The Department of Justice (DOJ) announced Wednesday it will use the False Claims Act (FCA) to pursue cases of cybersecurity-related fraud by government contractors and grant recipients—including claims against entities that fail to report breaches and hacks in a timely manner.
“For too long, companies have chosen silence under the mistaken belief that it is less risky to hide a breach than to bring it forward and to report it,” Deputy Attorney General Lisa Monaco said in a press release. “That changes today. We are announcing today that we will use our civil enforcement tools to pursue companies, those who are government contractors who receive federal funds, when they fail to follow required cybersecurity standards — because we know that puts all of us at risk. This is a tool that we have to ensure that taxpayer dollars are used appropriately and guard the public fisc and public trust.”
The new Civil Cyber-Fraud Initiative will empower the DOJ to “hold accountable entities or individuals that put U.S. information or systems at risk by knowingly providing deficient cybersecurity products or services, knowingly misrepresenting their cybersecurity practices or protocols, or knowingly violating obligations to monitor and report cybersecurity incidents and breaches.”
The initiative will use all the tools of FCA enforcement, including the whistleblower provision that encourages private parties to assist the government in identifying and pursuing fraudulent conduct. In that context, the initiative could open the floodgates for civil suits against entities regarding personal data that is lost or stolen—if a whistleblower can establish the financial harm the breach caused to the government.
The key question to be answered by courts is what constitutes harm caused by breaches and hacks beyond financial harm. Would courts place a price on sensitive government data being exposed to bad actors?
The initiative is expected to help build “broad resiliency against cybersecurity intrusions across the government, the public sector and key industry partners,” according to the DOJ, as well as hold “contractors and grantees to their commitments to protect government information and infrastructure” and reimburse “the government and the taxpayers for the losses incurred when companies fail to satisfy their cybersecurity obligations.”
Monaco also announced Wednesday the creation of a new National Cryptocurrency Enforcement Team (NCET) at the DOJ that will “tackle complex investigations and prosecutions of criminal misuses of cryptocurrency.”
The first step for the DOJ is choosing someone to lead the team, which will “identify, investigate, support, and pursue cases against cryptocurrency exchanges, infrastructure providers, and other entities that are enabling the misuse of cryptocurrency and related products to commit or facilitate criminal activity.”
Members of the NCET will be drawn from several DOJ divisions, including the Criminal Division’s Money Laundering and Asset Recovery Section, the Computer Crime and Intellectual Property Section, and Criminal Division employees drawn from U.S. attorneys’ offices across the country.