The government’s announcement of renewed emphasis on cybersecurity enforcement has spawned recent million-dollar enforcement actions. Continued government attention on cybersecurity promises a treacherous enforcement environment in 2023 and beyond.

Several recent government initiatives have focused on cybersecurity enforcement. Towards the end of 2021, the Department of Justice announced a Civil Cyber-Fraud Initiative to use the False Claims Act (“FCA”) to hold companies and individuals accountable for: 1) deficient cybersecurity; 2) misrepresentations of cybersecurity; and/or 3) insufficient monitoring or reporting of cybersecurity incidents. The Cyber Incident Reporting for Critical Infrastructure Act of 2022 (“CIRCIA”) now requires the Cybersecurity and Infrastructure Security Agency to develop and implement regulations requiring covered entities to report covered cybersecurity incidents. The FTC Safeguards Rule requires non-banking financial institutions, including mortgage brokers and automobile dealerships, to develop, implement, and maintain a comprehensive cybersecurity program to protect customer information. Most concerning is that the deadline for compliance with the FTC Safeguards Rule is now June of 2023.

In July of 2022, as part of the Civil Cyber-Fraud Initiative, the Department of Justice announced a $9 million Aerojet settlement to resolve cybersecurity fraud claims brought pursuant to the FCA by a whistleblower who was the former Senior Director of Cyber Security, Compliance, and Controls for Aerojet. The whistleblower claimed that Aerojet’s contracts with the government mandated specific cybersecurity standards, and despite knowing that its systems did not meet these standards, Aerojet pursued and fraudulently obtained the contracts.

The Aerojet qui tam and resulting settlement forecast how use of this enforcement mechanism in the cybersecurity space might play out. The government has now specifically promised that when contractual cybersecurity standards are not satisfied, it will attempt to utilize the FCA to enforce cybersecurity fraud claims. And, as the deadline for compliance with the FTC Safeguards Rule quickly approaches, companies must be prepared for certification requests to potentially incorporate various cybersecurity requirements, including compliance with the FTC Safeguards Rule. To avoid potential FCA liability, companies and individuals need to be absolutely aware of any cybersecurity requirements in government contracts, including how compliance is certified and how to monitor and report any cybersecurity incidents. Often, organizations are not aware of what they have agreed to contractually regarding cybersecurity or privacy. A company employee may receive an email link from a customer and merely click boxes certifying compliance in order to earn the work, without ever reading the terms to which they’re binding the company.

Companies may not be prepared for the consequences of cybersecurity requirements and certifications in contracts—but they should be. This year promises to be an even more active year for cybersecurity enforcement.

For more information and other updates and alerts regarding privacy law developments, subscribe to Bradley’s privacy blog Online and On Point.

Daniel Fortune

Daniel Fortune represents clients in matters involving cybersecurity, white collar defense, government enforcement actions, and regulatory compliance. Prior to joining Bradley, Daniel served as the lead cybersecurity attorney at a litigation boutique, and as a state prosecutor and federal prosecutor litigating matters involving computer forensics, white collar crime, and government investigations. As the Deputy Chief Assistant U.S. Attorney in the Criminal Division, he supervised major cybercrime, white collar fraud, public corruption, asset forfeiture, and national security matters. He also served as the Computer Hacking and Intellectual Property Coordinator with top-secret security clearance, working on matters involving cleared defense contractors.

Lyndsay E. Medlin

Lyndsay Medlin assists clients across industries with a variety of litigation, internal investigation, and compliance needs. Her experience includes assisting clients with drafting and developing policies and best practices to ensure compliance and prevent litigation; investigating and responding to internal whistleblower allegations, federal civil investigative demands, and state regulatory inquiries for financial services, healthcare, life sciences, and government contractor clients, and working closely with clients across industries to protect their business interests nationwide. With privacy and cybersecurity becoming paramount concerns for businesses, Lyndsay is also skilled at counseling clients regarding the nuances of privacy notices, protection of customer and client personal information, and for covered financial services clients, Bank Secrecy Act/Anti-Money Laundering compliance.