traditional FAR/DFARS compliance requirements. Now is the time to get ahead and implement a compliance strategy.

Mitigation Strategies for Government Contractors

Considering the glaring cybersecurity and traditional compliance failures of Insight Global, it is imperative to highlight the mitigation strategies that companies and individuals should apply to avoid being a party to an unfortunate dispute like the Insight Global fiasco.

First and foremost, companies should review their written policies and procedures to be sure that they are up to date and embrace the most recent legislative changes. Second, companies should work with experts to conduct an objective review of the company’s overall compliance with traditional FAR/DFARS and cyber requirements. An inadvertent oversight in one area will generally result in a wider review so companies should be prepared. Third, companies should obtain or provide tailored employee training based on the employees’ role in the organization. While a company’s procurement professionals need to understand sourcing compliance, human resources professionals need to fully understand federal labor standards. A one-size-fits-all training approach will not prepare functional teams.

Conclusion

The Insight Global settlement serves as a wake-up call for businesses. Balancing the formation and execution of internal cybersecurity policies and procedures with the long-standing traditional FAR/DFARS compliance policies and procedures is critical to avoid legal repercussionsAs organizations navigate these consistently evolving compliance requirements, proactive measures are crucial to safeguard corporate integrity and continued success.

While cybersecurity compliance focuses on security protocols, traditional compliance covers a broader range of regulatory requirements, and the DOJ is analyzing them both. Compliance on all fronts is essential to effective risk management and overall organizational health.

Organizations must prioritize compliance to effectively mitigate risks and safeguard client data to avoid becoming the next Insight Global.

[1] The False Claims Act. https://www.justice.gov/civil/false-claims-act

[2] https://www.justice.gov/opa/media/1350311/dl?inline pg. 2

[3] Id. pg. 1-2

[4] Id pg. 2


Source(s):  Dunlap, Bennett, Ludwig, received via JD Supra, on July 11, 2024.