With DOJ's fiscal year 2025 ending on September 30, now is the right time to assess how False Claims Act enforcement priorities have shifted over the past twelve months. The review reveals that while healthcare fraud continues to generate the largest dollar settlements, DOJ opened three distinct new enforcement fronts that signal a fundamental expansion of FCA liability. Trade and tariff fraud, civil rights compliance violations, and cybersecurity failures emerged as fully operational battlegrounds, complete with major settlements, new task forces, and explicit invitations to whistleblowers to bring more cases.
During FY 2025, DOJ secured settlements in each area and created enforcement infrastructure—including a dedicated Trade Fraud Task Force and a Civil Rights Fraud Initiative—designed to sustain these efforts for years to come. If you represent companies that do business with the federal government, import goods into the United States, or receive federal funding, your clients now face FCA exposure in areas that barely registered on the enforcement radar two years ago.
Trade and Tariff Fraud: A New Task Force and Explicit Whistleblower Invitation
In August 2025, DOJ launched a cross-agency Trade Fraud Task Force with the Department of Homeland Security. The announcement made clear that DOJ intends to aggressively pursue FCA cases against importers who evade tariffs and customs duties. More significantly, DOJ explicitly invited whistleblowers to use the qui tam provisions of the False Claims Act to report customs fraud. (For more information on the Trade Fraud Task Force CR blog post: New Trade Fraud Task Force Raises FCA Risks - The Suarez Law Firm, P.A.)
That whistleblower invitation represents a deliberate strategy to leverage insider knowledge about import practices that government investigators would struggle to uncover on their own. DOJ announced multiple civil settlements during FY 2025 involving allegations of improperly evaded customs duties across a wide range of products including wood flooring, plastic resin, extruded aluminum, and quartz surfaces.
At the Federal Bar Association's Annual Qui Tam Conference in February 2025, Deputy Assistant Attorney General, Michael Granston, made DOJ's new approach explicit, stating: "You can expect the Department to continue to use the False Claims Act to enforce these trade laws," and describing enforcement efforts as "aggressive."
The theory underlying these cases is that when importers submit customs declarations, they're making claims to the government about their products—claims about country of origin, proper tariff classification codes, and accurate valuations. If those representations are knowingly false and result in reduced duties, they violate the FCA.
Defense attorneys need to understand the common fraud patterns DOJ is targeting. These include misrepresenting a product's country of origin to avoid tariffs on goods from specific countries, undervaluing imported products to reduce duty payments, misclassifying products under the wrong harmonized tariff schedule codes (harmonized tariff schedule codes is the classification system that determines what duty rates apply) to secure lower rates, and falsely claiming products aren't subject to antidumping duties when they are.
For companies that import goods, this development demands immediate attention to compliance programs. Customs classifications are complex, and honest mistakes happen. But under the FCA's knowledge standard, companies can face liability for deliberate ignorance or reckless disregard of import regulations. The presence of internal warnings about compliance issues that management ignored can transform a civil dispute into an FCA case with treble damages.
Civil Rights Fraud Initiative: A Novel Theory with Broad Implications
In May 2025, DOJ announced its Civil Rights Fraud Initiative, extending FCA liability to a completely new area: civil rights compliance. The theory, articulated in a memorandum from Deputy Attorney General, Todd Blanche, holds that the FCA is implicated when federal contractors or funding recipients knowingly violate civil rights laws and falsely certify compliance with those laws.
This isn't a minor policy tweak. It's a fundamental expansion of FCA enforcement into territory that was previously the province of Title VI, Title IX, and other civil rights enforcement mechanisms. The initiative makes civil rights compliance certifications—boilerplate language that appears in countless federal contracts and grant agreements—into potential FCA predicates.
The memorandum itself provided specific examples that signal enforcement priorities. According to the Deputy Attorney General, a university accepting federal funds could violate the FCA when it "encourages antisemitism, refuses to protect Jewish students, allows men to intrude into women's bathrooms, or requires women to compete against men in athletic competitions." The memo also indicated that certain diversity, equity, and inclusion policies could trigger FCA liability if they constitute unlawful discrimination.
The implications ripple far beyond universities. Any entity receiving federal funding—healthcare providers, research institutions, state and local governments, contractors, nonprofits—potentially faces FCA exposure if their civil rights compliance certifications prove false. And because the FCA allows private whistleblowers to bring qui tam cases, disgruntled employees or other insiders can trigger investigations based on their perceptions of civil rights violations.
From a defense perspective, this initiative raises troubling questions about the intersection of FCA liability and unsettled civil rights law. Civil rights compliance often involves contested legal questions without clear answers. When a university's speech policies or a company's DEI program becomes the subject of legitimate legal debate, should that debate expose the institution to FCA treble damages based on compliance certifications?
Defense attorneys representing educational institutions, healthcare providers, and other federal funding recipients need to work with clients now to review civil rights compliance programs and certification language. The key question isn't just "are you complying with civil rights laws?" It's "if a whistleblower or DOJ challenges your compliance, can you demonstrate that you had a reasonable good-faith basis for your interpretation of ambiguous legal requirements?"
Cybersecurity Enforcement: No Breach Required
DOJ's cybersecurity-focused FCA enforcement continued its aggressive trajectory through 2025, with settlements totaling more than $40 million in recent months. The cases share a critical common feature that defense counsel must understand: actual data breaches aren't required for FCA liability.
In February 2025, Health Net Federal Services and its parent company Centene Corporation paid $11.2 million to resolve allegations that Health Net falsely certified compliance with cybersecurity requirements in its Defense Department contract to administer TRICARE. DOJ alleged that the company failed to timely scan for and remedy cybersecurity vulnerabilities, ignored independent auditor reports about cybersecurity risks, and falsely attested compliance with at least seven security controls.
In September 2025, Georgia Tech Research Corporation settled FCA allegations for $875,000 based on failing to meet cybersecurity requirements in its government contracts. The Assistant Attorney General for DOJ's Civil Division stated explicitly: "Together with DoD and other agency partners, the Department of Justice will continue to pursue and litigate violations of cybersecurity requirements to hold contractors accountable when they violate their cybersecurity commitments." (See our blog article: Government Contractors Face Rising Risk: Georgia Tech Settles Cybersecurity False Claims Act Case for $875,000 - The Suarez Law Firm, P.A.)
These cases make three points clear. First, cybersecurity certifications in government contracts are enforceable through the FCA. Second, liability attaches to failures in cybersecurity practices and controls, not just to successful breaches. Third, DOJ views this as a priority enforcement area that is likely to continue regardless of which administration occupies the White House.
For defense attorneys, the cybersecurity cases highlight the danger of treating compliance certifications as administrative boilerplate. When your client signs a contract certifying compliance with NIST standards, DFARS cybersecurity requirements, or other technical security frameworks, those aren't just contract terms—they're potential FCA predicates.
The defense challenge in these cases often involves technical complexity. Cybersecurity requirements frequently incorporate industry standards by reference, creating compliance obligations that require specialized expertise to interpret and implement. When a company certifies compliance with "NIST 800-171" or similar standards, management may not fully understand what that certification means in technical terms.
Companies holding government contracts need to implement three protective measures. First, engage qualified cybersecurity professionals to assess actual compliance against contractual requirements—don't rely on in-house assessments unless you have genuine expertise. Second, document compliance efforts thoroughly, including remediation timelines for identified vulnerabilities. Third, consider qualified or conditional compliance certifications that accurately reflect your current security posture rather than making blanket certifications that may prove false.
Practical Guidance Across All Three Areas
These three enforcement initiatives share common elements that should inform defense strategy. Each involves transforming what companies might view as regulatory compliance issues into FCA cases with treble damages and civil penalties. Each relies heavily on whistleblower qui tam actions to surface potential violations. And each targets representations that companies make routinely without necessarily understanding their FCA implications.
For defense counsel, the practical guidance is straightforward but demanding. First, audit your clients' government contracts, grant agreements, and funding applications to identify every certification and representation they make. Don't limit your review to obvious areas like billing accuracy—look at trade compliance certifications, civil rights assurances, and cybersecurity attestations.
Second, verify that your clients have actual programs in place to ensure compliance with those certifications. A certification without supporting compliance infrastructure creates exactly the kind of reckless disregard that satisfies the FCA's knowledge standard.
Third, implement robust internal controls and documentation practices. When FCA cases arise, your ability to demonstrate good faith compliance efforts can mean the difference between a declination and a multi-million-dollar settlement.
Fourth, consider the whistleblower risk. Employees who are angry about trade practices, civil rights policies, or security lapses may have the information and incentive to file qui tam cases. The best defense against whistleblower cases is having compliance programs that give potential whistleblowers confidence that issues are being addressed appropriately.
