A unit of telecommunications giant Verizon agreed to pay approximately $4.1 million to settle allegations levied by the Department of Justice (DOJ) regarding false claims caused by failure to fully implement cybersecurity controls required of a government contractor.

Verizon Business Network Services violated the False Claims Act when it “failed to completely satisfy certain cybersecurity controls in connection with an information technology service provided to federal agencies,” the DOJ said in a press release Tuesday.

Of the total Verizon agreed to pay, approximately $2.7 million is restitution, according to the settlement agreement.

The details: Between 2017 and 2021, Verizon’s internet protocol service failed to satisfy three required cybersecurity controls with respect to General Services Administration (GSA) contracts, including:

  • Having a trusted internet connection (TIC) regarding domain name security extensions;
  • Real-time header and content capture of all inbound and outbound traffic with storage capacity to retain at least 24 hours of data generated at full TIC operating capacity; and
  • Certain encryption requirements to Federal Information Processing Standards.

“We will continue to pursue knowing cybersecurity-related violations under the department’s Civil Cyber-Fraud Initiative and to provide credit in settlements to government contractors that disclose misconduct, cooperate with pending investigations, and take remedial measures, all of which are critically important to protecting the nation against cyber threats,” said Michael Granston, deputy assistant attorney general of the Civil Division’s Commercial Litigation Branch, in the DOJ’s release.

Compliance considerations: The DOJ acknowledged Verizon took steps to cooperate with the government’s investigation, including a written self-disclosure, initiating an independent investigation and compliance review, and providing the government with multiple detailed supplemental written disclosures.

Company response: “In 2020, Verizon proactively identified and disclosed to the GSA a potential issue with a managed security service that it sells to some federal government agencies,” a Verizon spokesperson said in an emailed statement. “At no time did the potential issue that Verizon identified result in a security or data breach. The settlement concludes that disclosure and reflects Verizon’s commitment to being a responsible government contractor.”

Verizon did not admit liability in reaching settlement.