US Gov’t Will Slap Contractors With Civil Lawsuits For Hiding Breaches

from ars technica

In a groundbreaking initiative announced by the Department of Justice this week, federal contractors will be sued if they fail to report a cyber attack or data breaches. The newly introduced “Civil Cyber-Fraud Initiative” will leverage the existing False Claims Act to pursue contractors and grant recipients involved in what the DOJ calls “cybersecurity fraud.” Usually, the False Claims Act is used by the government to tackle civil lawsuits over false claims made in relation to federal funds and property connected with government programs.

More here.

Posted in Law and tagged , , .

5 Comments

  1. As is becoming more and more common in our digital age, the United States has seen a wave of data breaches in recent years with no signs of slowing down. As every process of our daily lives becomes more digital and more embedded within various internet networks, our data becomes more and more vulnerable to hacking. There has been much controversy around consumer data especially recently in the 2020s more so even than in the 2010s. Recently, tech companies have been under pressure to be more transparent about the data that they collect and how it is used by or sold to third parties. With data breaches, this means more data available to potential hackers and more that could possibly be exposed for consumers. All sorts of information like credit card numbers, home addresses, phone numbers, or even personal spending habits can be exposed in a data breach.

    In terms of business law, more and more cybersecurity attacks like these might lead to stronger regulation in this area. In the future, I expect businesses to be required to be much more transparent with the data that they collect and how what customers do affect what data is kept by any given company. This might mean publishing reports for customers or allowing for more user choice in what data is collected. Recently, some companies have been moving towards giving customers the ability to choose which data companies may use for marketing or data analytics purposes and I expect this trend to continue in the future. In addition to this, I expect laws to get stronger concerning what data businesses may collect and use. In the past, businesses have not been subject to much legislation and the data of the digital world and much of the internet has been out in the open and only minimally regulated. However, recently more and more laws have been passed and policies put into place by both governmental and private organizations relating to how data should be collected and shared. Governments concerned with protecting the privacy of their citizens along with businesses wishing to protect their customers have been clamping down on data protection and online privacy. Most recently, governments have moved to force businesses to report data breaches to their customers via the False Claims Act. As time goes on, it will be important to watch how the landscape changes from a business law perspective. Governments and businesses alike will likely continue to fight data breaches and set more rules or guidelines concerning data protection and how customer data is shared. Overall, data breaches will likely occur well into the future and it will be up to the regulatory environment as well as businesses and consumers to protect data and to minimize the risk of exposure through data breaches.

  2. Cybersecurity has been an important concept with growing concern over the past decade or so due to the rapid growth of technology. Many companies now rely on technology for their daily operations which means the people who do business with them must trust that their personal information is secured. With the newly established “Civil Cyber-Fraud Initiative”, the public is provided with an added level of protection along with a sense of knowing what is really going on within the company that is storing their information. Before this initiative was launched, companies would try to hide things and keep them a secret as Deputy Attorney General Lisa O. Monaco explains, “‘For too long, companies have chosen silence under the mistaken belief that it is less risky to hide a breach than to bring it forward and to report it.’” Since a breach can directly impact many people, the company should inform them of this occurrence, so that they know what to expect and that their information is in danger. This initiative will help with creating this sense of transparency since it forces the company to disclose this type of information, and failure to do so will result in them being sued. Also, ever since the pandemic began, there has been a significant increase in the number of cybercrimes which is something the article also touches on, “The development comes at a time when cyberattacks are rampant and advanced ransomware gangs repeatedly target critical infrastructures, such as the Colonial Pipeline and health care facilities.” Essentially, cyberattacks have always been a problem, but with how common they have become, this initiative was established at a good time and will effectively prevent the companies from being silent. I also found it interesting how The Civil Cyber-Fraud Initiative protects whistleblowers, “‘The act includes a unique whistleblower provision, which allows private parties to assist the government in identifying and pursuing fraudulent conduct and to share in any recovery and protects whistleblowers who bring these violations and failures from retaliation,’ explained the DOJ in a press release.” I think that these provisions are appropriately included because whistleblowers are critical to any case/lawsuit that comes about and should therefore be protected from retribution. This will also encourage individuals to want to help and expose the crime being committed because they will not have as much fear to do so. This initiative would have been useful in the past few years, especially during the pandemic, but it is better late than never, and companies will now have to adjust and be more transparent with the public in order to avoid facing a lawsuit.

  3. I think that this article shows a step in the right direction for protecting the information of people who use electronic platforms. As the article mentions, it is easier for companies to dismiss a cyber attack or data breach than to let the public know that one has occurred in their database. This illustrates the flaw with most companies in the cyberspace industry: they are more concerned about their reputation and their ability to make money off of their customers rather than the safety of those who use their platforms. It is great that the government wants to help protect the identities and privacy of those who use these platforms. It is unfortunate that this will get companies to seriously focus on upgrading the security of their platforms since they can not be held legally accountable for not disclosing when there was a security breach on their platforms. However, despite how positive this change is, I think the government should also intervene in other ways.
    The main thing the government should consider is mandating how much information about consumers these companies can use or have access to. Customer privacy, along with security is often an issue in the cyberspace industry. The security systems of these platforms are likely to experience breaches and other issues no matter how much effort these companies put into protecting their consumers. However, if less information about consumers was available to hackers, this will minimize the issues that occur because of these breaches.
    Another thing that the government could do is force these companies to constantly remind consumers what information of theirs is being collected. The reason for this is that many electronic contracts made by these platforms are often long so that their users do not read all of the terms and conditions or they do not let people who use these platforms know how these companies are gaining information about them to make money. If these companies are forced to be more transparent, their consumers will no longer be manipulated and know the potential risks of what could happen to them if there is a cyber attack or data breach.

  4. This article was particularly intriguing to me as I am currently doing a research project heavily based around the False Claims Act. While my research is largely around companies who operate under fraudulent fronts in an effort to win certain government jobs, I quickly realized how Cybersecurity Fraud would fall into this category.

    I have been interning/working for a company for around 4 years now that solely deals with federal contracting. In that relatively short time, I have seen just how many rules come with working for the federal government. I was shocked to read that this initiative is only being introduced now. When companies are working with highly sensitive information, it seems like reporting a breach would be a given. Given the world we live in today, I was floored to learn that cybersecurity attacks have simply been pushed under the rug.

    Federal contractors are exposed to an almost unbelievable amount of highly classified data in one way or another. The work they do, even if it is remediation on an old base or reserve sight, hold details that could, at the least, jeopardize government information. On the other hand, companies who work with even more classified projects, hold very sensitive information. Which, if it were to find its way into the wrong hands, could lead to very deadly consequences. To be knowingly negligent in reporting a cybersecurity breach, is something that I personally believe should be met with a large fine. Additionally, I feel a further investigation into business operations and activities is not unwarranted either. As previously stated, it seems mind boggling that someone wouldn’t report a cybersecurity attack. Government data aside, it seems as though business owners would want to know how their cybersecurity system failed them so as to prevent another breach.

    Having said this, the opening statement of the article, made by Deputy Attorney General Lisa O. Monaco, caught my attention. She stated “This is a tool that we have to ensure that taxpayer dollars are used appropriately…” While working for my current company, I have had the opportunity to go through several active and inactive military bases. While there, the team I work for tests for bio and environmental hazards (lead, asbestos, etc.) that may be an issue for those who currently work there or an upcoming building demo. While walking through inactive bases, it doesn’t take a trained eye to see the several hundreds of thousands of dollars in equipment, utilities, technology, and even information that is left behind. Who pays for all of the abandoned “stuff” you ask? Tax payers. Tax payer dollars are just sitting in buildings waiting to be demolished. To me, this statement made me laugh, as I have seen first hand how the government “utilizes” tax payer dollars.

  5. This article was a bit eye-opening for me. As a Computer Science major, I was a little bit shocked to find out that government contractors were hiding cybersecurity breaches. This was also shocking because there is no benefit in hiding this kind of information. The impact is the same in all scenarios. If the company tells the public and makes the breach public information then they lose customers, but if the company hides the breach and it gets out later, then they lose customers. Furthermore, I think that the new initiative will be beneficial for all. The world of cybersecurity is still majorly unexplored territory. No one knows what laws to make, etc. This initiative is the change that aspiring cybersecurity professionals have been waiting to see.
    2019 and 2020 have been busy years for hackers. However, no one was surprised. Technology is only getting more and more sophisticated and with this new innovation, there is a significant lack of security, The 2019 CPR, also known as Check Point Research, has released the 2021 cybersecurity report. This report along with the 2020 report go hand in hand because the predictions from 2019 are exactly what happened in 2020. We say an increase in targeted ransomware attacks, a shift in phishing schemes to beyond the mobile domain, and much more. Ransomware attacks saw a large increase due to more and more companies actually paying the ransom, so the introduction of the Ransomware Act should encourage companies to think about the consequences of their actions before jumping and paying a ransom. Yet, this should not need to be done because the report also divulges that most companies that pay the ransom do not even get their data back. The 2020 report even talks about the unreliability of the cloud. Actually, the cloud creates more risk than anything else. However, the overall theme of both reports is that companies need to focus on preventing zero-day threats and an increase in zero-tolerance security policies.
    This initiative to have government-funded companies report security breaches, in my eyes, will aid in the government’s ability to do their job and also to create legislation to hold attackers accountable. Technology is advancing rapidly, but government legislation and security measures are not. Until something is done, attackers will continue to run rampant and I think that handing out lawsuits to companies that do not report cybersecurity breaches is a good place to start because legislation cannot be made and the government cannot do their job if they do not know about the breaches that are taking place.

Leave a Reply

Your email address will not be published. Required fields are marked *