The U.S. Government Will Start Suing Contractors Who Hide Security Breaches and Incidents

Posted by Mikaela On November 8th, 2021

Under the new Civil Cyber-Fraud Initiative that the U.S. Department of Justice announced today, government contractors can be held accountable in civil court if they don’t report a breach or fail to meet required cybersecurity standards.

The initiative gives the DoJ the necessary leverage to fight digital threats to sensitive information and critical systems stemming from collaborators of federal agencies.

Boosting defenses

Deputy Attorney General Lisa O. Monaco said that the initiative allows the DoJ to pursue government contractors that keep silent about a breach incident or don’t comply with cybersecurity standards.

“Well, that changes today. We are announcing today that we will use our civil enforcement tools to pursue companies, those who are government contractors who receive federal funds, when they fail to follow required cybersecurity standards.” – Deputy Attorney General Lisa O. Monaco

Led by the Civil Division’s Commercial Litigation Branch, Fraud Section, the initiative will use the False Claims Act (FCA), which makes liable anyone who knowingly submits false claims to the government.

A whistleblower provision in the Act allows private parties to identify and pursue fraudulent conduct. Whistleblowers benefit from protection and receive a significant part of any recovered funds.

The Civil Cyber-Fraud Initiative aims to strengthen defenses and minimize the risk of intrusion on government networks due to poor cybersecurity practices from external partners.

“The initiative will hold accountable entities or individuals that put U.S. information or systems at risk by knowingly providing deficient cybersecurity products or services, knowingly misrepresenting their cybersecurity practices or protocols, or knowingly violating obligations to monitor and report cybersecurity incidents and breaches.” – U.S. Department of Justice

Benefits expected from this initiative range from increasing the security of information systems in both the private and public sector to improving overall cybersecurity practices:

  • Building broad resiliency against cybersecurity intrusions across the government, the public sector, and key industry partners
  • Holding contractors and grantees to their commitments to protect government information and infrastructure
  • Supporting government experts’ efforts to timely identify, create and publicize patches for vulnerabilities in commonly-used information technology products and services
  • Ensuring that companies that follow the rules and invest in meeting cybersecurity requirements are not at a competitive disadvantage
  • Reimbursing the government and the taxpayers for the losses incurred when companies fail to satisfy their cybersecurity obligation
  • Improving overall cybersecurity practices that will benefit the government, private users, and the American public