October is Cybersecurity Awareness Month. The Department of Justice has taken note of the occasion by proposing steps that would significantly alter how businesses assess the question of whether to report cyberattacks to law enforcement.
Ever since computer crime emerged as a distinct area of criminal investigation and prosecution in the 1990s, businesses and government have tussled over whether businesses should report computer intrusions to law enforcement. From the government’s perspective, businesses should report cyberattacks as a matter of course.
Their view, as expressed in a recent article by Deputy Attorney General Lisa Monaco, is that if you have an intruder in your home, you do not hesitate to call 911, and if you have a cyberattack in your networks, you should call the FBI. The government notes that much of what investigators and prosecutors will know about a ransomware or digital extortion attack or other intrusion depends on what victims tell law enforcement and when they tell it. Sometimes the government can recover the ransom – as in the Colonial Pipeline case earlier this year – and it can also recover exfiltrated data, identify perpetrators and prevent future attacks.
Businesses have historically viewed the disclosure question from a very different frame of reference. In their view, why should they disclose information that might eventually become public and that tells the world about network vulnerabilities? Is the possibility of catching the bad guys really worth the reputational damage of admitting that the business was hacked? Why should our business have its name dragged through the mud? Why should we have to endure the cost of investigation – the employee time, the outside contractors, and the attorney’s fees? Why go through all of this trouble when the end result might be that the perpetrator is an agent of the Russian or Chinese intelligence services, a 14-year-old computer whiz in Estonia, or a criminal gang in Bulgaria? After all, none of these people are likely to be extradited or successfully prosecuted, right? And so, despite lots of speeches and lobbying from law enforcement agencies, and government/business partnerships such as the FBI’s InfraGard program, most breaches are not reported to law enforcement.
Suffice it to say that the federal government was not happy with this standoff. And when the government is unhappy, it has tools at its disposal. On October 6, Deputy Attorney General Monaco – whose prior experience includes high-level jobs at the Justice Department and the National Security Council – announced a “Civil Cyber-Fraud Initiative.”
The biggest club she pulled out of her bag was a new program to use the False Claims Act to target companies that provide deficient cybersecurity products or services, misrepresent their cybersecurity practices or protocols, or violate obligations in their government contracts and elsewhere to monitor or report cybersecurity incidents and breaches. The False Claims Act comes into play because the government has been putting more and more cybersecurity-related requirements into the Federal Acquisition Regulation and other government contract documents. When a company seeks payment on a federal contract and falsely certifies compliance with contractual requirements, the government treats the resulting payment claim as false.
As many of you know, the False Claims Act includes a whistleblower provision that rewards individuals who report fraudulent conduct, incentivizing insiders and others to report cybersecurity incidents to the Department of Justice. The Act allows for triple damages, which means that the government can recover three times the amount of payment on a government contract that involves cyberfraud. And there are statutory penalties for each false claim – effectively, for each invoice submitted during the period of non-compliance. The range for those statutory penalties is currently $11,803 to $23,607 per claim. It doesn’t take long for damages to escalate astronomically.
In addition to the Department of Justice’s initiative, the Securities and Exchange Commission has also targeted cyber-related misconduct, including civil charges against public companies that allegedly misled investors by failing to disclose data breaches. This summer, the SEC brought enforcement actions against a financial services company and an educational services company for alleged failures to maintain adequate disclosure controls and procedures in connection with disclosing cybersecurity incidents. As a result, the government can bring enforcement actions even where no federal contract is involved.
This issue is not going away any time soon. The Biden Administration will ratchet up scrutiny on cybersecurity products and programs and on businesses’ internal controls and assessment and reporting of potential threats and breaches. While the current initiative is civil, it is entirely possible that egregious cases of misconduct or concealment could escalate into parallel civil and criminal investigations or multi-agency investigations of cybersecurity programs, policies, and conduct.
Any company that does or plans to do business with the federal government or receive federal government funding should take great care to make sure that its products can prevent cyberattacks and that it is fulfilling contractual obligations to safeguard data and preserve data security. Cybersecurity infrastructure and internal monitoring and reporting processes need to be carefully scrutinized before, not after, government investigators start poking around.
Whether the old way of approaching these issues was smart cost/benefit analysis or myopic loss aversion, the landscape has changed, and it’s not changing back anytime soon.