A Tale of Two Investigations: The Value of Voluntary Disclosure

On July 31, 2025, the Department of Justice’s (“DOJ’s”) Civil Fraud Section announced two False Claims Act (“FCA”) settlements relating to violations of cybersecurity requirements. 

In one case, where there was no evidence of voluntary disclosure or cooperation, the company settled an investigation for about 2.3 times the government’s claimed restitution amount. In the other case, the companies voluntarily disclosed the violation, “took significant steps entitling them to credit for cooperating with the government,”[1] and only paid about 1.5 times the government’s claimed restitution amount. These settlements compellingly demonstrate why the economic value of voluntary disclosure and cooperation should not be overlooked.     

Illumina Inc. Settlement

Illumina Inc. (“Illumina”) agreed to pay $9.8 million to resolve allegations that it violated the FCA when it submitted, or caused to be submitted, claims to many government agencies, including defense and non-defense agencies, for payment for the purchase of genomic sequencing systems. Specifically, the government claimed the genomic sequencing systems operated with software that “had cybersecurity vulnerabilities, and Illumina did not have an adequate product security program and sufficient quality systems to identify and address cybersecurity vulnerabilities.”[2] According to the government, Illumina falsely represented the software adhered to certain cybersecurity standards, including the International Organization for Standardization and National Institute of Standards and Technology (“NIST”). The government contended that the claims were false, regardless of whether any actual cybersecurity breaches occurred. Illumina did not admit any wrongdoing and settled the allegations for $9.8 million, of which $4.3 million was restitution. The investigation arose out of a qui tam action filed in the United States District Court for the District of Rhode Island in September 2023, and the relator share amounted to $1.9 million. 

ATI and Gallant Settlement

In a separate investigation, aerospace company Aero Turbine, Inc. (“ATI”) and its controlling investor, private equity firm Gallant Capital Partners, LLC (“Gallant”), settled allegations that ATI’s repair and maintenance of turbojet engines involved the use of an information system that violated its contractual cybersecurity obligations to the Air Force and the FCA. Specifically, its information system contained controlled unclassified information, but did not comply with all required cybersecurity requirements specified by NIST. ATI and Gallant also failed to limit access to certain information to authorized users, thereby permitting a Gallant employee to share information with foreign nationals prohibited from receiving the information. The companies voluntarily disclosed their non-compliance. ATI submitted two written disclosures to the government concerning ATI’s non-compliance with cybersecurity requirements, and ATI and Gallant cooperated with the government by “identifying individuals involved in or responsible for the issues and disclosing facts gathered during its independent investigation, with attribution of the facts to specific sources.”[3] ATI then implemented mechanisms to remediate the identified issues and prevent further similar issues from occurring. As a result, ATI and Gallant received credit under the DOJ’s guidelines in Justice Manual § 4-4.112 “for taking disclosure, cooperation, and remediation into account in False Claims Act cases.”[4] Despite their voluntary disclosure and cooperation, ATI and Gallant, like Illumina, did not admit to liability in the settlement. They settled the allegations for $1.75 million, of which $1.15 million was restitution. As one would expect in a case arising out of voluntary self-disclosure, there is no evidence of a qui tam and none of the settlement amount is allocated to a relator.

Value of Voluntary Disclosure and Cooperation

Under the FCA, violations are punishable by treble damages and civil penalties currently ranging from $14,308 to $28,619 per false claim. While settlements in the range of two times the government’s damages are not unusual, and it is expected that voluntary disclosure and cooperation should lead to even lower settlement amounts, these two settlements represent a timely case study in the difference disclosure and cooperation can make. Both alleged violations relate to software that did not comply with cybersecurity requirements, but in the Illumina case, the settlement represented 2.3 times the government’s alleged damages and in the ATI/Gallant case, the settlement represented only 1.5 times the government’s alleged damages. This is so notwithstanding the allegation in the ATI/Gallant case that the cybersecurity failures contributed to an actual breach of security. Voluntary disclosure also has the benefit of likely avoiding any potential relator share, which further enables the government to accept a lower damages multiplier in FCA settlements.

[1] Press Release, U.S. Dep’t of Justice, California Defense Contractor and Private Equity Firm Agree to Pay $1.75M to Resolve False Claims Act Liability Relating to Voluntary Self-Disclosure of Cybersecurity Violations (July 31, 2025), https://www.justice.gov/usao-edca/pr/california-defense-contractor-and-private-equity-firm-agree-pay-175m-resolve-false

[2] Illumina Settlement Agreement, Recitals ¶ D, https://www.justice.gov/opa/media/1409561/dl

[3] ATI and Gallant Settlement Agreement, Recitals ¶ D, https://www.justice.gov/opa/media/1409651/dl

[4] Id.